Microsoft rushed out an out-of-band cumulative update, KB5070773, on October 20, 2025, just six days after October's Patch Tuesday release. The reason: a regression introduced by security update KB5066835 that breaks USB input in the Windows Recovery Environment (WinRE) on all editions of Windows Server 2025. Without intervention, the bug can leave administrators locked out of their own systems at exactly the moment they need the recovery tools, which makes it one of the most urgent patches in recent memory.

If your Windows Server 2025 machine received the October 14, 2025 security update KB5066835, USB keyboards and mice stop working when the system boots into WinRE. The recovery environment becomes a dead end: on-screen prompts appear, but there is no way to interact with them. That is a serious problem for any server that relies on BitLocker, because every WinRE tool (Startup Repair, the command prompt, Reset) must first unlock the encrypted OS volume, and when the TPM cannot release the key WinRE asks you to type the 48-digit recovery password at a prompt you can no longer reach.

The bug: a silent bricking machine

KB5066835, released as part of the regular Patch Tuesday cycle, introduced critical security fixes but also included a low‑level change that affects the USB stack in the pre‑boot environment. Specifically, the WinRE image bundled with the update does not properly load the USB host controller drivers, leaving connected HID devices unresponsive. This is not a driver issue within the full OS—once Windows boots normally, everything works. The problem is strictly confined to the recovery environment.

Microsoft has not publicly detailed the root cause, but the symptoms are consistent across all hardware platforms. Servers with legacy PS/2 ports are unaffected, as PS/2 input remains functional in WinRE. However, the vast majority of modern server hardware—including all major OEMs—has eliminated PS/2 in favor of USB. As a result, the bug effectively cripples the recovery environment on almost every current‑generation server.

The timing of the bug is especially dangerous. Security update KB5066835 was classified as "critical" and many organizations deploy such patches automatically. A server that has already booted normally with KB5066835 installed may operate fine for weeks. The nightmare scenario unfolds only when the machine is forced into WinRE: after consecutive failed boot attempts trigger Automatic Repair, during a scheduled repair, or, most critically, when BitLocker drops into recovery mode because of a firmware change, BIOS update, or TPM failure and the repair path runs through the recovery environment.

BitLocker recovery: a key you can’t type

BitLocker Drive Encryption is a cornerstone of Windows Server security, used to protect data at rest. When TPM-based unlock fails, typically after a hardware or firmware change, the boot manager prompts for the 48-digit numerical recovery password before Windows starts; if that boot does not complete, or if the administrator chooses a repair option, the system lands in WinRE, which needs the same recovery password before it can touch the encrypted OS volume. An administrator must physically type that key on a keyboard, or, in the case of Network Unlock, have a properly configured infrastructure.

With a broken USB stack in WinRE, there is no way to input the recovery key. Remote console solutions, like iDRAC or iLO, typically emulate a USB HID, so they too become non‑functional in the recovery environment. Even injecting the recovery key via a script or automation is impossible because the recovery environment provides no fallback to other input methods when USB is down. The server is effectively bricked until someone can attach a PS/2 keyboard—an increasingly rare piece of hardware.

For organizations running critical workloads on Windows Server 2025, this scenario can cascade into prolonged downtime while IT staff scramble for an alternative. Short of finding a PS/2 keyboard, the workaround is to boot from Windows Server 2025 installation media, open a command prompt, and unlock the drive manually with manage-bde. The media's own WinPE image does not carry the defective WinRE bits, so USB input works there, but the procedure requires physical or out-of-band access and bypasses the recovery environment entirely. Even then, you must retrieve the recovery password from a secure vault, a process that itself introduces risk.
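The boot-media escape hatch described above, as an added example that is not part of the original article. These lines are typed at the Shift+F10 command prompt of Windows Server 2025 installation media (cmd.exe there; the same manage-bde commands run unchanged in PowerShell). It assumes the media's WinPE includes manage-bde, which standard ISOs do, and that the 48-digit value shown is a constructed placeholder you replace with the recovery password escrowed for this machine.

```powershell
# Added example, not from the original article. Run at the WinPE command prompt
# (Shift+F10 from Setup). Assumptions: manage-bde is present in the media's WinPE;
# the recovery password below is a constructed placeholder, not a real key.

# 1. Find the locked OS volume. Drive letters inside WinPE often differ from the
#    installed OS, so identify it by "Lock Status: Locked" and its size, not by C: alone.
manage-bde -status

# 2. Unlock it with the 48-digit recovery password (placeholder value, constructed).
manage-bde -unlock C: -RecoveryPassword 111111-222222-333333-444444-555555-666666-777777-888888

# 3. If the trigger was a firmware or TPM change, suspend protection for exactly one
#    boot so the next normal start does not land straight back on the recovery prompt.
#    BitLocker re-seals to the new PCR values when protection is re-enabled later.
manage-bde -protectors -disable C: -RebootCount 1

# 4. Confirm the volume is unlocked and protection is suspended, then remove the
#    media and reboot into the installed OS.
manage-bde -status C:
wpeutil reboot

# After Windows boots normally: install KB5070773, then re-arm protection.
#   manage-bde -protectors -enable C:
```

Suspending with -RebootCount 1 rather than a blanket -disable matters: the clear key that suspension writes to disk is removed automatically after one boot, so a forgotten re-enable step does not leave the volume effectively unencrypted.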

The fix: KB5070773

On October 20, 2025, Microsoft released KB5070773, an out‑of‑band cumulative update that replaces the defective WinRE image with a corrected one. The patch does not alter the installed operating system’s USB drivers; it only updates the recovery files stored on the system partition. After installing KB5070773, the next reboot will refresh the recovery environment, and USB input will be restored.

KB5070773 also includes all the security fixes from KB5066835, so there is no regression in protection. Administrators who already deployed KB5066835 and are concerned about the bug can apply KB5070773 directly, as it supersedes the earlier update. The new cumulative update carries a “critical” rating and is available through all standard channels:

  • Windows Update: Check for updates in Settings, or let Windows Update for Business deliver it to managed servers.
  • Microsoft Update Catalog: Download the standalone .msu file for offline installation.
  • WSUS or Microsoft Configuration Manager: Synchronize or import the update into your local repository and approve it for deployment.

For servers that have not yet installed KB5066835, the safest path is to bypass it entirely and go straight to KB5070773. If you have already installed the problematic update and your server has not yet entered WinRE, prioritize applying the fix. For servers currently stuck in BitLocker recovery, you must use the boot media workaround first, then apply KB5070773 once Windows boots normally.

Verifying your update status

To determine whether a Windows Server 2025 machine has the defective update, run the following PowerShell command as an administrator (Get-HotFix writes an error rather than returning nothing when the KB is absent, so add -ErrorAction SilentlyContinue if you are scripting the check):

Get-HotFix -Id KB5066835

If the patch is listed, the system is exposed to the regression. You can also check for the fix:

Get-HotFix -Id KB5070773

Because cumulative updates supersede one another and Get-HotFix can drop superseded packages from its listing, a more reliable check is the OS build: ensure the server is at or above OS Build 26100.xxxx, where the xxxx is the update build revision (UBR) listed in the KB5070773 release notes. winver shows the full build. Note that Get-ComputerInfo -Property OsBuildNumber returns only 26100; the UBR lives in the registry at HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion under the UBR value.
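Putting the three checks together, here is an added example (not code from the original article) that classifies a host as pre-KB5066835, vulnerable, or fixed, and fans out across a fleet with PowerShell remoting. It assumes WinRM is enabled and that you supply the UBR from the KB5070773 release notes yourself; the server names are constructed placeholders. It also reads reagentc /info, because a WinRE that is disabled outright is a separate problem the same audit should surface.

```powershell
# Added example, not from the original article. Assumptions: run elevated; PowerShell
# remoting is enabled on the targets; $FixedUbr is the xxxx in 26100.xxxx from the
# KB5070773 release notes (looked up by you, not hard-coded here).
function Get-WinReUsbRegressionStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$FixedUbr)

    # Full build = CurrentBuildNumber.UBR; Get-ComputerInfo does not expose the UBR.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Get-HotFix -Id writes an error when the KB is absent; treat absence as $false.
    $hasBad = [bool](Get-HotFix -Id KB5066835 -ErrorAction SilentlyContinue)
    $hasFix = [bool](Get-HotFix -Id KB5070773 -ErrorAction SilentlyContinue)

    # reagentc /info reports whether WinRE is enabled and which image it points to.
    $reInfo    = (& reagentc.exe /info 2>&1) -join "`n"
    $reEnabled = $reInfo -match 'Windows RE status:\s+Enabled'

    # Build number is the authority; the KB listing is a secondary signal.
    $state = if ($build -ne 26100)                { 'OtherBuild' }
             elseif ($hasFix -or $ubr -ge $FixedUbr) { 'Fixed' }
             elseif ($hasBad)                      { 'Vulnerable' }
             else                                  { 'PreKB5066835' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsBuild      = "$build.$ubr"
        KB5066835    = $hasBad
        KB5070773    = $hasFix
        WinReEnabled = $reEnabled
        State        = $state
    }
}

# Fleet run. The UBR is read interactively so nothing here guesses the release number.
$fixedUbr = [int](Read-Host 'UBR from the KB5070773 release notes (the xxxx in 26100.xxxx)')
$servers  = 'srv-fs01', 'srv-sql02', 'srv-hv03'   # constructed names; use your inventory
$results  = Invoke-Command -ComputerName $servers `
                -ScriptBlock ${function:Get-WinReUsbRegressionStatus} `
                -ArgumentList $fixedUbr

$results | Sort-Object State |
    Format-Table ComputerName, OsBuild, KB5066835, KB5070773, WinReEnabled, State -AutoSize

# Hosts that are Vulnerable and hold BitLocker-protected volumes go to the top of the queue.
$results | Where-Object State -eq 'Vulnerable' | Select-Object -ExpandProperty ComputerName
```

Passing the function body via ${function:Get-WinReUsbRegressionStatus} avoids copying the script to every host; each target evaluates the build and hotfix state locally and returns a plain object, so the results can be piped to Export-Csv for a change ticket.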

The industry’s response

System administrators across various online forums reported the bug almost immediately after the October 14 release. Early reaction on Reddit’s r/sysadmin and Microsoft Tech Community painted a grim picture, with several users discovering the issue only when a routine BIOS update triggered BitLocker recovery on a dozen servers. One admin wrote, “We had a fleet of 15 servers enter recovery mode after a scheduled firmware update. Nobody could input the keys. Had to break out PS/2 keyboards from storage—good thing we kept them.”

Hardware compatibility proved not to be a factor. The bug affected Dell PowerEdge, HPE ProLiant, Lenovo ThinkSystem, and custom‑built servers alike. Some administrators temporarily mitigated the risk by disabling BitLocker on non‑critical volumes until a fix was available, but that was a risky stopgap.

Microsoft acknowledged the issue within 72 hours of the initial reports and promised an out‑of‑band patch. The swift turnaround impressed many, though it also highlighted the slim margins for error in critical enterprise software.

Why this matters beyond a single update

This incident underscores several painful truths about modern server management:

  1. The fragility of recovery tools – WinRE is a black box for most administrators. It is updated silently alongside cumulative updates, and its integrity is rarely tested until disaster strikes. Organizations should consider simulating recovery scenarios after every major update cycle.

  2. The enduring value of PS/2 – In an ironic twist, the ancient interface saved several admins from certain disaster. While we shouldn’t design for 20‑year‑old ports, it raises the question of whether servers should retain a fallback input mechanism.

  3. Patch testing must evolve – For many, staging updates in a lab isn’t enough; testing must include forced recovery boot scenarios. This requires dedicated hardware or, more practically, the use of nested virtualization to simulate firmware changes.

  4. BitLocker recovery keys must be immediately accessible – When the recovery environment fails, having the recovery key stored in a secure but manually retrievable manner is the only escape hatch.

What to do right now

If you manage any Windows Server 2025 systems, take these steps immediately:

  • Audit: Run the PowerShell check on every server to see if KB5066835 is installed.
  • Prioritize: Apply KB5070773 to all affected servers, starting with those that hold encrypted volumes and are exposed to potential hardware changes (firmware updates, driver changes, TPM reconfiguration).
  • Test: After deployment, force one non-critical server into recovery mode (reagentc /boottore followed by a restart is the deterministic way; repeatedly interrupting the boot sequence also works) and verify that USB keyboard and mouse input works at the WinRE menu.
  • Review your BitLocker recovery process: Ensure that recovery keys are backed up to Azure AD, Active Directory, or a secure password manager, and that at least one person knows how to use management tools like Repair‑bde in a pinch.
  • Keep a PS/2 emergency stock: If your organization still has PS/2 keyboards in a dusty closet, keep one on hand, but treat it as a temporary crutch, not a solution.
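The "Test" and "Review your BitLocker recovery process" steps above, as an added example that is not part of the original article. The first function checks every BitLocker-protected volume for a numeric recovery password, adds one where it is missing, and escrows it to Active Directory; the second schedules a controlled WinRE boot on a single, already-patched test server so USB input can be verified. It assumes the BitLocker PowerShell module is installed, the host is domain-joined with recovery-information backup permitted, and the session is elevated. Nothing here is the project's or Microsoft's own script.

```powershell
# Added example, not from the original article. Assumptions: BitLocker feature and
# its PowerShell module installed; domain-joined host allowed to back up recovery
# information to AD; run elevated on the server being reviewed.
function Test-BitLockerRecoveryReadiness {
    [CmdletBinding()]
    param([switch]$EscrowToAD)

    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted') {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # Without a numeric recovery password there is nothing to type in WinRE at all.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
            $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        foreach ($p in $rp) {
            if ($EscrowToAD) {
                # Escrow to AD so the key is retrievable from a console other than the locked
                # server. For Entra ID-joined hosts use BackupToAAD-BitLockerKeyProtector instead.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            [pscustomobject]@{
                MountPoint   = $vol.MountPoint
                ProtectionOn = ($vol.ProtectionStatus -eq 'On')
                ProtectorId  = $p.KeyProtectorId
                EscrowedToAD = [bool]$EscrowToAD
            }
        }
    }
}

function Start-WinReUsbTest {
    # Marks the next boot to land in WinRE; deterministic, unlike interrupting startup.
    # At the WinRE menu, confirm a USB keyboard and mouse respond, then choose Continue.
    & reagentc.exe /boottore
    if ($LASTEXITCODE -ne 0) { throw "reagentc /boottore failed with exit code $LASTEXITCODE" }
    Restart-Computer -Confirm
}

Test-BitLockerRecoveryReadiness -EscrowToAD | Format-Table -AutoSize

# Only on one non-critical server that already has KB5070773 installed:
# Start-WinReUsbTest
```

Run the readiness check before the patch rollout rather than after: if a server that has not yet received KB5070773 is pushed into WinRE by the test, the protector you just escrowed is the only way back in.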

The bottom line

KB5070773 is not just another cumulative update; it is an essential patch that prevents a catastrophic lockout scenario on Windows Server 2025. The regression introduced by KB5066835 demonstrates how a single change in the recovery environment can cascade into a system‑wide failure. Administrators must act now to roll out the fix before a routine BitLocker recovery event turns into a high‑pressure incident that could cost hours, or even days, of downtime.