Microsoft: April updates trigger BitLocker key prompts on some servers

On Tuesday, Microsoft announced that certain Windows Server 2025 devices may encounter a BitLocker recovery prompt following the installation of the April 2026 KB5082063 Windows security update. BitLocker, the full-volume encryption feature built into Windows, encrypts storage drives to protect sensitive data against theft. Systems typically enter BitLocker recovery mode after hardware modifications or updates to the Trusted Platform Module (TPM) change what the TPM measures, at which point the recovery key must be entered to unlock the encrypted drive.

Specific Conditions for Recovery Mode

According to Microsoft, the need to input the BitLocker recovery key will arise only under specific configurations. The company elaborated that the following conditions must be met for a device to trigger this recovery mode:

  1. BitLocker must be enabled on the operating system drive.
  2. The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” should be configured, with PCR7 included in the validation profile (or the equivalent registry key set manually).
  3. System Information (msinfo32.exe) must indicate that the Secure Boot State PCR7 Binding is “Not Possible”.
  4. The Windows UEFI CA 2023 certificate should be present in the device’s Secure Boot Signature Database (DB), allowing the 2023-signed Windows Boot Manager to be set as the default.
  5. The device should not already be operating with the 2023-signed Windows Boot Manager.
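The five conditions above can be checked on a server before the update is deployed. The script below is an added example written for this article, not Microsoft's own tooling; it assumes an elevated PowerShell session, an English-locale msinfo32 report (where the item is labelled “PCR7 Configuration”), a free drive letter S: for the EFI system partition, and that the Group Policy is stored under the OSPlatformValidation_UEFI registry key (verify against the policy's ADMX on your build).

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): report which of the five advisory
# conditions hold on this host. A host matching all five is at risk.
$osDrive = $env:SystemDrive

# 1. BitLocker enabled on the operating system drive
$bl = Get-BitLockerVolume -MountPoint $osDrive
$c1 = ($bl.ProtectionStatus -eq 'On')

# 2. TPM validation profile policy for native UEFI, with PCR7 included
#    (registry location is an assumption; confirm against the ADMX)
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$c2 = $false
if (Test-Path $polKey) {
    $p  = Get-ItemProperty -Path $polKey
    $c2 = ($p.Enabled -eq 1) -and ($p.'7' -eq 1)
}

# 3. msinfo32 reports the PCR7 binding as "Not Possible"
$report = Join-Path $env:TEMP 'msinfo32-report.txt'
Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
$pcr7 = Select-String -Path $report -Pattern 'PCR7 Configuration' | Select-Object -First 1
$c3 = ($null -ne $pcr7) -and ($pcr7.Line -match 'Not Possible')

# 4. Windows UEFI CA 2023 present in the Secure Boot DB
#    (the certificate CN appears as ASCII inside the DER-encoded DB entry)
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$c4 = ($dbText -match 'Windows UEFI CA 2023')

# 5. Boot manager on the EFI system partition is not yet 2023-signed
#    (Get-AuthenticodeSignature may report an untrusted chain status for UEFI
#    certificates; only the signer's issuer name is used here)
$esp = 'S:'   # assumed free letter
mountvol $esp /S | Out-Null
$sig = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
mountvol $esp /D | Out-Null
$c5 = -not ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')

[pscustomobject]@{
    BitLockerOnOsDrive   = $c1
    Pcr7PolicyConfigured = $c2
    Pcr7BindingNotPossible = $c3
    Ca2023InSecureBootDb = $c4
    BootMgrStill2011Signed = $c5
    AtRiskOfRecoveryPrompt = ($c1 -and $c2 -and $c3 -and $c4 -and $c5)
}
```

Condition 2 only evaluates to true when PCR 7 is explicitly selected in the policy; on a host where the policy is absent the key does not exist and the check is reported as false.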

Microsoft reassured users that this issue is unlikely to impact personal devices, as the affected configurations are predominantly found in systems managed by enterprise IT departments.

BitLocker recovery screen (Microsoft)

In response to this known issue, Microsoft is actively working on a resolution and has provided temporary workarounds so that this month’s security updates can still be installed. Administrators are encouraged to remove the Group Policy configuration before deploying the KB5082063 update. Additionally, they should ensure that BitLocker bindings utilize the PCR7 profile by following the steps Microsoft recommends.

For those unable to remove the PCR7 group policy before installation, applying a Known Issue Rollback (KIR) on affected devices is advised to prevent the automatic transition to the 2023 Boot Manager and to avoid triggering the BitLocker recovery prompt.

This is not the first time Microsoft has faced challenges related to BitLocker recovery prompts. In May 2025, emergency updates were released to address a similar issue affecting Windows 10 systems after the installation of the May 2025 security updates. Furthermore, in August 2024, another known issue was resolved that had been causing BitLocker recovery prompts across all supported Windows versions following the July 2024 security updates. Even earlier, in August 2022, devices encountered BitLocker recovery prompts after the installation of the KB5012170 security update.
