June 9, 2026 - KB5094123 (OS Build 17763.8880) Security Update

Summary

KB5094123 is a cumulative security update for Windows Server 2019 and Windows 10 Enterprise LTSC 2019, bringing the OS to build 17763.8880. Released on June 9, 2026, it includes security fixes and quality improvements that build on the May 12, 2026 update (KB5087538). Source: Microsoft Support.

Highlights

• Secure Boot receives dynamic status reporting, a new limiting policy, and expanded certificate targeting data.
• A security hardening change alters how Windows processes desktop.ini files, which may affect custom folder icons or localized folder names from downloaded or remote locations.

Improvements and fixes

• Secure Boot - dynamic status reporting: Windows Security App now reports Secure Boot states dynamically, giving users and administrators a real-time view of Secure Boot status.
• Secure Boot - new policy setting: A new Group Policy setting, LimitSecureBootRequiredServiceData, is available under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. Enabling it suppresses the Secure Boot service data event that Windows would otherwise send to Microsoft. This policy is also part of the Windows Restricted Traffic Limited Functionality Baseline package.
• Secure Boot - expanded certificate coverage: Quality updates now carry additional high-confidence device targeting data. This widens the pool of devices eligible to receive new Secure Boot certificates automatically. Certificates are delivered only after a device demonstrates sufficient successful update signals, keeping the rollout controlled and phased.
• Folder customization - security hardening: Windows now applies stricter processing rules to desktop.ini files. Some users may see custom folder icons or localized folder names disappear for content sourced from downloaded or remote locations. Folder access itself is not affected.

Known issues

Microsoft Office applications might fail to open from certain third-party apps

Symptom: Certain third-party applications that use OLE automation to interact with Microsoft Office may be unable to launch Office applications or open Office documents after installing Windows updates released on or after June 9, 2026. The Office application or document may fail to open without displaying any error message. Affected Office applications can include Word, Excel, PowerPoint, Access, and others when launched from within the third-party application. Reported affected applications include CCH Engagement, Workpaper Manager, dental software such as Dentrix and Softdent, and Zotero; other similar applications may also be affected.

Workaround: A permanent fix is in progress and will be delivered in a future Windows update. In the meantime, open the Office application or document directly rather than launching it from the affected third-party application. For organizations, a separate workaround is available for affected devices - contact Microsoft Support for business to apply it across your environment.

How to get this update

Prerequisite: The August 10, 2021 servicing stack update (KB5005112) must be installed before applying KB5094123.

Deployment note for dynamic updates: If you deploy this update to an existing Windows image, the boot.stl file must be included in the installation media. Omitting it can prevent devices from starting from that media, resulting in error code 0xc0430001. Use the Update WinPE script to update the image (recommended), or manually copy boot.stl from the device's Windows\Boot\EFI folder to the matching folder on your installation media before deployment.

This update is also bundled with servicing stack update KB5094143 (version 17763.8860). The SSU includes enhanced logic to verify whether a device is hosted on Azure, using an updated certificate chain for validation. Ensure affected devices can reach the required certificate update domains.

The update is available through the following channels:

• Windows Update - downloaded and installed automatically.
• Windows Update for Business - delivered automatically according to configured policies.
• Microsoft Update Catalog - standalone package available for manual download.
• Windows Server Update Services (WSUS) - syncs automatically when Products and Classifications are set to Product: Windows 10 LTSB / Windows Server 2019 and Classification: Security Updates.

Frequently asked questions

Will my custom folder icons disappear permanently after installing this update?

Not permanently. The security hardening change to desktop.ini processing means custom folder icons and localized folder names may not appear for content from downloaded or remote locations. Folder access is not affected. Microsoft has published separate guidance on this behavior; the change is intentional and part of the June 2026 security hardening.

Do I need to install a servicing stack update before applying KB5094123?

Yes. The August 10, 2021 SSU (KB5005112) must be present on the device before you install this cumulative update. KB5094123 also ships with an integrated SSU (KB5094143, version 17763.8860), so no separate SSU download is needed beyond that prerequisite.

When do Windows Server 2019 and Windows 10 Enterprise LTSC 2019 reach end of support?

Microsoft has set January 9, 2029 as the end-of-support date for both Windows Server 2019 and Windows 10 Enterprise LTSC 2019. After that date, free software updates, security fixes, and technical assistance from Windows Update will no longer be provided. Microsoft recommends planning an upgrade to a later version of Windows Server before that deadline.

Are Secure Boot certificates expiring on affected devices?

Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft states that devices which have not yet received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. Microsoft is continuing to distribute the updated certificates through Windows updates and will do so in the coming months. Administrators can check device status in the Windows Security app and should consult the Secure Boot Playbook for guidance.