June 9, 2026—KB5094041 (Monthly Rollup)
Applies To
|
Important The installation of this Extended Security Update (ESU) might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012 R2. For a successful installation, please make sure all Subset of endpoints for ESU only are met as described in Connected Machine agent network requirements. |
Windows Secure Boot certificate expirationÂ
Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the past months. Devices that haven’t received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. We will continue to install the newer certificates via Windows updates in the coming months.
You can check your PC status on the Windows Security app. If you are an IT administrator, follow the guidance on the Secure Boot Playbook for Windows clients and Windows Server.
Support for Windows Server 2012 R2 will end in October 2026
Windows Server 2012 R2Â reached the end of support (EOS) on October 10, 2023.Â
Extended Security Updates (ESUs) are available for purchase and will continue for three years, renewable on an annual basis, until the final date on October 13, 2026. For information about the procedure to continue receiving security updates, see KB5031043.Â
We recommend that you upgrade to a later version of Windows Server. For more information, see Overview of Windows Server upgrades.
Summary
Learn more about this cumulative security update, including improvements, any known issues, and how to get the update.
Windows Server 2012 R2
This security update includes fixes and quality improvements that are part of the following update:
The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting.
-
​​[Secure Boot] This update adds a new policy setting, LimitSecureBootRequiredServiceData, under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When this setting is enabled, Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft. This policy is also included in the Windows Restricted Traffic Limited Functionality Baseline package. For information about the policy, see Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.
For more information about the resolved security vulnerabilities, please refer to the Deployments | Security Update Guide and the June 2026 Security Updates.
For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, see Description of the standard terminology that is used to describe Microsoft software updates.
To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2 update history home page.
Known issues in this update​​​​​​​
We are currently not aware of any issues with this update. For the most up-to-date information about known issues for Windows Server 2012 R2, please go to the Windows release health dashboard.
How to get this update
Before installing this update
To install any Windows Server 2012 R2 Monthly Rollup released on or after January 14, 2025, we recommend you first install the latest Servicing Stack Update (SSU). If your device or offline image does not have the latest SSU installed, you might not be able to install this update.
Caution:Â Until you install the latest SSU, this update might not be offered to your device. To reduce your security risk, install the latest SSU as soon as possible.
-
If you use Windows Update, the latest SSU (KB5079233) ​will be offered to you automatically. If the latest SSU is not installed, you might not be able to install this update.
-
If you use the Update Catalog, we recommend you download and install the latest SSU (KB5079233). If the latest SSU is not installed, you might not be able to install this update.
-
If you are a Windows Server Update Services (WSUS) administrator, you must approve SSU KB5079233Â and this update KB5094041.
Deployment
If you deploy dynamic updates such as this update to an existing Windows image, ensure the boot.stl file is included as part of the installation media. Failure to include the file may prevent devices from successfully starting from the installation media and can result in error code 0xc0430001.
Note: The boot.stl file is used during Secure Boot validation and must match the Windows version and architecture of the image you are updating.
To ensure the boot.stl file is included as part of the installation media, do one of the following:
·       Use the Update WinPE script to update an existing Windows image. (Recommended)
·       Manually copy the boot.stl file from the devices Windows\Boot\EFI folder to the corresponding folder on your installation media before deploying the update.
For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.
Language packs
If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Learn about adding a language pack to Windows.
Install this update
To install this update, use one of the following release channels.
|
Available |
Next step |
|
|
This update will be downloaded and installed automatically from Windows Update. |
|
Available |
Next step |
|
|
To get the standalone package for this update, go to the Microsoft Update Catalog website. To download updates from the Update Catalog, see Steps to download updates from the Windows Update Catalog. |
|
Available |
Next step |
|
|
This update will automatically sync with Windows Server Update Services (WSUS) if you configure Products and Classifications as follows:
|
File information
A list of the files that are included in this update are provided in a CSV (Comma delimited) (*.csv) file. The file can be opened in a text editor such as Notepad or in Microsoft Excel.
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
