Microsoft fixes BitLocker recovery bug on Windows Server 2025

Microsoft has successfully addressed a significant issue affecting certain Windows Server 2025 devices, which were unexpectedly booting into BitLocker recovery mode following the installation of the April 2026 security update. This situation arose due to the intricacies of the BitLocker security feature, designed to encrypt storage drives and safeguard against data theft.

Understanding the BitLocker Recovery Trigger

Typically, BitLocker necessitates that Windows computers enter recovery mode after hardware modifications or events, such as updates to the Trusted Platform Module (TPM). This process allows users to regain access to encrypted drives that have not been unlocked through the standard mechanisms. Microsoft acknowledged the issue shortly after the April 2026 Patch Tuesday, noting that some devices with non-standard BitLocker Group Policy configurations might require users to input their BitLocker recovery key upon the first restart post-update.

However, Microsoft clarified that this recovery key would only need to be entered once; subsequent restarts would not invoke the BitLocker recovery screen, provided the group policy configuration remained unchanged. While this issue could potentially affect some Windows 11 systems, Microsoft reassured users that personal devices are unlikely to be impacted, as the problematic configurations are generally confined to enterprise systems overseen by corporate IT departments.

Specific Conditions for the Issue

Microsoft detailed that the issue occurs under very specific conditions, which include:

  1. BitLocker is enabled on the operating system drive.
  2. The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is set, with PCR7 included in the validation profile (or the equivalent registry key manually configured).
  3. System Information (msinfo32.exe) indicates that the Secure Boot State PCR7 Binding is “Not Possible“.
  4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database, allowing the 2023-signed Windows Boot Manager to be designated as the default.
  5. The device is not already operating with the 2023-signed Windows Boot Manager.
BitLocker recovery screen (Microsoft)

In response to this issue, Microsoft rolled out fixes during this month’s Patch Tuesday, two months after the initial acknowledgment. The resolutions were included in the KB5094125 (Windows Server 2025) and KB5093998 (Windows 11 23H2) cumulative updates. Microsoft stated that these updates rectify the problem where certain devices might enter BitLocker Recovery after updating boot files on systems with specific TPM validation settings, including invalid PCR7 configurations.

To mitigate the unexpected BitLocker recovery key prompt, devices with incompatible group policy configurations will be prevented from installing the 2023-signed Windows Boot Manager. For those affected, Event ID 1032 will appear in the System event log when Windows updates are installed, serving as an indicator of the issue.

Guidance for IT Administrators

For IT administrators who are unable to deploy the latest updates immediately, it is recommended to remove the Group Policy configuration prior to installing KB5082063 and subsequent updates. Additionally, ensuring that BitLocker bindings utilize the PCR7 profile is crucial. If removing the group policy is not feasible before deployment, administrators can implement a Known Issue Rollback (KIR) on affected devices to prevent the automatic transition to the 2023 Boot Manager, which triggers the BitLocker recovery prompts.

In August 2024, Microsoft addressed another issue that caused BitLocker recovery prompts across all supported Windows versions after the installation of the July 2024 security updates. More recently, in May 2025, emergency updates were released to tackle a similar concern that led Windows 10 systems to enter BitLocker recovery following the May 2025 security updates.

Winsage
Microsoft fixes BitLocker recovery bug on Windows Server 2025