Testing Guidance

July 2026 Patch Tuesday Testing Guidance

Readiness July 2026 Testing Guidance card showing the Rho Ophiuchi region captured through Carl's telescope, with the Readiness and Microsoft marks, by Greg Lambert

Microsoft’s July 2026 Patch Tuesday is a security-only release: 180 test-guidance entries, fourteen of them High Risk (June had one). Printing and graphics are the centre of gravity: win32kfull.sys, the kernel-mode window manager, is the most-patched binary (fourteen entries), and seven High Risk flags sit alongside it — the Print Spooler, four win32k entries, and two GDI+ metafile entries. NTFS is the second theme, with ten entries, two High Risk. Every entry reports no functional changes — pure regression validation — and the packages span Windows 11 26H1 back to Server 2012 ESU.

Printing and Graphics (High Risk)

The Print Spooler flag centres on shared printers, whose queue status must track jobs accurately; the win32k flags cover 32-bit application printing, font rendering in printed and exported output, on-screen rendering, and window management; the GDI+ flags cover metafiles.

  • Share a printer from a print server, print from a separate client in varied sizes and formats, and cancel a job, confirming the queue reflects every state change
  • Print from your 32-bit applications, and print text-heavy, graphics-heavy, and multi-page documents to physical and virtual (PDF or XPS) printers, repeating after orientation, scaling, and resolution changes
  • Export documents with varied fonts to PDF and confirm fonts and layout survive; render EMF+ files that apply effects to very large images, and convert EMF files to WMF
  • Open and close windows rapidly, drive common dialogs by mouse and keyboard, and close parents with children open — no orphaned windows

Storage and File Systems (High Risk)

Both NTFS High Risk flags target integrity — extended attributes, and volume recovery after an unexpected shutdown. File History carries its own High Risk flag on clients; a Server 2025-only bundle across boot, BitLocker, and ReFS demands the full Secure Boot/BitLocker matrix. Eight entries hit Server 2025 alone, including WSL, GPU partitioning, and a scripted Windows Server Backup pass repeating recovery after rolling the date 90 days forward.

  • Exercise NTFS extended attributes — older-system EAs, backup workflows that preserve them, concurrent same-file operations where supported — with antivirus, encryption, or storage filters active
  • Simulate an unexpected shutdown during file activity, verify the volume mounts intact, run chkdsk, and confirm indexing, shadow copies, and backup still work
  • Run a full File History pass: back up, modify and back up again, exclude folders, change frequency, move the destination
  • On Server 2025, boot all four Secure Boot/BitLocker combinations, in standard and confidential VMs where supported

Devices, Input, and Networking (High Risk)

Three further High Risk flags land here: HID input (hidparse.sys with win32k) — touch, keyboard, mouse, touchpad, through disconnects and restarts; the WinSock bundle (afd.sys plus Bluetooth and multicast drivers); and IrDA. The heaviest ask is not High Risk at all: the NetAdapterCx driver (24H2/25H2, Server 2025) wants 500-plus adapter enable-disable cycles under Driver Verifier.

  • Run the connectivity suite: browsing, large downloads, mapped drives, an RDP session idle 30+ minutes, a Teams call, an hour of streaming, and localhost apps such as Docker or WSL
  • Stress Bluetooth: pairing, 10+ minutes of audio, input after idle, and reconnection after sleep
  • Where infrared hardware exists, transfer a file and run at least 100 connect-disconnect cycles
  • Sweep the rest: DNS Server (zone data must stay under its configured database directory), the client resolver (five entries), DHCP Server (five entries), SMB, NFS, Message Queuing (five entries), RRAS administration, client VPN, and WinHTTP/WinINet consumers

Other Windows Components

This is the catch-all: a spread of components that each get a lighter touch rather than a High Risk flag. Several of them sit on the boot and recovery path, though, so it’s not a section to skip.

