Microsoft rolled out the May 2026 Patch Tuesday update KB5087544 on May 12, 2026, for Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021, and systems enrolled in the Extended Security Updates (ESU) program. This mandatory cumulative update addresses a range of security vulnerabilities and introduces several notable quality improvements, including a long-awaited fix for Remote Desktop Protocol (RDP) connectivity issues, a more transparent Secure Boot status reporting mechanism, and updated guidance around BitLocker recovery key prompts.

The update arrives as part of Microsoft's ongoing commitment to secure the Windows 10 platform for enterprise and IoT customers under long-term servicing, even as mainstream support has ended for most editions. With the May 2026 release, administrators gain critical tools to manage encryption and remote access more reliably.

Remote Desktop Protocol fixes take center stage

One of the most impactful changes in KB5087544 targets the Remote Desktop Protocol. For months, administrators managing fleets of Windows 10 LTSC machines reported intermittent RDP disconnects and authentication failures following the installation of certain security updates. The problem, traced to a miscommunication between the CredSSP provider and the RDP stack when FIPS 140-2 compliance was enforced, caused connections to drop with error 0x8009030e or simply fail to establish after waking from sleep or switching networks.

Microsoft's security response also addresses a critical vulnerability (CVE-2026-1873) in the Remote Desktop Services component that could allow an unauthenticated attacker to execute arbitrary code on the target system by sending specially crafted packets to a vulnerable RDP server. While exploitation was deemed less likely for LTSC systems running behind firewalls, the patch closes this remote code execution vector entirely by hardening the RDP listener and improving input validation.

Additionally, a memory leak in the Remote Desktop client (mstsc.exe) that gradually consumed system resources during prolonged sessions has been plugged. Quality assurance tests confirm that RDP sessions now remain stable even when connecting to locked-down shells and domain-joined endpoints, a relief for IT teams that rely on remote administration.
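The following read-only PowerShell inventory is an added example, not part of the article or of Microsoft's guidance; it collects the RDP listener settings an administrator would want on record when correlating the CredSSP/FIPS disconnects and the listener exposure described above. It uses only standard Windows 10 registry keys and CIM classes and assumes an elevated session.

```powershell
# Added example: read-only inventory of the RDP settings relevant to the CredSSP/FIPS
# disconnect (0x8009030e) and to exposure of the RDP listener. Run elevated.

$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'"

$posture = [pscustomobject]@{
    FipsPolicyEnabled  = [bool]$lsa.Enabled                 # 1 = FIPS 140-2 policy enforced system-wide
    RdpEnabled         = ($ts.fDenyTSConnections -eq 0)
    NlaRequired        = [bool]$rdp.UserAuthenticationRequired
    SecurityLayer      = @{0='RDP';1='Negotiate';2='TLS'}[[int]$rdp.SecurityLayer]
    MinEncryptionLevel = @{1='Low';2='ClientCompatible';3='High';4='FIPS'}[[int]$rdp.MinEncryptionLevel]
}
$posture | Format-List

# Findings a defender would act on or record while the listener is reachable.
$findings = @()
if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    $findings += 'NLA is off: unauthenticated clients reach the RDP stack before logon.'
}
if ($posture.RdpEnabled -and $posture.SecurityLayer -eq 'RDP') {
    $findings += 'Security layer is legacy RDP: CredSSP/TLS is not negotiated for the connection.'
}
if ($posture.FipsPolicyEnabled) {
    $findings += 'FIPS 140-2 policy is enforced: the pre-KB5087544 CredSSP/RDP disconnect applies to this configuration.'
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No RDP posture findings.' }
```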

Secure Boot status reporting gets a clarity upgrade

KB5087544 introduces a new diagnostic capability for Secure Boot. Previously, determining the exact policy state and certificate keys loaded during boot required deep dives into UEFI logs. With this update, MSInfo32.exe (System Information) and the Event Viewer now display a comprehensive "Secure Boot Status" entry that indicates whether Secure Boot is:

  • Enforced – the system booted with trusted firmware and an unaltered boot chain.
  • Not Enforced – boot configuration policy allows untrusted code, such as when the platform is in Setup Mode or has invalid DB/DBX keys.
  • Off – Secure Boot is disabled entirely.

Event Viewer (under Applications and Services Logs > Microsoft > Windows > SecureBoot) logs detailed timestamps of each boot attempt, including the Secure Boot policy used, the status of the signature databases, and whether the boot manager encountered any verification failures. This information is gold for security auditors and system administrators who need to guarantee that devices have not been tampered with.

Critically, the update also fixes a false‑positive reporting bug in Windows Defender Application Control (WDAC) policies where Secure Boot was incorrectly reported as "Off" on some Dell and HP business laptops. The fix ensures that compliance dashboards relying on WMI queries now reflect the true state.
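As an added example (not from the article), the script below cross-checks the Secure Boot state from the firmware, the registry and the WMI view that compliance dashboards read, so the kind of WMI mismatch the article describes shows up as a disagreement between sources. `Confirm-SecureBootUEFI`, the `SecureBoot\State` key and `Win32_DeviceGuard` exist on any UEFI Windows 10; the event log name is an assumption derived from the Event Viewer path given above.

```powershell
# Added example: consolidate Secure Boot state from several sources and flag disagreement.
# The log name below is an ASSUMPTION based on the Event Viewer path in the article.
$assumedLog = 'Microsoft-Windows-SecureBoot/Operational'

$report = [ordered]@{}
try {
    $report.ConfirmSecureBootUEFI = Confirm-SecureBootUEFI      # $true/$false; throws on legacy BIOS
} catch {
    $report.ConfirmSecureBootUEFI = "unsupported ($($_.Exception.Message))"
}

$state = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' -ErrorAction SilentlyContinue
$report.UEFISecureBootEnabled = $state.UEFISecureBootEnabled   # 1 when the OS loader saw Secure Boot on

# WMI view used by compliance tooling: AvailableSecurityProperties contains 2 for Secure Boot.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$report.WmiReportsSecureBoot = [bool]($dg.AvailableSecurityProperties -contains 2)

# A false "Off" from one source while the firmware says enabled is the mismatch to investigate.
$fw = $report.ConfirmSecureBootUEFI
$report.SourcesAgree = ($fw -is [bool]) -and
                       ($fw -eq [bool]$report.UEFISecureBootEnabled) -and
                       ($fw -eq $report.WmiReportsSecureBoot)

# Recent boot records from the new per-boot log, if this build has it.
$events = Get-WinEvent -LogName $assumedLog -MaxEvents 10 -ErrorAction SilentlyContinue
if ($events) {
    $report.RecentBootEvents = $events | Select-Object TimeCreated, Id, @{n='Summary'; e={ $_.Message.Split("`n")[0] }}
} else {
    $report.RecentBootEvents = "log '$assumedLog' not present (pre-KB5087544 build or different log name)"
}

[pscustomobject]$report | Format-List
```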

BitLocker recovery key prompts: less mystery, more guidance

BitLocker recovery key prompts can be alarming for end users, especially when they appear unexpectedly after routine firmware updates or docking station changes. KB5087544 aims to demystify these events. The update refines the detection logic that triggers the recovery key screen. Now, Windows more accurately distinguishes between a legitimate change in boot configuration (such as a BIOS update or a new peripheral) and a potential attack vector, reducing unnecessary prompts.

Moreover, when the recovery screen does appear, the message text now includes a clear explanation of why the key is required and, if the system is enrolled in Microsoft Intune or Azure Active Directory, provides a direct link to the organizational recovery portal (if configured). For standalone machines, the prompt explains how to locate the key in a Microsoft account or on a printed backup.

This change is a direct response to enterprise feedback that the previous generic message caused confusion and unnecessary help‑desk calls. The update does not alter BitLocker's encryption algorithms or recovery key storage, but it does enhance the audit log in the BitLocker-API events (event ID 846) to record the reason code for the recovery trigger, making post‑incident analysis faster.
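For help-desk triage of the recovery prompts discussed above, here is an added PowerShell example (not from the article). The BitLocker Management log name and `Get-BitLockerVolume` are standard; event ID 846 is taken from the article, and the "Reason" regular expression is an assumption about the message wording, so the script falls back to the raw message when it does not match.

```powershell
# Added example: list recent BitLocker recovery events with their reason text, then show
# whether each volume has a recovery password and a TPM protector. Run elevated.
$log   = 'Microsoft-Windows-BitLocker/BitLocker Management'
$since = (Get-Date).AddDays(-30)

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 846; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No event 846 in '$log' during the last 30 days." }

foreach ($e in $events) {
    # ASSUMED message shape: a "Reason: <text>" or "reason code <n>" fragment; adjust to the real text.
    $reason = if ($e.Message -match '(?i)reason(?: code)?[:\s]+([^\r\n]+)') { $Matches[1].Trim() } else { '(see raw message)' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Reason  = $reason
        Summary = $e.Message.Split("`n")[0]
    }
}

# Protector state per volume: a device without an escrowed recovery password is the one that
# turns a legitimate firmware or dock change into a locked-out user.
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume            = $_.MountPoint
        Protection        = $_.ProtectionStatus
        RecoveryPasswords = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
        TpmProtector      = [bool]($_.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    }
}
```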

Other security and quality improvements

Beyond the headline features, KB5087544 patches dozens of vulnerabilities across the Windows kernel, Graphics Component, NTFS, and the Print Spooler. Highlights include:

  • CVE-2026-2104 – Elevation of privilege flaw in the Windows Kernel that could allow a local authenticated attacker to gain SYSTEM privileges via a race condition in the job object management.
  • CVE-2026-1987 – Remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) service, which could be exploited by sending a maliciously crafted MSMQ packet.
  • Print Spooler fix – A memory corruption issue that could be triggered when a client connects to a shared printer with a malformed driver package is now resolved, hardening the spooler against potential remote exploitation.
  • LSASS memory leak – The update patches a memory leak in the Local Security Authority Subsystem Service that occurred when processing NTLM authentication requests, a regression first reported after the March 2026 security update.

The servicing stack update bundled with this release also improves the reliability of Windows Update scans for ESU-licensed devices. Customers with Extended Security Updates now experience faster detection of available patches and fewer false‑positive “update failed” errors in the Windows Update log.

Known issues in KB5087544

As with any cumulative update, KB5087544 carries a handful of known issues. Microsoft’s documentation flags the following:

1. Intermittent errors with USB-connected printers

Some multifunction printers from Brother, Canon, and Ricoh may report error 0x0000011b when accessed via USB after installing this update. Microsoft is working on a resolution and recommends using a network connection as a temporary workaround.

2. Custom UI applications may not open

Applications that use the SetWindowLong API to subclass window procedures may fail to launch if they were not compiled with the latest Windows SDK headers. This affects legacy line-of-business apps. A fix is expected in next month's optional update.

3. TPM attestation failures on Intel 11th Gen systems

On certain Dell Latitude and HP EliteBook models with Intel 11th Gen processors and TPM 2.0, the System Guard Secure Launch may report an abnormal attestation failure after the update. Microsoft and OEMs are investigating; users can safely ignore the one‑time error if the system boots normally.

How to install KB5087544

The update is available through the following channels:

  • Windows Update – Automatically downloaded on eligible LTSC and ESU systems that are configured to receive updates automatically.
  • Microsoft Update Catalog – Standalone .msu files for manual installation or for deployment via WSUS and Configuration Manager, downloadable directly from the Microsoft Update Catalog.
  • WSUS and Configuration Manager – The update will sync to on‑premises management tools in the “Critical Updates” classification.

Before installing, administrators should ensure that the latest servicing stack update (KB5081001) is applied, as it is a prerequisite. For ESU customers, an active ESU MAK key must be installed and the ESU licensing preparation package from the January 2026 patch cycle must be present.

A restart is required after installation.
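The installation steps above, as an added PowerShell example that is not from the article: it checks that the prerequisite servicing stack update is present, installs the Catalog .msu with `wusa.exe`, and interprets the exit code. The KB numbers come from the article; the package path is a placeholder, and the ESU check only surfaces the licensing entry for a human to read.

```powershell
# Added example: gate the KB5087544 install on the prerequisites listed in the article. Run elevated.
$Prereq  = 'KB5081001'                                  # servicing stack update named as prerequisite
$Target  = 'KB5087544'
$MsuPath = 'C:\Updates\PLACEHOLDER-kb5087544.msu'       # placeholder: path of the file downloaded from the Catalog

function Test-HotFixInstalled([string]$Id) {
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

if (Test-HotFixInstalled $Target) { Write-Host "$Target already installed; nothing to do."; return }
if (-not (Test-HotFixInstalled $Prereq)) { throw "Prerequisite servicing stack update $Prereq is missing; install it first." }
if (-not (Test-Path $MsuPath)) { throw "Package not found at $MsuPath; download it from the Microsoft Update Catalog." }

# ESU customers: show the licensing entries so the operator can confirm an active ESU MAK before installing.
cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv all | Select-String -Pattern 'ESU', 'License Status'

# wusa.exe installs a standalone .msu; /quiet suppresses the UI and /norestart lets you schedule the reboot.
$p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru

switch ($p.ExitCode) {
    0       { Write-Host "$Target installed; restart the system to complete the update." }
    3010    { Write-Host "$Target installed; reboot required (exit 3010)." }
    2359302 { Write-Host "$Target was already present (exit 2359302, WU_S_ALREADY_INSTALLED)." }
    default { throw "wusa.exe exited with $($p.ExitCode); run Get-WindowsUpdateLog to inspect the failure." }
}
```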

The bigger picture

With the May 2026 security release, Microsoft reinforces its commitment to locking down Windows 10 for the long tail. The RDP fix alone will be a time‑saver for thousands of IT departments that manage remote desktops in healthcare, manufacturing, and government sectors where LTSC editions remain prevalent. Secure Boot transparency and BitLocker recovery refinements directly answer compliance demands from EU regulations such as NIS2 and the Cyber Resilience Act, which require demonstrable boot integrity and encryption key management.

As Windows 10 marches deeper into its extended support phase, updates like KB5087544 are more about hardening than adding features. That's exactly what the enterprises relying on these LTSC and ESU SKUs need: predictable, bullet‑proof stability without surprises.