Microsoft released the June 9, 2026 cumulative update KB5094125 for Windows Server 2025, addressing a critical BitLocker recovery issue that surfaced in managed server environments. The update targets a scenario where servicing the Windows boot manager—through updates or configuration changes—unexpectedly triggers BitLocker recovery prompts due to PCR7 validation failures. System administrators first flagged the problem in early May 2026 after applying monthly security updates, noticing that servers with specific Trusted Platform Module (TPM), Secure Boot, and Group Policy configurations entered recovery mode on reboot.
The root cause lies in how BitLocker binds encryption keys to Platform Configuration Register 7 (PCR7) when Secure Boot is enabled. PCR7 captures the Secure Boot state and related boot components, including the boot manager. If Group Policy is set to enforce TPM validation of PCR7 and the boot manager gets updated or serviced, the measurement changes. BitLocker interprets this as a potential security breach and demands a recovery key to proceed. KB5094125 modifies the boot manager servicing process so that it properly updates the TPM's PCR7 binding without invalidating existing BitLocker seals. No recovery keys are lost; the fix simply prevents false positives.
Understanding the PCR7 and BitLocker Binding
BitLocker on TPM-equipped servers can use several PCR registers to seal encryption keys. PCR7 is crucial for Secure Boot integrity. It records the state of the Secure Boot configuration policy, the EFI boot manager, and any Secure Boot-related certificates or signatures. When a server boots, the TPM compares the current PCR7 value against the expected value stored with the BitLocker key. If they match, the key unlocks and the operating system starts normally.
In enterprise environments, administrators often strengthen security by configuring Group Policy settings under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. The policy “Configure TPM platform validation profile for native UEFI firmware configurations” can be set to mandate PCR7 binding. This ensures that only a verified Secure Boot chain can release the decryption key. However, any change to the boot manager—such as a patch, firmware update, or even a minor reconfiguration—recalculates PCR7, breaking the seal.
Before KB5094125, the servicing stack for the boot manager did not account for this PCR7 binding. When Windows Update delivered a new boot manager binary, it simply replaced the old file. Upon reboot, the TPM detected the changed boot manager measurement in PCR7, failed the integrity check, and threw the server into BitLocker recovery mode. For a single server, entering a 48-digit recovery key is an inconvenience. For hundreds of servers in a data center, it's an operational nightmare.
The Triggering Scenario
The bug primarily affects Windows Server 2025 machines joined to a domain with the following conditions:
- Secure Boot enabled and actively validated by the UEFI firmware.
- TPM 2.0 present and all PCR bindings correctly initialized.
- Group Policy object (GPO) set to require PCR7 validation for OS drive encryption (the policy mentioned above).
- Boot manager version changes due to a cumulative update or manual servicing.
Notably, servers that did not have the PCR7 GPO configured but instead relied on default PCR bindings (which typically exclude PCR7) were unaffected. Also, if Secure Boot was disabled or in setup mode, the issue did not manifest. This explains why only a subset of managed environments encountered the recovery prompts.
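The four trigger conditions above, together with the PCR7 binding described earlier, can be checked from an elevated PowerShell session before a patch window. The script below is an added example and is not code from the article or from Microsoft. It reads Secure Boot state with Confirm-SecureBootUEFI, the TPM family from Win32_Tpm, and, most importantly, the PCR profile the TPM key protector is actually sealed to, via the Win32_EncryptableVolume provider's GetKeyProtectorPlatformValidationProfile method. The registry location of the "native UEFI" platform validation policy (one DWORD per PCR index under the FVE policy key) is an assumption, as is the function name.

```powershell
# Added example, not code from the article or from Microsoft. Audits one volume on a
# Windows Server 2025 host for the combination the article describes as the trigger:
# Secure Boot on, TPM 2.0, a PCR7-requiring validation profile, BitLocker protection on.
# Run in an elevated PowerShell session. Items marked ASSUMPTION are not from the article.

function Get-Pcr7ExposureReport {
    [CmdletBinding()]
    param([string]$DriveLetter = 'C:')

    $r = [ordered]@{ DriveLetter = $DriveLetter }

    # Secure Boot state as the UEFI firmware reports it. The cmdlet throws on legacy
    # BIOS or on firmware without the variable; treat that as "not enabled".
    try   { $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBootEnabled = $false }

    # TPM presence and family. Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.Tpm20Present = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # Group Policy "Configure TPM platform validation profile for native UEFI firmware
    # configurations". ASSUMPTION: stored under this FVE policy key with one DWORD per
    # PCR index, so a value named "7" equal to 1 means PCR7 is part of the profile.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $r.PolicyConfigured   = [bool]$pol
    $r.PolicyIncludesPcr7 = [bool]($pol -and $pol.PSObject.Properties['7'] -and $pol.'7' -eq 1)

    # What the TPM-based key protector is actually sealed to. Policy is applied when a
    # protector is created, so the live profile on the volume is what decides recovery.
    $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                           -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume $DriveLetter" }
    $r.ProtectionOn = ($vol.ProtectionStatus -eq 1)   # 0 = off, 1 = on, 2 = unknown

    $sealedPcrs = @()
    foreach ($type in 1, 4, 5, 6) {                   # TPM, TPM+PIN, TPM+key, TPM+PIN+key
        $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]$type }).VolumeKeyProtectorID
        foreach ($id in $ids) {                       # foreach over $null does not iterate
            $p = Invoke-CimMethod -InputObject $vol `
                    -MethodName GetKeyProtectorPlatformValidationProfile `
                    -Arguments @{ VolumeKeyProtectorID = $id }
            $sealedPcrs += @($p.PlatformValidationProfile)   # byte array of PCR indices
        }
    }
    $r.SealedPcrs   = ($sealedPcrs | Sort-Object -Unique)
    $r.SealedToPcr7 = ($sealedPcrs -contains 7)

    # The article's trigger needs all of these; the boot manager change itself arrives
    # with the cumulative update, so it is not something the host can be checked for.
    $r.ExposedToPcr7Recovery = $r.SecureBootEnabled -and $r.Tpm20Present -and
                               $r.ProtectionOn -and $r.SealedToPcr7
    [pscustomobject]$r
}

Get-Pcr7ExposureReport -DriveLetter 'C:' | Format-List
```

The SealedPcrs field is the same list that `manage-bde -protectors -get C:` prints as "PCR Validation Profile"; a host whose policy includes PCR7 but whose protector was created before the policy was applied will show PolicyIncludesPcr7 true and SealedToPcr7 false, and only the latter predicts a recovery prompt.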
Microsoft’s investigation confirmed that the problem emerged from an earlier servicing stack update (KB5040430) that modernized boot manager handling for better resilience against advanced rootkits. That update inadvertently caused PCR7 measurements to diverge too aggressively whenever the boot manager was replaced, even if the new binary was legitimate and signed by Microsoft.
KB5094125: The Fix
KB5094125 is a cumulative update that must be installed on the running operating system. Once applied, it alters the way the boot manager servicing routine interacts with TPM PCR7. Specifically, the update introduces a two-phase process for boot manager updates:
- The old boot manager remains the primary loader, but the new boot manager is staged in a dedicated EFI partition location.
- During the next reboot, the TPM is gracefully told to extend the new boot manager measurement into PCR7 without breaking the existing BitLocker seal. This is achieved by having the old boot manager pass a transitional token that the TPM accepts as a valid extension of the current boot chain.
After the transition, subsequent reboots use the new boot manager with an updated PCR7 binding that still matches the sealed key. Administrators do not need to suspend BitLocker or manually enter recovery keys for the update to take effect. The process is transparent.
Microsoft has also updated the Group Policy templates to include explanatory text about this new behavior, though the core policy itself remains unchanged. The fix does not relax security; it merely prevents unnecessary recovery prompts when the boot manager is serviced by trusted Windows components.
Deployment Guidance
KB5094125 is available through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. It has no special prerequisites beyond the most recent servicing stack update (which is automatically bundled). The update size is approximately 650 MB for the full ISO-offline installer.
After installation, a reboot is required. Microsoft recommends that organizations test the update in a non-production environment first, especially if custom Group Policy objects tightly control PCR bindings. Early adopters on the Windows Server Insiders program reported a smooth rollout, with no additional recovery events.
For servers that are already stuck in BitLocker recovery due to the earlier boot manager change, KB5094125 alone will not fix the immediate boot-loop condition. Administrators must first retrieve the recovery key (from Active Directory, Azure AD, or a key escrow solution), boot normally, and then apply KB5094125 to prevent recurrence. Microsoft has published a step-by-step recovery guide in KB5094125’s support article.
Workarounds for Affected Servers
Before the patch, system administrators employed several stopgap measures to avoid recovery prompts during updates:
- Temporarily suspend BitLocker before installing cumulative updates. This leaves the drive fully encrypted but without PCR validation until the next reboot. Servers can then be updated and rebooted without recovery, as BitLocker re-seals the key to the new PCR7 value on the first normal boot after suspension.
- Switch the Group Policy to validate only PCRs 0, 2, 4, and 11 (the default without PCR7). This reduces security but avoids PCR7 sensitivity. Many admins reverted to this setting pending a permanent fix.
- Manually update the boot manager before applying updates, then seal BitLocker to the new PCR7 value by rebooting and performing a test validation. This is tedious and error-prone.
All these workarounds carry some risk or administrative overhead. KB5094125 eliminates the need for them.
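The first stopgap, suspending BitLocker for a single reboot, is only safe if the recovery password is known to be escrowed before protection is dropped. The function below is an added example, not code from the article or from Microsoft: it refuses to suspend a volume that has no recovery password protector, optionally pushes that password to Active Directory with Backup-BitLockerKeyProtector (which assumes the domain accepts recovery-information backup), and then calls Suspend-BitLocker with -RebootCount 1 so that protection resumes and re-seals to the new PCR7 value on the first normal boot. Function names are the author's own.

```powershell
# Added example, not code from the article or from Microsoft. Implements the
# suspend-for-one-reboot stopgap: verify an escrowable recovery password exists, then
# suspend BitLocker on the OS volume for exactly one reboot. Run elevated, immediately
# before installing the cumulative update. ASSUMPTIONS are marked inline.
function Invoke-PrePatchBitLockerSuspend {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:',
        # ASSUMPTION: the domain is configured to store BitLocker recovery information
        # on the computer object; otherwise the backup call fails and the function stops.
        [switch]$EscrowToAd
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint is not protected (status $($vol.ProtectionStatus)); nothing to suspend."
        return $vol.ProtectionStatus
    }

    # Never drop protection on a volume whose only way back is a key nobody has escrowed.
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        throw "No recovery password protector on $MountPoint. Add one with " +
              "Add-BitLockerKeyProtector -RecoveryPasswordProtector and escrow it first."
    }
    if ($EscrowToAd) {
        foreach ($p in $rp) {
            # Writes the recovery password to the computer object in AD DS.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Suspend BitLocker for one reboot')) {
        # RebootCount 1: the drive stays encrypted but the TPM protector is not enforced
        # until the next restart; protection then resumes and re-seals to current PCRs.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    }
    return (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus   # 'Off' until reboot
}

# After the post-update reboot: confirm protection resumed on its own, which is the
# signal that the key has been re-sealed to the new PCR7 measurement.
function Test-BitLockerResumed {
    param([string]$MountPoint = 'C:')
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'On'
}

Invoke-PrePatchBitLockerSuspend -MountPoint 'C:' -EscrowToAd -WhatIf
```

Run it once with -WhatIf, as in the last line, to see the escrow check fire without touching protection state; drop -WhatIf inside the maintenance window. Because -RebootCount is 1, a host that is rebooted twice before the update is installed will already be protected again and will hit the same PCR7 mismatch the stopgap was meant to avoid, so the suspend should be the last action before the patch reboot.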
Community Response and IT Admin Feedback
Discussions on the Windows Server Tech Community and Reddit’s r/sysadmin show a mix of relief and frustration. Many administrators reported being caught off-guard when servers rebooted after patching and immediately asked for recovery keys. One user wrote: “Had to drive 45 minutes to a colo at 2 AM because five servers all hit recovery after a scheduled maintenance window. All because of a stupid PCR7 mismatch.” Another noted that the issue delayed their June security rollout by weeks.
With the release of KB5094125, sentiment has shifted positively. “Finally, Microsoft acknowledges that updating Secure Boot components shouldn’t break BitLocker. This should have been the design from day one,” commented a senior infrastructure engineer. Some admins are still cautious, preferring to test the update thoroughly before wide deployment, but early telemetry indicates the fix is working as intended.
Microsoft’s own forums lit up with requests for backporting the fix to Windows Server 2022, which uses a similar Secure Boot and TPM architecture. The company has not yet confirmed whether a similar patch will arrive for older versions, though a support engineer hinted that the team is “evaluating feasibility” for Windows 11 and Server 2022.
Looking Ahead: BitLocker and Secure Boot Evolving Together
This incident highlights the delicate balance between security hardening and operational stability. Secure Boot and BitLocker are powerful tools against bootkits and ransomware, but when they interact poorly with legitimate system updates, the result can be as disruptive as an attack. KB5094125 represents a maturing of the servicing stack to better handle these interactions.
Microsoft’s engineering team has indicated in documentation that future enhancements will further decouple boot manager updates from PCR measurements, potentially by using a signed “boot manager intent” attestation that doesn’t rely on raw binary hashes. This could eliminate the class of problems entirely while preserving strong integrity guarantees.
For now, Windows Server 2025 administrators should prioritize deploying KB5094125 to prevent unnecessary BitLocker recovery interruptions. The update also includes the standard monthly security fixes and quality improvements, making it a recommended install for all supported configurations.
In the broader ecosystem, this update serves as a reminder that even mature technologies like BitLocker need continual refinement. With more organizations adopting zero-trust principles and requiring full-disk encryption on every server, the ability to seamlessly update critical boot components without breaking encryption is not a luxury—it’s a necessity.