Windows 10 KB5094127 May Trigger BitLocker Recovery Key Prompt, Microsoft Shares Temporary Fix


[Image: Windows 10 December Patch Tuesday. Image credit: Microsoft]

Yesterday, Microsoft released the June 2026 Patch Tuesday updates for Windows 11 and Windows 10. While the company has confirmed that the Windows 11 patch doesn’t trigger the issue, it has warned that the Windows 10 ESU update KB5094127 may cause certain devices to boot directly into the BitLocker recovery screen after the update is installed.

In the changelog for the update, Microsoft confirms that the issue forces users to enter their recovery key before accessing Windows. The company says the issue is limited, but for affected organizations, it could create a frustrating support rush if administrators aren’t prepared. The good news? Most home users are unlikely to encounter the problem.

According to Microsoft, the issue only affects devices that meet a very specific combination of requirements. BitLocker must be enabled on the operating system drive, a particular Group Policy related to TPM validation must be configured to include PCR7, Secure Boot PCR7 binding must show as “Not Possible” in System Information, and the device must be eligible for Microsoft’s newer Windows UEFI CA 2023 boot certificate transition.

When those conditions line up, installing the update can cause Windows to request the BitLocker recovery key on the first reboot. That being said, Microsoft notes that the recovery prompt should only appear once. After the key is entered and the system boots successfully, future restarts should proceed normally unless the underlying policy configuration changes.

Microsoft shares temporary workaround

Microsoft recommends removing the Group Policy configuration before installing the update:

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Set “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured”.
  4. Run the following command on affected devices to propagate the policy change: gpupdate /force
  5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C:
  6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C:

Suspending and resuming the protectors in this way updates the BitLocker bindings to use the Windows-selected default PCR profile.
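A pre-patch check that an administrator can run before rolling out KB5094127, added here as an example and not taken from Microsoft’s guidance or the article. It assumes the policy is applied locally, so that the “Configure TPM platform validation profile for native UEFI firmware configurations” setting is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with a DWORD “Enabled” and per-PCR DWORD values named “0” to “23”; the “PCR7 binding: Not Possible” item has no cmdlet and still has to be read from System Information (msinfo32).

```powershell
# Added example: report whether this device matches the conditions Microsoft lists
# for the KB5094127 BitLocker recovery-key prompt, and confirm a recovery password
# exists before the update is installed. Run in an elevated PowerShell session.
$osDrive = $env:SystemDrive

# Condition 1: BitLocker is enabled on the operating system drive.
$vol         = Get-BitLockerVolume -MountPoint $osDrive
$bitlockerOn = ($vol.ProtectionStatus -eq 'On')

# Condition 2: the native UEFI platform validation profile policy is configured
# and includes PCR7. Registry layout below is an assumption (matches the ADMX
# for this policy as far as the author knows; verify on a reference machine).
$policyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$policyConfigured = Test-Path -Path $policyKey
$pcr7InPolicy     = $false
if ($policyConfigured) {
    $p = Get-ItemProperty -Path $policyKey
    $pcr7InPolicy = ($p.Enabled -eq 1) -and ($p.'7' -eq 1)
}

# Condition 3 (partial): Secure Boot state. The "Not Possible" PCR7 binding
# status itself is only shown by msinfo32, so it is reported as a manual step.
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

# Before any update that can prompt for the key, make sure a recovery password
# protector exists and is escrowed (AD, Entra ID or your key management system).
$recoveryIds = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -ExpandProperty KeyProtectorId

$likelyAffected = $bitlockerOn -and $pcr7InPolicy
if ($likelyAffected) {
    $action = 'Check "PCR7 Configuration" in msinfo32; if it reads "Binding Not Possible", apply the workaround above before installing KB5094127.'
} else {
    $action = 'Listed conditions not met; no workaround needed for this device.'
}

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    BitLockerOnOSDrive   = $bitlockerOn
    UefiPcrPolicySet     = $policyConfigured
    PolicyIncludesPCR7   = $pcr7InPolicy
    SecureBootEnabled    = $secureBoot
    RecoveryProtectorIds = ($recoveryIds -join ', ')
    LikelyAffected       = $likelyAffected
    Action               = $action
}
```

An empty RecoveryProtectorIds field is the finding to act on first, since a device with no escrowed recovery password cannot be brought back if the prompt does appear.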

As of now, the company hasn’t shared a permanent fix for the issue but says it is actively working on one, which should arrive in a future update. Separately, Microsoft also patched 200 vulnerabilities in the June 2026 Patch Tuesday release, including 3 publicly disclosed zero-days.
