KB5087538 - May 12, 2026 Cumulative Security Update for Windows Server 2019 / Windows 10 LTSC 2019 (OS Build 17763.8755)

Summary

KB5087538 is a cumulative security update for Windows Server 2019 and Windows 10 Enterprise LTSC 2019, bringing both products to OS Build 17763.8755. Released on May 12, 2026, it addresses security vulnerabilities and quality issues including Secure Boot certificate handling, a Remote Desktop rendering bug, a Microsoft account sign-in failure, and a Daylight Saving Time correction for Egypt. Source: Microsoft Support

Highlights

• Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices. Devices that have not yet received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install.
• IT administrators can check device status in the Windows Security app and should follow guidance in the Secure Boot Playbook for Windows clients and Windows Server.

Improvements and fixes

• Remote Desktop rendering fix: Corrects a bug where the Remote Desktop Connection security warning dialog could display incorrectly on multi-monitor setups with different display scaling settings. The problem could appear after installing the security update from April 14, 2026 (KB5082123) or later.
• Secure Boot - dynamic status reporting: Adds dynamic status reporting for Secure Boot states directly within the Windows Security app, giving users and administrators clearer visibility into their device's Secure Boot posture.
• Secure Boot - improved device targeting: Windows quality updates now carry additional high-confidence device targeting data, which broadens the pool of devices eligible to receive updated Secure Boot certificates automatically. Certificates are only delivered after a device demonstrates sufficient successful update signals, keeping the rollout controlled and phased.
• Secure Boot - new automation scripts: On eligible devices, this update creates a new SecureBoot folder under C:\Windows. The folder holds example scripts that IT professionals can use to detect Secure Boot certificate update status and automate deployment through a safe rollout mechanism in an Active Directory environment. See the Sample Secure Boot E2E Automation Guide for details.
• Microsoft account sign-in fix: Resolves a problem introduced by the March 10, 2026 (or later) Windows update where some users saw a "no Internet" error when signing in to apps with a Microsoft account, even on devices with a working internet connection. This prevented access to Microsoft services and apps including Microsoft Teams.
• Daylight Saving Time - Egypt: Applies a DST update for the Arab Republic of Egypt to reflect the government DST change order issued in 2023.

Known issues

Microsoft lists no known issues for this update at the time of writing.

How to get this update

Prerequisite: You must have the August 10, 2021 servicing stack update (KB5005112) installed before applying this cumulative update.

This update also includes servicing stack update KB5089760 (version 17763.8754), which improves the reliability of the update process. Note that the SSU includes enhanced logic to verify whether a device is hosted on Azure, using an updated certificate chain for validation. Administrators should ensure devices can reach the required certificate update domains.

The update is available through the following channels:

• Windows Update - downloaded and installed automatically.
• Windows Update for Business - deployed automatically in accordance with configured policies.
• Microsoft Update Catalog - standalone package available for manual download.
• Windows Server Update Services (WSUS) - syncs automatically when Products and Classifications are configured as follows:
  • Product: Windows 10 LTSB, Windows Server 2019
  • Classification: Security Updates

To remove this update after installation, use the DISM /online /remove-package command with the LCU package name as the argument. Running wusa.exe /uninstall on the combined package will not work because the package contains the SSU, and the SSU cannot be removed after installation.

Frequently asked questions

Will devices that haven't received new Secure Boot certificates stop working after June 2026?

No. According to the page, devices that have not yet received the newer Secure Boot certificates will continue to start and operate normally after June 2026. Standard Windows updates will also continue to install. Microsoft plans to continue rolling out the updated certificates through Windows Update in the coming months.

What is the SSU included with this update, and do I need to install it separately?

Microsoft now bundles the latest servicing stack update (SSU) with the cumulative update (LCU) in a single package. The SSU in this release is KB5089760 at version 17763.8754. You do not install it separately - it is included automatically. The only separate prerequisite is the August 10, 2021 SSU (KB5005112), which must already be present on the device.

How can IT administrators manage Secure Boot certificate deployment across their fleet?

This update places example automation scripts in a new C:\Windows\SecureBoot folder on eligible devices. Administrators can use these scripts to detect Secure Boot certificate update status and automate deployment through a safe, phased rollout mechanism in an Active Directory environment. Microsoft points to the Sample Secure Boot E2E Automation Guide for further guidance.

When does support end for the products covered by this update?

Both Windows Server 2019 and Windows 10 Enterprise LTSC 2019 reach end of support on January 9, 2029. After that date, Microsoft will no longer provide free software updates from Windows Update, technical assistance, or security fixes. Microsoft recommends planning an upgrade to a later version of Windows Server before that deadline.