Microsoft has confirmed that its June 10 Windows 10 Extended Security Update (KB5094127) can cause some PCs to boot directly into the BitLocker recovery screen, locking users out of Windows until they enter their 48-digit recovery key. The bug is narrow but painful — if you don't have your recovery key saved, you can't get back into your computer.
What Microsoft confirmed
On June 10, Microsoft released the June 2026 Patch Tuesday updates for Windows 11 and Windows 10. The company confirmed that the Windows 11 patch doesn't trigger the issue, but warned that the Windows 10 ESU update KB5094127 may cause certain Windows devices to boot directly into a BitLocker recovery screen after installing the update. Microsoft confirms in the changelog that the issue forces users to enter their recovery key before accessing Windows, and says the issue is limited. For affected organizations, though, it could create a frustrating support rush if administrators aren't prepared.
The update itself is significant: KB5094127 fixes June 2026 Patch Tuesday vulnerabilities and adds new functionality to monitor the rollout of updated Secure Boot certificates that replace those expiring this month. It addressed 200 vulnerabilities, including three publicly disclosed zero-day flaws. Skipping it isn't a good option.
Who is actually affected
Most home users are unlikely to encounter this problem. According to Microsoft, the issue only affects devices that meet a very specific combination of requirements.
The device has to meet all of the following: BitLocker is enabled on the OS drive; the Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" (or the equivalent registry key) is set and explicitly includes PCR7; msinfo32.exe shows Secure Boot State PCR7 Binding as "Not Possible"; and the Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database.
In plain English: this hits managed business PCs and some desktops with discrete graphics cards more than typical home laptops. If your tower has an add-in GPU, that can cause the "PCR7 Binding: Not Possible" state Microsoft is flagging — something we see often when we work on encrypted business desktops.
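The conditions above can be checked on a device before the update is installed. The following PowerShell is an added example, not Microsoft's or this shop's own script. It assumes an elevated session and assumes the policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with one DWORD value per PCR index (confirm that path on your build). The PCR7 binding state is not read by the script and still has to be looked up in msinfo32.exe.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-install check for the KB5094127 BitLocker recovery conditions.

$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Condition 1: BitLocker is enabled on the OS drive.
$bitlockerOn = $os.ProtectionStatus -eq 'On'

# Condition 2: the "Configure TPM platform validation profile for native UEFI
# firmware configurations" policy is set and explicitly includes PCR7.
# Assumption: policy registry location and value layout (one DWORD per PCR index).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$policyHasPcr7 = [bool]($policy -and $policy.Enabled -eq 1 -and $policy.'7' -eq 1)

# Condition 4: Windows UEFI CA 2023 is present in the Secure Boot signature database.
try {
    $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
    $has2023Ca = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
} catch {
    $has2023Ca = $null   # unknown: legacy BIOS, or the variable could not be read
}

# Recovery readiness: is there a recovery password protector to fall back on?
# Only the protector IDs are listed, never the 48-digit password itself.
$recovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

[pscustomobject]@{
    ComputerName               = $env:COMPUTERNAME
    BitLockerOnOsDrive         = $bitlockerOn
    PolicyIncludesPcr7         = $policyHasPcr7
    UefiCa2023InDb             = $has2023Ca
    # Condition 3 is manual: open msinfo32.exe and read the PCR7 binding state.
    Pcr7BindingCheck           = 'Check msinfo32.exe for "Not Possible"'
    RecoveryPasswordProtectors = $recovery.Count
    RecoveryProtectorIds       = $recovery.KeyProtectorId -join ', '
    # True means every scripted condition matched; PCR7 binding decides the rest.
    MatchesScriptedConditions  = [bool]($bitlockerOn -and $policyHasPcr7 -and $has2023Ca)
}
```

A device that reports MatchesScriptedConditions as True and shows zero recovery password protectors, or protector IDs nobody can match to a stored key, is the one to sort out before rebooting into the update.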
The temporary workaround
Microsoft has not shipped a permanent fix yet, but says it is actively working on one. As a temporary workaround, Microsoft advises removing the Group Policy setting and then suspending and resuming BitLocker to regenerate the default PCR bindings. This updates the BitLocker bindings to use the Windows-selected default PCR profile.
The good news for anyone who does get hit: this is a one-time recovery event — after entering the BitLocker recovery key, future restarts should boot normally into Windows. The bad news: if you never wrote down or backed up that 48-digit key, you are locked out of your own drive, and at that point you're looking at professional data recovery rather than a quick fix.
Find your BitLocker recovery key now — before you install the update
If your PC has BitLocker turned on, your recovery key is almost always saved to your Microsoft account. Go to account.microsoft.com/devices/recoverykey from a phone or a second computer and sign in with the Microsoft account tied to the PC. Print it or save it to your phone before you reboot.
Business PCs joined to a company domain or Azure AD will have the key stored by an IT administrator — not the user. If you run a small office in York and aren't sure who has the keys for your fleet, this is the week to find out. A locked-out workstation with a missing recovery key can mean wiping the drive, which is exactly the kind of avoidable disaster our walk-in repair bench sees every time Microsoft pushes a Secure Boot-related change.
What This Means for York, PA
If your York-area home or business PC is on Windows 10 ESU and you see a blue screen asking for a 48-digit BitLocker key after this week's update, don't guess — stop and locate the key first. If you can't find it, bring the machine to York Computer Repair at 2069 Carlisle Rd and we'll work through recovery options before anything gets wiped.