Applies To
Windows 10 ESU, Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021

Release Date:

6/9/2026

Version:

OS Builds 19045.7417 and 19044.7417

Summary

This article lists the security issues and quality improvements included in this cumulative security update.

Applies to: Windows 10 ESU

Important: Use EKB KB5015684 to update to Windows 10, version 22H2.

This security update includes fixes and quality improvements that are part of the following updates:

The following is a summary of the issues that this update addresses when you install this update. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change we are documenting.

  • [File Explorer] This update improves File Explorer search, including support for Chinese text and UTF-8-encoded files without a byte order mark (BOM). Text now displays more clearly and consistently across search results, Content view, and tooltips.

  • [Secure Boot]

    • This update enables dynamic status reporting for Secure Boot states in Windows Security App.

    • This update adds a new policy setting, LimitSecureBootRequiredServiceData, under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When this setting is enabled, Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft. This policy is also included in the Windows Restricted Traffic Limited Functionality Baseline package. For information about the policy, see Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.

    • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.

For more information about security vulnerabilities, please refer to the new Security Update Guide website and the June 2026 Security Updates.

For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 22H2, see its update history page.

Known issues in this update

Symptoms

Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update.

This issue only affects a limited number of systems in which ALL the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments.

  1. BitLocker is enabled on the OS drive.

  2. The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).

  3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".

  4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.

  5. The device is not already running the 2023-signed Windows Boot Manager.

In this scenario, the BitLocker recovery key only needs to be entered once -- subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article, Find your BitLocker recovery key.

We recommend that enterprises audit their BitLocker group policies for explicit PCR7 inclusion and check msinfo32.exe for the PCR7 binding status before installing this update.
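One way to script part of that audit is sketched below as an added example; it is not Microsoft's code. It checks conditions 1, 2 and 4 on the local device and leaves conditions 3 and 5 to msinfo32.exe. The registry path for the policy and the function names are assumptions not given in this article.

```powershell
#Requires -RunAsAdministrator
# Added example: checks conditions 1, 2 and 4 of the known issue on the local device.
# Conditions 3 and 5 (PCR7 binding, running boot manager) still need msinfo32.exe.

# Assumption: registry location written by the "Configure TPM platform validation
# profile for native UEFI firmware configurations" policy (not named in this article).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Test-Pcr7InPolicy {
    param([string]$Key = $PolicyKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.Enabled -ne 1) { return $false }  # policy not configured
    return ($p.'7' -eq 1)   # each PCR index is stored as its own value; '7' = PCR7
}

function Test-BitLockerOnOsDrive {
    try {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return ($v.ProtectionStatus -eq 'On')
    } catch { return $false }   # BitLocker feature or cmdlet not available
}

function Test-UefiCa2023InDb {
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        return ($text -match 'Windows UEFI CA 2023')
    } catch { return $false }   # legacy BIOS, or Secure Boot variables unreadable
}

function Get-Pcr7RecoveryExposure {
    $r = [ordered]@{
        Computer           = $env:COMPUTERNAME
        BitLockerOnOsDrive = Test-BitLockerOnOsDrive
        Pcr7InPolicy       = Test-Pcr7InPolicy
        UefiCa2023InDb     = Test-UefiCa2023InDb
    }
    # All three true: confirm conditions 3 and 5 by hand before deploying the update.
    $r.CheckMsinfo32 = $r.BitLockerOnOsDrive -and $r.Pcr7InPolicy -and $r.UefiCa2023InDb
    [pscustomobject]$r
}

Get-Pcr7RecoveryExposure | Format-List
```

A device that reports CheckMsinfo32 as True is a candidate for the workaround below once its PCR7 binding status has been confirmed.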

Resolution

We are working on a resolution and will provide more information when it is available.

To temporarily work around this issue, remove the Group Policy configuration before installing the update (Recommended):

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.

  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

  3. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".

  4. Run the following command on affected devices to propagate the policy change: gpupdate /force

  5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: 

  6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: 

  7. This updates the BitLocker bindings to use the Windows-selected default PCR profile.

Windows 10 servicing stack update (KB5094145) - version 19041.7402

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process and include fixes to the servicing stack, the component that installs Windows updates.

Note: This servicing stack update (SSU) includes enhanced logic to verify whether a device is hosted on Azure, leveraging an updated certificate chain for validation. To ensure that the device can access the required certificate update domains to successfully download and install certificate updates, see Certificate downloads and revocation lists and Azure Certificate Authority details. To learn more about SSUs, see Servicing stack updates.

How to get this update

Before you install this update

Important: You must have the latest servicing stack update (SSU) installed. Not installing the latest SSU before applying Windows updates might result in the Windows update not being offered until the latest SSU is installed.

Deployment

  • If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file may prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.

    Note: The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.

    To ensure the boot.stl file is included as part of the installation media, do one of the following:

    • Use the Update WinPE script to update an existing Windows image. (Recommended)

    • Manually copy the boot.stl file from the device's Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.

  • If you deploy this update, choose one of the following based on your installation scenario:

    For offline OS image servicing

    • If your image does not have the July 25, 2023 (KB5028244) or later LCU, you must install the special standalone October 13, 2023 SSU (KB5031539) before installing this update.

    For Windows Server Update Services (WSUS) deployment or when installing the standalone package from Microsoft Update Catalog

    • If your devices do not have the May 11, 2021 (KB5003173) or later LCU, you must install the special standalone August 10, 2021, SSU (KB5005260) before installing this update.

For information about how to apply Dynamic Update packages to existing Windows images, see Update Windows installation media with Dynamic Update.

Get and install this update

To get and install this update, use one of the following Windows and Microsoft release channels.

Available | Next Step
Available | This update will be downloaded and installed automatically from Windows Update.

File information

A list of the files that are included in this update is provided in a CSV (comma-delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.

Note: The English (United States) version of this software update might contain files for additional languages.

Download the file information for this cumulative update KB5094127.

Download the file information for the SSU (KB5094145) - version 19041.7402 update.

Related topics

Secure Boot

Windows Secure Boot certificate expiration 

Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the past months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. We will continue to install the newer certificates via Windows updates in the coming months.

You can check your PC status in the Windows Security app. If you are an IT administrator, follow the guidance in the Secure Boot Playbook for Windows clients and Windows Server.

Microsoft Store application updates

Windows updates do not install Microsoft Store application updates. If you are an enterprise user, see Microsoft Store apps - Configuration Manager. If you are a consumer user, see Get updates for apps and games in Microsoft Store.

End of support

Windows 10, versions 21H2/22H2 and Windows 10 Enterprise LTSC 2021 end of support

Microsoft will no longer provide free software updates from Windows Update, technical assistance, or security fixes on the following end dates:

♦ Windows 10, version 21H2: Support ended on June 13, 2023

♦ Windows 10, version 22H2: Support ended on October 14, 2025

♦ Windows 10 Enterprise LTSC 2021: January 12, 2027

♦ Windows 10 IoT Enterprise LTSC 2021: January 13, 2032

Note: To continue to receive critical and important security updates for Windows 10, see Windows 10 Extended Security Updates (ESU). Otherwise, we recommend you upgrade to a later version of Windows.
