Microsoft has acknowledged a regression in the October security update KB5066835 that causes wired USB keyboards and mice to stop working in Windows Recovery Environment (WinRE).
WinRE USB Input Broken After KB5066835: What Changed
WinRE is a lightweight, offline Windows environment that provides tools for startup repair, update rollback, bootloader fixes, and incident response. After installing KB5066835, users cannot interact with WinRE menus or tools using wired USB mice and keyboards. The problem is limited to the recovery context and does not affect normal OS sessions, which suggests the issue is tied to the WinRE USB stack or driver initialization order.
Affected Builds: Windows 11 24H2/25H2 and Windows Server 2025
Microsoft lists the issue for client editions of Windows 11 24H2 and 25H2 and for Windows Server 2025. An official fix is not yet available at the time of writing. Microsoft indicates a remediation will ship “soon” through the regular servicing pipeline, which typically means either an out-of-band hotfix or inclusion in the next cumulative update, as noted on the company’s Release Health channels.
Why This Matters for Security and Operations
The inability to provide input in WinRE elevates operational risk: administrators may be unable to roll back failed updates, repair boot issues, or complete secure recovery workflows. The impact is most acute where BitLocker is enabled, since entering the recovery key often occurs in WinRE when TPM attestation or device state checks fail. In server environments, longer recovery times directly affect RTO/RPO commitments and SLA compliance, especially for workloads without redundant failover.
Real-World Risk Scenarios
Common scenarios include: entering a BitLocker recovery key after a firmware change; removing a problematic driver update that prevents normal boot; or performing offline malware remediation. In each case, the inability to use a wired USB keyboard within WinRE can halt recovery until an alternative input method is available.
Verified Workarounds to Regain Control of WinRE
Microsoft recommends input methods not dependent on the affected USB stack in WinRE: Bluetooth keyboards and mice and legacy PS/2 devices. Organizations should validate Bluetooth adapter compatibility with device firmware and security policies, and maintain a small inventory of PS/2 peripherals for critical systems and administrator workstations.
Immediate Admin Checklist
– Confirm alternate access paths: out-of-band management (OOB/KVM), IPMI/iDRAC/iLO, and hypervisor consoles. Test whether vendor remote consoles preserve input in WinRE for your hardware.
– Stage Bluetooth and PS/2 keyboards/mice for high-priority servers and admin endpoints. Document device pairing and security procedures ahead of time.
– Avoid uninstalling KB5066835 unless business-critical, as removal reduces your security posture. Prefer the workarounds and await Microsoft’s fix.
– Ensure BitLocker recovery keys are accessible offline (AD DS, Azure AD, escrow systems). Update on-call runbooks to reflect this known issue and the approved workaround paths.
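One way to find the machines this checklist applies to, as an added example (not a Microsoft script and not from the original article): it reports whether KB5066835 is installed, whether WinRE is enabled, and which volumes are BitLocker-protected. The function name `Get-WinReInputRisk` and the High/Medium/None priority labels are assumptions made for this illustration, and the `reagentc` match assumes English-language output.

```powershell
# Added example: local readiness check for the WinRE USB input issue.
# Run from an elevated PowerShell session (reagentc and Get-BitLockerVolume need admin rights).
function Get-WinReInputRisk {
    [CmdletBinding()]
    param([string]$KbId = 'KB5066835')   # KB id as given in the article

    # Get-HotFix reads Win32_QuickFixEngineering; returns nothing if the KB is absent.
    $kbInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # reagentc prints localized text; this pattern assumes an English OS.
    $reInfo    = (& reagentc.exe /info 2>&1 | Out-String)
    $reEnabled = $reInfo -match 'Windows RE status:\s+Enabled'

    # The BitLocker module may be missing (e.g. feature not installed on a server).
    $protected = @()
    $withRecoveryPw = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $protected = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
            Where-Object { $_.ProtectionStatus -eq 'On' })
        # Volumes that have a recovery-password protector, i.e. a key someone
        # may have to type in recovery. The password itself is never read or printed.
        $withRecoveryPw = @($protected | Where-Object {
            $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        })
    }

    # Hypothetical triage labels: High = update installed and BitLocker on,
    # Medium = update installed only, None = update not installed.
    $priority = if (-not $kbInstalled) { 'None' }
                elseif ($protected.Count -gt 0) { 'High' }
                else { 'Medium' }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        OS                      = (Get-CimInstance Win32_OperatingSystem).Caption
        KbInstalled             = $kbInstalled
        WinReEnabled            = $reEnabled
        ProtectedVolumes        = ($protected.MountPoint -join ',')
        RecoveryPasswordVolumes = ($withRecoveryPw.MountPoint -join ',')
        StageAlternateInput     = $priority
    }
}

Get-WinReInputRisk | Format-List
```

Hosts reported as High are the ones to prioritize for Bluetooth or PS/2 peripherals and a tested remote console path.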
Context: Not the Only October Regression
The issue follows a separate Windows 11 problem in October where HTTP/2 connections to localhost (127.0.0.1) could fail, which Microsoft has already addressed. The sequence underscores the importance of ring-based deployment, robust pre-production testing, and strict change windows for security updates in production environments.
What’s Next: Monitoring and Patch Expectations
Microsoft indicates a fix is imminent via the standard servicing mechanism. Historically, WinRE-related regressions are resolved in out-of-band updates or the next cumulative release cycle. Administrators should monitor Microsoft Release Health, the relevant KB pages, and update management systems such as WSUS, Microsoft Configuration Manager (ConfigMgr), and Intune for the patch’s availability and known issues.
For now, maintain operational readiness by staging Bluetooth/PS/2 input, validating remote console access, and keeping recovery keys at hand. Avoid rolling back October security content without compelling risk justification. With measured workarounds and disciplined deployment practices, organizations can minimize downtime while preserving critical security coverage until Microsoft’s fix lands.