Microsoft has resolved a known issue causing some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update.
The BitLocker security feature encrypts storage drives to prevent data theft and will typically force Windows computers to enter recovery mode after hardware changes or events, such as TPM (Trusted Platform Module) updates, to allow regaining access to protected drives that have not been unlocked via the default unlock mechanism.
“Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update,” Microsoft said when it acknowledged this issue after the April 2026 Patch Tuesday.
“In this scenario, the BitLocker recovery key only needs to be entered once — subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged.”
While this issue may also affect some systems running Windows 11, Microsoft says it’s unlikely to impact personal devices, as affected configurations are typically found only on enterprise systems managed by corporate IT teams.
As Microsoft explained at the time, this only happens for very specific configurations, on devices where all the following conditions are met:
- BitLocker is enabled on the OS drive.
- The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
- System Information (msinfo32.exe) reports that the Secure Boot State PCR7 Binding is “Not Possible“.
- The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
- The device is not already running the 2023-signed Windows Boot Manager.
During this month’s Patch Tuesday, two months after confirming the issue, Microsoft resolved this bug in the KB5094125 (Windows Server 2025) and KB5093998 (Windows 11 23H2) cumulative updates.
“This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations,” Microsoft said in updated advisories.
“To prevent the unexpected BitLocker recovery key prompt, devices with this incompatible group policy configuration are prevented from installing the 2023-signed Windows Boot Manager. If your device was impacted, you will see Event ID 1032 in the System event log when installing Windows updates,” it added in a service alert seen by BleepingComputer.
IT admins who can’t yet deploy this month’s updates to fix the issue are advised to remove the Group Policy configuration before installing KB5082063 and later updates, and to ensure that BitLocker bindings use the PCR7 profile.
Those who can’t remove the group policy before deployment can also apply a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager, which triggers the BitLocker recovery prompts.
In August 2024, Microsoft addressed another known issue that triggered BitLocker recovery prompts across all supported Windows versions after installing the July 2024 security updates
More recently, in May 2025, Microsoft released emergency updates to address a similar issue causing Windows 10 systems to enter BitLocker recovery after installing the May 2025 security updates.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
