Microsoft June 2026 Patch Tuesday: Windows Server and Admin Checklist

Microsoft’s June 2026 Security Updates are live. The official MSRC CVRF feed for June 2026 Security Updates shows a current release time of 2026-06-09T07:00:59. In the feed pulled for this article, MSRC listed 653 CVE entries, with no Microsoft CVE marked Exploited:Yes at that moment, three marked publicly disclosed, and fifteen marked Exploitation More Likely.

The useful takeaway is simple: do not wait for a single headline zero-day before planning the window. This release touches Windows, Windows Server, Remote Desktop, Hyper-V, SharePoint, Office, Exchange, Azure components, Secure Boot, BitLocker, HTTP.sys, NTLM, DHCP, and other pieces that matter to hosting providers, small businesses, agencies, and internal IT teams.

This is a protect-only operations guide. It focuses on safe patch planning, reboot order, role-specific checks, and verification without reproducing exploit details or unsafe testing instructions.

What stands out in June 2026

• Three CVEs are publicly disclosed in the MSRC feed. The parsed CVRF data flagged CVE-2026-45586, CVE-2026-49160, and CVE-2026-50507 as publicly disclosed and not exploited.
• Fifteen CVEs are marked Exploitation More Likely. The list includes Windows DWM Core Library, NT OS Kernel, Remote Desktop Client, Windows graphics, Winlogon, HTTP.sys, SharePoint, BitLocker, CTFMON, and NTLM items.
• No Microsoft CVE was marked Exploited:Yes in the pulled MSRC data. Keep watching CISA KEV and MSRC because that can change after release day.
• Windows and server roles need attention. The release includes issues relevant to RDS, Hyper-V, domain services, IIS/HTTP.sys, DHCP, Secure Boot, BitLocker, and exposed management workstations.

Patch order for business and hosting admins

1. Back up first. Confirm recent backups for domain controllers, Hyper-V hosts, IIS servers, file servers, RDS hosts, management servers, and business-critical workstations.
2. Patch exposed management machines early. Prioritize machines used for RDP, VPN, WHM/cPanel, Plesk, WordPress admin, cloud consoles, DNS, billing, backups, and password-manager access.
3. Patch domain controllers carefully. Update one DC at a time, verify replication, DNS, time sync, Kerberos/NTLM-dependent apps, login behavior, and event logs before moving to the next DC.
4. Patch Hyper-V hosts in a maintenance flow. Check cluster health, live migration, backup jobs, VM checkpoints, guest tools, storage paths, and failover behavior before and after host reboots.
5. Patch RDS and jump hosts deliberately. Drain sessions, notify users, patch gateways and brokers, reboot cleanly, and test sign-in, profile loading, printer mapping, and published apps afterward.
6. Patch IIS and web servers with rollback in hand. Confirm site backups, app pool behavior, TLS bindings, HTTP.sys exposure, logs, and monitoring before declaring the window done.
7. Patch SharePoint, Exchange, Office, and developer tools separately. Use the product-specific guidance and test workflows that depend on those platforms.

Update paths to use

• Windows Update: Good for individual machines and smaller fleets when you can verify the result afterward.
• WSUS: Use approvals, rings, and reporting so servers do not all reboot together.
• Intune or RMM: Use deployment rings for workstations, exposed admin devices, and remote staff. Watch devices that are offline or stuck pending reboot.
• Microsoft Update Catalog: Use offline installers when a server cannot reach normal update channels, but verify the exact KB, OS build, and architecture before installing.
• Manual maintenance windows: Use these for clustered servers, Hyper-V, domain controllers, RDS, and customer-facing systems where reboot order matters.

Post-reboot verification

• Confirm Windows build and installed hotfixes with your normal inventory, RMM, WSUS, Intune, PowerShell, or server-management tooling.
• Check for pending reboots after the first restart, especially on servers with servicing stack or .NET updates.
• Review Event Viewer, service status, backup agent health, endpoint protection, and monitoring alerts.
• Test IIS sites, RDS logins, Hyper-V guest health, domain controller replication, DNS resolution, and business applications.
• Verify customer-facing sites, APIs, mail flow, VPN, remote support tools, and scheduled jobs after the patch window.
• Document any machines held back, why they were held back, and when the next attempt will happen.

Related Fix I.T. Phill reading

• Chrome CVE-2026-11645 browser patch guide
• Microsoft Secure Boot certificate warning
• Microsoft Defender CISA KEV patch guide
• MiniPlasma Windows zero-day admin checklist
• How to plan an update window without breaking the site

Sources

• Microsoft MSRC CVRF: June 2026 Security Updates
• Microsoft Security Update Guide
• Microsoft Update Catalog
• Windows release health
• CISA Known Exploited Vulnerabilities catalog

Need help planning a Windows or Windows Server patch window? Fix I.T. Phill can help stage the updates, sequence reboots, check backups, and verify servers and admin machines after the work is done.