Microsoft pushed the optional June preview update KB5095093 to Windows 11 versions 24H2 and 25H2 on June 23, 2026, advancing the two releases to builds 26100.8737 and 26200.8737 respectively. The patch is not just a routine maintenance rollup; it packs a clutch of under-the-hood enhancements for enterprise printing, on-device AI acceleration, and platform security that IT administrators and power users will want to test before the July Patch Tuesday mandatory rollout.

IPP Printing Stack Gets a Long-Overdue Refresh

The most substantial chunk of KB5095093 retools the Internet Printing Protocol (IPP) subsystem that Microsoft has been championing as the replacement for legacy v3 and v4 print drivers. With this build, the IPP Class Driver and the print spooler service gain several reliability fixes that address spooler crashes on print servers handling more than 500 queues. Microsoft says the update also tightens the security model for IPP-over-USB connections, closing a vector that could allow a malicious USB device to elevate privileges through the spooler process.

For network printing, the IPP implementation now supports the “ipp-usb” and “ipps” URI schemes natively, which simplifies printer discovery in mixed environments. Specifically, Windows will now attempt a secure IPP connection first if the printer advertises IPP-over-HTTPS, falling back to plain IPP only if TLS negotiation fails. This mirrors the hardening already present in Windows Server 2025 and brings client behavior into alignment with the zero-trust networking trends.

Administrators who manage print servers using Group Policy will notice a new administrative template setting under “Printers” that lets them force all IPP connections to use TLS 1.3 exclusively. The setting, “Force IPP connections to use TLS 1.3,” is disabled by default to avoid breaking legacy printers but can be enabled via GPO or a custom ADMX ingestion.

Early reports from Windows Insider telemetry suggest that the spooler crash fix alone could reduce helpdesk calls by up to 15% in large organizations that have transitioned to IPP. The update also resolves a known issue where printers with long device IDs would appear as “Unspecified” in the Devices and Printers control panel.

Local AI Capabilities Get a Boost

Tucked inside the preview notes is a mention of improved support for local AI workloads. While Microsoft has not published a full whitepaper, the update appears to enable a new power management profile for Neural Processing Units (NPUs) when running Windows Studio Effects, Live Captions, or the on-device version of Copilot. The profile allows the NPU to remain active during “Modern Standby” and Connected Standby states, processing AI tasks without waking the CPU and GPU. The practical outcome: smoother audio transcription and camera effects during video calls, with noticeably less fan noise on Snapdragon X Elite and Intel Core Ultra 200V devices.

Developers working on Windows Copilot Runtime extensions will also benefit from a new DirectML operator that accelerates token generation for small language models, such as Microsoft’s Phi-4 and DeepSeek-R1 distilled variants. The operator—DML_OPERATOR_ROTARY_POSITION_EMBEDDING—exposes hardware rotary position embedding (RoPE) on NPUs that support the feature natively, cutting latency by roughly 30% for batch sizes under 8 tokens. While this isn’t a consumer-facing feature today, it sets the stage for third-party AI plugins that can run entirely offline.

Secure Boot and Platform Integrity Updates

KB5095093 refreshes the Secure Boot Forbidden Signature Database (DBX) and applies new certificate revocation lists that block bootloaders vulnerable to the BlackLotus-style bootkit abuse disclosed in CVE-2023-24932. The updated DBX prevents several UEFI application signatures that were exploited in the wild, even if Secure Boot is disabled, because the Windows Boot Manager now audits the DBX during early initialization.

Additionally, the update brings the Trusted Platform Module (TPM) attestation components in line with FIPS 140-3 requirements, a critical step for government and defense contractors who must meet the September 2026 compliance deadline. The TPM 2.0 driver stack now supports TPM commands required for full platform attestation—PCR23, TPM2_PolicySigned, and enhanced dictionary attack prevention—without requiring a separate vendor-specific driver.

One silent change that will please enterprise security teams: the Windows Defender Credential Guard now operates in a virtualized mode even on systems that lack hardware-virtualized security features, by leveraging the same Secure Launch technology used for memory integrity. The change means more corporate laptops can enable credential isolation without a full OEM hardware refresh.

Additional Fixes and Known Issues

Beyond the headline features, KB5095093 rolls up dozens of quality-of-life fixes:

  • Addresses an issue where dual-scan camera profiles caused the Camera app to crash on Quanta Computer-built devices.
  • Fixes a memory leak in the Graphics Device Interface (GDI) when applications use the StartDocW function with large print jobs.
  • Resolves a deadlock in the Remote Desktop Session Host that occurred when users disconnected while clipboard redirection was active.
  • Improves the accuracy of the Estimated Battery Time Remaining tooltip on systems with multiple battery packs.
  • Updates the Chinese lunar calendar data for TianGanDiZhi date formatting in the taskbar calendar flyout.

Microsoft acknowledges two known issues in this preview:

  1. Recovery partition size: Devices that were upgraded from Windows 10 may see a “Not enough disk space” error when the servicing stack attempts to resize the recovery partition. A scripted workaround that shrinks the OS partition by 250 MB is available in the KB article.
  2. Citrix HDX Audio: Machines with Citrix Workspace version 2402 or earlier may lose audio redirection after installing the update. Citrix provides a hotfix, CTX578392, for compatible Workspace versions.

How to Get the Preview

KB5095093 is an optional quality update—a “C” week release—available through Windows Update, WSUS, and the Microsoft Update Catalog. Users must proactively check for updates and select “Download and install” under the optional updates section. The update will not install automatically; it is a preview of the fixes slated for the July 8, 2026 Patch Tuesday release.

Enterprise administrators can download the cumulative update MSU file directly from the Microsoft Update Catalog for offline deployment. The same KB article provides an .msu for arm64, AMD64, and Windows on Arm devices.

Why This Preview Matters

Optional previews have evolved from simple hotfix rollups into mini-feature releases that let Microsoft validate new code on tens of millions of volunteer testers before the mandatory rollout. For organizations with complex printing infrastructure, the IPP overhaul alone justifies spinning up a test ring immediately. For anyone building local AI experiences on the Windows Copilot Runtime, the DirectML operator refresh is a signal that Microsoft expects on-device inference to become a first-class citizen in the Windows platform.

Secure Boot updates, meanwhile, are a recurring cat-and-mouse game. The DBX refresh in KB5095093 closes several real-world attack paths, and the TPM attestation changes will ease compliance for regulated industries. While there is no urgency to deploy this non-security preview on production systems, the fixes it contains will become mandatory in 15 days, so IT teams should begin validation now.

Microsoft has not published a dedicated blog post for KB5095093, but the official release notes are live on the Windows 11 24H2 and 25H2 update history pages.