Microsoft pushed KB5087544 to Windows 10 22H2 Extended Security Update (ESU) systems on May 12, 2026, bringing the May Patch Tuesday cumulative update. The package raises OS builds to 19045.7291 and bundles all previous security improvements since the last optional update, along with new safeguards for Secure Boot and BitLocker. The release lands squarely for organizations and individuals still running Windows 10 under a paid ESU subscription, as mainstream support ended in October 2025.
The update is mandatory for ESU-eligible devices and introduces a visible Secure Boot status indicator inside Windows Security, refined licensing validation, and heightened BitLocker recovery key checks. Here’s what IT admins and advanced users need to know before deployment.
ESU rules tighten with KB5087544
Windows 10 22H2 entered its Extended Security Update phase on November 1, 2025, requiring a per-machine license through the Volume Licensing Service Center or the new Microsoft ESU portal. KB5087544 sharpens the validation process. Systems without an active ESU key will see the update offered but will fail to install with error 0x8007007e or a prompt to visit Settings > Update & Security > Activation. The licensing check now runs during the pre-installation scan, not just after reboot. Microsoft also added a dedicated banner under Windows Update that reads: “Your device is not licensed for ESU. Install updates once you activate.”
For organizations using MAK keys or subscription activation, no changes are needed if the ESU product key was already injected. The update also fixes a bug where certain MAK activations would drop the ESU license after multiple reboots—a glitch reported in the March 2026 preview update. Admins who deploy via WSUS or Configuration Manager should verify that the ESU prerequisite update (KB5027397) and the latest servicing stack update (KB5043125) are present; KB5087544 refuses to install without them.
Small businesses that purchased ESU through the Microsoft Cloud Solution Provider program can check license status by running slmgr /dlv and confirming that the “Extended Security Updates” add-on appears. The update also bundles the latest ESU licensing certificate (v1.6), extending the activation grace period from 30 to 45 days for disconnected environments.
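The following script is an added example (not Microsoft's code and not from the KB article) that checks, on one device, the things the licensing and prerequisite checks above depend on. It assumes the KB numbers and the 19045.7291 target build quoted in the article, and that the ESU add-on appears as "Extended Security Updates" in slmgr output.

```powershell
# Added example, not Microsoft's or the KB article's code. Checks the
# prerequisites and ESU licensing state the article says KB5087544 validates.
# Assumes the KB numbers and target build quoted in the article and that the
# ESU add-on shows up as "Extended Security Updates" in slmgr output.
$Prereqs   = @('KB5027397', 'KB5043125')   # ESU prerequisite + servicing stack update
$TargetUbr = 7291                          # 19045.7291 once KB5087544 is installed

function Test-Kb5087544Readiness {
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missing   = @($Prereqs | Where-Object { $installed -notcontains $_ })

    # The full OS build is CurrentBuild.UBR, e.g. 19045.7291
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = "$($ver.CurrentBuild).$($ver.UBR)"

    # slmgr.vbs is a script host script, so run it under cscript to capture text;
    # "/dlv all" lists every installed license, including add-ons such as ESU
    $dlv = & cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv all 2>&1 | Out-String
    $esuListed = $dlv -match 'Extended Security Updates'

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = $build
        AlreadyApplied = ([int]$ver.UBR -ge $TargetUbr)
        MissingPrereqs = if ($missing.Count) { $missing -join ', ' } else { 'none' }
        EsuAddOnListed = $esuListed
        ReadyToInstall = ($missing.Count -eq 0) -and $esuListed -and ($ver.CurrentBuild -eq '19045')
    }
}

Test-Kb5087544Readiness
```

Run it from an elevated prompt; devices reporting MissingPrereqs other than "none" or EsuAddOnListed False are the ones the pre-installation scan will reject.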
Secure Boot status gains a front-end
Until now, verifying Secure Boot status on Windows 10 required diving into MSInfo32, PowerShell, or the UEFI firmware. KB5087544 adds a prominent “Secure Boot” tile under Windows Security > Device Security. The tile displays a green checkmark when Secure Boot is on and firmware keys are intact, a yellow warning if Secure Boot is enabled but database keys are revoked or missing, and a red alert when entirely disabled.
Behind the scenes, the update leverages the existing Windows Defender System Guard runtime attestation to surface the information through the Windows Security app. If a device has Secure Boot off, the tile offers a “Learn more” link that opens the UEFI firmware settings manual for major OEMs. Microsoft notes that the feature does not alter Secure Boot policy; it’s purely a visibility improvement aimed at helping administrators spot misconfigured devices faster. A new event, Event ID 1799 in the Microsoft-Windows-Security-SPP log, records every state change.
Early feedback from Windows Insider rings highlighted one quirk: machines with a customized Platform Key (PK)—common in dual-boot Linux setups—may see a false warning even if Secure Boot is functional. Microsoft acknowledged the behavior in the KB5087544 release notes and promised a correction in the June 2026 update. IT pros can suppress the tile via a new Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Security > Device Security > Hide Secure Boot status.
BitLocker recovery key checks intensify
The May update pushes BitLocker’s pre-provisioning checks deeper into the boot sequence. After applying KB5087544, Windows performs a cold-start verification of the Trusted Platform Module (TPM) and the Secure Boot PCR7 binding before unlocking the OS drive. If the firmware has been updated, Secure Boot configuration altered, or PCR7 binding is invalid, the system will immediately prompt for the BitLocker recovery key—even if previous boots succeeded.
This behavior mirrors the hardening that was delivered to Windows 11 via an October 2025 dynamic update and is now backported to Windows 10 22H2 ESU. The change directly addresses bypass techniques that relied on manipulating the boot manager to skip BitLocker checks. Microsoft states that the cold-start verification adds roughly two seconds to boot time on modern NVMe drives and up to ten seconds on eMMC-based tablets.
Admins managing fleets should audit BitLocker recovery key backups before rolling out the update. A new PowerShell cmdlet, Test-BitLockerPCR7Binding, included with the update, generates a report indicating which devices would trigger a recovery prompt. Results are also logged in Event ID 24679 with the source BitLocker-Driver. For machines already encrypted with non-default PCR profiles (PCR 0,2,4,11 used by some third-party encryption tools), the update does not force re-encryption, but it will log a compatibility warning. Enterprises using MBAM or Microsoft Intune for BitLocker management should update the Recovery Service to version 10.2405.11 or later to handle the slightly elevated volume of recovery key requests.
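As an added example (not Microsoft's code and not part of the KB article), the script below audits the conditions the new cold-start check depends on for each encrypted volume and can push recovery passwords to AD DS before the rollout. It uses only the standard BitLocker, TPM and Secure Boot cmdlets; Test-BitLockerPCR7Binding is the cmdlet the article names, and since its parameters and output are not documented here it is only invoked when present and its output is passed through unchanged.

```powershell
# Added example (not Microsoft's or the KB article's code): pre-rollout audit of the
# conditions the cold-start TPM/PCR7 check depends on, plus optional AD DS backup of
# recovery passwords. Needs the BitLocker module and an elevated prompt.
function Get-BitLockerRolloutRisk {
    param([switch]$BackupToAD)   # also escrow each recovery password in AD DS

    $tpm = Get-Tpm
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }    # legacy BIOS: cmdlet unsupported, treat as off

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }

        $types   = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        $usesTpm = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        $recovPw = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        # Conditions under which, per the article, the cold-start check will demand the key
        $reasons = @()
        if ($usesTpm -and -not $tpm.TpmReady) { $reasons += 'TPM not ready' }
        if ($usesTpm -and -not $secureBoot)   { $reasons += 'Secure Boot off (PCR7 binding invalid)' }
        if ($recovPw.Count -eq 0)             { $reasons += 'no RecoveryPassword protector to fall back on' }

        if ($BackupToAD) {
            foreach ($p in $recovPw) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
            }
        }

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            ProtectionOn         = ($vol.ProtectionStatus -eq 'On')
            Protectors           = ($types -join ',')
            RecoveryPasswords    = $recovPw.Count
            LikelyRecoveryPrompt = ($reasons.Count -gt 0)
            Reasons              = ($reasons -join '; ')
        }
    }
}

Get-BitLockerRolloutRisk | Format-Table -AutoSize

# Cmdlet named in the article; its interface is not documented here, so it is only
# called when the update has installed it, and its output is shown as-is.
if (Get-Command Test-BitLockerPCR7Binding -ErrorAction SilentlyContinue) {
    Test-BitLockerPCR7Binding
}
```

Volumes flagged LikelyRecoveryPrompt are the ones to reconcile against your key escrow before the update reaches them; the -BackupToAD switch does the escrow for domain-joined machines.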
A known issue listed in KB5087544 concerns environments that use a pre-boot authentication PIN with TPM. On a small subset of Dell and Lenovo devices, the first cold boot after update installation may freeze at the BitLocker PIN prompt for 30 seconds, then resume normally. Microsoft is working with OEMs on a firmware fix and suggests disabling “Fast Boot” in the UEFI as a temporary workaround.
Other security fixes and improvements
KB5087544 is a standard cumulative security update, meaning it includes all previously released security patches for Windows 10 22H2. The security updates address 47 unique CVEs, nine of which are rated Critical. The most severe flaws involve Remote Desktop Services (CVE-2026-6543, CVE-2026-6547), allowing remote code execution with no user interaction. Microsoft notes no evidence of active exploitation at release time, but the RDS vulnerabilities were publicly disclosed at a security conference in April 2026.
The update also patches a Kernel Elevation of Privilege bug (CVE-2026-6512) that could let low-integrity processes execute code in kernel context. The flaw was reported by Kaspersky’s Advanced Threat Research team and affects all Windows 10 22H2 builds. Alongside these CVEs, KB5087544 raises the Secure Boot Advanced Threat Protection (ATP) signature database to version 1.397.1230.0, blocking several UEFI bootkits identified by ESET in late 2025.
Servicing stack improvements include better differential update compression, reducing the download size by 14% compared to the April 2026 update. The combined package weighs 689 MB for x64 systems and 398 MB for x86, assuming a fully patched base. The update also addresses a memory leak in Windows Defender Application Control (WDAC) when processing policy updates on systems with more than 16 logical processors.
For enterprises still running Microsoft Edge Legacy (discontinued in 2021), KB5087544 forcibly removes the remaining stub binaries and clears stale registry entries—a housekeeping move unlikely to disrupt anyone but worth noting in change logs.
How to install and deployment notes
KB5087544 is available through all standard channels: Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog. Because it’s tagged as a security update, it will install automatically on ESU-activated devices with default deferral settings. Non-ESU devices will see the update listed but will receive a “Download error” with code 0x8007007e if they attempt to install it.
To deploy via Configuration Manager, sync the “Security Updates” classification and look for Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5087544). The update supersedes March’s KB5078901 and April’s optional KB5085432. A post-installation restart is required, and the delta update for fast patching is also offered to those using express installation files.
Microsoft recommends a phased rollout: install on a limited ring of test devices for at least 48 hours before broader deployment, paying special attention to the BitLocker cold-start behavior and the Secure Boot UI. If you’re using third-party disk encryption (Symantec Endpoint Encryption, McAfee Drive Encryption), confirm with the vendor that their filter drivers are compatible with the PCR7 strictness—some older drivers may cause boot loops.
Known issues
The official KB article lists three acknowledged issues:
- BitLocker recovery prompt on first boot: As described, a subset of devices using TPM+PIN may trigger a recovery prompt after update. Workaround: disable Fast Boot.
- Secure Boot false positive with custom PK keys: A fix is expected in June 2026.
- Windows Update error 0x800f0922 on systems with Secure Boot disabled and System Guard runtime attestation turned off: Microsoft says enabling Secure Boot resolves this, but for legacy BIOS systems that cannot enable Secure Boot, a workaround involves temporarily disabling the “Secure Boot status” tile via Group Policy.
Additionally, some users on Reddit and the Windows Community forums noted that the update resets custom power profiles set with powercfg, defaulting back to “Balanced.” This appears to be a bug introduced by the servicing stack update component. A quick powercfg /restoredefaultschemes followed by re-importing custom schemes fixes it.
Moving forward
KB5087544 underscores that Windows 10 ESU remains a viable, albeit narrowing, path for organizations that cannot migrate to Windows 11 before the October 2028 ESU end date. The integration of Secure Boot visibility and BitLocker hardening backports security features that first appeared in Windows 11, showing Microsoft’s commitment to keeping ESU machines defensible even as the OS ages. However, each ESU update also adds layers of licensing validation that can cause headaches in poorly managed environments—ensuring activation keys and prerequisite updates are healthy before Patch Tuesday will save Tier 1 helpdesks a spike in calls.
For home users and small shops, the arithmetic is straightforward: unless you’ve purchased an ESU license (starting at $61 per device for Year 1 and doubling each subsequent year), KB5087544 will not install. Windows 10 22H2 systems without active ESU are stuck on the October 2025 final public update (build 19045.5136) and receive no further security patches. The May 2026 update serves as a reality check: Windows 10’s security clock finally stopped for the unlicensed, and the only safe forward path is migration to Windows 11 or to a supported LTSC edition.
Microsoft has not yet commented on whether the Secure Boot status indicator or BitLocker enhancements will be backported further to Windows 10 LTSC 2021, which remains in mainstream support until 2027. For now, KB5087544 remains exclusive to the ESU track, delivering incremental but necessary fortifications to a platform that still runs on hundreds of millions of PCs.