VYPR
patch · Published Jun 9, 2026 · 1 source

Microsoft Releases Windows 10 KB5094127 with Secure Boot Certificate Updates and Bug Fixes

Microsoft has issued the KB5094127 update for Windows 10, addressing June 2026 Patch Tuesday vulnerabilities and introducing new features for managing expiring Secure Boot certificates.

Microsoft has released the Windows 10 KB5094127 extended security update, a cumulative patch that addresses vulnerabilities patched during the June 2026 Patch Tuesday cycle. This update is particularly crucial for users enrolled in the Extended Security Updates (ESU) program or running Windows 10 Enterprise LTSC, as it ensures continued security for these specific editions.

For eligible users, the update can be installed through the standard Windows Update mechanism by navigating to Settings and manually checking for updates. Upon successful installation, Windows 10 will be updated to build 19045.7417, while Windows 10 Enterprise LTSC 2021 will reach build 19044.7417.

While Microsoft is no longer introducing new features to Windows 10, KB5094127 focuses on essential security updates and bug fixes. A significant component of this release is the inclusion of fixes from the June 2026 Patch Tuesday, which tackled a total of 200 vulnerabilities, including three that were publicly disclosed as zero-day flaws.

Beyond the general security patches, KB5094127 introduces notable enhancements related to Secure Boot certificates. These updates are critical as existing certificates are set to expire this month. The update enables dynamic status reporting for Secure Boot states within the Windows Security App, providing users with better visibility into their system's security posture.

Furthermore, a new policy setting, LimitSecureBootRequiredServiceData, has been added under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, this policy limits the Secure Boot service data sent to Microsoft by suppressing specific events, contributing to a more controlled data flow. This policy aligns with the Windows Restricted Traffic Limited Functionality Baseline package.

Microsoft is also implementing a phased rollout for new Secure Boot certificates. Windows quality updates now include enhanced device targeting data, ensuring that devices eligible for the new certificates are identified more effectively. Devices will only receive these updated certificates after demonstrating successful update signals, maintaining a controlled and stable deployment process.

However, the update also comes with a warning about a known issue that may trigger BitLocker recovery prompts on certain Windows systems. This problem primarily affects devices configured with a specific BitLocker Group Policy that includes PCR7 in the TPM validation profile, especially when combined with certain Secure Boot and Windows Boot Manager configurations related to newer Windows UEFI CA 2023 certificates.

As a temporary workaround for the BitLocker issue, Microsoft advises users to remove the problematic Group Policy setting and then suspend and resume BitLocker. This action will regenerate the default PCR bindings, mitigating the recovery prompt until Microsoft releases a permanent fix. The company is actively working on resolving this known issue.
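The suspend-and-resume step of the workaround, with a build check and a before/after readout of the PCR binding, can be scripted as below. This is an added example, not Microsoft's script and not part of the original article; it assumes the Group Policy setting has already been removed, that the OS volume is the affected one, and that `manage-bde` prints English labels.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm the KB5094127 build, then suspend and resume BitLocker
# so the TPM protector is re-sealed after the PCR7 policy setting was removed.
$expectedUbr = 7417               # update revision stated in the article
$drive       = $env:SystemDrive   # assumption: the OS volume is the protected one

function Get-TpmPcrProfile {
    param([string]$MountPoint)
    # manage-bde lists the PCR indices on the line after "PCR Validation Profile:".
    # English output is assumed; localized systems use different labels.
    $lines = @(manage-bde -protectors -get $MountPoint)
    $hit   = $lines | Select-String -Pattern 'PCR Validation Profile' | Select-Object -First 1
    if (-not $hit) { return @() }
    # LineNumber is 1-based, so it indexes the following line in the 0-based array.
    $text = ($hit.Line -replace '.*:', '') + ' ' + $lines[$hit.LineNumber]
    return @([regex]::Matches($text, '\d+') | ForEach-Object { [int]$_.Value })
}

# 1. Is the update (or a later one) installed?
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"Build: $($cv.CurrentBuild).$($cv.UBR)"
if (($cv.CurrentBuild -notin '19045', '19044') -or ($cv.UBR -lt $expectedUbr)) {
    Write-Warning 'KB5094127 (or a later update) does not appear to be installed.'
}

# 2. Record the current binding and Secure Boot state for the change log.
$before = Get-TpmPcrProfile $drive
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
"PCR profile before:  $($before -join ', ')"

# 3. Refresh policy so the removed setting is no longer applied, then re-seal.
gpupdate /target:computer /force | Out-Null
Suspend-BitLocker -MountPoint $drive -RebootCount 0 | Out-Null
Resume-BitLocker  -MountPoint $drive | Out-Null

# 4. Verify protection is back on and show the regenerated binding.
$after  = Get-TpmPcrProfile $drive
$status = (Get-BitLockerVolume -MountPoint $drive).ProtectionStatus
"PCR profile after:   $($after -join ', ')"
if ($status -ne 'On') {
    Write-Warning "Protection status is '$status'; BitLocker did not resume."
}
```

Run it from an elevated session and make sure the volume's recovery password is escrowed first, since a recovery prompt is exactly the failure this issue produces.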

Synthesized by Vypr AI