Key Takeaways
The Biggest Microsoft Patch Tuesday: 211 Fixes and Active Exploits; What to Do Next

- Microsoft Patch Tuesday started in 2003 to replace chaotic ad-hoc patching with predictable monthly releases
- July 2026 set a record with 722 CVEs patched, including two actively exploited zero-days
- SharePoint Server 2016/2019 and SQL Server 2016 reached end of support in July 2026
Microsoft Patch Tuesday, the second Tuesday of every month when Microsoft releases security updates for Windows, Office, SQL Server, and other products, turned 20 years old in 2023. The practice has become so ingrained in enterprise IT operations that Adobe and other vendors now follow the same cadence. For IT administrators, the monthly ritual of testing, staging, and deploying patches remains one of the most predictable parts of the job.
Why did Microsoft create Patch Tuesday?
Before 2003, Microsoft released security patches whenever vulnerabilities were discovered. IT departments had no way to plan maintenance windows or coordinate testing across departments. A critical fix might drop on a Friday afternoon or the day before a major product launch.
The Microsoft Security Response Center addressed this in a blog post marking the 20th anniversary: "Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner." The company confirmed that Patch Tuesday "will continue to be an important part of our strategy to keep users secure."
The predictability changed everything for enterprise IT. System administrators could schedule monthly maintenance windows, QA teams could allocate testing resources, and help desks could prepare for user questions about reboots and downtime.
July 2026: The largest Patch Tuesday on record
Microsoft addressed 722 CVEs in July 2026 after setting aside 427 Chromium upstream relays. That's roughly three times a normal cycle and one of the largest single months in Patch Tuesday history. Two vulnerabilities arrived under active exploitation: an elevation of privilege in Active Directory Federation Services (CVE-2026-56155) and an elevation of privilege in SharePoint Server (CVE-2026-56164).
A third vulnerability, a BitLocker security feature bypass (CVE-2026-50661), was publicly disclosed but not yet exploited at release time. The July release earned "Patch Now" recommendations for Windows, Office, Exchange, and SQL Server. SharePoint had two critical RCEs on top of its exploited zero-day, and Exchange Server returned with a critical on-premises spoofing flaw.
Complicating matters, SharePoint Server 2016/2019 and SQL Server 2016 all reached end of support on the same day. Organizations still running these products faced a collision: patch now and migrate soon, or accept unpatched risk going forward.
What the past six months looked like
June 2026 brought 206 updates affecting Windows, Office, Exchange Server, and developer tools. Three Windows vulnerabilities were publicly disclosed: an elevation of privilege in the Collaborative Translation Framework (CVE-2026-45586), a denial of service in HTTP.sys (CVE-2026-49160), and a BitLocker security feature bypass (CVE-2026-50507). None were under active exploitation, but all three were rated "Exploitation More Likely." Microsoft recommended installing the Exchange update "as soon as possible."
May 2026 saw 139 updates affecting Windows, Office, .NET, and SQL Server with no Exchange updates and no zero-days. The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, and a large TCP/IP vulnerability cluster still warranted an accelerated deployment schedule.
April 2026 was described as a "whopper," with 165 updates and roughly 340 unique CVEs, including two zero-days. One was already being exploited at release.
How IT teams should approach monthly patching
The core workflow hasn't changed much in 20 years: review the release notes, identify which patches apply to your environment, test in a staging environment, then deploy in waves. What has changed is scale. With cloud infrastructure, remote workforces, and hybrid environments, a "Patch Now" recommendation can mean coordinating updates across thousands of endpoints in dozens of locations.
Most enterprise teams use a tiered approach. Critical vulnerabilities under active exploitation get emergency treatment. Everything else follows the standard monthly window. The key is having the infrastructure to deploy quickly when needed. Tools like ClickUp or Asana can help track patch deployment tasks across IT teams, while Slack keeps communication flowing when urgent patches drop.
Disclosure
Some links in this post are affiliate links — Logicity earns a commission if you sign up, at no extra cost to you. We only link products we have used or actively recommend.
The end-of-support problem
July 2026's collision of end-of-support dates highlights a recurring problem. Organizations running legacy software often delay migration until forced. When a major Patch Tuesday coincides with end-of-support, IT teams face two urgent projects at once: patch the vulnerabilities and accelerate the migration timeline.
Microsoft publishes end-of-support dates years in advance. SharePoint Server 2016's date was announced in 2021. SQL Server 2016's was announced in 2022. The information is available; the challenge is organizational. Budget cycles, competing priorities, and the "it still works" mentality push migrations to the last possible moment.
Logicity's Take
The July 2026 record isn't just about volume. It signals that Microsoft's attack surface keeps expanding as the company integrates more products into its ecosystem. CIOs should treat the end-of-support collision as a warning: if your organization still runs software from 2016, you're not just missing patches. You're accumulating technical debt that compounds monthly. Consider investing in automated patch management tools (Microsoft's own WSUS, or third-party options like ManageEngine or Ivanti) to reduce the manual burden. The companies that handle Patch Tuesday smoothly are the ones that built the infrastructure before they needed it urgently.
Frequently Asked Questions
When is Microsoft Patch Tuesday each month?
Patch Tuesday falls on the second Tuesday of every month. Updates typically release between 10 AM and 2 PM Pacific Time.
What products does Patch Tuesday cover?
Microsoft releases security updates for Windows, Office, SQL Server, Exchange Server, .NET, Edge, and its developer tools. The specific products vary each month.
Do other companies follow Patch Tuesday?
Yes. Adobe and other vendors release their security updates on the same day to simplify IT planning. The practice has become an industry standard.
What does 'Patch Now' mean in Microsoft's guidance?
A 'Patch Now' recommendation indicates that vulnerabilities are critical enough to warrant immediate deployment rather than waiting for the standard testing cycle.
How many vulnerabilities does Microsoft typically patch each month?
A typical Patch Tuesday addresses 100-150 CVEs. Months with zero-days or accumulated fixes can exceed 200. July 2026's 722 CVEs was exceptionally high.
Full breakdown of the largest Patch Tuesday on record
Need Help Implementing This?
If your organization struggles to keep up with monthly patching cycles or needs help planning end-of-support migrations, reach out to Logicity's enterprise IT consulting partners. We can connect you with specialists who've handled Patch Tuesday at scale.
Source: Computerworld
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.






