Windows 10 KB5094127 Adds File Explorer and Secure Boot Changes
Windows 10 KB5094127 lists OS Builds 19045.7417 and 19044.7417 with File Explorer search fixes, Secure Boot status reporting and offline packages.
Windows 10 KB5094127 is Microsoft’s June 9, 2026 cumulative security update for Windows 10 ESU and Windows 10 LTSC systems. Microsoft’s page lists OS Builds 19045.7417 and 19044.7417, and the release notes put two visible changes beside the security fixes: File Explorer search improvements and Secure Boot certificate status reporting.
For offline installation, Microsoft points users to the standalone package route through the catalog, while Windows Update and Windows Update for Business get the automatic path. The useful question is simple: which PCs are covered, what changes, and when should an administrator pause before pushing the patch?
Who Gets Windows 10 KB5094127
Microsoft’s KB5094127 release notes and build list say the update applies to Windows 10 ESU, Windows 10 Enterprise LTSC 2021 and Windows 10 IoT Enterprise LTSC 2021. The same page describes it as a cumulative security update that includes security issues and quality improvements.
The target list is narrow. Microsoft says Windows 10 version 22H2 support ended on October 14, 2025, and the ESU program is the route for PCs that keep receiving critical and important security updates after that date.
Microsoft’s Windows 10 ESU program rules also say ESUs do not include new features, customer-requested nonsecurity updates or design change requests. KB5094127 still carries a File Explorer change, but Microsoft places it inside a security update for enrolled or LTSC systems.

File Explorer Search Gets a Text Fix
The File Explorer entry has two parts. Microsoft says File Explorer search now supports Chinese text and UTF-8 encoded files without a byte order mark. It also says text displays more clearly and consistently across search results, Content view and tooltips.
There is no new File Explorer control named in the release notes. The change is scoped to search behavior and text display, which makes it a small daily-use fix inside a security package.
For the newer OS, our related read on Windows 11 performance work tracks a separate File Explorer thread on Windows 11. KB5094127 is the Windows 10 side of the month, and its File Explorer line is shorter.
Secure Boot Work Moves into View
The Secure Boot section is more operational. Microsoft says the update enables dynamic status reporting for Secure Boot states in the Windows Security app.
KB5094127 also adds a policy setting named LimitSecureBootRequiredServiceData under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When that setting is enabled, Microsoft says Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft.
The same release notes say Windows quality updates include additional high confidence device targeting data with this update. Microsoft says that increases coverage of devices eligible to automatically receive new Secure Boot certificates, and that devices receive the new certificates only after sufficient successful update signals.
Microsoft’s Secure Boot certificate expiration table gives the larger context. The older certificates were originally issued in 2011, and Microsoft says devices without the newer 2023 certificates will continue to start and receive standard Windows updates, but will no longer receive new security protections for the early boot process.
- Fully updated: the device has received all required Secure Boot certificate updates and the updated Boot Manager has been installed.
- Not yet updated: the device is still using an older Secure Boot certificate, and Microsoft says the update is expected to be applied automatically through Windows Update.
- Requires action: Microsoft says a boot security update cannot be delivered to the device’s current boot configuration, and the badge changes to a red stop icon.
The status route is Windows Security > Device security > Secure Boot. Microsoft explains the badge text and warnings in its Secure Boot status badge meanings.
Offline Installers Are a Catalog Job
Microsoft says KB5094127 will be downloaded and installed automatically from Windows Update. Windows Update for Business also gets it automatically according to configured policies.
For manual installation, Microsoft says the standalone package is available from standalone packages for KB5094127. The catalog page lists the Windows 10 Version 22H2 packages by architecture, product and size.
| Package | Product | Last Updated | Size |
|---|---|---|---|
| 2026-06 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems (KB5094127) | Windows 10, version 1903 and later | 6/9/2026 | 873.0 MB |
| 2026-06 Cumulative Update for Windows 10 Version 22H2 for x86-based Systems (KB5094127) | Windows 10, version 1903 and later | 6/9/2026 | 533.5 MB |
| 2026-06 Cumulative Update for Windows 10 Version 22H2 for ARM64-based Systems (KB5094127) | Windows 10, version 1903 and later | 6/9/2026 | 805.7 MB |
Pick the row that matches the device architecture. Microsoft also lists Windows Server Update Services availability for the update, with Windows 10 version 22H2 under product Windows 10, version 1903 and later, and classification Security Updates.
The BitLocker Risk Has a Specific Shape
Microsoft names one known issue for this update. Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing KB5094127.
The affected set is limited. Microsoft says the issue only affects systems where BitLocker is enabled on the OS drive, PCR7 is included in the TPM validation profile, System Information reports Secure Boot State PCR7 Binding as Not Possible, the Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database, and the device is not already running the 2023-signed Windows Boot Manager.
Microsoft says those conditions are unlikely on personal devices not managed by IT departments. In the scenario Microsoft describes, the BitLocker recovery key needs to be entered once, and later restarts will not trigger a recovery screen as long as the group policy configuration remains unchanged.
Microsoft says it is working on a resolution. Its temporary workaround is a sequence for affected devices:
- Open Group Policy Editor or the Group Policy Management Console.
- Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- Set `Configure TPM platform validation profile for native UEFI firmware configurations` to `Not Configured`.
- Run `gpupdate /force` on affected devices.
- Suspend BitLocker with `manage-bde -protectors -disable C:`, then resume it with `manage-bde -protectors -enable C:`.
Microsoft says that final step updates the BitLocker bindings to use the default PCR profile selected by Windows.
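To decide which devices need that workaround before the first restart, the five conditions Microsoft lists can be checked per device. The PowerShell below is an added example, not Microsoft's or this article's code: the function and parameter names are hypothetical, English `manage-bde` output is assumed, and the two conditions it cannot read directly are passed in by the operator and default to the worst case.

```powershell
# Added example: triage for the KB5094127 BitLocker known issue. Run elevated.
function Test-Kb5094127RecoveryRisk {   # hypothetical name
    param(
        # From System Information: "Secure Boot State PCR7 Binding" is "Not Possible".
        [bool]$Pcr7BindingNotPossible = $true,
        # Set to $true once the 2023-signed Windows Boot Manager is confirmed.
        [bool]$BootManagerIs2023Signed = $false
    )
    $drive = $env:SystemDrive

    # Condition: BitLocker protection is on for the OS drive.
    $bitLockerOn = (Get-BitLockerVolume -MountPoint $drive).ProtectionStatus -eq 'On'

    # Condition: PCR7 is in the TPM validation profile. Assumes the PCR list
    # sits on the "PCR Validation Profile" line or the line right after it.
    $text = @(manage-bde -protectors -get $drive)
    $hit  = $text | Select-String 'PCR Validation Profile' | Select-Object -First 1
    $pcrs = @()
    if ($hit) {
        $span = $text[($hit.LineNumber - 1)..($hit.LineNumber)] -join ' '
        $pcrs = [regex]::Matches($span, '\b\d+\b') | ForEach-Object { $_.Value }
    }
    $pcr7InProfile = $pcrs -contains '7'

    # Condition: Windows UEFI CA 2023 is in the Secure Boot signature database.
    # Plain-text search for the certificate name in the raw db bytes.
    $caInDb = $false
    try {
        $db = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
        $caInDb = [Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
    } catch { Write-Warning "Secure Boot db not readable: $_" }

    $checks = [ordered]@{
        BitLockerOnOsDrive      = $bitLockerOn
        Pcr7InValidationProfile = $pcr7InProfile
        Pcr7BindingNotPossible  = $Pcr7BindingNotPossible
        UefiCa2023InDb          = $caInDb
        BootManagerNot2023      = -not $BootManagerIs2023Signed
    }
    # All five must hold for the device to match Microsoft's description.
    $checks.MatchesKnownIssue = -not (@($checks.Values) -contains $false)
    [pscustomobject]$checks
}

Test-Kb5094127RecoveryRisk | Format-List
```

A device where any automated check returns `False` falls outside the set Microsoft describes; where all return `True`, confirm the two manual conditions and have the recovery key available before the restart.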
Certificate Dates Sit Behind the Patch
Secure Boot is a UEFI firmware feature that verifies trusted software during a device’s boot sequence. Microsoft says the original Secure Boot certificates are nearing expiration and that devices are affected if they have any of the listed certificate versions.
The date list is specific:
- June 24, 2026: Microsoft Corporation KEK CA 2011 expires, with Microsoft Corporation KEK 2K CA 2023 as the new certificate.
- October 19, 2026: Microsoft Windows Production PCA 2011 expires, with Windows UEFI CA 2023 as the new certificate.
- June 27, 2026: Microsoft UEFI CA 2011 expires for third-party boot loaders and EFI applications, with Microsoft UEFI CA 2023 as the new certificate.
- June 27, 2026: Microsoft UEFI CA 2011 expires for third-party option ROMs, with Microsoft Option ROM UEFI CA 2023 as the new certificate.
Microsoft says most Windows devices will receive the updated certificates automatically, and many OEMs provide firmware updates when needed. That is the same certificate work KB5094127 now surfaces through Windows Security reporting.
Before You Install, Check the Servicing Stack
KB5094127 includes Windows 10 servicing stack update KB5094145, version 19041.7402. Microsoft says the latest servicing stack update must be installed, and that Windows updates might not be offered until the latest SSU is present.
For deployment work, Microsoft gives an extra warning. If administrators deploy dynamic updates to an existing Windows image, the boot.stl file must be included as part of the installation media. Microsoft says failure to include that file may prevent devices from starting from the installation media and can result in error code 0xc0430001.
Microsoft also lists prerequisites for older deployment paths. For offline OS image servicing, an image without the July 25, 2023 KB5028244 or later LCU must get the October 13, 2023 KB5031539 SSU before KB5094127. For WSUS deployment or a standalone package from the catalog, devices without the May 11, 2021 KB5003173 or later LCU must get the August 10, 2021 KB5005260 SSU first.
Frequently Asked Questions
Is Windows 10 KB5094127 available for offline installation?
Yes. Microsoft says the standalone package is available through the catalog, and the catalog lists Windows 10 Version 22H2 packages for x64, x86 and ARM64 systems.
What changes in File Explorer?
KB5094127 improves File Explorer search, including support for Chinese text and UTF-8 encoded files without a byte order mark. Microsoft also says text displays more consistently in search results, Content view and tooltips.
Why does KB5094127 mention Secure Boot?
The update adds Secure Boot status reporting in Windows Security and additional targeting data for the Secure Boot certificate rollout. Microsoft says older Secure Boot certificates begin expiring in June 2026.
Should I worry about BitLocker recovery after installing it?
Microsoft says the BitLocker recovery prompt issue affects a limited number of systems with a specific unrecommended Group Policy and Secure Boot configuration. It says those conditions are unlikely on personal devices not managed by IT departments.
