xiand.ai
Apr 23, 2026 · Updated 01:02 PM UTC
Cybersecurity

Microsoft April update triggers BitLocker recovery prompts on Windows Server 2025

Some Windows Server 2025 devices will boot into BitLocker recovery mode following the installation of the KB5082063 security update.

Ryan Torres

2 min read

A Windows BitLocker recovery screen on a monitor

Microsoft confirmed on Tuesday that certain Windows Server 2025 devices are entering BitLocker recovery mode after installing the April 2026 KB5082063 security update, according to bleepingcomputer.com.

BitLocker is a security feature that encrypts storage drives to prevent unauthorized data access. It typically enters recovery mode when it detects hardware changes or updates to the Trusted Platform Module (TPM).

Microsoft noted that the issue specifically affects systems with certain unrecommended configurations. "Some devices with an unencoded BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," the company stated.

According to the report, the recovery key only needs to be entered once. Subsequent restarts should not trigger the recovery screen as long as the Group Policy settings remain the same.

Specific technical triggers

The bug only affects systems meeting five specific criteria. BitLocker must be enabled on the OS drive, and the 'Configure TPM platform validation profile for native UEFI firmware configurations' Group Policy must include PCR7 in the validation profile.

Additionally, the device's System Information must report that the Secure Boot State PCR7 Binding is 'Not Possible.' The device must also possess the Windows UEFI CA 2023 certificate in its Secure Boot Signature Database (DB) but must not yet be running the 2023-signed Windows Boot Manager.
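As an added pre-deployment check (not from the article or from Microsoft), the following PowerShell script evaluates the five conditions above on a single Windows Server 2025 host so an administrator can see whether it matches the described trigger before KB5082063 is deployed. The registry layout of the validation-profile policy, the "PCR7 Configuration" label in the msinfo32 report, and a free S: drive letter for the EFI partition are assumptions.

```powershell
#Requires -RunAsAdministrator
# Assumptions: the Group Policy named in the article is stored under
# HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with one DWORD
# per selected PCR named by its index ("7" = PCR7); msinfo32 reports the PCR7
# state as "PCR7 Configuration"; drive letter S: is free for the EFI partition.
$findings = [ordered]@{}

# 1. BitLocker protection is on for the OS drive
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings['BitLockerOnOsDrive'] = ($osVol.ProtectionStatus -eq 'On')

# 2. The UEFI platform validation profile policy is set and includes PCR7
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$findings['PolicyIncludesPcr7'] = [bool]($pol -and $pol.Enabled -eq 1 -and $pol.'7' -eq 1)

# 3. msinfo32 reports the Secure Boot PCR7 binding as "Not Possible"
$report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
Start-Process -FilePath msinfo32 -ArgumentList "/report `"$report`"" -Wait
$pcr7 = Select-String -Path $report -Pattern 'PCR7 Configuration' | Select-Object -First 1
$findings['Pcr7BindingNotPossible'] = [bool]($pcr7 -and $pcr7.Line -match 'Not Possible')

# 4. The Windows UEFI CA 2023 certificate is present in the Secure Boot DB
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$findings['Ca2023InDb'] = ($dbText -match 'Windows UEFI CA 2023')

# 5. The boot manager on the EFI partition is not yet signed under the 2023 CA
mountvol S: /s | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    $issuer = $sig.SignerCertificate.Issuer
    $findings['BootMgrNot2023Signed'] = ($issuer -notmatch 'Windows UEFI CA 2023')
} finally {
    mountvol S: /d | Out-Null
}

# Print each condition; only a server meeting all five matches the described bug
$findings.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
if ($findings.Values -notcontains $false) {
    Write-Warning 'All five conditions met: confirm the BitLocker recovery key is backed up and apply a workaround before installing KB5082063.'
} else {
    Write-Output 'Not all conditions met: this server does not match the described trigger.'
}
```

Run it from an elevated session on each server in scope; a host that reports all five conditions as True is the one the article's workarounds are aimed at.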

Microsoft believes the issue is unlikely to impact personal computers. The company noted that these specific configurations are typically found on systems managed by enterprise IT teams.

Microsoft is currently working on a permanent solution. In the meantime, the company has shared temporary workarounds to allow administrators to install the monthly security updates.

System administrators are advised to remove the PCR7 Group Policy configuration before deploying the KB5082063 update, and to confirm that the BitLocker bindings actually use the PCR7 profile.

For devices where the PCR7 group policy cannot be removed before installation, Microsoft suggests applying a Known Issue Rollback (KIR). This prevents the automatic switch to the 2023 Boot Manager and avoids the recovery prompt.

This is not the first time a Microsoft update has caused BitLocker disruptions. In May 2025, emergency updates were released to fix a similar issue affecting Windows 10. Similar recovery prompt bugs were also documented in August 2024 and August 2022.
