KB5087539 - Windows Server 2025 Security Update (OS Build 26100.32860)
May 12, 2026 cumulative security update for Windows Server 2025, bringing OS build 26100.32860 with Secure Boot, connectivity, and AD CS improvements.
Summary
This is the May 12, 2026 cumulative security update for Windows Server 2025, carrying OS build 26100.32860. It is a monthly security update that bundles the latest security fixes together with the non-security improvements from the prior optional preview release. See Microsoft Support for the official documentation.
Highlights
- Secure Boot certificate rollout now uses additional high-confidence device targeting data, expanding automatic coverage while maintaining a phased approach.
- A new C:\Windows\SecureBoot folder is added on eligible devices, containing sample scripts for IT pros to detect certificate update status and automate deployment in Active Directory environments.
- Active Directory Certificate Services gains support for Module-Lattice-Based Digital Signature Algorithm (ML-DSA) post-quantum signatures.
- A fix is included for the Remote Desktop Connection security warning dialog rendering incorrectly on multi-monitor setups with different scaling, introduced by the April 2026 update.
Improvements and fixes
- Secure Boot - expanded targeting: Windows quality updates now include additional high-confidence device targeting data, increasing the number of devices eligible to automatically receive new Secure Boot certificates through a controlled, phased rollout.
- Secure Boot - new scripts folder: On eligible devices, a SecureBoot folder is created under C:\Windows. It contains example scripts that IT pros can use to check Secure Boot certificate update status and automate safe certificate deployment within an Active Directory environment.
- Connectivity - SSDP reliability: The reliability of Simple Service Discovery Protocol (SSDP) notifications is improved to prevent the service from becoming unresponsive.
- Daylight saving time: Support is added for the 2023 DST change for the Arab Republic of Egypt.
- Domain controller performance: LSASS performance on domain controllers running Microsoft Defender is improved, reducing CPU and memory usage during Event Tracing for Windows collection of IDL_DRSGetNCChanges events.
- Remote Desktop fix: Resolves an issue where the Remote Desktop Connection security warning dialog rendered incorrectly in multi-monitor scenarios with different per-monitor scaling settings. This issue was introduced by the April 2026 update (KB5082063).
- Sign-in issue: Addresses a problem where, after installing updates released on or after March 10, 2026, some users could not sign in to apps with a Microsoft account, receiving a spurious "no Internet" error even when connectivity was working, blocking access to Microsoft services and apps such as Microsoft Teams.
- Active Directory Certificate Services - post-quantum support: Adds ML-DSA post-quantum signature support in AD CS. Administrators can configure new certification authorities using ML-DSA-44, ML-DSA-65, or ML-DSA-87 and issue quantum-resistant certificates for code signing, TLS, and OCSP response signing.
Known issues
Devices with an unrecommended BitLocker Group Policy configuration may prompt for recovery key
Symptom: Some devices may be required to enter the BitLocker recovery key on the first restart after installing this update. This only affects devices where all of the following conditions are true:
- BitLocker is enabled on the OS drive.
- The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is set with PCR7 included in the validation profile (or the equivalent registry key is set manually).
- System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".
- The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database.
- The device is not already running the 2023-signed Windows Boot Manager.
The recovery key only needs to be entered once - subsequent restarts will not trigger a recovery screen as long as the Group Policy configuration remains unchanged.
Workaround: This issue is addressed in KB5094125. After installing KB5094125, devices with this incompatible Group Policy configuration are prevented from installing the 2023-signed Windows Boot Manager. If a device is affected, Event ID 1032 will appear in the System event log. Microsoft strongly recommends removing the Group Policy configuration before installing updates. To do so:
- Open Group Policy Editor (gpedit.msc) or Group Policy Management Console.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
- Run gpupdate /force.
- Run manage-bde -protectors -disable C:.
- Run manage-bde -protectors -enable C:.
If you do not wish to remove the Group Policy, you can temporarily suspend BitLocker, run Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update", restart the device, and then re-enable BitLocker with manage-bde -protectors -enable C:.
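The following PowerShell is an added pre-flight check for the known issue above; it is not part of the KB article or of Microsoft's SecureBoot sample scripts. It tests the conditions that can be read from a running system (BitLocker state, the PCR7 policy, Secure Boot db contents, Event ID 1032) and wraps the two workarounds the article gives behind -WhatIf/-Confirm. Assumptions, labelled in the comments: the Group Policy setting lands in the registry under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with one DWORD per PCR index, and the 2023 CA can be recognised by its subject string in the db bytes. The msinfo32 "PCR7 Binding" value and the signer of the current boot manager have no cmdlet equivalent here and are reported as manual checks.

```powershell
# Added example, not from the KB article. Run in an elevated PowerShell session.
function Test-BitLockerPcr7Exposure {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    $result = [ordered]@{}

    # Condition: BitLocker is enabled on the OS drive.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $result.BitLockerOn = ($vol.ProtectionStatus -eq 'On')

    # Condition: the platform validation profile policy includes PCR7.
    # ASSUMPTION: the policy is stored as DWORD values named by PCR index under this key.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $result.PolicyIncludesPcr7 = $false
    if (Test-Path $policyPath) {
        $pol = Get-ItemProperty -Path $policyPath
        $result.PolicyIncludesPcr7 = ($null -ne $pol.PSObject.Properties['7'] -and $pol.'7' -eq 1)
    }

    # Condition: Windows UEFI CA 2023 is present in the Secure Boot signature database (db).
    # ASSUMPTION: the CA is identified by its subject string inside the db variable bytes.
    $result.SecureBootOn = $false
    $result.Ca2023InDb   = $false
    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI
        $db     = Get-SecureBootUEFI -Name db
        $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $result.Ca2023InDb = ($dbText -match 'Windows UEFI CA 2023')
    } catch {
        # Legacy BIOS or Secure Boot unsupported: the db conditions cannot hold.
    }

    # Remaining conditions (PCR7 Binding "Not Possible" in msinfo32, boot manager not yet
    # 2023-signed) are left for a manual check; no cmdlet is assumed for them here.
    $result.ManualChecksRemaining = 'msinfo32 PCR7 Binding; signer of current boot manager'

    # KB5094125 logs Event ID 1032 in the System log when it blocks the boot manager update.
    $result.Event1032Seen = [bool](Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1032 } `
                                    -MaxEvents 1 -ErrorAction SilentlyContinue)

    $result.LikelyAffected = $result.BitLockerOn -and $result.PolicyIncludesPcr7 -and $result.Ca2023InDb
    [pscustomobject]$result
}

# Workaround 1 from the article (after the GPO has been set to "Not Configured"):
# refresh policy, then drop and re-add the protectors so BitLocker re-seals.
function Invoke-Pcr7PolicyReseal {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OsDrive = 'C:')
    if ($PSCmdlet.ShouldProcess($OsDrive, 'gpupdate /force; manage-bde protectors disable/enable')) {
        gpupdate /force
        manage-bde -protectors -disable $OsDrive
        manage-bde -protectors -enable $OsDrive
    }
}

# Workaround 2 from the article: keep the policy, suspend BitLocker, run the Secure Boot
# update task, restart, then re-enable protectors after the reboot.
function Invoke-SecureBootUpdateWithSuspend {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$OsDrive = 'C:')
    if ($PSCmdlet.ShouldProcess($OsDrive, 'Suspend BitLocker, run Secure-Boot-Update task, restart')) {
        # RebootCount 0 keeps protection suspended until manage-bde -protectors -enable is run.
        Suspend-BitLocker -MountPoint $OsDrive -RebootCount 0
        Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
        Restart-Computer -Confirm
        # After the restart: manage-bde -protectors -enable C:
    }
}

Test-BitLockerPcr7Exposure | Format-List
```

Run Test-BitLockerPcr7Exposure first and treat LikelyAffected as a prompt to complete the two manual checks, not as a verdict; both Invoke-* functions support -WhatIf so the commands can be reviewed before anything changes.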
WSUS does not display synchronization error details
Symptom: After installing KB5070881 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting.
Workaround: This functionality is temporarily removed to address the Remote Code Execution Vulnerability CVE-2025-59287. No additional workaround is documented on the page.
How to get this update
Microsoft combines the latest servicing stack update (SSU) - KB5089717, version 26100.32837 - with this cumulative update in a single package. No separate SSU installation step is required before deployment.
This update is available through the following channels:
- Windows Update / Microsoft Update: Downloads and installs automatically.
- Windows Update for Business: Deploys automatically in accordance with your configured policies.
- Microsoft Update Catalog: Download the MSU package manually and install using DISM or Windows Update Standalone Installer. Two installation methods are supported: installing all MSU files together using DISM with PackagePath pointing to a folder, or installing each MSU file individually in order (KB5043080 first, then KB5087539).
- Windows Server Update Services (WSUS): Syncs automatically when Product is set to "Microsoft Server operating system-24H2" and Classification is set to "Security Updates".
To remove only the LCU after installation, use DISM /online /remove-package with the LCU package name. Note that running wusa.exe /uninstall on the combined package will not work because the SSU cannot be removed after installation.
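An added PowerShell example of the Update Catalog procedure described above, for both install orders and for the LCU-only removal; it is not from the KB article. The folder path is a placeholder, and the LCU package identity is discovered at run time with Get-WindowsPackage rather than typed in, because the article gives no package name; the assumption that LCU identities begin with Package_for_RollupFix is marked in the code.

```powershell
# Added example, not from the KB article. Run elevated.
$PackageFolder = 'C:\Packages'   # placeholder: folder holding the downloaded .msu files

# Method 1: install every MSU in the folder with a single DISM call (PackagePath = folder).
function Install-CatalogMsuFolder {
    param([Parameter(Mandatory)][string]$Folder)
    DISM.exe /Online /Add-Package /PackagePath:$Folder
    return $LASTEXITCODE   # 0 = success, 3010 = success but restart required
}

# Method 2: install each MSU individually, KB5043080 first, then KB5087539.
function Install-CatalogMsuInOrder {
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($kb in 'KB5043080', 'KB5087539') {
        $msu = Get-ChildItem -Path $Folder -Filter "*$kb*.msu" | Select-Object -First 1
        if (-not $msu) { throw "No MSU for $kb found in $Folder" }
        DISM.exe /Online /Add-Package /PackagePath:$msu.FullName
        if ($LASTEXITCODE -notin 0, 3010) { throw "DISM failed for $kb with exit code $LASTEXITCODE" }
    }
}

# The LCU can be removed on its own; the SSU bundled with it cannot, which is why
# wusa.exe /uninstall on the combined package fails. Look up the LCU identity first.
function Get-InstalledLcuPackage {
    # ASSUMPTION: LCU package identities follow the Package_for_RollupFix~... naming.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like 'Package_for_RollupFix*' -and $_.PackageState -eq 'Installed' } |
        Select-Object PackageName, InstallTime
}

function Remove-InstalledLcu {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PackageName)
    if ($PSCmdlet.ShouldProcess($PackageName, 'DISM /Online /Remove-Package')) {
        DISM.exe /Online /Remove-Package /PackageName:$PackageName
        return $LASTEXITCODE
    }
}

# Usage:
# Install-CatalogMsuInOrder -Folder $PackageFolder
# Get-InstalledLcuPackage
# Remove-InstalledLcu -PackageName (Get-InstalledLcuPackage | Select-Object -First 1 -ExpandProperty PackageName) -WhatIf
```

Check the DISM exit code after each step: 3010 means the package applied but the server still needs a restart before the new build is active, and a rollback with Remove-InstalledLcu should likewise be followed by a restart.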
Frequently asked questions
Does this update apply to Windows 11 client editions?
No. According to the official page, KB5087539 applies only to Windows Server 2025, all editions. The update history and release health dashboard entries are specific to Windows Server 2025. Client editions of Windows 11 receive separate cumulative updates each month.
What is the Secure Boot certificate expiration warning about?
Microsoft notes that Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This could prevent affected devices from booting securely if certificates are not updated in time. Administrators are advised to review guidance in the Windows Secure Boot certificate expiration and CA updates article and the Windows Server Secure playbook blog before June 2026.
What does the new ML-DSA support in AD CS mean for my environment?
This update adds post-quantum cryptography support to Active Directory Certificate Services. Administrators can now configure new certification authorities with ML-DSA-44, ML-DSA-65, or ML-DSA-87 algorithms and issue quantum-resistant certificates for code signing, TLS, and OCSP response signing. Existing CAs are not automatically converted; this applies to newly configured CAs.
Why might some users still see a sign-in error after this update?
This update addresses a known sign-in issue introduced by updates released on or after March 10, 2026, where a false "no Internet" error blocked Microsoft account sign-in to apps like Microsoft Teams even on connected devices. Installing KB5087539 includes the fix for this behavior as part of its cumulative improvements.