June 2026 Windows Server Updates: What’s New in KB5094125, KB5094128, KB5094123 and KB5094122
On Tuesday, June 9, 2026, Microsoft released new mandatory cumulative updates for Windows Server machines. What’s new? Here’s what you need to know!
Key point: Secure Boot certificate expiration
Before diving into the update details for each Windows Server version, let’s talk once again about Secure Boot. Secure Boot certificates expire as of June 2026, so that point has now arrived! Over the past few months, Microsoft has started rolling out new certificates, but this issue affects your entire fleet, both workstations and servers.
It is worth noting that devices that have not yet received the new certificates will continue to boot normally, and standard Windows updates will continue to install. Updated certificates will keep being delivered through Windows Update in the coming months. The main risk here is related to potential malware.
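To see where a given server stands, the following added example (not from Microsoft or the original article) reports whether the 2023 certificates are already present in the firmware's Secure Boot variables. The function name is hypothetical, the certificate names are the ones Microsoft publishes rather than values listed in this article, and it must run in an elevated session on a UEFI system.

```powershell
# Added example: check the KEK and db UEFI variables for the 2023 certificates.
function Test-SecureBootCert2023 {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Certificate subject names to look for in each variable
    # (Microsoft's published names; not listed in the article).
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
    }

    try {
        # Returns $true/$false; throws on legacy BIOS or without elevation.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    foreach ($var in $expected.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Cannot read UEFI variable '$var': $($_.Exception.Message)"
            continue
        }
        # The variable is a binary signature list. Certificate subject names are
        # stored as ASCII-compatible strings, so a text search is a quick
        # presence check (it does not validate the certificates themselves).
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                SecureBootEnabled = $enabled
                Variable          = $var
                Certificate       = $name
                Present           = $text.Contains($name)
            }
        }
    }
}

Test-SecureBootCert2023 | Format-Table -AutoSize
```

Rows with `Present = False` identify machines still waiting for the gradual rollout described in this article.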
Windows Server 2025 - What’s new in KB5094125
The update for Windows Server 2025 fixes several bugs and introduces one new feature.
- Secure Boot
In line with the certificate expiration mentioned above, this update expands the pool of machines eligible to automatically receive the new certificates (issued by Microsoft in 2023). As has been the case for several months, deployment remains gradual: a device receives the new certificates only after it has shown enough successful update signals.
This update also introduces a new Group Policy setting called LimitSecureBootRequiredServiceData, which allows you to limit the Secure Boot service data sent to Microsoft (telemetry). It is available under: Computer Configuration > Administrative Templates > Windows Components > Secure Boot.
- BitLocker recovery (known issue fixed)
This update resolves an issue where some devices could enter BitLocker recovery after boot files were updated, on systems with certain TPM validation settings (notably invalid PCR7 configurations). This behavior could occur after installing the April 2026 update (KB5082063).
- Folder customization (desktop.ini)
The update introduces stronger security in the way Windows handles desktop.ini files. As a result, some users may notice the disappearance of custom folder icons or localized folder names for content coming from the Internet or remote locations. Note that folder access itself is not affected. The goal is to protect users from malicious files.
If a file has been downloaded, it must be unblocked using the PowerShell command Unblock-File, which removes the Mark of the Web (MotW) tag; otherwise, the icon will not display correctly. Microsoft explains this in more detail in this support article.
Note that these Secure Boot and folder customization changes also apply to other Windows Server versions.
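To find out which folders are affected by the desktop.ini change before unblocking anything, the added example below (not from the original article) lists desktop.ini files that carry a MotW tag, together with the customization lines they contain. The function name and the share path are hypothetical; the final Unblock-File call uses -WhatIf so nothing is modified until the list has been reviewed.

```powershell
# Added example: audit desktop.ini files that carry a Mark of the Web.
function Get-MarkedDesktopIni {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root
    )

    # desktop.ini is normally Hidden + System, so -Force is needed to see it.
    Get-ChildItem -LiteralPath $Root -Filter desktop.ini -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_

            # MotW is stored in the NTFS alternate data stream "Zone.Identifier".
            $ads = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -Force -ErrorAction SilentlyContinue
            if (-not $ads) { return }   # no MotW: not affected by the hardening

            $zoneText = (Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Force -ErrorAction SilentlyContinue) -join "`n"
            $zoneId = if ($zoneText -match '(?m)^ZoneId=(\d+)') { [int]$Matches[1] } else { $null }

            # Collect the customization lines so they can be reviewed first.
            $settings = Get-Content -LiteralPath $file.FullName -Force -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(IconResource|IconFile|LocalizedResourceName|CLSID)\s*=' }

            [pscustomobject]@{
                Path     = $file.FullName
                ZoneId   = $zoneId            # 3 = Internet, 4 = Restricted sites
                Settings = $settings -join '; '
            }
        }
}

# Constructed sample path; replace with the share or profile root to audit.
$marked = Get-MarkedDesktopIni -Root 'D:\Shares\Projects'
$marked | Format-List

# Once the entries have been reviewed, remove the MotW tag.
# -WhatIf only prints what would be unblocked; drop it to apply the change.
$marked | ForEach-Object { Unblock-File -LiteralPath $_.Path -WhatIf }
```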
In addition, this update introduces a set of changes:
- DNS over HTTPS
The Windows Server 2025 DNS server now supports DNS over HTTPS (DoH). This enables encrypted DNS communication between the server and its clients, improving privacy and security by protecting DNS queries, especially against certain attacks.
This feature is now generally available. Note: DoH support applies only to server-to-client communication, not to encrypted communication between servers. I’ll cover this new feature in more detail in a future article.
- Session reliability
This update improves reliability when loading the user profile by managing system resources more efficiently.
- Deployment via WUSA (known issue fixed)
This update fixes an issue where updates installed through the WUSA program could fail with error code ERROR_BAD_PATHNAME. This could happen when double-clicking a .msu file or running WUSA from a network share containing multiple .msu files. This has been a long-standing issue.
Windows Server 2022 - What’s new in KB5094128
The June 9, 2026 update (KB5094128) for Windows Server 2022 includes the cross-version changes mentioned earlier (Secure Boot, the LimitSecureBootRequiredServiceData setting, File Explorer search, and desktop.ini hardening), as well as a change in the Windows Security app. Windows Security now includes the Secure Boot status, and it is updated in real time to display a reliable state.
Keep an eye on a known issue in this version: on a limited number of systems with a non-recommended BitLocker Group Policy configuration (PCR7 included in the TPM validation profile, PCR7 binding state set to "Impossible", etc.), BitLocker recovery key entry may be requested on the first reboot after installation. This is not a new issue, as it has been around for several months.
Windows Server 2019 (KB5094123) and Windows Server 2016 (KB5094122)
For these two older versions, Microsoft is releasing security-focused cumulative updates, named KB5094123 (Windows Server 2019) and KB5094122 (Windows Server 2016) respectively. They include the changes common to all versions, especially the Secure Boot updates and the hardening of desktop.ini files, along with this month’s security fixes.
This is a good time to recall that the June 2026 Patch Tuesday includes fixes for 200 vulnerabilities.
Windows Server update summary
Here is the list of mandatory cumulative updates released by Microsoft since the start of 2026.
| Month | WS 2025 | WS 2022 | WS 2019 | WS 2016 |
|---|---|---|---|---|
| June 2026 | KB5094125 | KB5094128 | KB5094123 | KB5094122 |
| May 2026 | KB5087539 | KB5087545 | KB5087538 | KB5087537 |
| April 2026 | KB5082063 | KB5082142 | KB5082123 | KB5082198 |
| March 2026 | KB5078740 | KB5078766 | KB5078752 | KB5078938 |
| February 2026 | KB5075899 | KB5075906 | KB5075904 | KB5075999 |
| January 2026 | KB5073379 | KB5073457 | KB5073723 | KB5073722 |

