Microsoft: April updates trigger BitLocker key prompts on some servers

Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.

BitLocker is a Windows security feature that encrypts storage drives to prevent data theft. Windows computers typically enter BitLocker recovery mode after hardware changes or events such as TPM (Trusted Platform Module) updates, to regain access to protected drives that have not been unlocked via the default unlock mechanism.

“Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update,” Microsoft said.

“In this scenario, the BitLocker recovery key only needs to be entered once — subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged.”

However, as the company explained, this only happens for very specific configurations, on systems where all the following conditions are met:

BitLocker is enabled on the OS drive.
The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
System Information (msinfo32.exe) reports that the Secure Boot State PCR7 Binding is “Not Possible”.
The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
The device is not already running the 2023-signed Windows Boot Manager.
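A pre-deployment check for the conditions listed above, as an added example that is not from Microsoft or the article. It runs elevated on the server before the update is approved; the registry location assumed for the PCR7 validation-profile policy (HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with DWORD values named after each PCR index) is an assumption, and conditions 3 and 5 are left to a manual check.

```powershell
# Added example (not Microsoft's or the article's code): report which of the
# advisory's conditions a Windows Server 2025 host meets before KB5082063 is
# deployed. Run from an elevated PowerShell session.
function Test-PCR7PolicyExposure {
    $findings = [ordered]@{}

    # Condition 1: BitLocker protection is on for the OS drive.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings.BitLockerOnOsDrive = ($osVol.ProtectionStatus -eq 'On')

    # Condition 2: the "Configure TPM platform validation profile for native UEFI
    # firmware configurations" policy is set and PCR7 is in the profile.
    # Assumed registry layout: a subkey with Enabled=1 and one DWORD per PCR index,
    # where a value of 1 means that PCR is included in the validation profile.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $findings.UefiValidationPolicyConfigured = ($null -ne $pol -and $pol.Enabled -eq 1)
    $findings.PCR7InPolicyProfile = ($null -ne $pol -and $pol.'7' -eq 1)

    # Condition 4: the Windows UEFI CA 2023 certificate is in the Secure Boot DB.
    # The DB variable is a raw blob of signature lists; the certificate subject
    # appears in it as a printable string, so a substring match is sufficient.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $findings.WindowsUefiCa2023InDb = ($dbText -match 'Windows UEFI CA 2023')

    # Conditions 3 (msinfo32 shows PCR7 Binding "Not Possible") and 5 (the active
    # boot manager is not yet 2023-signed) are not automated here; check them by hand.
    $findings.MeetsCheckedConditions = $findings.BitLockerOnOsDrive -and
                                       $findings.UefiValidationPolicyConfigured -and
                                       $findings.PCR7InPolicyProfile -and
                                       $findings.WindowsUefiCa2023InDb
    [pscustomobject]$findings
}

Test-PCR7PolicyExposure | Format-List
```

A host where MeetsCheckedConditions is True should have conditions 3 and 5 confirmed manually and then either the policy removed or the Known Issue Rollback applied before the update is installed.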

Microsoft added that this known issue is unlikely to affect personal devices, as impacted configurations are typically found on systems managed by enterprise IT teams.

BitLocker recovery screen (Microsoft)

The company is now working on a solution to this issue and has shared temporary workarounds that allow installation of this month’s security updates.

Admins are advised to remove the Group Policy configuration before deploying the KB5082063 update, and to ensure that BitLocker bindings use the PCR7 profile by following these steps.

Those who can’t remove the PCR7 group policy before installing can apply a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager and to avoid triggering BitLocker recovery.

In May 2025, Microsoft released emergency updates to address a similar issue that was causing Windows 10 systems to boot into BitLocker recovery after installing the May 2025 security updates.

One year earlier, in August 2024, Microsoft fixed another known issue triggering BitLocker recovery prompts across all supported Windows versions after installing the July 2024 Windows security updates.

In August 2022, Windows devices also became stuck at a BitLocker recovery prompt after installing the KB5012170 security update.
