
KB5094125: Windows Server 2025 June 2026 Cumulative Update (OS Build 26100.32995)

June 9, 2026 security cumulative update for Windows Server 2025, delivering OS build 26100.32995 with security fixes, Secure Boot improvements, DNS over HTTPS, and File Explorer search enhancements.

Summary

This is the June 9, 2026 security cumulative update for Windows Server 2025, released as KB5094125 and resulting in OS Build 26100.32995. It is a monthly security update that also incorporates non-security improvements from the prior month's optional preview release. It covers all editions of Windows Server 2025. See Microsoft Support for the official release page.

Highlights

  • Secure Boot certificate rollout expands: most Windows devices have Secure Boot certificates set to expire starting in June 2026. Microsoft has been updating certificates on consumer and non-managed business devices, and the rollout continues through Windows Update in coming months.
  • Windows Server 2025 DNS Server now supports DNS over HTTPS (DoH) for encrypted server-to-client DNS communication, generally available and compatible with existing DNS infrastructure.
  • File Explorer search is improved with support for Chinese text, UTF-8 encoded files without a byte order mark (BOM), and clearer display across search results, Content view, and tooltips.
  • A fix addresses devices entering BitLocker Recovery after the April 2026 security update updated boot files on systems with certain TPM validation settings.
  • A fix resolves Windows Update Standalone Installer (WUSA) failures with error code ERROR_BAD_PATHNAME when run from network shares containing multiple .msu files.

Improvements and fixes

  • Secure Boot - certificate targeting: Quality updates now include additional high-confidence device targeting data, broadening the range of devices eligible to automatically receive updated Secure Boot certificates. Certificates are delivered only after successful update signals are confirmed, keeping the rollout phased and controlled.
  • Secure Boot - new Group Policy setting: A new LimitSecureBootRequiredServiceData policy and MDM setting is added under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, Windows suppresses the Secure Boot service data event normally sent to Microsoft. This policy is part of the Windows Restricted Traffic Limited Functionality Baseline.
  • BitLocker Recovery fix: Resolves an issue where some devices entered BitLocker Recovery after boot files were updated on systems with certain TPM validation settings, including invalid PCR7 configurations. This could occur after installing the April 2026 security update (KB5082063).
  • File Explorer search: Improved support for Chinese text and UTF-8 encoded files without a BOM. Text rendering is more consistent across search results, Content view, and tooltips.
  • DNS over HTTPS (DoH): Windows Server 2025 DNS Server now supports DoH for encrypted DNS communication between the server and clients, protecting query content from inspection and preventing unauthorized modification of responses. Note: this applies to server-client communication only and does not cover server-to-server encrypted DNS.
  • Reliability - user profile load: System resource management during user profile load is improved for greater reliability.
  • WUSA fix: Resolves ERROR_BAD_PATHNAME failures when installing updates using WUSA from a network share containing multiple .msu files, whether triggered by double-clicking a .msu file or running WUSA from the command line.
  • Folder customization - security hardening: Introduces a security hardening change to how Windows processes desktop.ini files. Some users may notice missing custom folder icons or localized folder names for downloaded or remote content. Folder access is not affected.

Known issues

WSUS does not display synchronization error details

Symptom: After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting.

Workaround: This functionality was temporarily removed to address the Remote Code Execution vulnerability CVE-2025-59287. No additional workaround is documented on the page at this time.

Microsoft Office applications might fail to open from certain third-party apps

Symptom: Certain third-party applications may be unable to launch Microsoft Office applications or open documents after installing Windows updates released on or after June 9, 2026. The issue affects third-party applications that use OLE automation to interact with Office. In some cases, the Office application or document fails to open without displaying an error message. Affected Office applications may include Word, Excel, PowerPoint, Access, and others. Reported affected third-party applications include CCH Engagement, Workpaper Manager, dental software such as Dentrix and Softdent, and Zotero; other similar applications may also be impacted.

Workaround: A resolution is in progress and will be included in a future Windows update. In the meantime, open the application or document directly rather than launching it from the affected third-party application. For organizations needing a device-level workaround, contact Microsoft Support for business.

How to get this update

Microsoft combines the latest servicing stack update (SSU) with this cumulative update. The accompanying SSU for this release is KB5094137 (version 26100.32985).

This update is available through the following channels:

  • Windows Update / Microsoft Update: Downloads and installs automatically.
  • Windows Update for Business: Deploys automatically according to configured policies.
  • Microsoft Update Catalog: Download the .msu files manually. You can install all MSU files together using DISM with the /PackagePath pointing to the folder, or install them individually in order - first windows11.0-kb5043080-x64_953449672073f8fb99badb4cc6d5d7849b9c83e8.msu, then windows11.0-kb5094125-x64_8e89fa4917df313fe118b9fe150611975ab92565.msu.
  • WSUS: Syncs automatically when Products is set to Microsoft Server operating system-24H2 and Classification is set to Security Updates.

If deploying dynamic updates to an existing Windows image, ensure the boot.stl file is included in the installation media. Omitting it may prevent devices from starting from that media and can produce error code 0xc0430001. Use the Update WinPE script (recommended) or manually copy the file from the device's Windows\Boot\EFI folder to the corresponding folder on the installation media.
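The checks an administrator would run around a manual Catalog install, as an added example (not a Microsoft script and not part of the original page): confirm each downloaded .msu matches the hash embedded in its file name, confirm the device reports build 26100.32995 afterwards, and confirm boot.stl on updated media matches the device's copy. Assumptions: the 40-hex suffix in an Update Catalog file name is the file's SHA-1 digest, and the two script parameters are hypothetical paths supplied by the caller.

```powershell
param(
    [string]$PackageFolder,    # hypothetical: folder holding the downloaded .msu files
    [string]$MediaEfiFolder    # hypothetical: media folder corresponding to Windows\Boot\EFI
)
$KbId        = 'KB5094125'              # from this page
$TargetBuild = [version]'26100.32995'   # from this page

# Assumption: the 40-hex suffix in a catalog file name is the file's SHA-1 digest.
function Test-MsuNameHash([string]$Path) {
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name -match '_([0-9a-f]{40})$') {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash -eq $Matches[1]
    } else { $false }
}

# OS build as CurrentBuildNumber.UBR, read from the registry.
function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

# Returns 'match', 'differs', 'missing' or 'no-local-copy' for boot.stl on the media.
function Test-MediaBootStl([string]$Folder) {
    $src = Join-Path $env:SystemRoot 'Boot\EFI\boot.stl'
    $dst = Join-Path $Folder 'boot.stl'
    if (-not (Test-Path -LiteralPath $dst)) { return 'missing' }
    if (-not (Test-Path -LiteralPath $src)) { return 'no-local-copy' }
    $a = (Get-FileHash -LiteralPath $src).Hash
    $b = (Get-FileHash -LiteralPath $dst).Hash
    if ($a -eq $b) { 'match' } else { 'differs' }
}

# Before install: flag any package whose content does not match its file name.
if ($PackageFolder) {
    Get-ChildItem -LiteralPath $PackageFolder -Filter *.msu | ForEach-Object {
        [pscustomobject]@{ File = $_.Name; HashMatchesName = (Test-MsuNameHash $_.FullName) }
    } | Format-List
}

# After install and reboot: the build should be at or above the target.
$build = Get-OsBuild
[pscustomobject]@{
    Build        = $build
    BuildOk      = ($build -ge $TargetBuild)
    HotFixListed = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
} | Format-List

if ($MediaEfiFolder) { "boot.stl on media: $(Test-MediaBootStl $MediaEfiFolder)" }
```

A package reported with `HashMatchesName = False` should be downloaded again from the Microsoft Update Catalog before it is staged for DISM or WUSA.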

Frequently asked questions

Does this update include the servicing stack update, or do I need to install it separately?

Microsoft combines the latest servicing stack update with this cumulative update. The SSU for this release is KB5094137, version 26100.32985. For devices receiving updates through Windows Update or Windows Update for Business, no separate SSU installation step is required before applying KB5094125.

Will Secure Boot certificate changes affect device startup or normal update installation?

According to Microsoft, devices that have not yet received the newer Secure Boot certificates will continue to start and operate normally. Standard Windows updates will continue to install on those devices. Updated certificates will continue to be delivered through Windows Update over the coming months in a phased rollout based on successful update signals.

What should I do if users report missing custom folder icons after this update?

The June 2026 update introduces a security hardening change to how Windows processes desktop.ini files. This can cause custom folder icons or localized folder names to disappear for folders originating from downloaded or remote locations. Folder access is not affected. Microsoft has published a separate support article titled "Custom folder icons or localized folder names might not appear after installing the June 2026 Windows security update" with further detail.

Is the new DNS over HTTPS support in Windows Server 2025 compatible with my existing DNS infrastructure?

Microsoft states that DNS over HTTPS support on Windows Server 2025 DNS Server is generally available and compatible with existing DNS infrastructure and management workflows. However, this feature covers server-to-client communication only. Encrypted DNS communication between DNS servers is not supported by this feature.
