Microsoft pushed out its June 2026 Patch Tuesday updates on June 9, and they pack more than the usual security fixes. The two headline updates—KB5095051 for Windows 11 26H1 (Build 28000.2269) and KB5093998 for Windows 11 23H2 (Build 22631.7219)—bring critical patches for Secure Boot and BitLocker, fresh AI capabilities for the latest Windows version, and behind-the-scenes servicing stack refinements. If you're running either of these Windows 11 flavors, you'll want to install these fixes promptly; they close multiple vulnerabilities rated "critical" by Microsoft.

Windows 11 26H1 Build 28000.2269 (KB5095051) Debuts New Features

The 26H1 update, also known as the Windows 11 2026 Feature Update, receives its latest cumulative update with KB5095051. More than a simple patch, this release bakes in several quality-of-life improvements alongside the security rollup. Microsoft has been positioning 26H1 as the platform for its next-generation AI experiences, and this update enables several that had been in testing.

AI-Powered File Search and Contextual Suggestions

One of the most visible additions is an expanded AI file search that uses natural language processing. Instead of typing exact file names, you can describe what you're looking for—think "the spreadsheet I worked on last Thursday about budget projections"—and Windows will surface the right file. It builds on the semantic indexing introduced earlier in 26H1's lifecycle. Early feedback from Windows Insiders had been mixed; some praised its accuracy, while others hit false positives. This cumulative update fine-tunes the model and expands language support beyond English and German to include French, Spanish, and Japanese.

You'll also notice more contextual suggestions in File Explorer and the Start menu. The system now recommends recent files or frequently used folders based on time of day and your activity patterns. It's reminiscent of what Microsoft 365 does online, but it's running locally on your device, thanks to the dedicated NPU hardware that many 26H1-capable PCs now include.

Copilot Gets a Sidebar and Deeper Settings Integration

Copilot in Windows has evolved from a web wrapper into a genuine system assistant. With KB5095051, it gains the ability to control more system settings by voice or text: change display scaling, manage Bluetooth devices, or even troubleshoot network issues through a guided dialog. The Copilot sidebar is now resizable and can be pinned to the desktop, a long-requested feature that arrived earlier this year but now works more reliably.

Microsoft also added a new "Copilot Suggested Actions" banner that appears in Settings when the assistant has a relevant tip—for example, suggesting you turn on battery saver if it detects your laptop isn't charging and you have a long work session ahead. The prompts are surprisingly useful, though you can dismiss them if they irritate you.

Windows 11 23H2 Build 22631.7219 (KB5093998): Security and Stability First

For the millions of devices still on Windows 11 23H2, the June 2026 Patch Tuesday delivers critical updates sans the flashy AI features. Build 22631.7219 focuses squarely on security and reliability. Microsoft has previously stated that 23H2 will remain supported until November 2026, so this isn't a token update; it's a substantial one.

KB5093998 addresses over two dozen vulnerabilities listed in the Microsoft Security Response Center (MSRC). Among them are three zero-day exploits that were being actively used in the wild. One of those, CVE-2026-3467, allowed a remote attacker to execute code via a crafted SMB packet if the target had network file sharing enabled. The fix modifies how the SMBv3 protocol handles certain buffer allocations, and it's enabled by default after you install the update.

Another patched zero-day (CVE-2026-4023) involved the Windows Graphics Component. An attacker could embed malicious code in a seemingly innocent image file; merely viewing it in a preview pane could trigger the exploit. That's been sealed.

BitLocker Encryption Bug Finally Squashed

One long-standing issue that KB5093998 resolves is a BitLocker bug that would intermittently fail to resume encryption after a suspend/resume cycle on some NVMe drives. The problem had been plaguing IT admins for months, with reports on Microsoft's own Tech Community forums detailing how BitLocker would get stuck in a "encryption paused" state and refuse to restart without a manual script or reboot. The fix ensures that the encryption engine correctly resets the suspend state when the system wakes from modern standby or hibernation.

Additionally, the update strengthens BitLocker's pre-boot authentication on newer TPM 2.0 chips. A previous vulnerability allowed an attacker with physical access to brute-force the PIN by abusing a timing attack. The patch changes the TPM communication to use constant-time operations, killing that attack vector.

Secure Boot Servicing Update: Why It Matters

Both KB5095051 and KB5093998 include an updated Secure Boot signature database (DBX). This is the second Secure Boot revoke-and-update of 2026, driven by the discovery that certain boot loaders signed with leaked certificates could bypass Secure Boot protections. Microsoft handles this through a controlled, phased rollout—each servicing update adds hashes of compromised binaries to the UEFI revocation list, but only after ensuring broad hardware compatibility.

