
KB5094122 - Windows Server 2016 / Windows 10 1607 Security Update (OS Build 14393.9234)

Cumulative security update for Windows Server 2016 and Windows 10 version 1607, released on June 9, 2026, bringing the OS build to 14393.9234.

Summary

KB5094122 is a cumulative security update for Windows Server 2016, Windows 10 Enterprise LTSB 2016, and Windows 10 IoT Enterprise LTSB 2016, producing OS build 14393.9234. Released on June 9, 2026, it builds on the May 12, 2026 update (KB5087537) and delivers security fixes plus quality improvements across all three editions. See Microsoft Support for the official page.

Highlights

  • New LimitSecureBootRequiredServiceData Group Policy setting limits the Secure Boot service data sent to Microsoft.
  • Windows quality updates now carry additional high-confidence device targeting data, broadening automatic Secure Boot certificate coverage.
  • A DFS Namespaces bug on domain controllers with exactly 15-character hostnames has been fixed (Windows Server 2016 only).
  • Security hardening changes alter how Windows processes desktop.ini files, which may affect custom folder icons or localized folder names.

Improvements and fixes

  • Secure Boot - new policy: A new Group Policy setting, LimitSecureBootRequiredServiceData, is available under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, it suppresses the Secure Boot service data event that would otherwise be sent to Microsoft. The policy is also part of the Windows Restricted Traffic Limited Functionality Baseline package.
  • Secure Boot - certificate targeting: Quality updates now include additional high-confidence device targeting data. This widens the pool of devices eligible to receive new Secure Boot certificates automatically, while keeping the rollout controlled and phased - devices only receive new certificates after sufficient successful update signals are confirmed.
  • DFS Namespaces fix (Windows Server 2016 only): An issue that caused DFS Namespaces to malfunction on servers whose hostnames were exactly 15 characters long has been resolved.
  • Folder customization - security hardening: Windows now processes desktop.ini files with additional security restrictions. Some users may see missing custom folder icons or localized folder names for content originating from downloaded or remote locations. Folder access itself is not affected.

Known issues

Microsoft Office applications might fail to open from certain third-party apps

Symptom: Certain third-party applications that use OLE automation to interact with Microsoft Office may be unable to launch Office apps or open documents after installing updates released on or after June 9, 2026. In some cases the Office application or document fails to open with no error message displayed. Affected Office applications may include Word, Excel, PowerPoint, Access, and others when launched from within the affected third-party application. Reported affected applications include CCH Engagement, Workpaper Manager, dental software such as Dentrix and Softdent, and Zotero; other similar applications may also be impacted.

Workaround: A fix is in progress and will be included in a future Windows update. As a workaround, open the application or document directly rather than launching it from the affected third-party application. For organizations, an additional workaround is available for affected devices - contact Microsoft Support for business to apply it.

How to get this update

Before installing KB5094122, Microsoft recommends installing the latest Servicing Stack Update (SSU), KB5094141. If the SSU is not present, the cumulative update may not be offered to the device, increasing security risk. Install the SSU as soon as possible.

  • Windows Update / Windows Update for Business: KB5094141 is offered automatically before this update. The cumulative update then downloads and installs without manual steps.
  • Microsoft Update Catalog: Download the standalone package for KB5094122 directly from the Catalog website. Also download and install KB5094141 separately if it is not already present.
  • Windows Server Update Services (WSUS): Administrators must explicitly approve both KB5094141 and KB5094122. Configure Products as Windows Server 2016, Windows 10, and Windows 10 LTSB and Classification as Security Updates to receive the update via automatic sync.
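The SSU-then-cumulative-update order above can be checked per device before and after deployment. The following PowerShell is an added example, not Microsoft's code: the function name and the sample device are constructed for illustration, and it assumes `Get-HotFix` lists the packages (a device whose list is incomplete is reported as needing the SSU).

```powershell
# Added example, not Microsoft's code. KB numbers and build come from this page.
$SsuKb       = 'KB5094141'   # servicing stack update (install first)
$LcuKb       = 'KB5094122'   # cumulative update
$TargetBuild = 14393
$TargetUbr   = 9234          # revision delivered by KB5094122

function Get-Kb5094122State {   # hypothetical helper name
    param(
        [string[]]$InstalledKbs,   # HotFixID values reported by the device
        [int]$Build,
        [int]$Ubr
    )
    $ssuSeen = $InstalledKbs -contains $SsuKb
    $lcuSeen = $InstalledKbs -contains $LcuKb
    if ($Build -ne $TargetBuild) {
        $next = 'Out of scope: not an OS build 14393 device'
    } elseif ($Ubr -ge $TargetUbr) {
        # A higher revision means a later cumulative update superseded this one.
        $next = 'None: device is at or above 14393.9234'
    } elseif (-not $ssuSeen) {
        # A newer SSU would also satisfy the prerequisite; this check only
        # confirms the specific package named on the page.
        $next = "Install $SsuKb, then $LcuKb"
    } else {
        $next = "Install $LcuKb (approve it in WSUS if that is the source)"
    }
    [pscustomobject]@{
        OsBuild    = '{0}.{1}' -f $Build, $Ubr
        SsuListed  = $ssuSeen
        LcuListed  = $lcuSeen
        NextAction = $next
    }
}

# Live device: read the build from the registry and the KB list from Get-HotFix.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$kbs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Get-Kb5094122State -InstalledKbs $kbs -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR)

# Constructed sample: a device below the target revision with no SSU listed.
Get-Kb5094122State -InstalledKbs @('KB5087537') -Build 14393 -Ubr 9000
```

The OS build revision (UBR) is the more reliable signal that the cumulative update took effect; the KB list is used only to decide whether the SSU still has to go on first.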

If you deploy dynamic updates to an existing Windows image, ensure the boot.stl file is included in the installation media. Omitting it can prevent devices from starting from that media and may produce error code 0xc0430001. Use the Update WinPE script (recommended) or manually copy boot.stl from the device's Windows\Boot\EFI folder to the corresponding folder on the installation media.

Frequently asked questions

What is the LimitSecureBootRequiredServiceData policy and should I enable it?

This new Group Policy setting, found under Computer Configuration > Administrative Templates > Windows Components > Secure Boot, suppresses the Secure Boot service data event sent to Microsoft when enabled. It is also part of the Windows Restricted Traffic Limited Functionality Baseline. Organizations that restrict telemetry or data sent to Microsoft should evaluate enabling it per their data governance policies.

Why might custom folder icons or folder names disappear after installing this update?

The update introduces a security hardening change to how Windows handles desktop.ini files. Content from downloaded or remote locations may no longer display custom icons or localized names. Folder access is not blocked. Microsoft has published a dedicated article - referenced in the support page - covering this behavior and steps users can take to understand the impact.

Is a fix available for the OLE automation issue blocking Office from opening?

Not yet. Microsoft has confirmed the issue and states that a resolution will be delivered in a future Windows update. In the meantime, open affected documents or applications directly rather than through the third-party application. Organizations experiencing widespread impact can contact Microsoft Support for business to receive an available organizational workaround.

When does support end for the products covered by this update?

Windows 10 Enterprise LTSB 2016 and Windows 10 IoT Enterprise 2016 LTSB reach end of support on October 13, 2026. Windows Server 2016 reaches end of support on January 12, 2027. After those dates, Microsoft will no longer provide free software updates, technical assistance, or security fixes from Windows Update.
