Microsoft rolled out the June 2026 Patch Tuesday cumulative update for Windows 10 22H2 systems covered by the Extended Security Updates (ESU) program. Labeled KB5094127, the update pushes eligible machines to OS build 19045.7417 and introduces critical Secure Boot mitigations alongside the usual bundle of security patches. Only devices with an active ESU license will receive this update through standard channels.

This release lands at a pivotal moment. Mainstream support for Windows 10 ended in October 2025, and the ESU program is the sole lifeline for organizations that haven’t completed their migration to Windows 11. The June 2026 update underscores Microsoft’s commitment to maintaining the security posture of these legacy systems, even as Windows 10 fades into extended support.

What Is KB5094127 and Why It Matters

KB5094127 is the monthly “B” release—the security update that Microsoft ships on the second Tuesday of each month. It supersedes the May 2026 ESU update (KB5087891) and includes all previous quality improvements. The headline change is a set of Secure Boot enhancements designed to block exploits that could bypass firmware integrity checks.

Secure Boot, a Unified Extensible Firmware Interface (UEFI) feature, ensures that a device boots using only software trusted by the PC manufacturer. Over the past two years, Microsoft has aggressively patched Secure Boot to close loopholes exploited by bootkits like BlackLotus. The company’s two-phase revocation plan—initially laid out in 2023—continues to unfold, and KB5094127 likely adds new boot manager revocations or strengthens the Windows kernel’s interaction with UEFI.

While Microsoft hasn’t disclosed all CVEs at the time of writing, the update addresses a total of 49 security vulnerabilities. Among them are two zero-day flaws actively exploited in the wild: CVE-2026-21927 (a Windows Hyper-V escape bug) and CVE-2026-21932 (a Windows Themes remote code execution vulnerability). Both are rated Critical and affect all supported Windows versions, making this month’s patching particularly urgent.

Extended Security Updates: A Quick Refresher

For businesses and government agencies, the ESU program is an expensive but necessary bridge. It allows organizations to receive security updates for Windows 10 after the end-of-support date. Licensing is sold in annual installments, with the first year (October 2025–October 2026) costing $61 per device for commercial customers. The second year (2026–2027) price roughly doubles, and the final year (2027–2028) doubles again. Schools and educational institutions enjoy lower rates.

The ESU updates are delivered through all the usual channels—Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog—but only to machines with a valid ESU key installed. Administrators must purchase the key and activate it via volume licensing or through the Microsoft 365 admin center. Without this key, Windows Update will not offer KB5094127 or any subsequent ESU updates.

Critically, the ESU program does not extend the end date of Windows 10. Once October 2028 arrives, even ESU updates will stop, and the operating system will receive no further patches regardless of licensing. Microsoft strongly recommends migration to Windows 11, which brings hardware-enforced security features like TPM 2.0 and HVCI.

How to Install KB5094127

If your device is enrolled in ESU, you’ll see the update offered automatically via Windows Update. You can also manually trigger the installation:

  1. Open Settings > Update & Security > Windows Update.
  2. Click Check for updates.
  3. If KB5094127 appears, click Download and install.

For offline deployment, head to the Microsoft Update Catalog and download the .msu file appropriate for your system architecture (x64, ARM64, or x86). IT admins can import the update into WSUS or use Microsoft Endpoint Configuration Manager for broader rollout.

After installation, a restart is required. The update size is about 650 MB for 64-bit systems, and install time typically ranges from 10 to 25 minutes on modern hardware. Once rebooted, the OS build number will reflect 19045.7417 (verifiable by running winver).

Secure Boot Changes and Potential Side Effects

The Secure Boot enhancements in KB5094127 are a double-edged sword. While they strengthen protection against bootkits, they can also disrupt systems with non-standard boot configurations. When you install this update, Windows deploys updated boot manager revocations that may reject older boot loaders, custom kernel drivers, or third-party UEFI applications.

This has been a recurring pain point since the initial revocations in May 2023. Common scenarios that run into trouble include:

  • Dual-boot setups with Linux distributions that use GRUB or systemd-boot: If the Linux bootloader isn’t signed by a key trusted by the updated Secure Boot database, the system might refuse to boot into Linux.
  • Older recovery or rescue media: Windows PE (WinPE) images, disk cloning tools, or antivirus rescue disks that rely on a Microsoft boot manager from before the revocation date could become unusable.
  • Modified boot configurations: Systems that use custom boot sequences or outdated Windows boot files may trigger BitLocker recovery and demand the recovery key.

Microsoft’s official guidance is unchanged from previous revocation updates: before applying KB5094127, update all boot media to versions that incorporate the new revocations. For Windows Preinstallation Environment (WinPE), this means using the Windows ADK (Assessment and Deployment Kit) from September 2023 or later. For Linux dual-booters, ensure your distribution’s bootloader and Shim (the signed first-stage bootloader) are up to date.

If you’re hit with a BitLocker recovery prompt after the update, don’t panic. Enter your 48-digit recovery key (stored in your Microsoft account or Active Directory) and then follow Microsoft’s instructions to suspend and resume BitLocker to clear the TPM. Administrators should test the update thoroughly on a representative set of hardware before broad deployment.
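The checks discussed above (OS build after installation, Secure Boot state, and whether a BitLocker recovery password exists before the boot chain changes) can be collected in one read-only report. This is an added PowerShell example, not code from Microsoft or from this article; the function name Get-EsuUpdateReadiness is hypothetical, and the KB number and target build are the ones quoted on this page. It assumes an elevated session.

```powershell
# Added example: read-only readiness report for the KB5094127 rollout.
# Run from an elevated PowerShell session on the Windows 10 22H2 device.
function Get-EsuUpdateReadiness {   # hypothetical helper name
    param(
        [string]$KbId        = 'KB5094127',   # from the article
        [string]$TargetBuild = '19045.7417'   # from the article
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Build = CurrentBuildNumber + UBR (update build revision), as winver shows it.
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
    $patched = [version]$build -ge [version]$TargetBuild
    $hotfix  = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
    if (-not $patched) { $findings.Add("Build $build is below $TargetBuild.") }

    # Confirm-SecureBootUEFI throws on legacy BIOS or when not elevated.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $null
            $findings.Add("Secure Boot state unavailable: $($_.Exception.Message)") }

    # A boot-chain change can trigger BitLocker recovery, so a RecoveryPassword
    # protector (the 48-digit key) must exist and be escrowed before patching.
    $protection = 'Unknown'; $hasRecoveryPw = $null
    try {
        $vol           = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $protection    = [string]$vol.ProtectionStatus
        $hasRecoveryPw = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($protection -eq 'On' -and -not $hasRecoveryPw) {
            $findings.Add('BitLocker is on but no RecoveryPassword protector exists.')
        }
    } catch { $findings.Add("BitLocker state unavailable: $($_.Exception.Message)") }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Build               = $build
        AtOrAboveTarget     = $patched
        HotfixListed        = $hotfix
        SecureBootEnabled   = $secureBoot
        BitLockerProtection = $protection
        HasRecoveryPassword = $hasRecoveryPw
        Findings            = $findings.ToArray()
    }
}

Get-EsuUpdateReadiness | Format-List
```

Run it on the pilot hardware before deployment to catch devices with no recovery password, and again after the restart to confirm the build.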

Other Highlights and Quality Improvements

Beyond the Secure Boot work, KB5094127 bundles a raft of fixes and enhancements that were previously part of optional preview updates. Notable changes include:

  • Windows Defender Remote Credential Guard: A memory leak that occurred when establishing Remote Desktop sessions with Credential Guard enabled has been resolved.
  • Windows Kernel Vulnerable Driver Blocklist: The driver blocklist (SiPolicy.p7b) is updated to add more malicious driver hashes, preventing vulnerable kernel drivers from loading.
  • Time Zone Updates: Daylight saving time adjustments for Fiji and the Palestinian Authority are included.
  • Print Spooler Fixes: A long-standing issue where the Print Spooler service would sometimes crash when processing certain print jobs has been addressed.
  • Microsoft Edge WebView2: The embedded WebView2 runtime is updated to version 126.0.2592.56, bringing improved performance and security for apps that depend on it.

These improvements mirror what Windows 11 users received in their own June 2026 updates, maintaining feature parity for security-only fixes. However, remember that ESU updates are strictly security and reliability patches—no new features are backported to Windows 10.

Known Issues in KB5094127

No major update is without wrinkles. Microsoft has acknowledged the following known issues for KB5094127:

1. Secure Boot errors on certain ASUS, Dell, and Acer models
A small subset of devices with firmware from specific OEMs may fail to boot after installing the update. The screen shows “Secure Boot Violation” and the system enters a loop. Microsoft is collaborating with vendors to release firmware updates. In the meantime, affected users can temporarily disable Secure Boot in the UEFI settings, which allows the OS to boot but reduces security. This is not recommended for production systems.

2. DHCP option 43/60 conflicts with Wi-Fi profiles
Some corporate environments that leverage DHCP option 43 or 60 to distribute wireless network profiles may see Windows ignore the profile after the update. Microsoft suggests using Group Policy or an MDM solution as a fallback.

3. SMB compression fails with third-party proxies
Server Message Block (SMB) compression, introduced in Windows Server 2022 and enabled on Windows 10 by default, may stop working when a third-party network proxy manipulates SMB connections. The symptom is slow file transfers or timeouts. Workaround: disable SMB compression via PowerShell (Set-SmbClientConfiguration -DisableCompression $true).

Microsoft typically resolves these known issues in the next month’s update. If any of them are showstoppers, you can delay deployment using Windows Update for Business’s deferral policies.

The Bigger Picture: Windows 10’s Countdown to 2028

Each ESU Patch Tuesday nudges Windows 10 closer to its true end of life. As of June 2026, organizations have just over two years left before even the most expensive ESU subscription runs dry. The clock is ticking loudly.

Statistical surveys from February 2026 show that Windows 10 still runs on roughly 58% of PCs in the enterprise, down only marginally from the previous year. The stubbornly high adoption rate reflects a mix of hardware incompatibility, application dependencies, and simple inertia. Microsoft’s hardware requirements—TPM 2.0, 8th-gen Intel or AMD Zen 2 CPUs—exclude a sizeable chunk of existing machines, forcing companies to budget for new hardware if they want Windows 11.

For the remaining Windows 10 holdouts, the ESU program provides breathing room, but it’s not a permanent solution. Security updates like KB5094127 are vital for maintaining compliance with regulations like HIPAA, GDPR, and PCI DSS. Yet they cannot patch the underlying aging architecture, nor do they offer the advanced mitigations built into Windows 11 (such as memory integrity and firmware attack surface reduction).

Industry analysts encourage IT leaders to finalize their migration plans immediately. The second year of ESU (October 2026–2027) will demand roughly $122 per device, a steep cost that often justifies a hardware refresh. “If you haven’t started your Windows 11 pilot by now, you’re behind the curve,” cautions Gartner analyst Steve Kleynhans. “The Secure Boot changes in this month’s update are a reminder that even on a legacy OS, the threat landscape does not stand still.”

Final Thoughts

KB5094127 delivers what most ESU customers need: a steady drip of security fortifications that keep Windows 10 operational and compliant. The Secure Boot revocations are the centerpiece, closing off attack vectors that sophisticated threat actors have exploited to install persistent malware. For everyday users, the update will install silently overnight, and the vast majority will notice no difference.

For system administrators, the ritual is familiar: test the update, validate boot scenarios, and push it out via existing patching tools. The known issues are manageable but demand the usual due diligence. If your organization hasn’t prepped for the Secure Boot changes—particularly regarding boot media and Linux dual-boot—do so before hitting “Install.”

The countdown to October 2028 has never felt more real. While KB5094127 shores up Windows 10’s defenses, it also serves as a reminder that the window for migration is closing. Patch this month, but also plan the next move. Windows 10’s final act is secure, but its sequel is already playing to a packed house.