For most users, the Secure Boot changes are invisible. Your PC simply downloads the new DBX, validates it against the existing signatures, and applies it on the next restart. However, enterprises with custom boot configurations or dual-boot setups should test before deploying. A small number of older motherboards (primarily from 2018-2020) have required a UEFI firmware update from the OEM to accept the new DBX, otherwise the system will fall back to the previous secure boot state, which still offers partial protection.

If you're unsure whether your device received the Secure Boot update, you can check by running msinfo32 and looking at the Secure Boot State; if it's On and the KB article mentions your build, you're protected.

Servicing Stack and Under-the-Hood Improvements

Patch Tuesday updates almost always ship with a servicing stack update (SSU), and this month is no exception. The SSU included with both KBs improves the robustness of the servicing stack itself—the component that installs Windows updates. A problematic race condition that occasionally caused cumulative updates to fail with error 0x800f0922 on systems with certain antivirus drivers has been resolved. Users of third-party AV software from Malwarebytes, Sophos, and Trend Micro had been particularly affected; the new SSU works around the driver timing issue by serializing a critical section of the update process.

Another behind-the-scenes fix addresses a memory leak in the Windows Management Instrumentation (WMI) service when querying battery information on devices with multiple batteries (like some Surface Book models). That leak had led to gradual system slowdown over several days, forcing reboots. The KB updates plug the leak completely.

Performance watchers will note a subtle improvement in login times on domain-joined machines. Starting with June's patch, the Local Security Authority (LSA) no longer redundantly enumerates every Universal Group Membership during login if the domain controller supports a more efficient query method introduced in Server 2025. The result is 2-4 seconds shaved off the "Welcome" screen on large Active Directory environments.

Known Issues: Hidden Traps to Watch For

No Patch Tuesday is without gremlins, and June 2026 has a few.

On Windows 11 26H1, some users with AMD Ryzen 8000-series processors may experience a blue screen (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) after installing KB5095051 if they have certain AMD chipset drivers older than version 5.12.0.31. Microsoft and AMD are aware, and the short-term workaround is to update the chipset driver from AMD's website before allowing the cumulative update. A support article (KB5095120) details the exact affected driver versions.

For 23H2, a small subset of devices with Intel Smart Sound Technology (SST) audio drivers might lose sound output after the update. This is the same bug that appeared in January's patch and was supposedly fixed; it seems to have re-surfaced because a recent driver update from Intel reverted a registry key. The fix is to re-run the Intel SST driver installer or manually set "LoadAppInit_DLLs" to 0 under the audio enhancement registry paths—a hack familiar to affected users.

The Copilot new-settings integration on 26H1 currently only works when the system language is set to one of the supported languages; otherwise, you'll see a "Copilot can't do that yet" message. Microsoft says full international support will arrive with the July optional update.

Finally, the update may fail with error 0x80070002 on PCs that have manually removed certain inbox apps using PowerShell. The workaround is to re-install the missing apps before updating. The reserved storage feature should protect against this, but some power users disable reserved storage, triggering the problem.

How to Install and Verify

Most users will get these updates automatically via Windows Update. If you want to install them manually, head to Settings > Windows Update and click "Check for updates." The packages should appear as:

  • 2026-06 Cumulative Update for Windows 11 Version 26H1 for x64-based Systems (KB5095051)
  • 2026-06 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5093998)

Alternatively, you can download the standalone installers from the Microsoft Update Catalog website. Search for the KB number, and pick the correct .msu file for your system architecture. Enterprise customers can import the updates into WSUS or Microsoft Endpoint Manager already.

After installation, your build number will change: to 28000.2269 for 26H1, or 22631.7219 for 23H2. You can verify by running winver from the Run dialog.

Microsoft hasn't indicated any critical problems with these updates as of publication, but it's always wise to wait a few days if your PC is mission-critical, to see if the community uncovers broader issues. So far, aside from the AMD and Intel driver-specific glitches, feedback on Reddit and Microsoft's feedback hub has been largely positive.

Looking Ahead: What's Next for Windows 11

With this Patch Tuesday, Microsoft solidifies the 26H1 branch as the primary innovation vehicle while keeping 23H2 secure and stable. The Secure Boot DBX update is a reminder that the hardware root-of-trust needs periodic updates to stay ahead of attackers. Meanwhile, the AI features in 26H1 show that Microsoft is betting heavily on natural language and contextual assistance to keep Windows relevant in an era where users increasingly expect apps that just know what they need.

If you're on 23H2 and are curious about the AI features, you can upgrade to 26H1 for free through Windows Update as long as your hardware meets the requirements (TPM 2.0, Secure Boot, and a compatible processor). The feature update takes about 30-50 minutes depending on your storage speed.

For now, prioritize installing June's patches. They address actively exploited vulnerabilities, and the BitLocker fixes may save you from boot surprises. Remember to check for driver updates before applying if you're on AMD or Intel hardware mentioned above.