1. The April 2026 update (KB5082063) causes BitLocker recovery prompts on some Windows Server 2025 and Windows 11 devices when specific enterprise configurations are present.
2. The issue is limited to devices with particular Group Policy and Secure Boot settings, primarily affecting enterprise-managed systems.
3. Microsoft recommends pre-emptively removing the PCR7 Group Policy setting before updating and provides workarounds, including a Known Issue Rollback (KIR).
4. A permanent fix is in development, and despite the issue, Microsoft advises not to skip the update due to the security vulnerabilities it addresses.
Important Update for Windows Server 2025 Users
On April 15, 2026, Microsoft officially acknowledged a problem affecting certain Windows Server 2025 machines. After installing the recent security update KB5082063, these servers might automatically switch to BitLocker recovery mode. This switch causes the system to ask for a special recovery key during the first reboot. The same problem also affects some Windows 11 devices with updates KB5083769 and KB5082052, and it only happens under specific conditions.
What Causes the Issue?
This is a complicated bug that mostly happens on enterprise systems, not typical personal machines. It essentially requires all five of these conditions to be true: BitLocker encryption is active on the drive; the Group Policy setting for the TPM platform validation profile includes PCR7; System Information reports that Secure Boot State PCR7 Binding is “Not Possible”; the Windows UEFI CA 2023 certificate is present; and the device isn’t already using the 2023-signed Windows Boot Manager. When all of these are met, the system may forcibly prompt for a recovery key upon reboot, which disrupts admins and users alike. Usually, after the initial reboot, no further prompts occur unless the policy changes again.
Microsoft’s Recommendations and Workarounds
To avoid this problem, system administrators are advised to disable the PCR7 Group Policy setting before installing the update. They should also double-check whether BitLocker is actually using the PCR7 validation profile, since that determines whether a device is exposed. For those unable to do this before the update, Microsoft has provided a workaround called a Known Issue Rollback (KIR). It prevents the automatic switch to the 2023 Boot Manager and stops the recovery prompt from appearing. It’s available through business support channels, and Microsoft is working on a permanent fix that will be included in future updates.
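The five conditions listed above, and the pre-update check Microsoft recommends, can be audited from an elevated PowerShell session before KB5082063 is deployed. The script below is an added example written for this page; it is not Microsoft’s code and does not come from the article. It assumes the registry layout of the BitLocker ADMX policy under HKLM\SOFTWARE\Policies\Microsoft\FVE, the text layout of manage-bde and msinfo32 output, and a free drive letter Q: for mounting the EFI system partition; each assumption is marked in the comments.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not Microsoft's, not from the article). Read-only apart from
# temporarily mounting the EFI system partition. Reports the five preconditions the
# article lists for the KB5082063 BitLocker recovery prompt on the OS drive.

param([string]$OsDrive = $env:SystemDrive)   # e.g. "C:"

$result = [ordered]@{}

# Condition 1: BitLocker protection is on for the OS drive (BitLocker module cmdlet).
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$result.BitLockerOn = ($vol.ProtectionStatus -eq 'On')

# Which PCR profile the TPM protector is actually sealed to, parsed from manage-bde.
# Assumption: output contains "PCR Validation Profile:" followed by e.g. "7, 11" or "0, 2, 4, 11".
$mbde = manage-bde -protectors -get $OsDrive | Out-String
$result.ProtectorPcrProfile = if ($mbde -match 'PCR Validation Profile:\s*([\d, ]+)') { $Matches[1].Trim() } else { 'unknown' }

# Condition 2: the policy "Configure TPM platform validation profile for native UEFI
# firmware configurations" is enabled and includes PCR 7.
# Assumption (from VolumeEncryption.admx as I read it): DWORD OSPlatformValidation_UEFI = 1
# under ...\FVE, and a subkey of the same name holding a DWORD named "7" = 1.
$fve      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyOn = (Get-ItemProperty -Path $fve -Name OSPlatformValidation_UEFI -ErrorAction SilentlyContinue).OSPlatformValidation_UEFI -eq 1
$pcr7Set  = (Get-ItemProperty -Path "$fve\OSPlatformValidation_UEFI" -Name '7' -ErrorAction SilentlyContinue).'7' -eq 1
$result.PolicyIncludesPcr7 = [bool]($policyOn -and $pcr7Set)

# Condition 3: System Information's PCR7 binding state (the article's "Secure Boot State
# PCR7 Binding"). msinfo32 /report writes a text report; assumption: it contains a line
# "PCR7 Configuration" followed by Bound / Binding Possible / Binding Not Possible.
$report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
Start-Process -FilePath msinfo32 -ArgumentList "/report `"$report`"" -Wait
$line = Get-Content -Path $report | Select-String -Pattern 'PCR7 Configuration' | Select-Object -First 1
$result.Pcr7Binding = if ($line) { ($line.Line -replace '.*PCR7 Configuration\s*', '').Trim() } else { 'unknown' }
Remove-Item -Path $report -ErrorAction SilentlyContinue

# Condition 4: the Windows UEFI CA 2023 certificate is present in the Secure Boot DB.
$dbBytes = (Get-SecureBootUEFI -Name db).Bytes
$result.UefiCa2023InDb = [bool]([System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023')

# Condition 5: is the installed boot manager already signed under the 2023 CA?
# The EFI system partition is mounted briefly to read the Authenticode signature.
# Assumption: Q: is free; mountvol /S and /D are the mount/dismount switches.
$efi = 'Q:'
mountvol $efi /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath "$efi\EFI\Microsoft\Boot\bootmgfw.efi"
    $cert = $sig.SignerCertificate
    $result.BootMgr2023Signed = [bool](($cert.Issuer -match 'Windows UEFI CA 2023') -or ($cert.Subject -match 'Windows UEFI CA 2023'))
} finally {
    mountvol $efi /D | Out-Null
}

# All five must hold for the device to match the known-issue profile described in the article.
$exposed = $result.BitLockerOn -and
           $result.PolicyIncludesPcr7 -and
           ($result.Pcr7Binding -match 'Not Possible') -and
           $result.UefiCa2023InDb -and
           (-not $result.BootMgr2023Signed)
$result.MatchesKnownIssueConditions = [bool]$exposed

[pscustomobject]$result | Format-List

if ($exposed) {
    Write-Warning ("All five conditions match on {0}: remove PCR 7 from the TPM validation profile policy " +
                   "(or apply the KIR) before installing KB5082063, and confirm recovery keys are escrowed " +
                   "(e.g. Backup-BitLockerKeyProtector to AD DS) in case a recovery prompt still occurs.") -f $OsDrive
}
```

A mismatch between PolicyIncludesPcr7 (true) and ProtectorPcrProfile (showing 0, 2, 4, 11 rather than 7, 11) is the signature of the situation the article describes: the policy asks for PCR7 binding, but the firmware state makes it impossible, so BitLocker is sealed to the legacy profile and a boot manager change can trip a recovery prompt. Run the script on a pilot device per hardware model rather than fleet-wide, since it mounts the EFI partition and invokes msinfo32.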
Additional Problems and Microsoft’s Stance
- The update has caused failures during installation on some servers, marked by error code 800F0983. Microsoft said they are investigating this issue.
- This isn’t the first time such an issue has happened. In past years, similar BitLocker prompts appeared after Patch Tuesday updates, including in August 2022, July 2024, and May 2025 on various Windows versions.
- Despite these issues, Microsoft recommends that admins still deploy the April 2026 update because it fixes 167 vulnerabilities, including two zero-day vulnerabilities that were being actively exploited before the patch was released.
In conclusion, while the update brings essential security fixes, the BitLocker recovery bug requires careful attention. Admins should follow Microsoft’s guidance for workarounds and stay tuned for a future complete fix in upcoming Windows updates.