Security update | OS build 19045.7417, 19044.7417

KB5094127: Windows 10 June 2026 Patch Tuesday update (OS Builds 19045.7417 and 19044.7417)

June 2026 cumulative security update for Windows 10 22H2 and 21H2 LTSC, delivering OS builds 19045.7417 and 19044.7417 with security fixes and quality improvements.

Summary

This is the June 2026 cumulative security update for Windows 10, released on June 9, 2026, targeting Windows 10 ESU, Windows 10 Enterprise LTSC 2021, and Windows 10 IoT Enterprise LTSC 2021. It brings OS builds to 19045.7417 and 19044.7417 and includes security fixes, quality improvements, and several notable component changes. Source: Microsoft Support

Highlights

  • File Explorer search receives improvements including support for Chinese text and UTF-8-encoded files without a byte order mark (BOM).
  • Secure Boot gains dynamic status reporting in the Windows Security app, a new data-limiting policy, and expanded automatic certificate distribution.
  • A security hardening change alters how Windows processes desktop.ini files, which may cause custom folder icons or localized folder names to stop appearing for content from downloaded or remote locations.

Improvements and fixes

  • File Explorer search: Search quality is improved with added support for Chinese text and UTF-8-encoded files that lack a byte order mark (BOM). Text rendering is more consistent across search results, Content view, and tooltips.
  • Secure Boot - dynamic status reporting: The Windows Security app now shows dynamic status for Secure Boot states.
  • Secure Boot - new policy for limiting service data: A new Group Policy setting, LimitSecureBootRequiredServiceData, is available under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. Enabling it causes Windows to suppress the Secure Boot service data event normally sent to Microsoft. This policy is also part of the Windows Restricted Traffic Limited Functionality Baseline package.
  • Secure Boot - expanded certificate targeting: Quality updates now carry additional high-confidence device targeting data, broadening the pool of devices that can automatically receive new Secure Boot certificates. Certificates are distributed only after devices demonstrate sufficient successful update signals, keeping the rollout phased and controlled.
  • Folder customization security hardening: Windows now applies stricter processing of desktop.ini files. Some users may find that custom folder icons or localized folder names no longer appear for folders from downloaded or remote locations. Folder access itself is not affected.
  • This update builds on the fixes delivered in the May 12, 2026 - KB5087544 (OS Builds 19045.7291 and 19044.7291) update.

Known issues

BitLocker recovery key prompt after update install

Symptom: Devices that have an unrecommended BitLocker Group Policy configuration may be prompted to enter their BitLocker recovery key on the first restart after installing this update. All of the following conditions must apply for a device to be affected:

  • BitLocker is enabled on the OS drive.
  • The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is set with PCR7 included in the validation profile (or the equivalent registry key is set manually).
  • msinfo32.exe reports Secure Boot State PCR7 Binding as "Not Possible".
  • The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database (DB).
  • The device is not already running the 2023-signed Windows Boot Manager.

The recovery key is only required once - subsequent restarts will not trigger another BitLocker recovery screen as long as the Group Policy configuration remains unchanged.

Workaround: Microsoft is working on a resolution. The recommended temporary workaround is to remove the Group Policy configuration before installing the update:

  1. Open Group Policy Editor (gpedit.msc) or the Group Policy Management Console.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
  4. Run gpupdate /force to propagate the policy change.
  5. Run manage-bde -protectors -disable C: to suspend BitLocker.
  6. Run manage-bde -protectors -enable C: to resume BitLocker.

This updates the BitLocker bindings to use the Windows-selected default PCR profile. Enterprises should audit their BitLocker Group Policies for explicit PCR7 inclusion and check msinfo32.exe for PCR7 binding status before deploying this update.
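One way to run the pre-deployment audit recommended above on a single device, as an added example (not Microsoft's script and not part of the original article). It assumes an elevated PowerShell session and reads the effective PCR profile through the Win32_EncryptableVolume WMI class; the PCR7 binding state and the boot manager signature are not checked and still have to be confirmed as the article describes.

```powershell
#Requires -RunAsAdministrator
# Added example: reports the known-issue conditions that can be read locally.
# Not checked here: PCR7 binding state (read it from msinfo32.exe) and whether
# the device already runs the 2023-signed Windows Boot Manager.
$drive = $env:SystemDrive   # normally C:
$ns    = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Condition: BitLocker protection is on for the OS drive.
$vol          = Get-BitLockerVolume -MountPoint $drive
$protectionOn = $vol.ProtectionStatus -eq 'On'

# Condition (effective view): a TPM-based protector is sealed to PCR 7.
# A healthy device with PCR7 binding "Bound" also shows 7 here, so this only
# matters together with a "Not Possible" binding state in msinfo32.exe.
$wmiVol = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume `
              -Filter "DriveLetter='$drive'"
$tpmProtectors = $vol.KeyProtector |
    Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' }
$pcrs = @(foreach ($kp in $tpmProtectors) {
    $r = Invoke-CimMethod -InputObject $wmiVol `
            -MethodName GetKeyProtectorPlatformValidationProfile `
            -Arguments @{ VolumeKeyProtectorID = $kp.KeyProtectorId }
    if ($r.ReturnValue -eq 0) { $r.PlatformValidationProfile }
}) | Sort-Object -Unique
$sealedToPcr7 = $pcrs -contains 7

# Condition: Windows UEFI CA 2023 is present in the Secure Boot DB.
$secureBootOn = $false
$has2023      = $false
try {
    $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
    $db      = Get-SecureBootUEFI -Name db -ErrorAction Stop
    $has2023 = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
} catch {
    Write-Warning "Secure Boot variables not readable: $($_.Exception.Message)"
}

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    BitLockerProtectionOn = $protectionOn
    TpmProtectorPcrs      = ($pcrs -join ', ')
    SealedToPcr7          = $sealedToPcr7
    SecureBootEnabled     = $secureBootOn
    DbHasUefiCa2023       = $has2023
    # True means: check msinfo32.exe and the policy setting before deploying.
    NeedsManualReview     = $protectionOn -and $sealedToPcr7 -and $has2023
}
```

A device with NeedsManualReview set to True is affected only if msinfo32.exe also reports PCR7 binding as "Not Possible" and the 2023-signed boot manager is not yet in use.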

Microsoft Office applications may fail to open from certain third-party apps

Symptom: Certain third-party applications may be unable to launch Microsoft Office applications or open documents after installing Windows updates released on or after June 9, 2026. The issue affects third-party applications that use OLE automation to interact with Office. In some cases, the Office application or document fails to open with no error message displayed. Affected Office applications may include Word, Excel, PowerPoint, Access, and others. Reported affected applications include CCH Engagement, Workpaper Manager, dental software such as Dentrix and Softdent, and Zotero; other similar applications may also be impacted.

Workaround: A resolution is in progress and will be included in a future Windows update. As an immediate workaround, open the application or document directly rather than launching it from the affected third-party application. Organizations needing a device-level workaround should contact Microsoft Support for business.

How to get this update

Before installing KB5094127, you must have the latest servicing stack update (SSU) installed. Failing to install the latest SSU first may result in the cumulative update not being offered to the device. This release incorporates the Windows 10 servicing stack update KB5094145 (version 19041.7402), which is combined with the cumulative update.

For organizations deploying dynamic updates to existing Windows images:

  • Ensure the boot.stl file is included in installation media. Omitting it may prevent devices from starting from that media and can cause error code 0xc0430001. Use the Update WinPE script (recommended) or manually copy boot.stl from Windows\Boot\EFI on a device to the corresponding folder on the installation media.
  • For offline OS image servicing: if the image does not include the July 25, 2023 (KB5028244) or later LCU, install the standalone October 13, 2023 SSU (KB5031539) before applying this update.

The update is available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.

Frequently asked questions

Does this update apply to Windows 10 Home or Pro editions?

No. According to Microsoft, this update applies specifically to Windows 10 ESU, Windows 10 Enterprise LTSC 2021, and Windows 10 IoT Enterprise LTSC 2021. Administrators managing these editions should plan deployment accordingly and use the appropriate enablement package for their target version.

How should IT departments handle the BitLocker known issue before rolling out this update?

Microsoft recommends that enterprises audit their BitLocker Group Policies for explicit PCR7 inclusion and verify PCR7 binding status via msinfo32.exe before deployment. If devices meet all the affected conditions, the recommended path is to set the TPM platform validation policy to "Not Configured" and cycle BitLocker protectors before installing the update.

What is the impact of the desktop.ini security hardening change?

The change affects how Windows processes desktop.ini files for content from downloaded or remote locations. Custom folder icons and localized folder names may stop appearing in those locations. Importantly, folder access is not affected - only the visual customization is impacted. Microsoft links to a dedicated support article for further details.

Is the new LimitSecureBootRequiredServiceData policy mandatory?

No. The new Group Policy setting is optional. When enabled, it suppresses the Secure Boot service data event that Windows would normally send to Microsoft. It is also included in the Windows Restricted Traffic Limited Functionality Baseline package, making it relevant for environments that restrict operating system telemetry and outbound connections to Microsoft services.
