Windows 10 KB5087544: May 2026 ESU Update Explained

On Tuesday, May 12, 2026, Microsoft released the May 2026 ESU update for Windows 10, labeled KB5087544. Let's take a look at the changes included in this new update.

Reminder: the May 2026 Patch Tuesday fixes 120 vulnerabilities across Microsoft products, including Windows. This update therefore addresses security issues in addition to the changes mentioned below.

In the release notes associated with this KB, Microsoft highlights a few changes, but they are very limited. Here are the details.

👉 Remote Desktop

Microsoft has fixed a known issue related to the new warnings introduced in April 2026 when opening RDP shortcuts. In some cases, the warning window might not display correctly (for example, inaccessible buttons) on multi-monitor setups with different scaling values. This issue is now resolved by this update.

👉 Secure Boot

This update enhances the Windows Security app to display the Secure Boot status, particularly with regard to the certificate update for Secure Boot. This new indicator makes it possible to check whether your device has received the 2023 Secure Boot certificates. Microsoft also says that certificate deployment is still ongoing.

This new ESU update is now available through Windows Update.

A known issue with KB5087544

One issue that was already present last month is still present this month. Microsoft says: "Devices whose BitLocker Group Policy configuration is not compliant may be prompted to enter their BitLocker recovery key."

This is a limited issue that affects only machines for which all of the following conditions are met:

  • The device is not already running the Windows Boot Manager signed with the 2023 certificate.
  • BitLocker is enabled on the operating system drive.
  • The Group Policy Object (GPO) "Configure the TPM platform validation profile for native UEFI firmware configurations" is configured, and the PCR7 component is included in the validation profile (or the equivalent Registry key is configured manually).
  • The System Information utility (msinfo32.exe) shows that the PCR7 binding status is "Impossible".
  • The Windows UEFI CA 2023 certificate is present in the Secure Boot signature database (DB) of the device, making it eligible for the 2023-signed Windows Boot Manager to be set as the default.

If you have a GPO to configure BitLocker on Windows 10, it may be worth checking! Full details are provided on this page.
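
As a starting point for that check, here is an added example (not taken from the article or from Microsoft) that reads three of the listed conditions on the local device: BitLocker on the OS drive, PCR7 in the GPO validation profile, and the Windows UEFI CA 2023 certificate in the Secure Boot DB. The registry path used for the GPO and the function names are assumptions to verify in your environment.

```powershell
# Added example (not from the article or from Microsoft). Run elevated on the device.
# ASSUMPTION: policy key backing the GPO "Configure TPM platform validation profile
# for native UEFI firmware configurations"; selected PCRs are values named by index.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Test-BitLockerOnOsDrive {
    # True when the OS volume is encrypted (or being encrypted) by BitLocker.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return ($vol.VolumeStatus -ne 'FullyDecrypted')
    } catch { return $false }
}

function Test-Pcr7InPolicyProfile {
    # True when the policy is enabled and PCR 7 is part of the validation profile.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.Enabled -ne 1) { return $false }
    return ($p.'7' -eq 1)
}

function Test-UefiCa2023InDb {
    # True when the Secure Boot DB contains the Windows UEFI CA 2023 certificate.
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        return ($text -match 'Windows UEFI CA 2023')
    } catch { return $false }   # legacy BIOS or Secure Boot variables unreadable
}

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    BitLockerOnOsDrive = (Test-BitLockerOnOsDrive)
    Pcr7InGpoProfile   = (Test-Pcr7InPolicyProfile)
    UefiCa2023InDb     = (Test-UefiCa2023InDb)
}

# All listed conditions must hold for the issue to apply, so a single False
# here rules the device out; True only means the remaining checks are needed.
$candidate = $report.BitLockerOnOsDrive -and $report.Pcr7InGpoProfile -and $report.UefiCa2023InDb
$report | Add-Member -NotePropertyName NeedsManualCheck -NotePropertyValue $candidate
$report | Format-List
```

When NeedsManualCheck is True, the two conditions the script does not read still have to be confirmed by hand: the PCR7 binding status shown by msinfo32.exe, and whether the device is already running the 2023-signed Windows Boot Manager.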

List of Windows 10 ESU updates

Below is the list of Windows 10 ESU updates released to date.

Patch for the month of...    KB number
May 2026                     KB5087544
April 2026                   KB5082200
March 2026                   KB5078885
February 2026                KB5075912
January 2026                 KB5073724
December 2025                KB5071546
November 2025                KB5068781

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.