Microsoft confirms BitLocker recovery prompts on Windows Server 2025 and Windows 11 devices after installing April 2026 security updates, marking the fourth such incident in four years.
Microsoft has confirmed a new BitLocker bug affecting enterprise Windows Server 2025 and Windows 11 devices following the installation of April 2026 security updates. The issue, which triggers BitLocker recovery mode requiring a 48-digit recovery key on first reboot, marks the fourth time in four years that a Patch Tuesday update has caused unexpected BitLocker recovery prompts.
The Scope of the Problem
The issue specifically affects devices running Windows Server 2025 after installing KB5082063, as well as Windows 11 systems that have installed updates KB5083769 and KB5082052. Microsoft reports that the recovery prompt appears only once—on the first restart after the update—and does not recur on subsequent reboots unless Group Policy changes are made.
According to Microsoft, the bug requires a very specific set of conditions to manifest:
- BitLocker must be enabled on the operating system drive
- The Group Policy setting for TPM (Trusted Platform Module) platform validation must include PCR7
- The system information tool msinfo32.exe must report Secure Boot State PCR7 Binding as "Not Possible"
- The Windows UEFI CA 2023 certificate must be present in the Secure Boot Signature Database
- The device must not already be running the 2023-signed Windows Boot Manager
These configurations are typically found only on enterprise-managed systems, making personal devices unlikely to be affected.
Microsoft's Response and Workarounds
Microsoft has issued several recommendations for administrators facing this issue. The primary workaround involves removing the PCR7 Group Policy configuration before deploying the KB5082063 update. Administrators should also confirm that BitLocker bindings use the PCR7 profile.
For organizations unable to remove the policy before installation, Microsoft has made a Known Issue Rollback (KIR) available through its business support channels. The KIR prevents the automatic switch to the 2023 Boot Manager and stops the BitLocker recovery screen from triggering.
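The conditions listed above, plus Microsoft's advice to confirm which PCR profile the BitLocker TPM protector actually binds to, can be checked before the update is deployed. The script below is an added example for this article, not Microsoft's tooling or text. It only reads state and reports it; it changes nothing. It assumes an elevated session, English-language manage-bde output, that the msinfo32 report labels the relevant row with "PCR7", and that the PCR7 Group Policy setting is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE (value OSPlatformValidation_UEFI and subkey OSPlatformValidationUEFI); none of those registry names come from the article.

```powershell
# Added example (not Microsoft's code): read-only readiness check for the
# BitLocker recovery conditions described in the article. Run elevated.
#Requires -RunAsAdministrator

$osDrive  = $env:SystemDrive
$findings = [ordered]@{}

# 1. BitLocker enabled on the OS drive, and whether a recovery password
#    protector exists (the 48-digit key the recovery screen asks for).
$vol = Get-BitLockerVolume -MountPoint $osDrive
$findings['BitLockerOnOsDrive']   = [bool]($vol.ProtectionStatus -eq 'On')
$findings['RecoveryPasswordSaved'] = [bool]($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# 2. Effective PCR validation profile of the TPM protector, parsed from
#    manage-bde output (assumes the English "PCR Validation Profile:" label).
$mbde = manage-bde -protectors -get $osDrive 2>&1 | Out-String
$pcrs = @()
if ($mbde -match 'PCR Validation Profile:\s*([\d,\s]+)') {
    $pcrs = $Matches[1].Trim() -split '\s*,\s*' | ForEach-Object { [int]$_ }
}
$findings['TpmProtectorUsesPcr7'] = [bool]($pcrs -contains 7)

# 3. Group Policy "platform validation profile for native UEFI" includes PCR7.
#    Registry location is an assumption of this example, not from the article.
$fve       = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$uefiFlag  = Get-ItemProperty -Path $fve -Name 'OSPlatformValidation_UEFI' -ErrorAction SilentlyContinue
$pcrValues = Get-ItemProperty -Path "$fve\OSPlatformValidationUEFI" -ErrorAction SilentlyContinue
$findings['PolicyIncludesPcr7'] = [bool](($uefiFlag.OSPlatformValidation_UEFI -eq 1) -and ($pcrValues.'7' -eq 1))

# 4. msinfo32 PCR7 binding status, taken from an exported report
#    (assumes the report row contains the text "PCR7").
$report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
$pcr7Line = Get-Content -Path $report -ErrorAction SilentlyContinue |
    Where-Object { $_ -match 'PCR7' } | Select-Object -First 1
$findings['Pcr7BindingNotPossible'] = [bool]($pcr7Line -match 'Not Possible')
Remove-Item -Path $report -ErrorAction SilentlyContinue

# 5. Windows UEFI CA 2023 present in the Secure Boot signature database (db).
try {
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $findings['UefiCa2023InDb'] = [bool]($dbText -match 'Windows UEFI CA 2023')
} catch {
    $findings['UefiCa2023InDb'] = $false   # not UEFI, or Secure Boot variables unreadable
}

# 6. Is the installed boot manager already signed under the 2023 CA?
#    Mount the EFI system partition on a free drive letter, inspect, unmount.
$letter = [char[]](90..65) | Where-Object { -not (Test-Path "$($_):\") } | Select-Object -First 1
$esp = "$($letter):"
mountvol $esp /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    $chainText = "$($sig.SignerCertificate.Subject) $($sig.SignerCertificate.Issuer)"
    $findings['BootManagerSigned2023'] = [bool]($chainText -match 'Windows UEFI CA 2023')
} finally {
    mountvol $esp /D | Out-Null
}

# All five article conditions true => this device matches the known-issue profile.
$findings['MatchesArticleConditions'] =
    $findings.BitLockerOnOsDrive -and $findings.PolicyIncludesPcr7 -and
    $findings.Pcr7BindingNotPossible -and $findings.UefiCa2023InDb -and
    -not $findings.BootManagerSigned2023

[pscustomobject]$findings | Format-List
```

A device that reports MatchesArticleConditions as True is one where the article's workaround (removing the PCR7 policy before installing the update, or applying the Known Issue Rollback) applies; RecoveryPasswordSaved being False on such a device is the more urgent finding, since a recovery prompt with no escrowed key is what turns a reboot into an outage.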
A permanent fix is currently in development and will be delivered through a future Windows update. Microsoft has also acknowledged a separate issue where some Windows Server 2025 devices fail to install the April update entirely, displaying error code 800F0983 during installation.
Historical Context: A Recurring Issue
This incident marks the fourth occurrence in four years where a Windows update has triggered unexpected BitLocker recovery prompts:
- August 2022: KB5012170 caused similar issues
- July 2024: The problem affected all supported Windows versions
- May 2025: Windows 10 systems experienced the same behavior
Despite this recurring problem, Microsoft is not advising administrators to skip the April 2026 update. The release addresses 167 vulnerabilities, including two zero-day flaws, one of which was actively exploited before the patch became available.
Impact on Enterprise Environments
The timing of this bug is particularly challenging for enterprise IT departments, as it comes during a critical security update cycle. Organizations with strict BitLocker policies and TPM configurations are most at risk, potentially facing significant disruption if devices enter recovery mode en masse.
Administrators are advised to test the update in non-production environments before widespread deployment, particularly in organizations with the specific configuration combinations that trigger the issue. The Known Issue Rollback provides a safety net for those who have already deployed the update and are experiencing recovery prompts.
Looking Forward
Microsoft's acknowledgment of this issue and provision of workarounds demonstrates the company's awareness of the impact on enterprise customers. However, the recurrence of BitLocker-related problems in security updates raises questions about testing procedures for enterprise-critical features.
The development of a permanent fix suggests Microsoft recognizes this as a systemic issue rather than an isolated incident. Enterprise customers will be watching closely for the follow-up update that addresses the root cause rather than just the symptoms.
For now, organizations must balance the critical security fixes included in the April 2026 update against the potential disruption from BitLocker recovery prompts. Those with affected configurations should implement Microsoft's recommended workarounds before or immediately after deployment to minimize impact on their operations.