KB5087539: Overview with user sentiment and feedback

Last Updated May 18, 2026

Probability of successful installation and continued operation of the machine: 65%

Overview

KB5087539 is a cumulative security update for Windows Server 2025 released on May 12, 2026, addressing the latest security vulnerabilities and quality improvements. This update consolidates fixes from previous monthly releases (KB5082063 from April 14, 2026, and KB5091157 from April 19, 2026) into a single comprehensive package. The update is designed to maintain system security and stability through a controlled rollout mechanism that prioritizes device compatibility and successful update signals before deployment.

The update introduces significant infrastructure improvements, particularly around Secure Boot certificate management, which addresses an upcoming certificate expiration issue affecting most Windows devices starting in June 2026. Organizations receive automation tools and scripts to manage certificate updates across their device fleets, enabling proactive mitigation of potential boot failures. Additionally, the update enhances domain controller performance and connectivity reliability while introducing post-quantum cryptography support through Active Directory Certificate Services.

General Purpose

This cumulative update delivers multiple categories of improvements spanning security, performance, and infrastructure resilience. The primary focus addresses the critical Secure Boot certificate expiration challenge by expanding device eligibility for automatic certificate updates through enhanced targeting data and controlled phased rollout mechanisms. The update includes new automation scripts and tools within a SecureBoot folder for IT professionals managing large device fleets, enabling detection of certificate status and safe deployment via Active Directory environments.

Performance enhancements target domain controller environments, specifically reducing CPU and memory consumption when Microsoft Defender is enabled by optimizing the Local Security Authority Subsystem Service during Event Tracing for Windows operations. Connectivity improvements strengthen Simple Service Discovery Protocol reliability to prevent service unresponsiveness. The update introduces post-quantum cryptography support through Module-Lattice-Based Digital Signature Algorithm variants for Active Directory Certificate Services, allowing administrators to issue quantum-resistant certificates for code signing, TLS, and OCSP response signing. Additional refinements address Remote Desktop rendering issues in multi-monitor scenarios and expand daylight saving time support to include Egypt's 2023 DST changes.

General Sentiment

Community reception of KB5087539 reflects cautious optimism tempered by documented installation challenges on specific system configurations. The update is generally viewed favorably for its proactive approach to the Secure Boot certificate expiration crisis, with IT professionals appreciating the inclusion of automation tools and clear guidance documentation. The performance improvements for domain controllers running Microsoft Defender are recognized as beneficial for enterprise environments.

However, significant concerns emerge from reported installation failures affecting systems with specific BitLocker and Secure Boot configurations. Multiple users have encountered error 0x800736b3 (ERROR_SXS_ASSEMBLY_NOT_FOUND), indicating component store corruption that prevents successful installation even after standard remediation attempts. These failures appear concentrated on systems with unrecommended BitLocker Group Policy configurations involving PCR7 validation profiles, creating a scenario where the update may trigger BitLocker recovery key requirements on first restart. While Microsoft acknowledges these issues are limited to systems with specific configuration combinations unlikely on consumer devices, enterprise environments with customized BitLocker policies face material deployment risks. The WSUS error reporting functionality removal, implemented as a security measure against CVE-2025-59287, is viewed as a necessary trade-off but reduces visibility into synchronization issues during deployment.

Known Issues

  • BitLocker Recovery Key Requirement: Systems with unrecommended BitLocker Group Policy configurations (specifically those with TPM platform validation profile for native UEFI firmware configurations including PCR7) may require BitLocker recovery key entry on first restart after installation. This affects only systems meeting all specific conditions and is unlikely on personal devices not managed by IT departments. Recovery key entry is required only once; subsequent restarts will not trigger recovery screens if group policy remains unchanged.

  • WSUS Error Reporting Disabled: Windows Server Update Services no longer displays synchronization error details within error reporting after installing KB5070881 or later updates. This functionality was temporarily removed to address Remote Code Execution Vulnerability CVE-2025-59287, reducing visibility into update deployment issues.

  • Component Store Corruption Installation Failures: Some systems experience installation failure at approximately 93% completion with error 0x800736b3 (ERROR_SXS_ASSEMBLY_NOT_FOUND), indicating missing or corrupted side-by-side assemblies in the Windows component store. Standard remediation attempts including DISM /RestoreHealth and SFC /scannow may not resolve the issue, requiring advanced repair techniques using known-good local sources or in-place repair upgrades.
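The first known issue above only bites when a custom UEFI PCR validation profile includes PCR7 and the OS volume is protected. The following PowerShell pre-deployment check is an added example (not from the page, Microsoft, or the update's SecureBoot folder); it assumes the "Configure TPM platform validation profile for native UEFI firmware configurations" policy is stored under `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` with one DWORD per PCR index, and that the built-in `Confirm-SecureBootUEFI` and BitLocker cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Pre-deployment check: is this machine likely to hit the BitLocker recovery
# prompt on the first restart after installing the cumulative update?
# Assumption: the GPO is persisted under this key with DWORDs named "0".."11".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$result = [ordered]@{}

# 1. Secure Boot state (the cmdlet throws on legacy BIOS / unsupported firmware)
try   { $result.SecureBoot = Confirm-SecureBootUEFI }
catch { $result.SecureBoot = 'N/A (legacy BIOS or unsupported)' }

# 2. Is a custom UEFI PCR profile configured, and does it include PCR7?
$result.CustomPcrProfile = Test-Path $policyKey
$result.Pcr7InProfile    = $false
if ($result.CustomPcrProfile) {
    $props = Get-ItemProperty -Path $policyKey
    $result.Pcr7InProfile = ($props.PSObject.Properties.Name -contains '7') -and ($props.'7' -eq 1)
}

# 3. OS volume protection state and whether a recovery password protector exists
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.ProtectionStatus = $os.ProtectionStatus
$recovery = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$result.RecoveryPasswordPresent = [bool]$recovery

# 4. Combine: all three conditions from the known issue must hold to be at risk
$atRisk = $result.CustomPcrProfile -and $result.Pcr7InProfile -and ($os.ProtectionStatus -eq 'On')
$result.AtRiskForRecoveryPrompt = $atRisk
[pscustomobject]$result | Format-List

if ($atRisk -and -not $result.RecoveryPasswordPresent) {
    Write-Warning 'No recovery password protector. Add one and escrow it before installing:'
    Write-Warning '  Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector'
    Write-Warning '  Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId <id>'
}
elseif ($atRisk) {
    # Surface the protector ID so the help desk can locate the escrowed key in AD
    Write-Warning "Recovery prompt likely on first restart. Protector ID(s): $($recovery.KeyProtectorId -join ', ')"
}
```

Run it once per device (or via a remoting job across the fleet) before approving the update; devices that report `AtRiskForRecoveryPrompt = True` should have a verified, escrowed recovery password before the restart.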

Generated on 2026-05-18 01:01 AM
