KB5087544: [Remote Desktop security warnings (known issue)] Fixed

May 12, 2026—KB5087544 (OS Builds 19045.7291 and 19044.7291)

This security update includes fixes and quality improvements that are part of the following updates:

• April 14, 2026—KB5082200 (OS Builds 19045.7184 and 19044.7184)

The following is a summary of the issues that this update addresses when you install this update. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change we are documenting.

[Remote Desktop security warnings (known issue)] Fixed: The Remote Desktop Connection security warning dialog might render incorrectly in multi-monitor configurations with different display scaling settings. This issue might occur after installing the Windows security update released on April 14, 2026 (KB5082200).

[Secure Boot]

• This update enables dynamic status reporting for Secure Boot states in Windows Security App.
• With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
• [Daylight Savings Time] Update for Arab Republic of Egypt to support the government DST change order in 2023.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.

Known issues in this update
- ​​​​​​​Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key

Symptoms​​​​​

Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update.

This issue only affects a limited number of systems in which ALL the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments.

1. BitLocker is enabled on the OS drive.
2. The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".

1. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.

1. The device is not already running the 2023-signed Windows Boot Manager.

In this scenario, the BitLocker recovery key only needs to be entered once -- subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article, Find your BitLocker recovery key.

Enterprises are recommended to audit their BitLocker group policies for explicit PCR7 inclusion and check msinfo32.exe for their PCR7 binding status before installing this update.

Resolution

We are working on a resolution and will provide more information when it is available.

To temporarily work around this issue, remove the Group Policy configuration before installing the update (Recommended)

1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
2. Navigate to: Computer Configuration>Administrative Templates>Windows Components> BitLocker Drive Encryption>Operating System Drives.
3. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
4. Run the following command on affected devices to propagate the policy change: gpupdate /force
5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C:
6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C:
7. ​​​​​​​This updates the BitLocker bindings to use the Windows-selected default PCR profile.