As part of Patch Tuesday earlier this week, Microsoft also released a Windows 10 cumulative update: KB5094127. However, after installing this patch, some Windows 10 users are experiencing issues.
Microsoft warns that, under certain circumstances, update KB5094127 may result in users having to enter their BitLocker recovery key after restarting their PC, reports BetaNews. Astute readers will remember that this kind of thing has happened before, including back in May 2025 and November 2025. Somehow, it’s happening again.
This time around, Microsoft is saying that the problem may occur on computers with an “unrecommended” BitLocker Group Policy configuration. However, only a limited number of computers are believed to be affected. Microsoft describes the exact conditions that can lead to this problem on this support page:
Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update.
This issue only affects a limited number of systems in which ALL the following conditions are true. These conditions are unlikely to be found on personal devices not managed by IT departments.
- BitLocker is enabled on the OS drive.
- The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
- System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as “Not Possible“.
- The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
- The device is not already running the 2023-signed Windows Boot Manager.
In this scenario, the BitLocker recovery key only needs to be entered once—subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged. For help finding your BitLocker recovery key, see the article Find your BitLocker recovery key.
Microsoft emphasizes that “personal devices not managed by IT departments” are unlikely to be affected by this BitLocker issue. Entering the BitLocker recovery key after restarting your PC is therefore likely to be required only on enterprise and organizational Windows 10 computers that meet all the conditions above.
Even on affected computers, however, the problem is limited—entering the BitLocker recovery key just once is enough. The real problem for many users is likely to be that they don’t know their BitLocker recovery key, so won’t be able to enter it. Such users will then be locked out of their PCs until IT can provide BitLocker recovery keys.
Microsoft is currently working on a solution to this problem. Until a fix is released, IT administrators can work around the problem by removing the Group Policy configuration before installing the update. Instructions for that can be found on this support page.
Update KB5094127 is only available to Windows 10 users who are registered for the free Extended Security Updates (ESU) program, both for Windows 10 21H2 and 22H2. KB5094127 fixes numerous bugs, issues, and security vulnerabilities in the operating system.
