Flexis June 2026 Patch Recommendation

Improvements 

This security update contains fixes and quality improvements from KB5087545 (released May 12, 2026). The following summary outlines key issues addressed by this update. Also, included are available new features. The bold text within the brackets indicates the item or area of the change. 

• [Secure Boot] 

• With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout. 

• This update adds the LimitSecureBootRequiredServiceData Group Policy and mobile device management (MDM) setting under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. When enabled, Windows limits the Secure Boot service data it sends by suppressing the event normally sent to Microsoft. This policy is included in the Windows Restricted Traffic Limited Functionality Baseline. For information about the policy, see Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services.  

• [App] This update improves visibility and reliability of device security by enabling real-time status updates for Secure Boot within the Windows Security app. 

• [File Explorer] This update improves File Explorer search, including support for Chinese text, and UTF 8–encoded files without a byte order mark (BOM). Text now displays more clearly and consistently across search results, Content view, and tooltips. 

• [Texts and Fonts] This update improves Windows fonts by adding the new Saudi Riyal currency symbol. This change helps keep text clear, accurate, and visually consistent across your Windows apps and experiences. 

• [Folder customization] This update introduces a security hardening change to how Windows processes desktop.ini files. As a result, some users might notice missing custom folder icons or localized folder names for content from downloaded or remote locations. Note that access to folders is not affected. For more information, see Custom folder icons or localized folder names might not appear after installing the June 2026 Windows security update. 

Known issues in this update 

Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery Key 

Symptoms 

Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update. 

This issue only affects a limited number of systems in which ALL of the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments. 

BitLocker is enabled on the OS drive. 

The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually). 

System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as “Not Possible”. 

The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023 signed Windows Boot Manager to be made the default. 

The device is not already running the 2023-signed Windows Boot Manager. 

In this scenario, the BitLocker recovery key only needs to be entered once — subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article, Find your BitLocker recovery key. 

Enterprises are recommended to audit their BitLocker group policies for explicit PCR7 inclusion and check msinfo32.exe for their PCR7 binding status before installing this update. (See the Workaround below.) 

Workaround  

1. Remove the Group Policy configuration before installing the update (Recommended)
2. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. 
3. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. 
4. Set “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured”. 
5. Run the following command on affected devices to propagate the policy change: gpupdate /force 
6. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: 
7. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: 
8. This updates the BitLocker bindings to use the Windows-selected default PCR profile. 

A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available. 

Windows Server Update Services (WSUS) does not display error details 

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.