Home/KB Catalog/KB5094128

KB5094128: Overview with user sentiment and feedback

Last Updated June 11, 2026

Probability of successful installation and continued operation of the machine

0%
20%
40%
60%
80%
100%
65%
Known Issues

Overview

KB5094128 is a cumulative security update for Windows Server 2022 released on June 9, 2026, bringing the OS Build to 20348.5256. This update incorporates the latest security fixes and quality improvements, building upon the previous month's optional preview release (KB5087545 from May 12, 2026). The update addresses critical security vulnerabilities while introducing enhancements across multiple system components including Secure Boot certificate management, File Explorer functionality, and system security features.

This cumulative update represents Microsoft's ongoing commitment to maintaining system security and stability for Windows Server 2022 environments. The update includes a servicing stack update (KB5094147, version 20348.5251) which ensures robust and reliable update installation capabilities. Organizations running Windows Server 2022 should be aware of important considerations regarding Secure Boot certificate expiration beginning in June 2026, which this update helps address through improved device targeting and phased certificate rollout mechanisms.

General Purpose

KB5094128 addresses multiple critical areas of Windows Server 2022 functionality and security. The primary focus includes enhanced Secure Boot certificate management with improved device targeting data and controlled phased rollout of new certificates to prevent widespread disruption. The update introduces the LimitSecureBootRequiredServiceData Group Policy setting, allowing administrators to control telemetry data sent to Microsoft regarding Secure Boot services, which is particularly relevant for organizations following restricted traffic baselines.

Beyond security enhancements, the update delivers quality improvements to File Explorer search functionality, including support for Chinese text and UTF-8 encoded files without byte order marks, improving search result clarity and consistency. The update also adds the Saudi Riyal currency symbol to Windows fonts for improved text rendering. A significant security hardening change addresses how Windows processes desktop.ini files, which may affect custom folder icons and localized folder names from remote or downloaded sources, though folder access itself remains unaffected. The servicing stack has been updated to ensure reliable delivery and installation of future updates.

General Sentiment

Community reception and technical feedback regarding KB5094128 appears measured and cautious. The update addresses legitimate security concerns, particularly around Secure Boot certificate expiration, which represents a proactive approach to preventing widespread system failures. The improvements to File Explorer search and font rendering are generally viewed as beneficial quality-of-life enhancements that should not negatively impact most users.

However, there are legitimate concerns that warrant consideration. The security hardening change to desktop.ini file processing may cause disruption for organizations relying on custom folder icons or localized folder names, particularly for content sourced from remote locations or downloads. While Microsoft notes that folder access is not affected, the visual inconsistency could impact user experience and workflow familiarity. The BitLocker-related known issue, though affecting a limited subset of systems with specific configurations, represents a significant concern for enterprises with non-standard BitLocker Group Policy settings. The temporary removal of WSUS error detail reporting to address a critical vulnerability (CVE-2025-59287) may complicate troubleshooting for administrators managing large-scale deployments. Overall, the update appears necessary and generally beneficial, but careful pre-deployment testing and policy auditing are recommended.

Known Issues

  • BitLocker Recovery Key Requirement: Devices with unrecommended BitLocker Group Policy configurations (specifically those with PCR7 included in TPM validation profiles and running older Secure Boot certificates) may require BitLocker recovery key entry on first restart after installation. This affects only systems meeting all specific conditions and is unlikely on non-managed personal devices. Recovery is required only once, with subsequent restarts functioning normally.

  • Custom Folder Icons and Localized Names: Security hardening changes to desktop.ini file processing may result in missing custom folder icons or localized folder names for content sourced from downloaded or remote locations. Folder access functionality remains unaffected; only visual customization is impacted.

  • WSUS Error Reporting Disabled: Windows Server Update Services error detail display has been temporarily removed following installation of KB5070884 or later updates. This change addresses CVE-2025-59287 (Remote Code Execution Vulnerability) but may complicate synchronization error troubleshooting for administrators.

Disclaimer: We take measures to ensure that AI-generated content is of the highest possible quality, but we cannot guarantee its accuracy and recommend that users do their own independent research. Generated on 2026-06-11 01:05 PM

Back to Knowledge Base Catalog