
KB5087545: Windows Server 2022 Cumulative Update (OS Build 20348.5139) - May 2026

May 12, 2026 security cumulative update for Windows Server 2022, bringing OS build to 20348.5139 with Secure Boot certificate improvements and quality fixes.


Summary

This is the May 12, 2026 cumulative security update for Windows Server 2022, bringing the OS build to 20348.5139. It packages the latest security fixes together with non-security improvements carried forward from the April 2026 optional preview release. Source: Microsoft Support.

Highlights

  • Secure Boot certificate rollout expands coverage: Windows quality updates now include additional high-confidence device targeting data, increasing the number of devices eligible to receive new Secure Boot certificates automatically.
  • A new C:\Windows\SecureBoot folder is added on eligible devices, containing sample scripts for IT administrators to detect certificate update status and automate deployment in Active Directory environments.
  • Sign-in reliability fix: addresses an issue where users could receive a "no Internet" error when signing in to Microsoft account-dependent apps even on connected devices, introduced after the March 10, 2026 update.
  • Remote Desktop Connection security warning dialog fixed for multi-monitor setups where monitors use different display scaling.

Improvements and fixes

  • Secure Boot - expanded targeting: Quality updates now carry additional device targeting data to widen automatic delivery of new Secure Boot certificates, while keeping the rollout phased and controlled based on successful update signals.
  • Secure Boot - new folder and scripts: A SecureBoot folder is created under C:\Windows on eligible devices. It contains example scripts for IT professionals to check certificate update status and run safe, automated deployments across Active Directory-managed fleets.
  • App calculation accuracy: Improvements to the accuracy and reliability of calculations used by apps and system components, with more consistent results when handling very small numeric values.
  • Daylight saving time (DST): Adds support for the 2023 DST change applicable to the Arab Republic of Egypt.
  • Desktop responsiveness: Improves how the Windows Server interface behaves during everyday tasks, reducing instances where windows stop responding and producing smoother interactions.
  • Microsoft account sign-in: Resolves an issue introduced on or after March 10, 2026, where a false "no Internet" error blocked sign-in to apps using a Microsoft account, preventing access to services such as Microsoft Teams.
  • Remote Desktop Connection dialog (known issue fix): Corrects an incorrect rendering of the Remote Desktop Connection security warning dialog in multi-monitor configurations with different scaling settings, first seen after installing the April 2026 update (KB5082142).
  • Servicing stack update included: A bundled servicing stack update (KB5089140, version 20348.5120) improves the reliability of the component responsible for installing Windows updates.

Known issues

BitLocker recovery key prompted after update on certain configurations

Symptom: Some devices with a specific, unrecommended BitLocker Group Policy configuration may be required to enter their BitLocker recovery key on the first restart after installing this update. This affects only devices where all of the following conditions are true:

  • BitLocker is enabled on the OS drive.
  • The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is set with PCR7 included.
  • System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".
  • The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database.
  • The device is not already running the 2023-signed Windows Boot Manager.

The recovery key is only required once - subsequent restarts will not trigger the recovery screen as long as the Group Policy configuration remains unchanged.

Workaround: Microsoft recommends removing the Group Policy configuration before installing the update. Steps:

  1. Open Group Policy Editor (gpedit.msc) or Group Policy Management Console.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
  4. Run gpupdate /force to propagate the change.
  5. Run manage-bde -protectors -disable C: to suspend BitLocker.
  6. Run manage-bde -protectors -enable C: to resume it.

This updates the BitLocker bindings to use the Windows-selected default PCR profile. A permanent fix is planned in a future Windows update.
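A read-only triage of the conditions listed in the symptom above, as an added PowerShell example; it is not Microsoft's script and not one of the samples shipped in C:\Windows\SecureBoot. The function name is hypothetical, the registry location of the policy is an assumption, and the fifth condition (boot manager signing) is not checked, so a match means "review this device" rather than "affected".

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. Read-only triage for the BitLocker known issue.
function Get-Kb5087545BitLockerTriage {
    param([string]$MountPoint = $env:SystemDrive)

    # Condition 1: BitLocker protection is on for the OS drive.
    $bitLockerOn = $false   # BitLocker feature not installed means not enabled
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
        $bitLockerOn = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')
    }

    # Condition 2: the UEFI platform validation policy is enabled and selects PCR 7.
    # Assumption: the policy is stored under this key with one value per PCR index.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $policyPcr7 = ($null -ne $pol) -and ($pol.Enabled -eq 1) -and ($pol.'7' -eq 1)

    # Condition 3: System Information reports PCR7 binding as "Not Possible".
    # msinfo32 /report writes the full report to a text file; this can take a minute.
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process msinfo32.exe -ArgumentList '/report', "`"$report`"" -Wait
    $pcr7Line = (Select-String -Path $report -Pattern 'PCR7' -ErrorAction SilentlyContinue |
        Select-Object -First 1).Line
    Remove-Item $report -ErrorAction SilentlyContinue
    $bindingNotPossible = if ($pcr7Line) { $pcr7Line -match 'Not Possible' } else { $null }

    # Condition 4: "Windows UEFI CA 2023" appears in the Secure Boot signature database.
    try {
        $db = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
        $ca2023InDb = [Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
    } catch { $ca2023InDb = $null }   # variable unreadable, e.g. legacy BIOS boot

    # Condition 5 (2023-signed Windows Boot Manager not yet in use) is not tested here,
    # so a device passing all four checks is flagged for review, not declared affected.
    $checks = $bitLockerOn, $policyPcr7, $bindingNotPossible, $ca2023InDb
    $verdict = if ($checks -contains $false) { 'NotAffected' }
               elseif ($checks -contains $null) { 'Unknown' }
               else { 'ReviewBeforePatching' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Verdict = $verdict; BitLockerOn = $bitLockerOn
        PolicyIncludesPcr7 = $policyPcr7; Pcr7Line = $pcr7Line; Ca2023InDb = $ca2023InDb
    }
}

Get-Kb5087545BitLockerTriage
```

Because all five conditions must hold, any single check returning false rules the device out; a check that could not be read yields "Unknown" instead of a false all-clear.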

WSUS does not display synchronization error details

Symptom: After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting.

Workaround: This functionality was temporarily removed to address the Remote Code Execution Vulnerability CVE-2025-59287. No additional workaround is documented at this time.

How to get this update

Microsoft now bundles the latest servicing stack update (SSU) with the latest cumulative update (LCU) in a single package. Before servicing an offline OS image, confirm the image includes KB5030216 (released September 12, 2023) or a later LCU; without it, the SSU version will be below 20348.1960, which can cause error 0x800f0823 during installation.

This update is available through the following channels:

  • Windows Update / Microsoft Update: Downloads and installs automatically.
  • Windows Update for Business: Deploys automatically in accordance with configured policies.
  • Microsoft Update Catalog: Standalone package available for manual download.
  • Windows Server Update Services (WSUS): Syncs automatically when Products is set to "Microsoft Server operating system-21H2" and Classification is set to "Security Updates".

To remove only the LCU after installing the combined SSU+LCU package, use the DISM /Remove-Package command with the LCU package name as the argument. Running wusa.exe /uninstall on the combined package will not work because it contains the SSU, which cannot be removed after installation.

Frequently asked questions

Is the servicing stack update separate from KB5087545?

No. Microsoft now combines the servicing stack update with the cumulative update in one package. The servicing stack update included here is KB5089140, version 20348.5120. You do not need to download or install it separately when applying this cumulative update through the standard channels.

What should administrators do about the Secure Boot certificate expiration notices?

Microsoft states that devices that have not yet received the newer Secure Boot certificates will continue to start and operate normally, and standard Windows updates will continue to install. IT administrators should consult the Secure Boot Playbook for Windows Server and monitor deployment status using the new scripts placed in C:\Windows\SecureBoot on eligible devices.

Do all devices affected by the BitLocker known issue need to enter the recovery key every restart?

No. According to Microsoft, the BitLocker recovery key is only required on the first restart following the update installation. Subsequent restarts will not trigger the recovery screen, provided the Group Policy configuration has not changed. Enterprises are advised to audit BitLocker Group Policies and check PCR7 binding status in msinfo32.exe before deploying this update.

What fixes are included from previous releases?

This update includes all fixes and quality improvements from KB5082142 (released April 14, 2026) and KB5091575 (released April 19, 2026). Devices that already have those updates installed will download and install only the new content added in this package.
