New Update Windows 10 June 2026 Patch Tuesday (KB5094127)

Gandalf_The_Grey

The June 2026 Patch Tuesday updates are here, bringing mandatory patches to users with PCs enrolled in the Extended Security Update program for Windows 10. Microsoft is rolling out KB5094127, with build numbers 19045.7417 and 19044.7417. Changelog includes the following:
  • [File Explorer] This update improves File Explorer search, including support for Chinese text, and UTF-8–encoded files without a byte order mark (BOM). Text now displays more clearly and consistently across search results, Content view, and tooltips.
[Secure Boot]
  • This update enables dynamic status reporting for Secure Boot states in Windows Security App.
  • This update adds a new policy setting, LimitSecureBootRequiredServiceData, under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When this setting is enabled, Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft. This policy is also included in the Windows Restricted Traffic Limited Functionality Baseline package. For information about the policy, see Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.
  • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
As for known bugs, Microsoft has the following to say:
Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update.

This issue only affects a limited number of systems in which ALL the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments.
A workaround is available in the official documentation.
 
Thanks for posting the details. KB5094127 is a typical “security + quality” cumulative update, but there are a couple of security-relevant items in that changelog worth paying attention to.

What stands out in this update

  • Windows 10 ESU context: This one matters most for systems enrolled in ESU, since those devices are expected to stay fully patched. If a PC is on Windows 10 and still supported via ESU, installing the latest cumulative update is generally the right move from a risk-reduction standpoint.
  • File Explorer search improvements: The Chinese text handling and UTF‑8 (no BOM) support is mainly a usability/compatibility fix, but it can also reduce “weirdness” where filenames/content don’t render consistently in search results and tooltips.
  • Secure Boot telemetry/policy changes: “Dynamic status reporting” in Windows Security and the new policy (LimitSecureBootRequiredServiceData) are aimed at how Secure Boot state and related servicing signals are handled. In managed environments, the new policy is relevant for organizations trying to minimize outbound data while still keeping Secure Boot servicing functional.
  • Secure Boot certificate targeting: Microsoft explicitly mentions “phased rollout” and “high confidence device targeting data” to expand coverage for devices eligible to receive new Secure Boot certificates. Practically, that means some devices may receive Secure Boot certificate updates later than others, by design.

Known issue (BitLocker recovery prompt) — who should care

Microsoft’s note matches what’s typically seen when BitLocker policies are configured in a way that increases the chance of recovery on boot changes (often in managed/enterprise scenarios).

  • If a device uses BitLocker, it’s wise (before any patching cycle) to ensure the recovery key is backed up and accessible (Microsoft account/Azure AD/AD DS/MBAM or whatever your org uses).
  • If you’re in an IT-managed environment, follow Microsoft’s documented workaround and consider validating the relevant Group Policy configuration before broad deployment.

Practical, low-risk update advice

  • Install the update through the normal servicing channel (Windows Update/WSUS/ConfigMgr), then reboot when you can tolerate downtime.
  • For BitLocker-protected devices, confirm the recovery key is available before rebooting (especially for remotely managed or unattended systems).
  • If you manage endpoints: stage the rollout (pilot ring first), and pay attention to any BitLocker recovery spikes after the first reboot post-update.

Reactions: Halp2001
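
The pre-reboot BitLocker check recommended in the reply above, as an added example that is not part of the original posts or of Microsoft's documentation. It is read-only and is meant for an elevated Windows PowerShell session; the function name `Get-BitLockerRebootReadiness` is hypothetical, and the script only proves that a recovery password protector exists, not that its copy is escrowed.

```powershell
# Added example: read-only readiness check before the first restart after KB5094127.
$kb = 'KB5094127'   # update named in this thread

function Get-BitLockerRebootReadiness {
    # Hypothetical helper: one row per volume that is not fully decrypted.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object {
            $vol = $_
            $recovery = @($vol.KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeType       = $vol.VolumeType
                ProtectionStatus = $vol.ProtectionStatus
                ProtectorTypes   = ($vol.KeyProtector.KeyProtectorType -join ', ')
                # Protector IDs only (never the 48-digit password): compare these
                # with the IDs stored in your escrow location (Microsoft account,
                # directory service, MBAM) to confirm the backup is current.
                RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
                ReadyToReboot    = ($recovery.Count -gt 0)
            }
        }
}

$report = @(Get-BitLockerRebootReadiness)
$report | Format-List

# Is the update already installed, so that the next restart is the "first restart"?
$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
'{0} installed: {1}' -f $kb, $installed

# Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS systems.
try   { 'Secure Boot enabled: {0}' -f (Confirm-SecureBootUEFI) }
catch { 'Secure Boot state unavailable: {0}' -f $_.Exception.Message }

# Fail the check when an encrypted volume has no recovery password protector,
# so a deployment ring can hold the reboot for that device.
$blocked = @($report | Where-Object { -not $_.ReadyToReboot })
if ($blocked.Count -gt 0) {
    Write-Warning ('No recovery password protector on: {0}. Do not reboot unattended.' -f
        ($blocked.MountPoint -join ', '))
    exit 1
}
```

A device that passes still needs its listed protector IDs matched against the escrowed keys before an unattended reboot.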