  • Windows Installer: run a full install, uninstall, and repair, then force a rollback
  • Hyper-V and Windows Sandbox: push virtual-switch traffic, confirm Virtual Filtering Platform policies enforce, and exercise Windows Sandbox
  • Server roles: drive HTTP.sys over HTTP/3, and test AD FS sign-in across WS-Fed, SAML, and WS-Trust
  • Media and graphics: work the sixteen media entries — playback, HEVC and MPEG-TS, USB audio, and MIDI 2.0 — and put dxgkrnl.sys (three entries) through GPU and 4K workloads
  • Boot and code integrity (winload.efi, ci.dll, Secure Kernel, and VBS policies, on every baseline): restart repeatedly, enable VBS where it’s deployed, and boot WinRE from USB media to prove the recovery path
  • Round out the sweep with Storage Spaces, UDF, and cloud-files sync

Shell Hardening and LSA Isolation

These two entries are a little different from the rest of the cycle: they ask you to confirm a security behaviour actively works, not just that nothing regressed. A pass here means the protection fired, so treat them as functional checks rather than box-ticking.

  • Shortcut handling (windows.storage.dll; Windows 11 23H2 and earlier, plus Server 2022): drop a shortcut file carrying the Mark of the Web into a folder and confirm the system refuses to extract its icon and leaks no NTLM credential hash — include the zero-click paths, where the icon would otherwise render without you opening anything
  • LSA isolation and KeyGuard (24H2/25H2, Server 2025): run the supplied PowerShell validation script, which turns on Virtualization-based Security if it isn’t already, exercises KeyGuard key operations in both required and best-effort isolation modes, and reports pass or fail — it needs TPM 2.0, UEFI with Secure Boot disabled, and PowerShell 7
  • Run that script on a dedicated test machine, never a shared one: it enables test signing, disables automatic updates, and reboots without asking

Office & SharePoint

July’s Office wave is security-only — everything landed on 14 July, and nothing Critical or non-security shipped in the 7 July preview. It’s an MSI-only cycle, so Click-to-Run estates can sit this one out; the work is on Office 2016 and SharePoint Server.

  • On MSI Office 2016, apply the client updates — Excel (KB5002886), Word (KB5002890), PowerPoint (KB5002867), and five suite-level rollups (KB5002273, KB5002887, KB5002748, KB5002857, KB5002830) — then exercise macros, external data, embedded objects, and any line-of-business add-ins
  • On SharePoint Server, patch 2016 (KB5002891, plus the KB5002892 language pack) and Subscription Edition (KB5002882), then check browser-based editing; the guidance lists SharePoint 2019 with a baseline but ships no 2019 package, so there is nothing to install there
  • Mind the rollback rules before you schedule the window: most client updates can be uninstalled, but the server updates cannot and always require a reboot

Developer Tools & Databases

The developer estate gets a broad but low-drama sweep this month. Both .NET and SQL Server patch widely, but the ask is representative-application validation rather than anything exotic — install on the matching branch and confirm normal behaviour.

  • .NET: install the SDK updates (8.0.423, 9.0.316, 10.0.302, x64 and x86) and the Framework rollups spanning 3.5 through 4.8.1 — which reach from Windows Server 2012 up to Windows 11 26H1 and Server 2025 — then run a representative set of applications and confirm they function normally
  • SQL Server: the GDR updates span 2016 SP3 through 2025 — install each on its matching branch (RTM+GDR and cumulative-update+GDR from 2017 onwards, KB5101346/KB5102333 for 2025; plus SP3+GDR, KB5102340, and the SP3 Azure Connect Feature Pack+GDR, KB5102339, for 2016) and test that each removes cleanly
  • Check an encrypted client connection through the separately patched Windows SQL client (dbnetlib.dll), which ships outside the server branches

July 2026 Patch Tuesday Testing Priorities

If you can’t test everything at once, this is the order that retires the most risk first.

  • Start with printing and graphics: half the High Risk flags sit in the Print Spooler, win32k, and GDI+, so regress shared printers, 32-bit printing, PDF export, metafiles, and window management before anything else
  • Take NTFS next — extended attributes and crash recovery both touch data integrity — and add a client File History backup-and-restore pass
  • Give Server 2025 its wider matrix — the Secure Boot/BitLocker combinations, WSL, GPU partitioning, and the scripted backup pass — and work through the stress suites
  • Run the scripted KeyGuard validation on any VBS estate, on a dedicated machine
  • Close out the rest: Office is MSI-only with Click-to-Run untouched, and .NET and SQL Server are representative-application checks