May 2026 Patch Tuesday: What KB5089549 Fixes, What It Doesn't, and What to Do Before You Update

Microsoft's May 2026 Patch Tuesday landed at 1 PM ET on May 12. Here's exactly what shipped, what it fixes from April, and the three things every Windows user should know tonight.

What shipped today

KB5089549 is the May cumulative update for Windows 11 24H2 and 25H2. It brings your system to build 26100.8457 or 26200.8457 and patches approximately 137 security vulnerabilities.

Windows 11 23H2 users get KB5087420 (build 22631.7079). Windows 10 ESU users get KB5087544 (build 19045.7291).

The April BitLocker fix is confirmed

The biggest news: Microsoft explicitly fixed the BitLocker recovery prompt that KB5083769 caused in April. The release notes state the update addresses an issue where devices entered BitLocker Recovery after updating boot files on systems with certain TPM validation settings, including invalid PCR7 configurations.

If you held off on April's update because of the BitLocker reports, KB5089549 resolves that specific trigger.

What is NOT fixed

The boot loop and mosaic BSOD pattern reported on some HP and Dell PCs (particularly AMD Ryzen systems with older NVIDIA drivers) was never officially acknowledged by Microsoft. The May update does not specifically target this issue. If you experienced this pattern, update your GPU drivers before installing KB5089549.

VSS and backup software failures from April are by design, not a bug. KB5083769 added drivers to the Microsoft Vulnerable Driver Blocklist. Backup tools that depend on those drivers (Acronis, Macrium, NinjaOne Backup) need updated versions from their vendors. Microsoft will not roll back the blocklist.

Three things to do tonight

1. Install KB5089549. For most users, this update is safe to install. Early reports show clean installs with no widespread issues. Microsoft says they are not currently aware of any problems with this update.

2. Check your Secure Boot status. The original 2011 Secure Boot certificates expire on June 26, 2026. That is 45 days away. Today's update continues the staged rollout of 2023 certificates. Devices that miss the rollout may enter a degraded security state.

To check your status, open PowerShell and run: Confirm-SecureBootUEFI

If it returns True, Secure Boot is active. For certificate status, check Windows Security under Device Security.

3. Verify your backups work. If you use Acronis, Macrium, or NinjaOne Backup, verify that your backup jobs complete successfully after installing today's update. The vulnerable driver blocklist from April carries forward.

Other fixes in this update

KB5089549 also rolls in the April 30 preview fixes: Remote Desktop dialog scaling on multi-monitor setups, explorer.exe zombie processes, Delivery Optimization memory leak, Microsoft Store error codes, and Windows Hello fingerprint persistence after major upgrades.

Should you install today?

Yes, for consumers and small businesses. The Secure Boot deadline makes waiting the riskier choice this month. For enterprises, pilot this afternoon and deploy broadly after overnight feedback stabilizes.

What SimpleFixAI detects

SimpleFixAI v1.7.3 detects recent problematic Windows updates, identifies faulting drivers after a BSOD, and creates a snapshot before every repair with one-click undo. It runs offline on your machine with no cloud connection and no Microsoft Account required.

Free during beta at simplefixai.com.