NAVANEM
Security update | OS build 22631.7219

KB5093998: Windows 11 version 23H2 June 2026 Patch Tuesday update (OS Build 22631.7219)

Monthly security cumulative update for Windows 11 version 23H2, releasing OS build 22631.7219 on June 9, 2026.

Summary

KB5093998 is the monthly security cumulative update for Windows 11, version 23H2, producing OS build 22631.7219. Released on June 9, 2026, it addresses security vulnerabilities and carries forward non-security improvements from last month's optional preview release. It applies to all editions of Windows 11 version 23H2. See Microsoft Support for the official page.

Highlights

  • Secure Boot certificate delivery expanded, with additional device targeting data included in quality updates to increase coverage of eligible devices.
  • A new Group Policy and MDM setting lets administrators limit the Secure Boot service data sent to Microsoft.
  • A BitLocker Recovery issue tied to boot file updates on systems with certain TPM validation settings is now fixed.
  • File Explorer search improved, including support for Chinese text and UTF-8 encoded files without a byte order mark.
  • A security hardening change for how Windows processes desktop.ini files is introduced, which may affect custom folder icons or localized folder names.

Improvements and fixes

  • Secure Boot - expanded certificate targeting: Quality updates now include additional high-confidence device targeting data, broadening the set of devices eligible to receive new Secure Boot certificates automatically. Certificates are delivered only after successful update signals are confirmed, keeping the rollout controlled and phased.
  • Secure Boot - new data-limiting policy: A new LimitSecureBootRequiredServiceData Group Policy and MDM setting is added under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, Windows suppresses the Secure Boot service data event normally sent to Microsoft. This policy is part of the Windows Restricted Traffic Limited Functionality Baseline.
  • BitLocker Recovery fix: An issue that could cause some devices to enter BitLocker Recovery after boot file updates on systems with certain TPM validation settings - including invalid PCR7 configurations - is resolved. This problem could occur after installing the April 2026 security update (KB5082052).
  • Country and Operator Settings Asset (COSA): Mobile operator profiles are updated to current specifications for certain carriers.
  • Device management - certificate sync reliability: Connectivity improvements are made for devices enrolled in both Microsoft Management Platform Configuration and Secure Lifecycle Device Management, helping them reliably sync and renew certificates.
  • Device management - dual-enrolled device reliability: Reliability is improved for devices managed by mobile device management platforms, including the Modern Management Platform Connector, so that certificate sync and renewal complete successfully.
  • File Explorer search: Search quality is improved with added support for Chinese text and UTF-8 encoded files that lack a byte order mark. Text rendering is now more consistent across search results, Content view, and tooltips.
  • Folder customization - security hardening: Windows now applies stricter processing rules for desktop.ini files. Some users may notice that custom folder icons or localized folder names no longer appear for content from downloaded or remote locations. Folder access itself is not affected.

Known issues

Microsoft Office applications might fail to open from certain third-party apps

Symptom: Certain third-party applications that use OLE automation to interact with Microsoft Office may be unable to launch Office applications or open documents after installing Windows updates released on or after June 9, 2026. In some cases the Office application or document fails to open without displaying an error message. Affected Office applications may include Word, Excel, PowerPoint, Access, and others when launched from within the affected third-party application. Reported affected applications include CCH Engagement, Workpaper Manager, dental software such as Dentrix and Softdent, and Zotero; other similar applications may also be impacted.

Workaround: A resolution is in progress and will be included in a future Windows update. More information will be shared when it becomes available. As a workaround, open the application or document directly rather than launching it from the affected third-party application. For organizations, a workaround is available for affected devices; contact Microsoft Support for business to apply it.

How to get this update

Microsoft combines the latest servicing stack update (SSU) - in this case KB5094146 for build 22621.7209 - with the latest cumulative update, so no separate SSU installation step is required before applying KB5093998.

If you are deploying dynamic updates to an existing Windows image, you must include the boot.stl file in the installation media. Omitting it may prevent devices from starting from that media and can produce error code 0xc0430001. To include the file, either use the Update WinPE script (recommended) or manually copy boot.stl from the device's Windows\Boot\EFI folder to the matching folder on your installation media.

This update is available through the following channels:

  • Windows Update and Microsoft Update: Downloads and installs automatically.
  • Windows Update for Business: Deploys automatically according to configured policies.
  • Microsoft Update Catalog: Download the standalone package directly.
  • Windows Server Update Services (WSUS): Syncs automatically when Products is set to Windows 11 and Classification is set to Security Updates.
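
A post-install check for the build, Secure Boot and BitLocker items described on this page. This is an added example, not part of Microsoft's article: the function names are illustrative, the script assumes an elevated PowerShell session on the device, and it treats any later revision of build 22631 as also containing this update.

```powershell
# Added example: post-install check for KB5093998. Run in an elevated session.
$KbId        = 'KB5093998'   # from the page
$TargetBuild = 22631         # from the page (OS build 22631.7219)
$TargetUbr   = 7219

function Get-OsBuild {
    # CurrentBuild plus UBR form the "22631.7219" style build string.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-UpdateApplied {
    param([int]$Build, [int]$Ubr)
    # Assumption: a later cumulative update supersedes this one, so UBR >= target passes.
    ($Build -eq $TargetBuild) -and ($Ubr -ge $TargetUbr)
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation.
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'Unavailable' }
}

function Get-OsVolumeBitLocker {
    # The page's BitLocker fix concerns TPM validation settings, so record whether a
    # TPM protector is in use and whether a recovery password protector exists.
    try {
        $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            Protection       = [string]$vol.ProtectionStatus
            TpmProtector     = [bool]($types -like 'Tpm*')
            RecoveryPassword = $types -contains 'RecoveryPassword'
        }
    } catch {
        [pscustomobject]@{ Protection = 'Unavailable'; TpmProtector = $false; RecoveryPassword = $false }
    }
}

$os = Get-OsBuild
$bl = Get-OsVolumeBitLocker
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    OsBuild          = '{0}.{1}' -f $os.Build, $os.Ubr
    UpdateApplied    = Test-UpdateApplied -Build $os.Build -Ubr $os.Ubr
    HotFixListed     = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    SecureBoot       = Get-SecureBootState
    BitLocker        = $bl.Protection
    TpmProtector     = $bl.TpmProtector
    RecoveryPassword = $bl.RecoveryPassword
}
```

The build and UBR comparison is the authoritative signal here; HotFixListed is reported alongside it as a cross-check.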

Frequently asked questions

Will devices without updated Secure Boot certificates stop working?

No. According to Microsoft, devices that have not yet received newer Secure Boot certificates will continue to start and operate normally. Standard Windows updates will continue to install on those devices, and updated certificates will continue to be delivered through Windows Update in the coming months.

What is the end-of-support date for Windows 11 version 23H2 Enterprise and Education?

Windows 11 version 23H2 Enterprise and Education editions reach end of updates on November 10, 2026. After that date, those editions will no longer receive security updates, time zone updates, fixes for known issues, or technical support. Microsoft recommends upgrading to the latest version of Windows 11 before that deadline.

How does the new folder customization change affect shared or downloaded content?

The security hardening change to desktop.ini file processing means that custom folder icons or localized folder names may no longer display for content from downloaded or remote locations. Importantly, access to the folders themselves is not affected - only the visual customization. Microsoft has published a dedicated support article covering this behavior change.

How do I get the standalone update package if Windows Update is not an option?

The standalone package for KB5093998 is available from the Microsoft Update Catalog. For WSUS environments, configure the Product as Windows 11 and the Classification as Security Updates so the update syncs automatically. File information for both the cumulative update and the servicing stack update (KB5094146) can be downloaded separately from the official support page.
