Microsoft Resolves BitLocker Recovery Bug in Windows Server 2025
Severity: Low (Score: 27.9)
Sources: Bleepingcomputer, Feeds.4Sysops
Keywords: bitlocker, windows, microsoft, recovery, server, into, issue
Severity indicators: issue
Summary
Microsoft has fixed a bug affecting Windows Server 2025 and Windows 11 systems that caused them to enter BitLocker recovery mode after installing security updates. The issue was linked to specific Group Policy configurations involving Trusted Platform Module (TPM) validation profiles, particularly with PCR7 settings. Affected devices prompted users for a recovery key immediately following the installation of updates that modified boot files. Microsoft acknowledged the issue after the April 2026 Patch Tuesday and released cumulative updates to address it. The updates were included in KB5094125 for Windows Server 2025 and KB5093998 for Windows 11 23H2. IT administrators were advised to adjust Group Policy settings or apply a Known Issue Rollback if they could not deploy the updates immediately. The bug primarily impacted enterprise systems rather than personal devices. The resolution aims to prevent unexpected recovery prompts during system restarts.

Key Points:
• Microsoft resolved a BitLocker recovery issue affecting Windows Server 2025 and Windows 11.
• The bug was triggered by specific Group Policy configurations involving TPM and PCR7.
• Cumulative updates KB5094125 and KB5093998 were released to fix the issue.
Detailed Analysis
**Impact** Enterprise systems running Windows Server 2025 and some Windows 11 devices with specific BitLocker Group Policy configurations were affected, primarily in corporate IT environments. The bug caused affected devices to enter BitLocker recovery mode after installing security updates, potentially disrupting operations by requiring manual recovery key entry on first reboot. No direct data breaches were reported, but operational downtime and access delays could impact business continuity, especially in sectors relying on encrypted storage and secure boot processes.

**Technical Details** The issue was triggered by updates modifying boot files combined with incompatible TPM validation settings, specifically involving invalid PCR7 configurations in Group Policy. This caused systems to prompt for BitLocker recovery keys immediately after patch installation. Microsoft addressed the problem with cumulative updates KB5094125 for Windows Server 2025 and KB5093998 for Windows 11 23H2. No malware, CVEs, or attacker infrastructure were involved; this was a configuration and update compatibility issue.

**Recommended Response** Apply the June 2026 cumulative updates KB5094125 (Windows Server 2025) and KB5093998 (Windows 11 23H2) immediately to resolve the recovery prompt issue. IT administrators unable to deploy updates should remove the incompatible BitLocker Group Policy settings before patching or apply the Known Issue Rollback (KIR) to prevent automatic boot manager changes triggering recovery mode. Monitor Event ID 1032 in the System event log for related update installation issues.
Source articles (2)
- Microsoft fixes BitLocker recovery bug on Windows Server 2025 — Bleepingcomputer · 2026-06-11
  Microsoft has resolved a known issue causing some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update. The BitLocker security feature encrypts s…
- Microsoft resolves BitLocker recovery loops in Windows Server 2025 — Feeds.4Sysops · 2026-06-11
  Microsoft has released cumulative updates to resolve a persistent bug that forced Windows Server 2025 and Windows 11 systems into BitLocker recovery mode. The issue was triggered by specific Group Pol…
Timeline
- 2026-04-11 — Issue acknowledged after April 2026 Patch Tuesday: Microsoft confirmed that some Windows Server 2025 devices entered BitLocker recovery after installing updates.
- 2026-06-11 — Cumulative updates released to resolve BitLocker recovery bug: Microsoft released KB5094125 and KB5093998 to address the BitLocker recovery issue on affected systems.
Related entities
- Windows 11 (Platform)
- Windows Server 2025 (Platform)