Microsoft fixes BitLocker recovery bug on Windows Server 2025
Microsoft has resolved a known issue causing some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update. [...]
AI Analysis
Technical Summary
Microsoft identified and resolved a BitLocker recovery bug affecting Windows Server 2025 devices after the April 2026 Patch Tuesday update. The issue arises on systems where BitLocker is enabled on the OS drive and a specific Group Policy setting "Configure TPM platform validation profile for native UEFI firmware configurations" includes PCR7 in the validation profile, combined with certain Secure Boot and Windows Boot Manager states. This causes affected devices to prompt for the BitLocker recovery key once after the update due to invalid PCR7 configurations. The fix, delivered in KB5094125, prevents installation of the 2023-signed Windows Boot Manager on incompatible devices, avoiding the recovery prompt. Microsoft also advises IT administrators to remove the problematic Group Policy before applying updates or use a Known Issue Rollback (KIR) if immediate patching is not possible.
Potential Impact
Affected Windows Server 2025 devices with the specific Group Policy configuration may unexpectedly enter BitLocker recovery mode after installing the April 2026 update, requiring manual entry of the BitLocker recovery key once. This can cause temporary disruption in system availability and requires administrator intervention to regain access. There is no indication of data loss or security compromise beyond the recovery prompt. The issue is limited to enterprise-managed systems with the specific TPM and PCR7 configuration and does not generally affect personal devices.
Mitigation Recommendations
Microsoft has released an official fix in the KB5094125 cumulative update for Windows Server 2025 that resolves this BitLocker recovery issue. Administrators should apply this update to affected systems. If immediate deployment is not possible, IT teams are advised to remove the problematic Group Policy setting before installing updates starting with KB5082063 or later. Alternatively, applying the Known Issue Rollback (KIR) can prevent the automatic switch to the 2023 Boot Manager that triggers the recovery prompt. Following these steps will prevent unexpected BitLocker recovery prompts related to this issue.
Microsoft fixes BitLocker recovery bug on Windows Server 2025
Description
Microsoft has resolved a known issue causing some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update. [...]
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Microsoft identified and resolved a BitLocker recovery bug affecting Windows Server 2025 devices after the April 2026 Patch Tuesday update. The issue arises on systems where BitLocker is enabled on the OS drive and a specific Group Policy setting "Configure TPM platform validation profile for native UEFI firmware configurations" includes PCR7 in the validation profile, combined with certain Secure Boot and Windows Boot Manager states. This causes affected devices to prompt for the BitLocker recovery key once after the update due to invalid PCR7 configurations. The fix, delivered in KB5094125, prevents installation of the 2023-signed Windows Boot Manager on incompatible devices, avoiding the recovery prompt. Microsoft also advises IT administrators to remove the problematic Group Policy before applying updates or use a Known Issue Rollback (KIR) if immediate patching is not possible.
Potential Impact
Affected Windows Server 2025 devices with the specific Group Policy configuration may unexpectedly enter BitLocker recovery mode after installing the April 2026 update, requiring manual entry of the BitLocker recovery key once. This can cause temporary disruption in system availability and requires administrator intervention to regain access. There is no indication of data loss or security compromise beyond the recovery prompt. The issue is limited to enterprise-managed systems with the specific TPM and PCR7 configuration and does not generally affect personal devices.
Mitigation Recommendations
Microsoft has released an official fix in the KB5094125 cumulative update for Windows Server 2025 that resolves this BitLocker recovery issue. Administrators should apply this update to affected systems. If immediate deployment is not possible, IT teams are advised to remove the problematic Group Policy setting before installing updates starting with KB5082063 or later. Alternatively, applying the Known Issue Rollback (KIR) can prevent the automatic switch to the 2023 Boot Manager that triggers the recovery prompt. Following these steps will prevent unexpected BitLocker recovery prompts related to this issue.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bitlocker-recovery-bug-on-windows-server-2025/","fetched":true,"fetchedAt":"2026-06-11T08:57:32.575Z","wordCount":856}
Threat ID: 6a2a787c9e049e7b7ee60963
Added to database: 6/11/2026, 8:57:32 AM
Last enriched: 6/11/2026, 8:57:40 AM
Last updated: 6/11/2026, 5:33:33 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.