
Microsoft Bolsters Windows 10 with Extended Security Update


"The update also includes fixes released as part of today's June 2026 Patch Tuesday, which addressed 200 vulnerabilities, including three publicly disclosed zero-day flaws."

What KB5094127 delivers and how to get it

Microsoft has published the Windows 10 KB5094127 extended security update for systems still on the Windows 10 servicing path covered by Enterprise LTSC or the Extended Security Updates (ESU) program. After installation, Windows 10 will be updated to build 19045.7417; Windows 10 Enterprise LTSC 2021 will be updated to build 19044.7417. If you are running Windows 10 Enterprise LTSC or are enrolled in the ESU program, you can install this update by opening Settings > Windows Update and performing a manual 'Check for Updates.'

Microsoft notes it is no longer releasing new features for Windows 10; KB5094127 is primarily a security and reliability rollup that also bundles the fixes from the June 2026 Patch Tuesday release.

June 2026 Patch Tuesday: scope of fixes in KB5094127

The update incorporates the June 2026 Patch Tuesday fixes, which Microsoft says addressed 200 vulnerabilities, including three publicly disclosed zero-day flaws. The KB contains the full set of security updates and additional bug fixes packaged for eligible Windows 10 installations.

File Explorer and other quality fixes

Among the non-security fixes included in KB5094127, Microsoft lists improvements to File Explorer search. The update improves support for Chinese text and for UTF-8–encoded files without a byte order mark (BOM), and it aims to make text display more clearly and consistently across search results, Content view, and tooltips.

Secure Boot changes: reporting, policy, and a phased certificate rollout

KB5094127 introduces several changes tied to Secure Boot. First, the update enables dynamic status reporting for Secure Boot states in the Windows Security app, so systems will surface those states to local security tooling. Second, Microsoft adds a new Group Policy setting named LimitSecureBootRequiredServiceData under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, the policy causes Windows to limit the Secure Boot service data it sends by suppressing the event normally transmitted to Microsoft. The policy is included in the Windows Restricted Traffic Limited Functionality Baseline package; Microsoft points administrators to the guidance page titled "Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services" for more information.

Finally, Microsoft says Windows quality updates will now include additional "high confidence device targeting data," widening coverage of devices eligible to automatically receive new Secure Boot certificates. Devices, however, will only receive the new certificates after demonstrating sufficient successful update signals — a controlled and phased rollout designed to reduce risk when replacing certificates that are expiring this month.

BitLocker recovery prompts: the known issue and a temporary workaround

Microsoft warns of a known issue that can cause BitLocker recovery prompts on some systems after installing recent updates. According to the advisory, the problem primarily affects devices configured with a specific BitLocker Group Policy that explicitly includes PCR7 in the TPM validation profile, together with certain Secure Boot and Windows Boot Manager configurations related to the newer Windows UEFI CA 2023 certificate.

As a temporary workaround while Microsoft develops a permanent fix, administrators are advised to remove the Group Policy setting that explicitly includes PCR7, then suspend and resume BitLocker so the system regenerates the default PCR bindings. Microsoft is working on an official resolution.

How technologists, enterprises, and end users should act

  • Technologists and security teams: Apply KB5094127 on eligible Windows 10 Enterprise LTSC and ESU-enrolled systems using Windows Update's manual check, and verify systems report the expected build numbers (19045.7417 or 19044.7417). Monitor Secure Boot state reporting in the Windows Security app and, if you manage Group Policy, review the new LimitSecureBootRequiredServiceData setting and the Windows Restricted Traffic Limited Functionality Baseline package referenced by Microsoft.
  • Enterprises and procurement leaders: Note that Microsoft packaged June Patch Tuesday fixes (200 vulnerabilities, three publicly disclosed zero-days) into this extended update for eligible devices. Plan staged deployments that track the certificate rollout signals Microsoft described, and be prepared to apply the temporary BitLocker policy workaround for impacted device groups while awaiting a permanent fix.
  • End users on managed systems: If your device is managed under Enterprise LTSC or ESU, expect administrators to install the update; if you encounter BitLocker recovery prompts after recent updates, report the issue to your IT team so they can evaluate the Group Policy workaround described by Microsoft.
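A per-device check for the validation steps above, written as an added example (not code from Microsoft or from the article): it compares the installed build with the two build numbers quoted here, reports the Secure Boot state, and shows the PCR validation profile currently bound to the OS volume. The function names are hypothetical, the script assumes an elevated session and English-language `manage-bde` output, and `Reset-BitLockerPcrBinding` is defined but not called.

```powershell
# Added example: post-install validation for KB5094127 on a single device.
# Run from an elevated PowerShell session.

# Build numbers the article gives for a successful install.
$ExpectedBuilds = @('19045.7417', '19044.7417')

function Get-WindowsBuildString {
    # CurrentBuild plus UBR (update build revision) form e.g. "19045.7417".
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false and throws on non-UEFI systems.
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'Unsupported or not readable' }
}

function Get-PcrProfileText {
    param([string]$MountPoint = $env:SystemDrive)
    # Assumption: English manage-bde output. Keeps the label line and the
    # two lines after it, where the bound PCR indexes are listed.
    $hit = manage-bde -protectors -get $MountPoint |
        Select-String -Pattern 'PCR Validation Profile' -Context 0, 2 |
        Select-Object -First 1
    if (-not $hit) { return 'No TPM protector found' }
    (@($hit.Line) + $hit.Context.PostContext | ForEach-Object { $_.Trim() }) -join ' '
}

function Reset-BitLockerPcrBinding {
    param([string]$MountPoint = $env:SystemDrive)
    # Workaround step from the article: suspend, then resume, so the TPM
    # protector is re-sealed. Run only after the Group Policy setting that
    # explicitly includes PCR7 has been removed and policy has refreshed.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
}

# One report object per device, suitable for Export-Csv or remote collection.
$build = Get-WindowsBuildString
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Build         = $build
    BuildExpected = $ExpectedBuilds -contains $build
    SecureBoot    = Get-SecureBootState
    PcrProfile    = Get-PcrProfileText
}
```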

Microsoft's KB5094127 ties together the June 2026 security rollup with targeted Secure Boot controls and a short-term mitigation for BitLocker interruptions. Organizations that still run eligible Windows 10 editions should install and validate the update, watch the phased Secure Boot certificate rollout, and follow the documented BitLocker workaround where applicable while waiting for Microsoft's permanent remediation.

Source: BleepingComputer — Microsoft releases Windows 10 KB5094127 extended security update