Microsoft's June 9, 2026 Patch Tuesday updates deliver a critical fix for Windows Server 2025 systems that were dropping into BitLocker recovery after every boot. The root cause traces back to an April 2026 security update that changed how Boot Configuration Data (BCD) is validated, so the measurements recorded in the Trusted Platform Module (TPM) at boot no longer matched the PCR7 values BitLocker had sealed its volume master key against. Servers with strict Secure Boot and BitLocker policies started demanding recovery keys on every restart, blindsiding admins who had configured their systems exactly as Microsoft prescribes.
The June cumulative update, KB5094125, resolves the bug by restoring the pre-April BCD measurement logic. For affected enterprises this is no cosmetic patch: it ends the scramble for recovery keys that has dogged datacenters since April's Patch Tuesday. Microsoft's advisory states that the fix applies to all editions of Windows Server 2025, including Server Core installs and Datacenter, and ships with the month's security patches.
The April 2026 update (KB5087654) changed how the Windows boot manager measures critical boot components into TPM PCR7, one of the PCRs BitLocker binds its key to when validating the boot chain. The change was meant to harden against bootkits that tamper with BCD entries, but it also reordered the measurement sequence. On systems with Secure Boot enforced and BitLocker relying on the "Allow Secure Boot for integrity validation" group policy, the shifted PCR values no longer matched the ones the key had been sealed to, so the TPM refused to unseal it. The outcome was a forced BitLocker recovery screen even though nothing had actually been compromised.
This wasn't a universal problem: most consumer Windows 11 PCs, and many Windows Server 2025 boxes, never saw it. It triggered only where all of the following held at once: a TPM 2.0 present and active, Secure Boot enabled and not in audit mode, BitLocker bound to PCR7 (the default validation profile for OS drives on UEFI systems), and the "Allow Secure Boot for integrity validation" group policy set to Enabled, which is common in regulated industries. VMs on Hyper-V or VMware with a virtual TPM and Secure Boot enabled were equally susceptible when they met those criteria.
Admins first reported the problem in late April 2026, and reports spiked after the May Patch Tuesday updates, which carried the same faulty BCD measurement change. Microsoft initially treated it as a configuration issue and advised customers to temporarily suspend BitLocker or to drop PCR7 from the validation profile via the "Configure TPM platform validation profile for native UEFI firmware configurations" policy. That workaround was clumsy and weakened protection (a suspended volume keeps its master key in the clear until protection is resumed), but it kept servers online. The real fix, KB5094125, lands now, nearly two months after the initial break.
From a technical standpoint, the patch reverts the BCD hashing logic to the pre-April behavior unless a specific registry flag is set. Microsoft indicates that future updates will reintroduce the hardened BCD validation in a more compatible manner, but for now, the priority is stability. This regression demonstrates the delicate dance between security and reliability: a well-intentioned defense against bootkits can inadvertently lock out legitimate users.
Affected organizations that suspended BitLocker or altered PCR policies should apply the June update and then undo the workarounds. The cumulative update does not re-enable BitLocker or reset policies on its own; it only ensures that systems configured with the original, secure defaults are no longer penalized. Microsoft recommends three steps: first, install KB5094125 on all Windows Server 2025 machines. Second, if you used the PCR7 workaround, restore the default PCR validation profile via Group Policy. Third, if you suspended BitLocker, run manage-bde -protectors -enable C: (or the equivalent Resume-BitLocker -MountPoint C:) after the post-update reboot to reapply protectors.
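The PowerShell below is an added example, not code from the article or from Microsoft. It wraps the exposure conditions listed earlier (TPM 2.0, Secure Boot outside audit mode, PCR7-bound OS protector, the Secure Boot integrity-validation policy, the faulty update present) into one function, and the three post-patch steps above into a second. It assumes English manage-bde output, and it assumes the registry value names that the two BitLocker policies write (OSAllowSecureBootForIntegrity under the FVE policy key, and an OSPlatformValidation_UEFI subkey with Enabled and per-PCR DWORDs), none of which the article states. The KB numbers are the ones the article names; the May update's KB is not named, so only the April one is in the default list.

```powershell
# Added example (not from the article, Microsoft, or any vendor): triage and
# post-patch recovery helper for the PCR7/BCD regression. Run elevated on a
# Windows Server 2025 host. Registry value names below are assumptions.
#Requires -RunAsAdministrator

$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-OsPcrProfile {
    # manage-bde prints "PCR Validation Profile:" and the bound PCRs on the
    # following line (English output assumed), e.g. "7, 11".
    param([string]$Drive)
    $lines = & manage-bde.exe -protectors -get $Drive
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') { return $lines[$i + 1].Trim() }
    }
    return ''
}

function Test-Pcr7Exposure {
    # Evaluates the trigger conditions the article lists; Exposed is true only
    # when every one of them holds and the June fix is not yet installed.
    param([string]$Drive = $env:SystemDrive,
          [string[]]$BadUpdates = @('KB5087654'),   # add the May KB if you know it
          [string]$Fix = 'KB5094125')
    $r = [ordered]@{}
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    $r.Tpm20Ready = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $spec -like '2.0*')
    # Confirm-SecureBootUEFI throws on legacy BIOS; treat that as Secure Boot off.
    try { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) } catch { $r.SecureBoot = $false }
    # AuditMode is a UEFI 2.5 variable; if the firmware lacks it, it is not in audit mode.
    try { $r.AuditMode = ((Get-SecureBootUEFI -Name AuditMode).Bytes[0] -eq 1) } catch { $r.AuditMode = $false }
    $vol = Get-BitLockerVolume -MountPoint $Drive
    $r.TpmProtector = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    $r.PcrProfile   = Get-OsPcrProfile -Drive $Drive
    $r.Pcr7Bound    = ($r.PcrProfile -match '(^|,\s*)7(\s*,|$)')
    # "Allow Secure Boot for integrity validation": Not Configured behaves as Enabled.
    $allow = (Get-ItemProperty -Path $Fve -Name OSAllowSecureBootForIntegrity -ErrorAction SilentlyContinue).OSAllowSecureBootForIntegrity
    $r.SecureBootIntegrityPolicy = ($null -eq $allow -or $allow -eq 1)
    $ids = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $r.BadUpdateInstalled = [bool]($BadUpdates | Where-Object { $ids -contains $_ })
    $r.FixInstalled       = ($ids -contains $Fix)
    $r.Exposed = $r.Tpm20Ready -and $r.SecureBoot -and -not $r.AuditMode -and $r.TpmProtector -and
                 $r.Pcr7Bound -and $r.SecureBootIntegrityPolicy -and $r.BadUpdateInstalled -and -not $r.FixInstalled
    [pscustomobject]$r
}

function Restore-AfterFix {
    # The article's three post-patch steps: fix present, PCR-profile workaround
    # reverted through Group Policy, BitLocker resumed if it was suspended.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Drive = $env:SystemDrive, [string]$Fix = 'KB5094125')
    if (-not (Get-HotFix -Id $Fix -ErrorAction SilentlyContinue)) {
        throw "$Fix is not installed; resuming BitLocker now would only reproduce the recovery prompt."
    }
    # The workaround policy writes this subkey with Enabled plus one DWORD per PCR (assumed names).
    $uefi = "$Fve\OSPlatformValidation_UEFI"
    $workaround = (Test-Path $uefi) -and ((Get-ItemProperty $uefi).Enabled -eq 1) -and ((Get-ItemProperty $uefi).PCR7 -ne 1)
    if ($workaround) {
        Write-Warning "Custom PCR profile still set under $uefi. Revert it in Group Policy rather than deleting the key locally (policy rewrites it on refresh), then run gpupdate /force."
    }
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        throw "$Drive is decrypted, not suspended; re-enable BitLocker deliberately, not from this script."
    }
    # ProtectionStatus Off with protectors still present means suspended, not decrypted.
    if ($vol.ProtectionStatus -eq 'Off' -and $vol.KeyProtector.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($Drive, 'Resume-BitLocker')) {
        Resume-BitLocker -MountPoint $Drive | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $Drive
    [pscustomobject]@{
        Drive = $Drive; FixInstalled = $true; WorkaroundPresent = $workaround
        ProtectionStatus = $vol.ProtectionStatus; PcrProfile = Get-OsPcrProfile -Drive $Drive
    }
}

Test-Pcr7Exposure | Format-List
Restore-AfterFix -WhatIf   # dry run; drop -WhatIf to actually resume protection
```

Run the exposure check across the fleet before the June rollout to see which hosts actually match all the conditions, and run the restore function only after the post-update reboot, since it deliberately refuses to resume protection while KB5094125 is absent. It also refuses to act on a drive that was fully decrypted rather than suspended, because re-encrypting is a separate, deliberate operation.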
The update also includes the standard June 2026 security fixes for remote code execution vulnerabilities in the Windows Kernel, Hyper-V, and the DNS Server role. The BitLocker fix is listed under the "Known issues and improvements" section rather than as a security CVE, because it addresses a non-security regression. That distinction matters for organizations that deploy only security-only packages: this fix ships solely in the cumulative update.
Reaction from the community has been a mix of relief and frustration. "Two months of manually entering 48-digit recovery keys on reboot cycles is insane," wrote one admin on the Windows Server forums. "Glad it's fixed, but the communication from Microsoft was terrible." Others expressed concern about the rapid re-introduction of the hardened BCD, wondering if they'll need to test extensively before future updates. Microsoft's security response center has since published a blog post detailing the timeline and affirming that the revert is temporary; a revised version of the April bootkit protection will ship in a preview update later this quarter.
For IT professionals managing Windows Server 2025 fleets, the June update is mandatory. The bug was especially painful because recovery key management at scale demands robust procedures. Shops with BitLocker Network Unlock configured sidestepped the issue, but that feature needs additional infrastructure (a Windows Deployment Services server and DHCP reachable from the boot environment). Others had automated recovery key retrieval via Microsoft Intune or third-party tools, which softened the blow. Still, the incident underscores the value of testing cumulative updates in staging, even when they don't initially seem relevant to your configuration.
Looking ahead, Microsoft has indicated it will release a new group policy template to control the BCD measurement behavior independently. This would allow security-conscious organizations to opt into the stricter validation after evaluating compatibility, rather than having it forced in a monthly patch. No timeline is given, but it's expected before the next Windows Server 2026 feature update (codenamed Helium).
In the wider context, this isn't the first time BitLocker recovery hassles have stemmed from update-induced boot measurement changes. Windows 10 and 11 have each had similar episodes, often tied to firmware updates or changes in the Secure Boot DBX. The Windows Server 2025 case stands out because it affected server workloads in production, where downtime is measured in dollars per minute. It also highlights the growing complexity of the TPM-based trust chain and the need for more granular controls.
For now, admins should grab KB5094125 from Windows Update, WSUS, or the Microsoft Update Catalog. The standalone package is about 750 MB for x64 systems. A reboot is required, but the update does not re-trigger BitLocker recovery on patched systems. If you still see recovery prompts after the update, Microsoft advises confirming that Secure Boot is enabled and that the TPM is functioning correctly; the fix doesn't retroactively repair TPM health, it only aligns the measurements.
This June 2026 Patch Tuesday is lighter on critical CVEs than previous months, with only three zero-days, none publicly exploited at scale. The BitLocker fix is unquestionably the headline item for anyone running Windows Server 2025. The lesson for Microsoft: when modifying the boot chain, even with the best security intentions, compatibility testing must extend beyond generic consumer PCs to the myriad server configurations in the field.
In the meantime, enterprises that forged ahead with the workarounds should revisit how they distribute BitLocker recovery keys. Too often, keys sit in spreadsheets or on USB drives that aren't reachable when a server is stuck at the recovery screen. A centralized, redundant key escrow (Active Directory or Entra ID backup, Intune, or a third-party vault), coupled with BitLocker Network Unlock where feasible, can turn a crisis into a minor annoyance. The June update fixes the bug, but the next bootkit defense won't be the last time the trust chain gets shaken.