"Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft said when it acknowledged the issue after the April 2026 Patch Tuesday.
Microsoft's fix in KB5094125 and KB5093998
Microsoft says it has resolved a known issue that could force some Windows Server 2025 devices into BitLocker recovery after installing the April 2026 security update. The company addressed the bug in two cumulative updates released during this month's Patch Tuesday: KB5094125 (Windows Server 2025) and KB5093998 (Windows 11 23H2). In updated advisories, Microsoft explained that the update "addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations."
The narrow technical chain that triggered BitLocker recovery
Microsoft emphasized that the problem only occurred for very specific configurations and listed the exact conditions that had to all be present for the recovery prompt to appear. Affected devices met every item on this list:
- BitLocker was enabled on the OS drive.
- The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" was configured, and PCR7 was included in the validation profile (or the equivalent registry key was set manually).
- System Information (msinfo32.exe) reported the Secure Boot State PCR7 Binding as "Not Possible".
- The Windows UEFI CA 2023 certificate was present in the device's Secure Boot Signature Database (DB), making the device eligible for the 2023-signed Windows Boot Manager to be made the default.
- The device was not already running the 2023-signed Windows Boot Manager.
Microsoft also noted that when the prompt did appear it required the BitLocker recovery key only once: "subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged."
Who is affected: Windows Server 2025, Windows 11, and managed enterprise devices
While Microsoft acknowledged the issue could also affect some Windows 11 systems, the company said it is "unlikely to impact personal devices," because the affected Group Policy configurations are typically found only on enterprise systems managed by corporate IT teams. The June updates that resolve the issue include KB5094125 for Windows Server 2025 and KB5093998 for Windows 11 23H2.
Recommended mitigations for IT administrators
Microsoft provided several paths for IT teams that cannot immediately deploy the June fixes. Administrators who cannot yet install the updated cumulative patches are advised to remove the Group Policy configuration before installing KB5082063 and later updates, and to ensure that BitLocker bindings use the PCR7 profile. For environments where removing the group policy prior to deployment is not feasible, Microsoft recommended applying a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager that triggers the BitLocker recovery prompts.
The company also said that if a device was impacted, administrators will see Event ID 1032 in the System event log when installing Windows updates; that indicator was noted in a service alert seen by BleepingComputer.
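The five conditions above and the Event ID 1032 indicator can be checked from an elevated PowerShell session on a single machine. The script below is an added example written for this article, not Microsoft's own tooling; the registry location of the platform validation profile policy, the use of an msinfo32 report to read the PCR7 binding, and the bootmgfw.efi signature check are assumptions about how those settings are exposed.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory one device against the conditions listed in the article.
$c = [ordered]@{}

# 1. BitLocker enabled on the OS drive
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$c['BitLockerOnOsDrive'] = ($os.ProtectionStatus -eq 'On')

# 2. "Configure TPM platform validation profile for native UEFI firmware configurations"
#    configured with PCR7 included (assumed registry location and value layout:
#    Enabled=1 and a DWORD named "7" set to 1)
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
$c['Pcr7InValidationProfile'] = ($null -ne $p -and $p.Enabled -eq 1 -and $p.'7' -eq 1)

# 3. msinfo32 reports the PCR7 binding as "Not Possible" (the field is only
#    populated when the report is generated from an elevated session)
$rep = Join-Path $env:TEMP 'msinfo32-report.txt'
Start-Process msinfo32.exe -ArgumentList "/report `"$rep`"" -Wait
$pcr7 = (Get-Content $rep | Where-Object { $_ -match 'PCR7' }) -join ' '
$c['Pcr7BindingNotPossible'] = ($pcr7 -match 'Not Possible')

# 4. Windows UEFI CA 2023 present in the Secure Boot signature database (DB)
$db = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$c['Ca2023InDb'] = ($db -match 'Windows UEFI CA 2023')

# 5. Not yet running the 2023-signed boot manager: mount the EFI system partition
#    on an unused drive letter and read the signer of bootmgfw.efi
$esp = 'S:'
mountvol $esp /S | Out-Null
$sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
mountvol $esp /D | Out-Null
$c['BootMgrNot2023Signed'] = ($sig.SignerCertificate.Subject -notmatch 'Windows UEFI CA 2023')

# Indicator named in the article: Event ID 1032 in the System log
$evt = Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 1032} -MaxEvents 1 -ErrorAction SilentlyContinue
$c['EventId1032Seen'] = [bool]$evt

[pscustomobject]$c | Format-List
$conditions = $c.Keys | Where-Object { $_ -ne 'EventId1032Seen' } | ForEach-Object { $c[$_] }
"All five conditions present (device matches Microsoft's description): $($conditions -notcontains $false)"
```

A device where all five flags are true is the one to remediate (remove the policy or apply the KIR) before the cumulative update is pushed; a device that already boots the 2023-signed boot manager is out of scope regardless of the other flags.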
What this means for IT admins, enterprises, and end users
- IT administrators: Expect to check for Event ID 1032 in System logs after update attempts, and prioritize deployment of KB5094125 or KB5093998 where applicable. If immediate deployment is impossible, either remove the incompatible group policy or apply the KIR to avoid triggering recovery prompts.
- Affected enterprises: Systems with custom TPM/PCR7 group policy profiles should inventory which devices meet the five-condition set Microsoft outlined and decide whether to remediate policies before installing cumulative updates or apply KIRs to preserve uptime during patching.
- End users on personal devices: Microsoft recommends little action; the company said affected configurations are "typically found only on enterprise systems managed by corporate IT teams" and are unlikely to impact personal devices.
Microsoft's June updates resolved this particular issue two months after it was first confirmed, but the company has confronted similar BitLocker recovery behaviour before: an August 2024 fix followed July 2024 security updates that triggered recovery prompts, and emergency updates were issued in May 2025 for another, related event. For now, administrators have concrete steps (apply the June cumulative updates KB5094125 or KB5093998, remove incompatible Group Policy settings ahead of patching, or use Known Issue Rollbacks) and a clear log indicator (Event ID 1032) to spot impacted systems.
Original reporting: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bitlocker-recovery-bug-on-windows-server-2025/