Full Report
Microsoft has resolved a known issue causing some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update. [...]
Analysis Summary
# Vulnerability: Windows Server 2025 BitLocker Recovery Boot Cycle
## CVE Details
- **CVE ID**: Not Applicable (This is a functional bug/known issue resulting from a security update, rather than a vulnerability with a CVE identifier).
- **CVSS Score**: N/A
- **CWE**: CWE-1282 (Assumed: Improper Management of Verification of Configuration – though no specific CWE is assigned by the vendor).
## Affected Systems
- **Products**: Windows Server 2025, Windows 11 (Versions 23H1/23H2).
- **Versions**: Build 26100.32690 (April 2026 security updates).
- **Configurations**: Devices meeting all the following criteria:
1. BitLocker enabled on the OS drive.
2. Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" includes PCR7 validation.
3. Secure Boot State PCR7 Binding is reported as "Not Possible."
4. Windows UEFI CA 2023 certificate is present in the Secure Boot DB.
5. Device is not yet running the 2023-signed Windows Boot Manager.
## Vulnerability Description
Installing the April 2026 security updates causes an update to boot files (specifically transitioning to the 2023-signed Windows Boot Manager). On systems with "unrecommended" BitLocker Group Policy configurations regarding PCR7 (Platform Configuration Register 7) validation, this boot file change triggers a security posture mismatch. The TPM detects the change in the boot sequence but cannot satisfy the specific PCR7 binding policy, forcing the system into BitLocker Recovery mode to ensure data integrity.
## Exploitation
- **Status**: Not exploited (This is a functional defect caused by a software update).
- **Complexity**: N/A
- **Attack Vector**: Local (Triggered by system update and reboot).
## Impact
- **Confidentiality**: None
- **Integrity**: None
- **Availability**: **High** (Systems become inaccessible until a recovery key is manually entered by an administrator).
## Remediation
### Patches
Microsoft resolved this in the June 2026 Patch Tuesday cumulative updates. These updates prevent the installation of the 2023-signed Boot Manager on devices with incompatible configurations.
- **Windows Server 2025**: KB5094125 (OS Build 26100.32995)
- **Windows 11 23H2**: KB5093998
### Workarounds
- **Manual Intervention**: Enter the BitLocker recovery key once; subsequent restarts will function normally unless the policy is changed.
- **Policy Adjustment**: Remove the specific PCR7 Group Policy configuration before installing security updates.
- **KIR**: Deploy a Known Issue Rollback (KIR) to prevent the automatic transition to the 2023 Boot Manager.
## Detection
- **Event Logs**: Look for **Event ID 1032** in the System event log during update installation.
- **Manual Check**: Run `msinfo32.exe` and check **Secure Boot State PCR7 Binding**. If it says "Not Possible," the device is at risk.
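The checks above can be scripted so a fleet can be triaged before the April 2026 update is approved. The PowerShell below is an added example, not a script from Microsoft or the advisory; it assumes the PCR7 policy is stored under the BitLocker policy key `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` as a DWORD named after the PCR index, that drive letter `S:` is free for mounting the EFI system partition, that the 2023-signed Boot Manager chains to "Windows UEFI CA 2023", and that it runs elevated.

```powershell
# Added triage script (not part of the original advisory). Collects the at-risk
# criteria listed above; the PCR7 Binding state itself is only shown by msinfo32.
$result = [ordered]@{}

# 1. BitLocker enabled on the OS drive
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.BitLockerOn = ($vol.ProtectionStatus -eq 'On')

# 2. Group Policy platform validation profile includes PCR7 (assumed registry layout:
#    each PCR is a DWORD named after its index, so '7' = PCR7)
$pcrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$pcr7 = $null
if (Test-Path $pcrKey) { $pcr7 = (Get-ItemProperty $pcrKey -ErrorAction SilentlyContinue).'7' }
$result.PolicyIncludesPCR7 = ($pcr7 -eq 1)

# 3. Windows UEFI CA 2023 present in the Secure Boot DB (search the raw DB bytes)
$dbBytes = (Get-SecureBootUEFI -Name db).Bytes
$result.Ca2023InDb = ([System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023')

# 4. Is the 2023-signed Boot Manager already in use? Mount the ESP (assumes S: is free)
#    and inspect the Authenticode signer of bootmgfw.efi, then unmount.
mountvol S: /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    $chain = $sig.SignerCertificate.Subject + ' ' + $sig.SignerCertificate.Issuer
    $result.BootMgr2023Signed = ($chain -match 'Windows UEFI CA 2023')
} finally {
    mountvol S: /D | Out-Null
}

# 5. Event ID 1032 in the System log, the page's after-the-fact detection signal
$evt = Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 1032} -MaxEvents 1 -ErrorAction SilentlyContinue
$result.Event1032Seen = [bool]$evt

[pscustomobject]$result

# Criteria 1, 2, 4 (CA in DB) and 5 (not yet 2023-signed) are scriptable; PCR7 Binding
# must still be confirmed in msinfo32 before calling the device at risk.
if ($result.BitLockerOn -and $result.PolicyIncludesPCR7 -and $result.Ca2023InDb -and -not $result.BootMgr2023Signed) {
    Write-Warning "Matches the at-risk profile: confirm 'Secure Boot State PCR7 Binding' in msinfo32 and stage the recovery key or KIR before deploying the update."
}
```

Run it per device (or via a remoting job) and keep the recovery key for any host that reports a match; a device already showing BootMgr2023Signed = True has completed the transition and will not trigger the recovery prompt from this update.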
## References
- **Microsoft Support**: hxxps://support.microsoft[.]com/help/5094125
- **Microsoft Support**: hxxps://support.microsoft[.]com/help/5093998
- **Vendor Advisory**: hxxps://admin.cloud.microsoft/Adminportal/Home#/windowsreleasehealth/:/issue/WI1280139