Microsoft released KB5094127 on June 9, 2026 as part of its monthly Patch Tuesday cycle, delivering the latest cumulative security update for Windows 10 systems enrolled in the Extended Security Updates (ESU) program. The update is also available for Windows 10 Enterprise LTSC editions. Standard Windows 10 mainstream support concluded in October 2025, and this update represents the continued paid-maintenance bridge Microsoft provides to organizations and consumers who have not yet migrated to Windows 11.

After installing KB5094127, Windows 10 version 22H2 devices will be upgraded to build 19045.7417, while Windows 10 Enterprise LTSC 2021 devices will be upgraded to build 19044.7417. The update is mandatory for ESU-enrolled devices and will download and install automatically through Windows Update unless updates have been manually paused or blocked via Group Policy.

What’s new in KB5094127

Because Windows 10 has passed its mainstream lifecycle, Microsoft no longer ships new features with these updates. KB5094127 focuses on security patches and targeted functional improvements:

  • File Explorer search improvements
    Search in File Explorer has been updated with better support for Chinese text and UTF-8-encoded files that lack a byte order mark (BOM). Text in search results, content view, and tooltips is now rendered more clearly and consistently. In testing, searches are processed more quickly regardless of the system’s default language setting.
  • Secure Boot certificate rollout
    Microsoft is using the June 2026 update to push renewed Secure Boot certificates to more Windows 10 PCs. This is time-sensitive: the existing 2011 Secure Boot certificates begin expiring on June 24, 2026. Devices with compatible BIOS/UEFI firmware will receive updated certificates automatically. A new enterprise Group Policy, LimitSecureBootRequiredServiceData (under Computer Configuration › Administrative Templates › Windows Components › Secure Boot), gives administrators greater control over how certificates are distributed across managed fleets.
  • Secure Boot status reporting in Windows Security
    The Windows Security app now displays a Secure Boot certificate status indicator under Device Security. This makes it easier for users and IT administrators to identify whether certificates on a given machine are current, need attention, or are unsupported.
  • Security patches — ~200 vulnerabilities including 3 zero-days
    As part of the June 2026 Patch Tuesday rollup, this update includes fixes for approximately 200 vulnerabilities across Microsoft products, including three publicly disclosed zero-day flaws. This is the most substantive aspect of the update from a security standpoint.

How to check your Secure Boot certificate status

With the June 24 certificate expiry approaching, Microsoft recommends verifying Secure Boot status on your device. Open the Windows Security app, navigate to Device Security, and scroll to the Secure Boot section. The status indicator shows one of three states:

Green — certificates up to date. Your device received the renewed certificate. No action required.
Yellow — certificate not updated, action needed. Your device’s BIOS/UEFI firmware may be outdated. Contact your PC manufacturer (OEM) for a firmware update that supports the renewed certificates.
Red — bootloader updates no longer supported. Your device cannot receive further Secure Boot certificate updates due to hardware or firmware limitations.

Known issues

⚠ BitLocker recovery screen (enterprise only)
In certain enterprise environments where the “TPM Platform Authentication Profile for Native UEFI Firmware Configuration” Group Policy is enabled — a non-default setting — users may encounter a BitLocker recovery key prompt at login after installing this update. This policy is not enabled in standard consumer environments or default enterprise configurations, so the vast majority of users are unaffected. Microsoft has documented this as a known ongoing issue. If affected, verify Group Policy settings or consult Microsoft’s support documentation.

Microsoft reports no new issues introduced by KB5094127 beyond the pre-existing BitLocker edge case above.

How to install KB5094127

For most users, the update will be delivered and installed automatically. For manual installation or troubleshooting:

  1. Open Settings, go to Update & Security, then click Windows Update and select “Check for updates.”
  2. If the update does not appear, confirm your device is enrolled in the ESU program — computers not enrolled will not see KB5094127.
  3. If Windows Update fails, download the offline installer (.msu package) directly from the Microsoft Update Catalog and run it manually.
  4. Allow approximately 5 minutes to download and 1–2 minutes to install, followed by a restart.

Windows 10 end-of-life: what you need to know

Lifecycle alert
Windows 10 Extended Security Updates for consumers end on October 13, 2026 — approximately four months from now. Microsoft has confirmed this date is final and cannot be extended for non-enterprise customers. After that date, Windows 10 devices will no longer receive security updates of any kind. Enterprise customers can purchase continued coverage through a paid ESU license beyond October 2026. For all other users, upgrading to Windows 11 is the only path to continued security support.

KB5094127 reflects the current state of Windows 10 development: targeted security maintenance and narrow functional improvements, with no new shell features or broader platform investment. Microsoft’s engineering effort is now directed at Windows 11, and Windows 10 updates exist to keep operationally critical machines secure through the end of the extended lifecycle — not to evolve the platform.

Users still on Windows 10 should use the remaining months before October 2026 to assess hardware eligibility for Windows 11 and plan their upgrade accordingly.