Microsoft has unveiled the Windows 10 KB5094127 extended security update, addressing vulnerabilities identified during the June 2026 Patch Tuesday while introducing enhanced capabilities to monitor the rollout of updated Secure Boot certificates, which are set to replace those expiring this month.
For users operating on Windows 10 Enterprise LTSC or those enrolled in the ESU program, the installation process remains straightforward. Simply navigate to Settings, select Windows Update, and perform a manual ‘Check for Updates.’
Source: BleepingComputer
Upon successful installation, Windows 10 will be upgraded to build 19045.7417, while Windows 10 Enterprise LTSC 2021 will transition to build 19044.7417.
What’s new in Windows 10 KB5094127
As Microsoft shifts its focus away from introducing new features for Windows 10, the KB5094127 update primarily emphasizes security enhancements and bug fixes. This update encompasses resolutions for vulnerabilities disclosed during the June 2026 Patch Tuesday, addressing a total of 200 vulnerabilities, including three zero-day flaws that had been publicly revealed.
The highlights of the KB5094127 update are as follows:
- [File Explorer] Enhancements to File Explorer search functionality now include support for Chinese text and UTF-8 encoded files without a byte order mark (BOM). The update ensures that text displays more clearly and consistently across search results, content views, and tooltips.
- [Secure Boot]
- This update introduces dynamic status reporting for Secure Boot states within the Windows Security App.
- A new policy setting, LimitSecureBootRequiredServiceData, has been added under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When activated, this setting restricts the Secure Boot service data sent to Microsoft by suppressing the usual event notifications. This policy is also part of the Windows Restricted Traffic Limited Functionality Baseline package. For more details, refer to Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.
- The update enhances Windows quality updates with additional high-confidence device targeting data, thereby improving the coverage of devices eligible for automatic receipt of new Secure Boot certificates. Devices will only obtain the new certificates after demonstrating sufficient successful update signals, ensuring a controlled and phased rollout.
However, Microsoft has issued a caution regarding a known issue that may prompt BitLocker recovery notifications on certain Windows systems following the installation of recent updates. This issue predominantly impacts devices configured with a specific BitLocker Group Policy that explicitly includes PCR7 in the TPM validation profile, along with certain Secure Boot and Windows Boot Manager configurations related to the newer Windows UEFI CA 2023 certificate.
As a temporary measure, Microsoft recommends removing the Group Policy setting, followed by suspending and resuming BitLocker to regenerate the default PCR bindings, while the company works towards a permanent resolution.