How to Apply Microsoft's May 2026 Patch Tuesday Updates: A Step-by-Step IT Admin Guide

By • min read

Introduction

Microsoft’s May 2026 Patch Tuesday delivers 139 updates across Windows, Office, .NET, and SQL Server. While no zero-day vulnerabilities were reported, the lack of immediate exploits doesn't mean you can slow down. Three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira/Confluence) and four Word Preview Pane RCEs demand urgent attention. This guide walks IT administrators through a structured deployment process—starting with internet-facing services, domain controllers, and Office endpoints—to minimize risk.

How to Apply Microsoft's May 2026 Patch Tuesday Updates: A Step-by-Step IT Admin Guide — Source: www.computerworld.com

What You Need

System access: Administrative privileges on domain controllers, servers, and endpoints.
Update inventory: List of all Windows 10 22H2, Windows 11 24H2/23H2, Windows Server 2025/2019/2016, Office 365 (click-to-run) and Office 2021/2019 installations.
Testing environment: A lab replicating production configurations, especially BitLocker and Group Policy settings.
Patch management tools: WSUS, SCCM, or Microsoft Endpoint Manager (Intune) for controlled rollouts.
Backup and recovery: Full system backups and BitLocker recovery keys (for the ongoing recovery condition).
Documentation: The May Assurance Security Dashboard and KB articles for each product family.

Step-by-Step How-To

Step 1: Assess the Risk Profile

Start with the May Assurance Security Dashboard to map updates by product family. Prioritize deployments:

Internet-facing services (DNS, Netlogon, SSO Plugin for Atlassian)
Domain controllers (Netlogon RCEs)
Office endpoints (Word Preview Pane RCEs)
TCP/IP stack (large vulnerability cluster)

Remember: The BitLocker recovery condition from April persists on Windows 10 and Windows Server devices where Group Policy sets an invalid PCR7 profile.

Step 2: Prepare Your Testing Environment

Before applying updates broadly, reproduce production configurations in a sandbox:

Enable BitLocker with custom TPM validation profile (Group Policy: Configure TPM platform validation profile for native UEFI firmware configurations).
Install the April 2026 problematic update (KB5089549) if not already present—observe the recovery prompt.
Set up Windows 10/Server devices with invalid PCR7 to confirm the condition.
Test Word Preview Pane by opening a malicious .docx via Outlook and File Explorer to verify that mitigation blocks it.

If your test environment triggers BitLocker recovery, proceed to Step 3 before deploying the May update.

Step 3: Apply the May 2026 Windows Updates

Deploy the following updates to resolve known issues and close vulnerabilities:

KB5089549 for Windows 11 25H2 and 24H2: Resolves the April PCR7/BitLocker recovery condition. Improves Boot Manager servicing to prevent future recovery loops.
Secure Boot certificate updates: Adds automation scripts in C:\Windows\SecureBoot to help IT teams deploy the new Windows UEFI CA 2023 key (CVE-2023-24932). This prepares for the expiration of the 2011 certificates between June and October 2026.
SSDP service improvement: Prevents unresponsiveness under sustained network load. Important for networks using UPnP device discovery.

Note: Microsoft Exchange Server has no updates this month, but no zero-days means no emergency patch is required for it.

Step 4: Mitigate Word Preview Pane RCEs

Four critical RCEs affect Microsoft Word’s Preview Pane (CVE-2026-40361, 40364, 40366, 40367; CVSS 8.4). Two are marked “Exploitation More Likely.” The attack vector is simply viewing a malicious document in Outlook or File Explorer Preview Pane. To mitigate:

Install the Microsoft Office update that addresses these CVEs. For Office 365, check for version 2405 build 16.0.17628.20000 or later.
Temporarily disable the Preview Pane in Outlook (File > Options > Preview Pane) and in File Explorer (View > Preview pane) until all endpoints are patched.
Restrict macro execution and disable dynamic content in previews via Group Policy.

Step 5: Address the BitLocker Carry-Over Condition

If your organization uses Group Policy with a custom PCR7 profile on Windows 10 or Windows Server, the May update does not directly fix it—only the Windows 11 24H2/25H2 KB5089549 does. For Windows 10 22H2 and Windows Server 2025, check the Microsoft Support page for a future fix. In the meantime:

Save BitLocker recovery keys in Active Directory or a secure location.
Update the TPM PCR7 profile to a valid configuration to avoid recovery prompts.
Deploy a script to verify the PCR7 value before rebooting after patching.

Step 6: Handle Graphics Driver Downgrades

Microsoft acknowledged that Windows Update may replace manually-installed graphics drivers with older OEM versions. This happens because Windows Update ranks drivers by Hardware ID length (four-part) rather than version numbers. To prevent downgrades:

Pause driver updates via Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows Update > “Do not include drivers with Windows Updates”).
Use Windows Update for Business to control driver deployment.
Manually approve drivers in WSUS or SCCM.

Step 7: Roll Out to Production in Phases

Now that testing is complete, deploy updates in stages:

Phase 1: Internet-facing servers (DNS, domain controllers, SSO plugin for Jira/Confluence). Monitor for BitLocker recovery and driver issues.
Phase 2: Office endpoints (especially Outlook users). After patching, confirm Word Preview Pane RCEs are blocked.
Phase 3: Internal servers and remaining clients.

Use patch management tools to push updates and schedule reboots outside business hours.

Step 8: Validate After Deployment

After reboots, verify:

BitLocker does not prompt for recovery on Windows 11 24H2/25H2. For Windows 10/Server, check Event Viewer for PCR7 errors.
Word Preview Pane opens safe documents without crashing or triggering exploitation.
Secure Boot status confirms new UEFI CA 2023 key is present (run Confirm-SecureBootUEFI in PowerShell).
Graphics drivers remain at the expected version.
SSDP service responds reliably to UPnP discovery requests.

Tips and Final Advice

Test before you trust: Even without zero-days, the sheer volume (139 updates) increases odds of conflicts. Isolate your lab network.
Document everything: Record which systems received updates and any recovery events. Use the new C:\Windows\SecureBoot scripts for certificate management.
Plan for the October 2026 certificate expiry: The Secure Boot certificate updates now may save you a scramble later.
Prioritize the Preview Pane mitigations: These are the most easily exploitable in day-to-day operations. Disable previews until all Office patches are applied.
Be aware of the driver downgrade issue: If you manage display drivers manually, use Group Policy to exclude driver updates from Windows Update.
Stay informed: Monitor the Microsoft Security Response Center for any post-release changes or additional known issues.