May 2026 Patch Tuesday: admin deployment notes and checks
The May 2026 Patch Tuesday Microsoft security updates are live. This briefing covers the Windows 11 and Windows Server KB targets, Microsoft-confirmed known issues including the BitLocker PCR7 recovery prompt and the WSUS error-detail regression, Intune Autopatch hotpatch changes, Secure Boot certificate readiness, and the deployment checks needed before moving from pilot to broad deployment.
This is an admin-to-admin briefing for sysadmins, Intune admins, WSUS and ConfigMgr operators, and Windows Server admins. It covers only what Microsoft has confirmed in its own sources. Read it alongside the patch management hub, the Intune hub, the SCCM and MECM hub, the Windows Server hub, and the endpoint security hub. Keep the Microsoft source pages open alongside this article; release health and known issue pages can change during the first week after release.
Quick admin summary
- KB5089549 is the May 2026 Patch Tuesday update for Windows 11 versions 25H2 and 24H2, targeting build 26200.8457 (25H2) and 26100.8457 (24H2). Verify this build in Intune, WSUS, or ConfigMgr reports before approving broad deployment.
- BitLocker recovery prompts are a Microsoft-confirmed known issue on a specific device pattern: BitLocker on the OS drive, TPM validation explicitly including PCR7, PCR7 Binding reported as "Not Possible" by msinfo32.exe, the Windows UEFI CA 2023 certificate present in the Secure Boot database, and the device not already running the 2023-signed Windows Boot Manager. Audit BitLocker policies before deploying broadly.
- WSUS on Windows Server 2022 and Server 23H2 has a confirmed issue where synchronisation error details do not display. Microsoft says this functionality was temporarily removed to address CVE-2025-59287. Sync itself is not blocked; error detail visibility is affected.
- Windows Autopatch is enabling hotpatch security updates by default from May 2026 for eligible Intune-managed devices. Check Autopatch reporting to confirm which devices receive hotpatch and which will restart normally.
- Secure Boot certificate expiration messaging appears across several May 2026 KB pages. Certificates used by most Windows devices start expiring in June 2026. Review readiness now, particularly for older hardware, virtual machines, recovery media, and server fleets.
- Windows Server 2025 WUSA issue: a mitigated known issue where WUSA installations can fail when an update is installed from a network share containing multiple .msu files. The issue does not occur with a single .msu or when the file is stored locally.
- Windows 11 version 26H1 and the 25H2/24H2 KB currently carry no Microsoft-confirmed active known issues. That status can change; re-check the KB pages before each broad approval.
What changed in May 2026 Patch Tuesday
The May 2026 Security Update Guide release note is live. Microsoft has published May 12, 2026 cumulative update KB articles for all supported Windows 11 versions, Windows 10 ESU and LTSC, and Windows Server versions.
Secure Boot certificate expiration: Several Windows 11 and Windows Server KB pages include certificate expiration messaging. Microsoft says certificates used by most Windows devices start expiring in June 2026 and asks admins to review Secure Boot CA 2023 readiness guidance. This applies to client device fleets, server estates, recovery media, and cloud-managed Windows environments. Review the Secure Boot CA 2023 rollout enterprise readiness guide for the preparation steps before June arrives.
Autopatch hotpatch default: The Windows message centre confirms that Windows Autopatch is enabling hotpatch security updates by default from May 2026 for eligible Intune-managed devices. Hotpatch-eligible devices receive the security update without the restart that accompanies the standard cumulative update path. Check eligibility and Autopatch reporting before assuming restart behaviour across your estate.
BitLocker PCR7 issue on a subset of devices: Microsoft has confirmed a BitLocker recovery prompt issue affecting Windows 11 23H2, Windows 11 25H2 and 24H2 (KB5089549), and Windows Server 2025. The issue affects a specific and limited device configuration. A permanent resolution is planned in a future update.
WSUS error-detail regression on Server 2022 and Server 23H2: Microsoft says synchronisation error details were temporarily removed from WSUS on these server versions to address CVE-2025-59287. Error detail visibility is affected; WSUS sync is not blocked.
May 2026 KBs and builds to verify
Use these as verification targets alongside your update management reports. Match every OS version in your estate to its expected KB and build before approving broad deployment.
| Platform | May 2026 KB | Build to verify |
| --- | --- | --- |
| Windows 11, version 26H1 | KB5089548 | 28000.2113 |
| Windows 11, versions 25H2 and 24H2 | KB5089549 | 26200.8457 (25H2) / 26100.8457 (24H2) |
| Windows 11, version 23H2 | KB5087420 | 22631.7079 |
| Windows 10 ESU, version 22H2 | KB5087544 | 19045.7291 |
| Windows 10 Enterprise LTSC 2021 and IoT Enterprise LTSC 2021 | KB5087544 | 19044.7291 |
| Windows Server 2025 | KB5087539 | 26100.32860 |
| Windows Server, version 23H2 | KB5087541 | 25398.2330 |
| Windows Server 2022 | KB5087545 | 20348.5139 |
| Windows Server 2019 | KB5087538 | 17763.8755 |
| Windows Server 2016 | KB5087537 | 14393.9140 |
If your estate includes Windows Server 2025 hotpatching, also check the separate May 12, 2026 hotpatch KB5087423 path for applicable devices.
For standalone packages, verify the KB in the Microsoft Update Catalog. Each KB article states which channels carry the update: Windows Update, Windows Update for Business, Microsoft Update Catalog, and WSUS where applicable.
Known issues before broad deployment
Read the known issue section in each Microsoft KB for the OS versions in your estate before moving from pilot to broad rings.
BitLocker recovery prompt (Windows 11 23H2, 25H2, 24H2, and Windows Server 2025)
KB5087420, KB5089549, and KB5087539 all list this issue. The affected device pattern is: BitLocker enabled on the OS drive; TPM platform validation policy explicitly includes PCR7; msinfo32.exe reports Secure Boot State PCR7 Binding as "Not Possible"; the Windows UEFI CA 2023 certificate is present in the Secure Boot database; and the device is not already running the 2023-signed Windows Boot Manager.
Microsoft advises auditing BitLocker group policies for explicit PCR7 inclusion and checking PCR7 binding status before installing this update on devices that match the affected configuration. A permanent resolution is planned in a future Windows update.
If you are already managing BitLocker recovery prompts caused by a previous update in your environment, the April 2026 BitLocker recovery loop troubleshooting guide covers the recovery pattern for PCR7 and Secure Boot-related recovery loops and is a useful reference for the same root cause.
WSUS synchronisation error details (Windows Server 2022 and Server 23H2)
KB5087545 and KB5087541 both list this issue. WSUS synchronisation error details do not display on these server versions after specified previous updates. Microsoft says this functionality was temporarily removed to address CVE-2025-59287. Sync itself is not blocked; error detail visibility is the affected behaviour.
WUSA network share installation failure (Windows Server 2025)
This issue is listed as mitigated. WUSA installations can fail when an update is installed from a network share containing multiple .msu files. The issue does not affect installations with a single .msu or when the file is stored locally.
No current known issues confirmed
Microsoft states no current known issues for Windows 11 version 26H1 (KB5089548) or the 25H2 and 24H2 versions covered by KB5089549. The Windows release health pages for Windows 10 version 22H2, Windows Server 2019, and Windows Server 2016 also showed no active known issues at time of checking. These statuses can change; verify the KB pages and release health pages again before each broad approval decision.
Priority actions for admins
- Export the May 2026 view from the Microsoft Security Update Guide for the products you manage, and retain it with your change record.
- Map every supported Windows version in your estate to the KB and build table above. Do not approve broad deployment until every managed OS version has a verified target build.
- Read the known issue section in each KB before moving from pilot to broad rings. Some KBs state no current issues; others list the BitLocker PCR7 or WSUS issues covered above.
- Audit BitLocker group policies for explicit PCR7 inclusion and check PCR7 binding status via msinfo32.exe on pilot devices before broad deployment. Confirm key escrow is current before deploying to devices that match the affected pattern.
- Review Secure Boot certificate readiness across your client, server, and recovery media estate. Certificates begin expiring in June 2026. The Secure Boot CA 2023 rollout enterprise readiness guide covers preparation and remediation.
- Confirm whether Windows Autopatch hotpatch applies to eligible Intune devices in your estate and review Autopatch reporting before drawing conclusions about expected restart behaviour.
- Open Microsoft 365 admin centre Service health before escalating any Teams, Exchange Online, SharePoint, Intune, or identity symptoms observed during the patch window.
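The PCR7 audit called for in the known issues section and in the priority actions above, written out as an added PowerShell check (example code for this briefing, not a Microsoft or AdminSignal script). It runs elevated on a pilot device and tests each element of the Microsoft-described pattern; the function name, the report field names and the `OSPlatformValidation_UEFI` policy key used for the explicit-PCR7 check are this example's assumptions.

```powershell
# Added example: audit one device against the May 2026 BitLocker PCR7 pattern.
# Run elevated on an English-locale Windows 11 or Server 2025 pilot device.
# Function name, report fields and the policy key path are assumptions.
function Test-BitLockerPcr7Pattern {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)
    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. BitLocker on the OS drive, plus a recovery password protector to escrow
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $r.BitLockerOn = ($vol.ProtectionStatus -eq 'On')
    $r.RecoveryPasswordPresent = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # 2. PCRs the TPM protector is actually bound to; manage-bde prints
    #    "PCR Validation Profile:" with the PCR list on the following line
    $mbde = (& manage-bde.exe -protectors -get $OsDrive 2>&1) -join "`n"
    $r.TpmPcrProfile = if ($mbde -match 'PCR Validation Profile:\s*\r?\n\s*([\d, ]+)') {
        ($Matches[1] -replace '\s', '') } else { 'Unknown' }

    # 3. Policy explicitly lists PCR7 (assumed GPO/CSP key and value names)
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    $r.PolicyExplicitPcr7 = ($null -ne $pol -and $pol.Enabled -eq 1 -and $pol.PCR7 -eq 1)

    # 4. PCR7 binding state as msinfo32 reports it, via an msinfo32 /report export
    $rep = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$rep`"" -Wait
    $line = Get-Content -Path $rep | Where-Object { $_ -match '^PCR7' } | Select-Object -First 1
    Remove-Item -Path $rep -ErrorAction SilentlyContinue
    $r.Pcr7Binding = if ($line -match 'PCR7\s*\w*\s+(.+?)\s*$') { $Matches[1] } else { 'Unknown' }

    # 5. Windows UEFI CA 2023 present in the Secure Boot signature database (db)
    $db = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $r.UefiCa2023InDb = ($db -match 'Windows UEFI CA 2023')

    # 6. Is the boot manager already 2023-signed? Mount the EFI system partition
    #    on a free drive letter and read the Authenticode signer of bootmgfw.efi
    $letter = @(68..90 | ForEach-Object { [char]$_ } |
        Where-Object { -not (Test-Path "$($_):\") })[-1]
    & mountvol.exe "${letter}:" /s
    try {
        $sig = Get-AuthenticodeSignature -FilePath "${letter}:\EFI\Microsoft\Boot\bootmgfw.efi"
        $r.BootMgrIssuer = $sig.SignerCertificate.Issuer
    } finally { & mountvol.exe "${letter}:" /d }
    $r.BootMgr2023Signed = ($r.BootMgrIssuer -match 'Windows UEFI CA 2023')

    # All five KB conditions must hold for the device to match the affected pattern
    $r.MatchesAffectedPattern = $r.BitLockerOn -and $r.PolicyExplicitPcr7 -and
        ($r.Pcr7Binding -match 'Not Possible') -and $r.UefiCa2023InDb -and -not $r.BootMgr2023Signed
    [pscustomobject]$r
}

# Usage on a pilot device: show the evidence and flag missing escrow before approval
$result = Test-BitLockerPcr7Pattern
$result | Format-List
if ($result.MatchesAffectedPattern -and -not $result.RecoveryPasswordPresent) {
    Write-Warning 'Affected pattern with no recovery password protector: escrow before deploying'
}
```

Run it through Intune Proactive Remediations or a ConfigMgr script against the pilot collection and keep the per-device output with the change record; a device that reports `MatchesAffectedPattern = True` is the one to hold until key escrow is confirmed.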
Intune, Windows Update for Business and Autopatch
Use these checks for cloud-managed update rings. The Intune hub has broader operational guidance for Autopatch, update ring configuration, policy targeting, and Intune Patch Tuesday deployment checks.
Confirm quality update ring assignments, exclusions, deadlines, grace periods, restart settings, and safeguard hold behaviour before the May 2026 rollout reaches broad rings. Verify that pilot devices have recently synced before using their compliance status as deployment evidence.
Check that feature update policies are not moving devices to a new Windows version at the same time as this quality update. Concurrent servicing changes complicate fault isolation in the first 24 hours after release.
For Autopatch-managed devices, May 2026 marks the point at which hotpatch is enabled by default for eligible Intune-managed devices. Review which devices in your Autopatch estate are eligible, confirm reporting reflects expected behaviour, and review restart assumptions for the next deployment ring.
If devices are failing to respect update ring deferral settings, see the WUfB deferral not respected troubleshooting guide for the diagnostic steps.
WSUS and Configuration Manager
Use this section for on-premises and co-managed estates. The SCCM and MECM hub covers wider ConfigMgr workflows, maintenance windows, collections, and software update point checks.
WSUS checks
Sync after Microsoft metadata is available, then verify that products and classifications match the platforms in scope. Confirm the Security Updates classification is selected where the KB requires it.
Watch WSUS synchronisation health during the first few days, but account for the Microsoft-confirmed issue on Windows Server 2022 and Server 23H2 where synchronisation error details do not display. This affects error detail visibility, not sync success.
For standalone packages, use the Microsoft Update Catalog and record the exact KB, architecture, and package source in your change record.
Configuration Manager checks
Confirm the software update point has synced the May 2026 metadata, including KB5089549 for Windows 11 25H2 and 24H2 environments, before running automatic deployment rule evaluations.
Review automatic deployment rules before they evaluate against the new May 2026 updates. Validate pilot collections, maintenance windows, content distribution status, and restart settings before moving to broader rings.
Use compliance state by error pattern rather than raw failed install counts when reviewing the May 2026 update deployment in the console.
Windows Server
For role-aware maintenance planning, use the Windows Server hub alongside the release notes for each server KB.
Patch domain controllers, file servers, Hyper-V hosts, RDS hosts, management servers, and application servers through their normal maintenance windows. Stagger server maintenance where possible to preserve role redundancy during the patch window.
Before applying any May 2026 Windows Server update, check backup and restore ownership, confirm free disk space and servicing stack prerequisites are met, and clear any pending reboot state from a previous update or configuration change.
For Windows Server 2025, determine whether the standard cumulative update path or the hotpatch path applies to each server in scope. The two paths have different applicability and restart behaviour.
If deploying via standalone .msu files, avoid installing from a network share that contains multiple .msu files until the WUSA issue listed in the known issues section above is confirmed fully resolved for your server build.
Endpoint security and monitoring
The endpoint security hub contains runbooks for Secure Boot certificate readiness, BitLocker recovery key escrow, and Defender for Endpoint deployment checks.
For May 2026 specifically, verify the following before moving to broad rings:
- Confirm BitLocker recovery key escrow is current for all managed endpoints before deploying to devices that match the PCR7 affected pattern.
- Verify that Defender for Endpoint sensors and any third-party endpoint detection and response agents report correctly on pilot devices after the May 2026 update is applied.
- Check Secure Boot certificate readiness for servers and devices with custom UEFI configurations. Certificate expiration begins in June 2026.
- Review agent health for backup agents, management agents, VPN clients, and print services on pilot devices before moving to broad rings.
If you need a consolidated view of installed and missing updates across your estate, the Get patch compliance report script provides a per-device summary suitable for use as change record evidence.
Microsoft 365 service health checks
Not every service symptom observed during a Patch Tuesday window is caused by the Windows update itself. Microsoft 365 platform incidents can coincide with patch activity and produce symptoms that resemble endpoint failures.
Check Microsoft 365 admin centre Service health for Exchange Online, Teams, SharePoint Online, Intune, Microsoft Entra, and admin portal issues before escalating a Windows patch rollback. Record any tenant-level incidents separately from endpoint and server patch incidents so the next shift has a clear picture of which evidence came from Microsoft 365 and which came from device telemetry.
First 24 hours checklist
- Pull the Microsoft Security Update Guide May 2026 export and retain it with the change record.
- Map every managed Windows version in your estate to the KB and build table in this briefing.
- Read the known issue section in each KB for the OS versions you are approving before moving any ring from pilot to broad.
- Audit BitLocker PCR7 binding status via msinfo32.exe and confirm recovery key escrow is current for devices matching the affected pattern.
- Review Secure Boot certificate readiness using the Secure Boot CA 2023 rollout enterprise readiness guide.
- Sync WSUS and ConfigMgr software update points, validate May 2026 metadata, and confirm content distribution is complete before evaluating automatic deployment rules.
- Confirm Intune update ring assignments, Autopatch hotpatch eligibility reporting, and WUfB policy targeting for pilot devices.
- Install on pilot devices and servers, then check sign-in, VPN, Defender, line of business applications, printing, backup agents, and management agents.
- Check Microsoft 365 admin centre Service health for any concurrent platform incidents.
- Document the decision to hold, expand, or adjust rings, with the evidence from pilot devices attached to the change record.
First 7 days checklist
- Review the Microsoft Security Update Guide for revisions and check Windows release health pages daily. Known issue pages can be updated at any point after release.
- Promote from pilot to broader rings only when restart, recovery, and application evidence from the previous ring is clean.
- Track devices that have not checked in since before the May 13 release date. Stale devices create compliance reporting gaps that can mask deployment failures.
- Run the Get patch compliance report script to cross-check Intune, ConfigMgr, Defender, and WSUS reporting for drift across the estate.
- Review open incidents by Windows version, KB, hardware model, driver version, VPN client, security tool version, and server role. A pattern concentrated on the same hardware or driver combination points to a compatibility issue rather than a broad update problem.
- For the BitLocker PCR7 issue, confirm whether any additional devices in broader rings match the affected configuration. If recovery prompts appear after the May 2026 update, apply the April 2026 BitLocker recovery loop troubleshooting guide.
- Close the cycle with a brief note covering what was approved, what was held, and what needs monitoring before the June 2026 Patch Tuesday window.
What not to assume
- Do not assume a CVE total, critical severity total, exploited status, or public disclosure status unless you have verified it directly in the Microsoft Security Update Guide. Third-party summaries can introduce inaccuracies.
- Do not assume "no known issues" applies to every OS version. Some May 2026 KBs state no current issues; others list the BitLocker PCR7 or WSUS issues described in this briefing.
- Do not assume every Windows Server 2025 device should follow the same servicing path. Standard cumulative update and hotpatch have different applicability, eligibility, and restart behaviour.
- Do not assume Autopatch devices will restart as expected without checking hotpatch eligibility. The May 2026 default change to hotpatch means restart behaviour will differ from previous months for eligible Intune-managed devices.
- Do not assume Microsoft 365 is healthy based on public status pages alone. Tenant Service health in the admin centre is the authoritative source for your tenant's incident state.
- Do not assume the Microsoft Update Catalog has every architecture you need until you search the exact KB and architecture combination.
- Do not assume WSUS synchronisation has failed simply because error details are not displaying on Windows Server 2022 or Server 23H2. The display regression is a separate issue from sync success.
Related AdminSignal resources
- Patch management hub for deployment workflows, ring strategies, and update governance.
- Intune hub for Autopatch, update ring configuration, and Intune Patch Tuesday deployment checks.
- SCCM and MECM hub for ConfigMgr software update point, ADR, and deployment collection checks.
- Windows Server hub for role-aware server maintenance planning.
- Endpoint security hub for BitLocker, Secure Boot, and Defender deployment checks.
- Secure Boot CA 2023 rollout enterprise readiness guide for certificate preparation and recovery media checks ahead of June 2026 expiration.
- April 2026 BitLocker recovery loop troubleshooting guide for recovery patterns when PCR7 or Secure Boot changes trigger BitLocker prompts.
- WUfB deferral not respected troubleshooting guide for when cloud-managed devices ignore update ring timing.
- Get patch compliance report script for a consolidated per-device view of installed and missing updates.
Official sources
- Microsoft Security Update Guide
- May 2026 Security Update Guide release note
- Windows release health
- Windows message centre
- Windows 11 release information
- Windows 10 release information
- Windows Server release information
- Windows 11 KB5089548
- Windows 11 KB5089549
- Windows 11 KB5087420
- Windows 10 KB5087544
- Windows Server 2025 KB5087539
- Windows Server version 23H2 KB5087541
- Windows Server 2022 KB5087545
- Windows Server 2019 KB5087538
- Windows Server 2016 KB5087537
- May 12, 2026 hotpatch KB5087423
- Microsoft Update Catalog
- How to check Microsoft 365 service health
Jack, Senior Enterprise Sysadmin · 12+ Years Windows & Intune
I've spent 12+ years managing Windows fleets, Intune tenants, and Active Directory environments for enterprise clients across finance, logistics, and professional services. AdminSignal exists because I got tired of docs that stop at "click Apply." Everything here is tested in production before it goes on the page.
AdminSignal content is produced independently.