Microsoft released cumulative update KB5087420 for Windows 11, version 23H2 (2023 Update) as part of the May 2026 Patch Tuesday. The cumulative update package KB5087420 (Build 22631.7079) is intended for Windows 11, version 23H2 (Windows 11 2023 Update) on x64 (amd64) and ARM64 processors for Enterprise and Education editions. This update includes quality improvements; no new system features are introduced.
- Expansion of Secure Boot targeting data. Microsoft expanded the targeting data composition in Windows quality updates, increasing the scope of devices ready to automatically receive new Secure Boot certificates. Certificates are delivered only after sustained signals of successful update installation — ensuring controlled phased rollout ahead of certificate expirations starting June 2026.
- COSA profile update. Country and Operator Settings Asset (COSA) profiles have been updated, improving support for mobile operator settings on compatible devices.
- Support for daylight saving time changes in Egypt. Added support for the 2023 daylight saving time rule changes in the Arab Republic of Egypt.
- Enterprise State Roaming management via Windows Backup for Organizations. Management of the Enterprise State Roaming (ESR) feature is now possible through Windows Backup for Organizations policies, simplifying device configuration setup and management in organizations. Microsoft transitioned ESR management into Windows Backup for Organizations starting May 2026.
- Microsoft Defender SmartScreen improvement. Microsoft Defender SmartScreen can now send hash values of unsigned files from the shell to improve application reputation checks using modern security models.
- Servicing stack quality improvements (SSU). The update includes servicing stack quality improvements — the component responsible for installing Windows updates.
Known issue: BitLocker. On devices with a non-recommended BitLocker group policy configuration, a BitLocker recovery key may be required at the first reboot after the update is installed. The issue affects a limited set of systems where all of the following conditions are met simultaneously: BitLocker is enabled on the system drive; the "Configure TPM platform validation profile for native UEFI firmware configurations" group policy is set; and PCR7 is included in the validation profile (or the corresponding registry parameter is set manually). On personal devices not managed by corporate IT, these conditions are unlikely.
Cumulative update KB5087420 for PCs installs automatically via Windows Update for Enterprise and Education editions. To check, go to Settings > Windows Update and click Check for updates.
How the new features work:
Expansion of Secure Boot targeting data: The principle relies on telemetry analysis of successful update installations. Microsoft expanded the set of signals collected from devices to determine readiness for new Secure Boot certificates. Certificates are delivered only after sustained confirmation that previous updates installed correctly. This prevents mass failures during rotation of the certificates, whose expirations start in June 2026.
COSA profile update: COSA (Country and Operator Settings Asset) profiles are XML files with cellular operator parameters: APN, MMS, roaming, etc. The update replaces these files in the system. When the device registers on the network, Windows reads the current profile, ensuring correct connection setup without manual entry.
Support for daylight saving time changes in Egypt: The update modifies the system time zone database (registry and tzres.dll). Windows receives new daylight saving transition rules for Egypt: dates and offsets. Task Scheduler and system clock use this data to automatically adjust time, avoiding discrepancies with local legislation.
Enterprise State Roaming management via Windows Backup for Organizations: ESR synced settings (Wi-Fi passwords, themes, language) across corporate devices via Azure AD. Starting May 2026, management is moved to Windows Backup for Organizations policies. Backup now acts as the central orchestrator: the device restores settings from the cloud rather than via direct ESR channel, simplifying administration.
Microsoft Defender SmartScreen improvement: Previously, SmartScreen sent full hashes only for signed files. Now, for unsigned files, the browser or Windows shell computes their hash (SHA-256) and sends it to the Defender cloud service. The hash is checked against the reputation database. Risk of substitution is minimal — only the hash is transmitted, not the file itself.
Servicing stack quality improvements (SSU): SSU is the component that installs Windows updates themselves. Quality improvement means fixing bugs in CAB file processing code, unpacker, and transaction queues. Without a reliable SSU, other patches cannot be correctly applied. This update makes installation more resilient to power failures and metadata corruption.
Known issue: BitLocker: With a non-recommended group policy (Configure TPM platform validation profile with PCR7 enabled), the system expects a certain set of integrity measurements. After the update, the bootloader changes, PCR7 yields a different hash, and the TPM does not release the protection on the drive, so the recovery key is requested. On home PCs with default settings, the issue does not occur.
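A way to check a device against the BitLocker conditions listed above before rebooting into the update, as an added example that is not taken from Microsoft's announcement. The registry location of the policy and the value layout (an `Enabled` flag plus one value per PCR index) are assumptions not stated on the page, and the function names are hypothetical; run it from an elevated PowerShell session.

```powershell
# Added example: evaluates the known-issue conditions on the local device.
# Assumption: the "Configure TPM platform validation profile for native UEFI
# firmware configurations" policy is stored under this key (not given on the page).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Test-Pcr7PolicyConfigured {
    param([string]$Path = $PolicyKey)
    # No key means the policy was never configured on this device.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $props   = (Get-ItemProperty -LiteralPath $Path).PSObject.Properties
    $enabled = $props['Enabled']
    $pcr7    = $props['7']          # assumed: one DWORD per PCR index, 1 = selected
    return [bool]($enabled -and $enabled.Value -eq 1 -and $pcr7 -and $pcr7.Value -eq 1)
}

function Get-BitLockerPcr7Exposure {
    # Condition 1: BitLocker is protecting the system drive.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $protected = $vol.ProtectionStatus -eq 'On'

    # Conditions 2 and 3: the policy is set and PCR7 is in the profile.
    $pcr7Policy = Test-Pcr7PolicyConfigured

    # Not a condition of the issue, but what matters if the prompt appears:
    # is there a recovery password protector that can be looked up?
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        SystemDrive         = $env:SystemDrive
        BitLockerProtecting = $protected
        Pcr7PolicySet       = $pcr7Policy
        LikelyAffected      = ($protected -and $pcr7Policy)
        RecoveryProtectors  = $recovery.Count
        RecoveryProtectorId = ($recovery.KeyProtectorId -join ', ')
    }
}

Get-BitLockerPcr7Exposure | Format-List
```

A device reporting `LikelyAffected : True` with `RecoveryProtectors : 0` has no recovery password to enter if the prompt appears, so it is the first one to look at before the reboot.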
Official announcement on the Microsoft website.
The last 10 Windows updates:
| Update | Build | Version | Windows | Channel | Date |
|---|---|---|---|---|---|
| KB5089570 | 28000.2173 | 26H1 | Windows 11 | Preview | 2026-05-14 |
| KB5089573 | 26200.8514 | 25H2 | Windows 11 | Preview | 2026-05-14 |
| KB5087420 | 22631.7079 | 23H2 | Windows 11 | Stable | 2026-05-12 |
| KB5089548 | 28000.2113 | 26H1 | Windows 11 | Stable | 2026-05-12 |
| KB5087544 | 19045.7291 | 22H2 (ESU) | Windows 10 | Stable | 2026-05-12 |
| KB5089549 | 26200.8457 | 24H2/25H2 | Windows 11 | Stable | 2026-05-12 |
| KB5089417 | 26220.8370 | 25H2 | Windows 11 | Beta | 2026-05-08 |
| KB5089414 | 26300.8376 | 25H2 | Windows 11 | Experimental | 2026-05-08 |
| KB5089416 | 28020.2075 | 26H1 | Windows 11 | Experimental | 2026-05-08 |
| KB5083810 | 26220.8340 | 25H2 | Windows 11 | Beta | 2026-05-01 |