KB5087544: May 12, 2026 Cumulative Security Update for Windows 10 (OS Builds 19045.7291 and 19044.7291)
May 12, 2026 cumulative security update for Windows 10 version 22H2 and 21H2 LTSC, bringing OS builds to 19045.7291 and 19044.7291 with Secure Boot and RDP fixes.

Summary
This is the cumulative security update released on May 12, 2026, bringing Windows 10 version 22H2 and Windows 10 Enterprise/IoT Enterprise LTSC 2021 to OS builds 19045.7291 and 19044.7291. It addresses security vulnerabilities and quality issues, including a known Remote Desktop rendering bug and several Secure Boot certificate management improvements. Source: Microsoft Support
Important - Secure Boot certificate expiration: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices. Devices that have not yet received the newer certificates will continue to start and operate normally, and standard Windows updates will continue to install. IT administrators should consult the Secure Boot Playbook for Windows clients and Windows Server for guidance.
Highlights
- Fixed an incorrect rendering of the Remote Desktop Connection security warning dialog in multi-monitor configurations with different display scaling settings.
- Expanded Secure Boot improvements, including dynamic status reporting, broader device targeting for certificate rollouts, and new example automation scripts for IT-managed environments.
- Added a Daylight Saving Time data update for the Arab Republic of Egypt.
Improvements and fixes
- Remote Desktop security warning dialog (known issue fix): Corrects a rendering problem with the Remote Desktop Connection security warning dialog that could appear incorrectly on multi-monitor setups using different display scaling settings. This bug was introduced by the April 14, 2026 security update (KB5082200).
- Secure Boot - dynamic status reporting: Windows Security App now displays dynamic status reporting for Secure Boot states, giving users and administrators better visibility into the current Secure Boot configuration.
- Secure Boot - improved device targeting: Quality updates now carry additional high-confidence device targeting data to broaden the set of devices that can automatically receive updated Secure Boot certificates. Certificates are only delivered once a device demonstrates sufficient successful update signals, keeping the rollout controlled and phased.
- Secure Boot - new automation scripts: Eligible devices receive a new SecureBoot folder under C:\Windows. This folder contains example scripts for IT professionals to detect Secure Boot certificate update status and automate deployment through a safe rollout process in Active Directory environments. Refer to the Sample Secure Boot E2E Automation Guide for details.
- Daylight Saving Time: Updates time zone data for the Arab Republic of Egypt to reflect the government DST change order issued in 2023.
This update also incorporates all fixes from the April 14, 2026 cumulative update (KB5082200). If earlier updates are already installed, only the new content in this package will be downloaded.
Known issues
BitLocker recovery key prompt after update on devices with non-default PCR7 policy
Symptom: Some devices with an unrecommended BitLocker Group Policy configuration may be prompted to enter their BitLocker recovery key on the first restart after installing this update. This affects only devices where all of the following conditions are true:
- BitLocker is enabled on the OS drive.
- The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured with PCR7 included in the validation profile (or the equivalent registry key is set manually).
- msinfo32.exe reports Secure Boot State PCR7 Binding as "Not Possible".
- The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database (DB).
- The device is not already running the 2023-signed Windows Boot Manager.
In this scenario, the recovery key only needs to be entered once; subsequent restarts will not trigger another recovery screen as long as the Group Policy configuration remains unchanged. This issue is unlikely to affect personal devices not managed by IT.
Microsoft recommends enterprises audit their BitLocker Group Policies for explicit PCR7 inclusion and check msinfo32.exe for PCR7 binding status before deploying this update.
Workaround: Microsoft is working on a resolution. As a temporary workaround, remove the Group Policy configuration before installing the update:
- Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
- Run gpupdate /force on affected devices to propagate the policy change.
- Suspend BitLocker: manage-bde -protectors -disable C:
- Resume BitLocker: manage-bde -protectors -enable C:
This updates the BitLocker bindings to use the Windows-selected default PCR profile.
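An added example (not a Microsoft script and not one of the scripts in the SecureBoot folder) of the per-device audit recommended for this known issue, checking the conditions that can be read from an elevated PowerShell session. The policy registry path, the parsing of the msinfo32 text report (English UI) and the function names are assumptions; whether the 2023-signed Windows Boot Manager is already in use is not checked.

```powershell
# Added example, not a Microsoft script. Run in an elevated Windows PowerShell
# session on the device being audited, before installing the update.

# Assumption: registry location written by the Group Policy "Configure TPM platform
# validation profile for native UEFI firmware configurations" (value names are PCR indexes).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Test-Pcr7ExplicitInPolicy {
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return [bool]($policy -and $policy.Enabled -eq 1 -and $policy.'7' -eq 1)
}

function Get-Pcr7BindingLine {
    # msinfo32 has no object output, so export its text report and keep the PCR7 row.
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    $line = Get-Content -Path $report | Where-Object { $_ -match 'PCR7' } | Select-Object -First 1
    Remove-Item -Path $report -ErrorAction SilentlyContinue
    return "$line".Trim()
}

function Test-UefiCa2023InDb {
    # Looks for the certificate name inside the raw Secure Boot DB variable.
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
    } catch { return $false }   # legacy BIOS, or Secure Boot variables not readable
}

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$pcr7Line = Get-Pcr7BindingLine
$result = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    BitLockerOn     = ($osVolume.ProtectionStatus -eq 'On')
    Pcr7InPolicy    = Test-Pcr7ExplicitInPolicy
    Pcr7Binding     = $pcr7Line
    Pcr7NotPossible = ($pcr7Line -match 'Not Possible')
    UefiCa2023InDb  = Test-UefiCa2023InDb
}
# The fifth condition (2023-signed Windows Boot Manager already in use) is not checked,
# so AtRisk means "meets the four checked conditions; confirm the boot manager by hand".
$atRisk = $result.BitLockerOn -and $result.Pcr7InPolicy -and $result.Pcr7NotPossible -and $result.UefiCa2023InDb
$result | Add-Member -NotePropertyName AtRisk -NotePropertyValue $atRisk -PassThru
```

Devices reporting AtRisk as True are the candidates for the Group Policy workaround above before the update is deployed.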
How to get this update
Prerequisite: You must have the latest servicing stack update (SSU) installed before applying this update. Failing to do so may result in the update not being offered.
- Offline OS image servicing: If the image does not include the July 25, 2023 (KB5028244) or later LCU, install the standalone October 13, 2023 SSU (KB5031539) first.
- WSUS or Microsoft Update Catalog (standalone): If devices do not have the May 11, 2021 (KB5003173) or later LCU, install the standalone August 10, 2021 SSU (KB5005260) first.
This update is available through the following channels:
- Windows Update / Windows Update for Business: Downloaded and installed automatically according to configured policies.
- Microsoft Update Catalog: Download the standalone package directly from the Microsoft Update Catalog website.
- Windows Server Update Services (WSUS): Syncs automatically when configured. For Windows 10 version 22H2, set Product to "Windows 10, version 1903 and later" and Classification to "Security Updates". For Windows 10 version 21H2, set Product to "Windows 10 LTSB" and Classification to "Security Updates".
This update also includes the servicing stack update KB5084130 (version 19041.7183), which improves update reliability. The SSU in this package includes enhanced logic to verify whether a device is hosted on Azure, using an updated certificate chain for validation.
Frequently asked questions
Does this update apply to Windows 10 Home or Pro?
No. According to the support page, KB5087544 applies only to Windows 10 ESU, Windows 10 Enterprise LTSC 2021, and Windows 10 IoT Enterprise LTSC 2021. Standard consumer editions such as Home and Pro are not listed in the applicability for this specific cumulative update.
Will my device automatically get the new Secure Boot certificates after this update?
Not necessarily, and not immediately. The update adds additional device targeting data to broaden eligibility, but certificates are only delivered once a device has demonstrated sufficient successful update signals. The rollout is controlled and phased, so not all eligible devices receive the certificates at the same time.
What should I do before deploying this update to managed devices with BitLocker enabled?
Microsoft recommends auditing BitLocker Group Policies for explicit PCR7 inclusion before deployment. Check msinfo32.exe on managed devices to confirm PCR7 Binding status. If PCR7 is explicitly configured and binding is "Not Possible", consider applying the Group Policy workaround described in the Known Issues section before rolling out the update fleet-wide.
Is a separate servicing stack update required before installing KB5087544?
The latest SSU is bundled with this cumulative update as KB5084130 (version 19041.7183), so no separate SSU download is typically needed for most deployment methods. However, for WSUS or standalone catalog deployments on devices lacking the May 11, 2021 LCU, the standalone August 10, 2021 SSU (KB5005260) must be installed first.









