Microsoft Fixes BitLocker Recovery Bug in Windows Server 2025

12.06.2026 3 minutes Author: Newsman

Microsoft has resolved a known issue that caused some Windows Server 2025 devices to boot into BitLocker recovery mode after installing the April 2026 security update.

The BitLocker security feature encrypts drives to protect data from theft and normally causes Windows devices to enter recovery mode after hardware changes or events such as Trusted Platform Module (TPM) updates. This mechanism helps restore access to protected drives that cannot be unlocked using the default authentication method.

“Some devices with a non-default BitLocker Group Policy configuration may require entering a BitLocker recovery key upon the first restart after installing this update,” Microsoft said when it acknowledged the issue following the release of the April 2026 security update.

In this scenario, the BitLocker recovery key only needs to be entered once. Subsequent restarts will not trigger the BitLocker recovery screen as long as the Group Policy configuration remains unchanged.

While the issue could also affect some Windows 11 systems, Microsoft said it is unlikely to impact consumer devices because the affected configurations are typically found only in enterprise environments managed by corporate IT teams.

As Microsoft explained at the time, the issue occurs only under very specific conditions where all of the following requirements are met:

  • BitLocker is enabled on the operating system drive.

  • The “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy setting is enabled and PCR7 is included in the validation profile (or the equivalent registry setting has been configured manually).

  • The System Information utility (msinfo32.exe) reports that PCR7 binding to Secure Boot is “Not Possible.”

  • The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot signature database (DB), making the device eligible to use the Windows Boot Manager signed with the 2023 certificate by default.

  • The device has not yet booted using the Windows Boot Manager signed with the 2023 certificate.
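The list above reads as an audit checklist, so here is an added PowerShell script (written for this page, not code from Microsoft or the original article) that checks each condition on a host and also looks for the Event ID 1032 entry the advisory mentions. It assumes the usual registry locations for the BitLocker Group Policy (HKLM\SOFTWARE\Policies\Microsoft\FVE and its OSPlatformValidation_UEFI subkey holding one DWORD per PCR index) and for Secure Boot servicing status (UEFICA2023Status under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing); those paths are assumptions to verify against your own deployment, and the PCR profile is read from manage-bde rather than msinfo32.

```powershell
# Added example, not from the article or Microsoft: audit one host for the five
# preconditions listed above plus the Event ID 1032 indicator from the advisory.
# Run in an elevated PowerShell session on the server being assessed.
#Requires -RunAsAdministrator

$findings = [ordered]@{}

# 1. BitLocker enabled on the operating system drive.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$findings['BitLockerOnOsDrive'] = ($null -ne $osVol -and $osVol.ProtectionStatus -eq 'On')

# 2. Group Policy "Configure TPM platform validation profile for native UEFI firmware
#    configurations" enabled with PCR7 included. Assumed layout: the policy writes
#    OSPlatformValidation_UEFI = 1 under the FVE policy key and a subkey of the same
#    name with one DWORD per PCR index (1 = included). Confirm with gpresult if unsure.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyOn = (Get-ItemProperty -Path $fve -Name OSPlatformValidation_UEFI `
             -ErrorAction SilentlyContinue).OSPlatformValidation_UEFI -eq 1
$pcr7InProfile = $false
if (Test-Path "$fve\OSPlatformValidation_UEFI") {
    $pcr7InProfile = (Get-ItemProperty -Path "$fve\OSPlatformValidation_UEFI" -Name '7' `
                      -ErrorAction SilentlyContinue).'7' -eq 1
}
$findings['PolicyPcr7Profile'] = ($policyOn -and $pcr7InProfile)

# 3. What the TPM protector is actually sealed to. manage-bde prints the PCR list on the
#    line(s) after "PCR Validation Profile:" and notes when Secure Boot (PCR7) binding is
#    in use; msinfo32's "PCR7 Configuration" line reports the same binding state.
$protectors = manage-bde -protectors -get $env:SystemDrive 2>$null
$m = $protectors | Select-String -Pattern 'PCR Validation Profile' -Context 0, 2 |
     Select-Object -First 1
$findings['TpmProtectorPcrs'] = if ($m) {
    ($m.Context.PostContext | ForEach-Object { $_.Trim() }) -join ' '
} else { 'no TPM protector found' }

# 4. Windows UEFI CA 2023 present in the Secure Boot signature database (DB).
#    A plain string search over the raw DB bytes is enough to spot the certificate name.
$dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction SilentlyContinue).Bytes
$findings['UefiCa2023InDb'] = ($null -ne $dbBytes) -and
    ([Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023')

# 5. Whether the 2023-signed Boot Manager has already been applied. Assumed value name
#    UEFICA2023Status under the SecureBoot\Servicing key; treat a missing value as unknown.
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
       -ErrorAction SilentlyContinue
$findings['BootMgr2023Status'] = if ($svc -and $svc.UEFICA2023Status) { $svc.UEFICA2023Status } else { 'unknown' }

# Detection: the advisory says affected devices log Event ID 1032 in the System log
# while the update installs (the block that keeps the 2023-signed boot files off the host).
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1032 } -MaxEvents 1 `
       -ErrorAction SilentlyContinue
$findings['EventId1032Seen'] = ($null -ne $evt)

[pscustomobject]$findings | Format-List

# Surface the hosts that match the policy and DB preconditions so the recovery key
# can be verified in AD/Entra before the cumulative update is scheduled.
if ($findings.BitLockerOnOsDrive -and $findings.PolicyPcr7Profile -and $findings.UefiCa2023InDb) {
    Write-Warning 'Host matches the BitLocker policy and Secure Boot DB preconditions; confirm the recovery key is escrowed before patching.'
}
```

Feed the output into whatever inventory you already keep for the patch window: a host that reports BitLocker on, the PCR7 policy profile present, the 2023 CA in DB and a BootMgr2023Status other than an applied state is the population the advisory describes, and those are the machines whose recovery keys should be confirmed as escrowed before the update is pushed.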

BitLocker Recovery Screen (Microsoft)

During this month’s Patch Tuesday, two months after acknowledging the issue, Microsoft fixed the bug in the cumulative updates KB5094125 for Windows Server 2025 and KB5093998 for Windows 11 version 23H2.

“This update addresses an issue that could cause some devices to enter BitLocker recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations,” Microsoft said in its updated advisory.

“To prevent an unexpected BitLocker recovery key prompt, devices with this incompatible Group Policy configuration are blocked from installing the Windows Boot Manager signed with the 2023 certificate. If your device is affected, you will see Event ID 1032 in the System Event Log during the installation of Windows updates,” the company added in a service notification.

IT administrators who are not yet able to deploy this month’s updates are advised to remove the affected Group Policy configuration before installing KB5082063 and later updates, and to ensure that BitLocker protectors use the PCR7 profile.

Organizations that cannot remove the Group Policy configuration before deployment can also apply a Known Issue Rollback (KIR) on affected devices. The KIR prevents systems from automatically switching to the 2023-signed Windows Boot Manager, which is the change that triggers the BitLocker recovery prompt on these devices.
