Patch Review Recommendations

Flexis May 2026 Patch Recommendation

Patches Microsoft released in May 2026

 

  • KB5087545: 2026-05 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems
  • KB5087538: 2026-05 Cumulative Update for Windows Server 2019 for x64-based Systems
  • KB5088064: 2026-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems
  • KB5087537: 2026-05 Cumulative Update for Windows Server 2016 for x64-based Systems


  • Microsoft Windows
  • Microsoft Edge (HTML-based)
  • Microsoft Edge (Chromium-based)
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Visual Studio
  • ASP.NET Core
  • Chakra Core
  • Microsoft Dynamics
  • .NET Framework
  • .NET Core
Please note the following information regarding the security updates:

According to the Windows 10 Enterprise and Education and Windows 10 Home and Pro lifecycle pages, support for Windows 10 ended on October 14, 2025. The current version, 22H2, is the final version of Windows 10. The following editions remained in support with monthly security update releases through that date:

  • Home
  • Pro
  • Pro Education
  • Pro for Workstations
  • Education
  • Enterprise
  • Enterprise multi-session

KB5087545: Windows Server 2022

Improvements 

This security update contains fixes and quality improvements from KB5082142 (released April 14, 2026) and KB5091575 (released April 19, 2026). The following summary outlines the key issues addressed by this update, along with any new features that are available. The bold text within the brackets indicates the item or area of the change.

  • [Secure Boot]
      • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
      • This update adds a new SecureBoot folder under C:\Windows on eligible devices. The folder contains example scripts intended for organizations with IT professionals who actively manage updates across their device fleet. These scripts can be used to detect Secure Boot certificate update status and automate deployment via a safe rollout mechanism in an Active Directory environment. For more information, see Sample Secure Boot E2E Automation Guide.
  • [App] This update improves the accuracy and reliability of calculations used by apps and system components. Users and developers should see more consistent results, especially when working with very small values. 
  • [Daylight saving time (DST)] This update supports the 2023 DST change for the Arab Republic of Egypt. 
  • [Desktop] This update improves how the Windows Server interface responds during everyday use. Users should notice smoother interactions and fewer instances where windows stop responding. 
  • [Sign-In] After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a “no Internet” error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams. 
  • [Remote Desktop (known issue)] Fixed: This update addresses an issue that affects the Remote Desktop Connection security warning dialog. The dialog could render incorrectly in multi-monitor scenarios where the monitors had different scaling settings. This might occur after installing the April 2026 (KB5082142) security update. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.

 

 

Known issues in this update 

Devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key

Symptom 

Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update. 

This issue only affects a limited number of systems in which ALL of the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments. 

  1. BitLocker is enabled on the OS drive. 
  2. The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually). 
  3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as “Not Possible”. 
  4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023-signed Windows Boot Manager to be made the default.
  5. The device is not already running the 2023-signed Windows Boot Manager. 

In this scenario, the BitLocker recovery key only needs to be entered once — subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article, Find your BitLocker recovery key. 

Enterprises are recommended to audit their BitLocker group policies for explicit PCR7 inclusion and check msinfo32.exe for their PCR7 binding status before installing this update. (See the Workaround below.) 
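A pre-install audit for the conditions listed above, as an added PowerShell example that is not part of the Microsoft guidance or the original page. It reads conditions 1, 2 and 4 and flags a device for a manual check of conditions 3 and 5; the function name and the policy registry path (HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI, which the page does not name) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article): read-only pre-install audit.
function Test-BitLockerPcr7Exposure {   # hypothetical helper name
    $osDrive = $env:SystemDrive

    # Condition 1: BitLocker is enabled on the OS drive.
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
    $bitLockerOn = ($null -ne $vol) -and ($vol.VolumeStatus -ne 'FullyDecrypted')

    # Condition 2: the UEFI platform validation policy is set and lists PCR 7.
    # ASSUMPTION: policy registry location; confirm against your ADMX templates.
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    $pcr7InPolicy = ($null -ne $pol) -and ($pol.Enabled -eq 1) -and ($pol.'7' -eq 1)

    # Condition 4: Windows UEFI CA 2023 is present in the Secure Boot DB.
    $ca2023InDb = $false
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $ca2023InDb = [Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
    } catch {
        # Legacy BIOS or Secure Boot variables not readable: condition not met.
    }

    $candidate = $bitLockerOn -and $pcr7InPolicy -and $ca2023InDb
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        BitLockerOnOsDrive = $bitLockerOn
        Pcr7InGroupPolicy  = $pcr7InPolicy
        UefiCa2023InDb     = $ca2023InDb
        # Conditions 3 and 5 are not read here; confirm them by hand when flagged.
        NeedsManualReview  = $candidate
    }
}

$result = Test-BitLockerPcr7Exposure
$result | Format-List
if ($result.NeedsManualReview) {
    Write-Warning 'Check PCR7 binding in msinfo32.exe and remove the policy before patching.'
}
```

A device that reports NeedsManualReview as False fails at least one of the five conditions and is outside the scope of this known issue.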

Workaround  

Remove the Group Policy configuration before installing the update (Recommended)  

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console. 
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. 
  3. Set “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured”. 
  4. Run the following command on affected devices to propagate the policy change: gpupdate /force 
  5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: 
  6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: 
  7. This updates the BitLocker bindings to use the Windows-selected default PCR profile.

A permanent resolution for this issue is planned in a future Windows update. More information will be provided when it is available. 

 

Windows Server Update Services (WSUS) does not display error details 

After installing KB5070884 or later updates, Windows Server Update Services (WSUS) does not display synchronization error details within its error reporting. This functionality is temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.

KB5087538: Windows Server 2019, Win 10 Ent LTSC 2019

Windows Secure Boot certificate expiration 

Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance.   

 

Summary 

Windows Server 2019 

Applies to: Windows Server 2019 

This security update includes fixes and quality improvements that are part of the following update: 

The following is a summary of the issues that this update addresses when you install this update. The bold text within the brackets indicates the item or area of the change we are documenting. 

  • [Remote Desktop security warnings (known issue)] Fixed: The Remote Desktop Connection security warning dialog might render incorrectly in multi-monitor configurations with different display scaling settings. This issue might occur after installing the Windows security update released on or after April 14, 2026 (such as KB5082123). 
  • [Secure Boot]
      • This update enables dynamic status reporting for Secure Boot states in Windows Security App.
      • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
      • This update adds a new SecureBoot folder under C:\Windows on eligible devices. The folder contains example scripts intended for organizations with IT professionals who actively manage updates across their device fleet. These scripts can be used to detect Secure Boot certificate update status and automate deployment via a safe rollout mechanism in an Active Directory environment. For more information, see Sample Secure Boot E2E Automation Guide.
  • [Sign-In] Fixed: After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a “no Internet” error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams. 
  • [Daylight Savings Time] Update for Arab Republic of Egypt to support the government DST change order in 2023. 

 

 

Applies to: Windows 10 Enterprise LTSC 2019 

This security update includes fixes and quality improvements that are part of the following update: 

The following is a summary of the issues that this update addresses when you install this update. The bold text within the brackets indicates the item or area of the change we are documenting. 

  • [Remote Desktop security warnings (known issue)] Fixed: The Remote Desktop Connection security warning dialog might render incorrectly in multi-monitor configurations with different display scaling settings. This issue might occur after installing the Windows security update released on or after April 14, 2026 (such as KB5082123). 
  • [Secure Boot]
      • This update enables dynamic status reporting for Secure Boot states in Windows Security App.
      • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
      • This update adds a new SecureBoot folder under C:\Windows on eligible devices. The folder contains example scripts intended for organizations with IT professionals who actively manage updates across their device fleet. These scripts can be used to detect Secure Boot certificate update status and automate deployment via a safe rollout mechanism in an Active Directory environment. For more information, see Sample Secure Boot E2E Automation Guide.
  • [Sign-In] Fixed: After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a “no Internet” error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams. 
  • [Daylight Savings Time] Update for Arab Republic of Egypt to support the government DST change order in 2023. 

KB5088064: Win 10 Ent LTSB 2016, Win 10 IoT Ent LTSB 2016, Windows Server 2016 (all editions)

Windows Secure Boot certificate expiration  

Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance.   

 

Summary 

This servicing stack update (SSU) makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates make sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. 

Important: Not installing the latest SSU before applying Windows updates might result in the Windows update not being offered until the latest SSU is installed.

KB5087537: Windows Server 2016 (all editions), Win 10 Ent LTSB 2016, Win 10 IoT Ent LTSB 2016

Windows Secure Boot certificate expiration 

Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time. To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance.   

 

 

Summary 

Windows Server 2016 

Applies to: Windows Server 2016 

This security update includes fixes and improvements that are a part of the following update: 

The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting. 

  • [Remote Desktop security warnings (known issue)] Fixed: The Remote Desktop Connection security warning dialog might render incorrectly in multi-monitor configurations with different display scaling settings. This issue might occur after installing the Windows security update released on or after April 14, 2026 (such as KB5082198). 
  • [Sign-In] Fixed: After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a “no Internet” error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams. 
  • [Daylight Savings Time (DST)] Update for Arab Republic of Egypt to support the government DST change order in 2023. 
  • [Secure Boot]
      • With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
      • This update adds a new SecureBoot folder under C:\Windows on eligible devices. The folder contains example scripts intended for organizations with IT professionals who actively manage updates across their device fleet. These scripts can be used to detect Secure Boot certificate update status and automate deployment via a safe rollout mechanism in an Active Directory environment. For more information, see Sample Secure Boot E2E Automation Guide.

Windows 10 Version 1607 

Applies to: Windows 10 Enterprise LTSB 2016 and Windows 10 IoT Enterprise 2016 LTSB 

This security update includes fixes and improvements that are a part of the following update: 

The following is a summary of the issues that this update addresses. The bold text within the brackets indicates the item or area of the change we are documenting. 

  • [Remote Desktop security warnings (known issue)] Fixed: The Remote Desktop Connection security warning dialog might render incorrectly in multi-monitor configurations with different display scaling settings. This issue might occur after installing the Windows security update released on or after April 14, 2026 (such as KB5082198). 
  • [Sign-In] Fixed: After you install the Windows update released on or after March 10, 2026, some users might experience an issue signing in to apps with a Microsoft account. Even when the device has a working Internet connection, a “no Internet” error appears during sign in and prevents access to Microsoft services and apps such as Microsoft Teams. 
  • [Daylight Savings Time (DST)] Update for Arab Republic of Egypt to support the government DST change order in 2023. 
  • [Secure Boot] This update adds a new SecureBoot folder under C:\Windows on eligible devices. The folder contains example scripts intended for organizations with IT professionals who actively manage updates across their device fleet. These scripts can be used to detect Secure Boot certificate update status and automate deployment via a safe rollout mechanism in an Active Directory environment. For more information, see Sample Secure Boot E2E Automation Guide. 

If you installed earlier updates, only the new updates contained in this package will be downloaded.