
KB5087420: Windows 11 version 23H2 Security Update (OS Build 22631.7079) - May 2026

May 12, 2026 cumulative security update for Windows 11 version 23H2, bringing OS build 22631.7079 with Secure Boot, SmartScreen, and Remote Desktop fixes.

Summary

This is the May 12, 2026 cumulative security update for Windows 11, version 23H2, producing OS build 22631.7079. It is the monthly security update and also rolls in the non-security quality improvements from the previous optional preview release. See Microsoft Support for the official page.

Highlights

  • Secure Boot certificate targeting coverage is expanded, with additional high-confidence device data used to determine which devices receive updated certificates automatically.
  • A new SecureBoot folder is added under C:\Windows on eligible devices, containing example scripts for IT pros to detect certificate update status and automate deployment in Active Directory environments.
  • Microsoft Defender SmartScreen is updated to send file hashes for unsigned files, enabling newer reputation models and improving application reputation checks.
  • A known Remote Desktop Connection rendering issue affecting multi-monitor setups with different scaling - introduced by the April 2026 update - is resolved.

Improvements and fixes

  • Secure Boot: Windows quality updates now include additional high-confidence device targeting data, broadening the set of devices eligible to receive new Secure Boot certificates automatically. The rollout remains phased and controlled.
  • Secure Boot folder: A new SecureBoot folder is placed under C:\Windows on eligible devices. It holds sample scripts that IT administrators can use to check Secure Boot certificate update status and automate deployment through a safe rollout mechanism in Active Directory.
  • Country and Operator Settings Asset (COSA): Mobile operator profiles are refreshed for certain carriers.
  • Daylight saving time (DST): Support is added for the 2023 DST change specific to the Arab Republic of Egypt.
  • Enterprise State Roaming (ESR): ESR can now be managed through Windows Backup for Organizations policies, simplifying configuration for IT administrators.
  • Microsoft Defender SmartScreen: SmartScreen in the Windows shell is updated to send file hashes for unsigned files, supporting newer reputation models and improving the accuracy of application reputation checks.
  • Remote Desktop Connection (known issue fix): An issue is resolved where the Remote Desktop Connection security warning dialog could render incorrectly in multi-monitor scenarios when monitors had different display scaling set. This problem was introduced by the April 2026 update (KB5082052).

Known issues

Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key

Symptom: Some devices with an unrecommended BitLocker Group Policy configuration may be required to enter their BitLocker recovery key on the first restart after installing this update. The issue only affects systems on which all of the following conditions are true; this combination is unlikely on personal devices that are not managed by IT:

  • BitLocker is enabled on the OS drive.
  • The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured with PCR7 included in the validation profile (or the equivalent registry key is set manually).
  • System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".
  • The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database (DB), making the device eligible for the 2023-signed Windows Boot Manager to be set as default.
  • The device is not already running the 2023-signed Windows Boot Manager.

In this scenario, the BitLocker recovery key only needs to be entered once - subsequent restarts will not trigger a BitLocker recovery screen as long as the group policy configuration remains unchanged.

Workaround: This issue is addressed in KB5093998. After installing KB5093998, devices with the incompatible group policy configuration are prevented from installing the 2023-signed Windows Boot Manager. If a device was affected, Event ID 1032 will appear in the System event log during Windows update installation.

Microsoft strongly recommends removing the Group Policy configuration before installing updates. To do so:

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
  4. Run gpupdate /force on affected devices to propagate the policy change.
  5. Run manage-bde -protectors -disable C: to suspend BitLocker (if BitLocker is enabled on the C: drive).
  6. Run manage-bde -protectors -enable C: to resume BitLocker.

Suspending and resuming the protectors in this way re-binds BitLocker to the Windows-selected default PCR profile.

If you do not wish to remove the Group Policy configuration, you can install the new Windows Boot Manager by temporarily suspending BitLocker:

  1. Run manage-bde -protectors -disable C: to suspend BitLocker.
  2. Run Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update".
  3. Restart the device.
  4. Once the new Windows Boot Manager is successfully installed, run manage-bde -protectors -enable C: to re-enable BitLocker.
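The known-issue conditions above are all checkable from an elevated PowerShell session, and KB5093998's Event ID 1032 gives a post-install signal that a device was caught by the block. The following audit script is an added example for this page, not a script from the KB or from the C:\Windows\SecureBoot folder. It assumes the BitLocker and SecureBoot PowerShell modules are present (they ship with Windows 11), and it assumes the policy "Configure TPM platform validation profile for native UEFI firmware configurations" is stored under the registry key HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with one DWORD per PCR index; that path is taken from the VolumeEncryption ADMX and is not stated by the KB. The "device is not already running the 2023-signed Windows Boot Manager" condition is not evaluated here.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the KB). Reports each KB5087420 known-issue
# condition so an administrator can decide whether to change the PCR7 policy
# or suspend BitLocker before deploying the update.

# Assumption: registry location of the "Configure TPM platform validation
# profile for native UEFI firmware configurations" policy (from the ADMX).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$results   = [ordered]@{}

# Condition 1: BitLocker is enabled on the OS drive.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$results['BitLockerOnOsDrive'] = ($null -ne $osVol -and $osVol.ProtectionStatus -eq 'On')

# Condition 2: a policy-defined validation profile that includes PCR7
# (value name "7" set to 1 while the policy is enabled).
$pcr7InPolicy = $false
if (Test-Path $policyKey) {
    $pol = Get-ItemProperty -Path $policyKey
    $pcr7InPolicy = ($pol.Enabled -eq 1 -and $pol.'7' -eq 1)
}
$results['PolicyProfileIncludesPCR7'] = $pcr7InPolicy

# Condition 3: PCR7 binding as reported by msinfo32. The report is exported to
# a temporary file and the PCR7 line is extracted; "Not Possible" is the value
# the KB calls out.
$report = Join-Path $env:TEMP 'msinfo32-secureboot.txt'
Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
$pcr7Line = Select-String -Path $report -Pattern 'PCR7' | Select-Object -First 1
$results['PCR7BindingReport'] = if ($pcr7Line) { $pcr7Line.Line.Trim() } else { 'not found' }
Remove-Item $report -ErrorAction SilentlyContinue

# Condition 4: the Windows UEFI CA 2023 certificate is present in the Secure
# Boot DB. The DB variable is read as raw bytes and searched for the CA name.
$secureBootOn = $false
try { $secureBootOn = Confirm-SecureBootUEFI } catch { }
$ca2023InDb = $false
if ($secureBootOn) {
    $dbBytes    = (Get-SecureBootUEFI -Name db).Bytes
    $ca2023InDb = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
}
$results['SecureBootEnabled']      = $secureBootOn
$results['WindowsUefiCa2023InDb']  = $ca2023InDb

# Detection: after KB5093998, Event ID 1032 in the System log marks a device
# on which the 2023-signed boot manager was held back. Other providers may also
# use ID 1032, so review the message text of any hit before acting on it.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1032 } -MaxEvents 5 -ErrorAction SilentlyContinue
$results['Event1032Seen'] = ($null -ne $evt)

[pscustomobject]$results | Format-List

# All listed conditions must hold for the one-time recovery prompt; warn only
# when the conditions evaluated here line up.
if ($results.BitLockerOnOsDrive -and $results.PolicyProfileIncludesPCR7 -and
    $results.WindowsUefiCa2023InDb -and $results.PCR7BindingReport -match 'Not Possible') {
    Write-Warning 'Device matches the KB5087420 known-issue conditions: set the PCR7 policy to Not Configured or suspend BitLocker before installing.'
}
```

Run it on a representative device from each hardware model before approving the update in WSUS or Windows Update for Business; a device that prints the warning should either have the policy reverted (steps 1 to 6 above) or have BitLocker suspended for the boot manager install.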

How to get this update

Before installing, note that Microsoft combines the latest servicing stack update (SSU) - in this case KB5086307 for servicing stack build 22621.6937 - with the cumulative update in a single package. The SSU cannot be removed after installation.

  • Windows Update / Microsoft Update: The update downloads and installs automatically.
  • Windows Update for Business: Deploys automatically in accordance with configured policies.
  • Microsoft Update Catalog: The standalone package is available for manual download.
  • Windows Server Update Services (WSUS): The update syncs automatically when Products and Classifications are set to Product: Windows 11 and Classification: Security Updates.

To remove only the cumulative update after installing the combined package, run DISM /online /Remove-Package with the LCU package name as the argument. Use DISM /online /get-packages to find that package name. Running wusa.exe /uninstall against the combined package will not work because the SSU is included.

Frequently asked questions

Do I need to install anything before applying KB5087420?

Microsoft bundles the latest servicing stack update (KB5086307, build 22621.6937) together with the cumulative update in a single package, so no separate SSU installation step is required. However, to upgrade to Windows 11 version 23H2 in the first place, you must use the enablement package KB5027397.

Why is my device asking for a BitLocker recovery key after installing this update?

A specific combination of BitLocker and Group Policy settings related to PCR7 validation can trigger a one-time recovery key prompt when the 2023-signed Windows Boot Manager is applied. The prompt should only occur on the first restart. Enterprises should audit BitLocker group policies and check msinfo32.exe for PCR7 binding status before deployment. The full workaround is detailed in the Known Issues section above.

What is the Secure Boot certificate expiration issue, and does it affect my devices?

Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been rolling out updated certificates to consumer and non-managed business devices. Devices that have not yet received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. IT administrators should follow the Secure Boot Playbook for Windows clients and Windows Server for managed environments.

How do the new scripts in the C:\Windows\SecureBoot folder help IT administrators?

This update places sample scripts in a new C:\Windows\SecureBoot folder on eligible devices. These scripts are intended for IT pros who actively manage updates across a device fleet. They can be used to detect the Secure Boot certificate update status on individual devices and to automate certificate deployment through a safe, staged rollout mechanism in an Active Directory environment. More detail is available in the Sample Secure Boot E2E Automation Guide linked from the official update page.
