Microsoft: April updates trigger BitLocker key prompts on some servers


Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.
BitLocker is a Windows security feature that encrypts storage drives to prevent data theft. Windows computers typically enter BitLocker recovery mode after hardware changes or events such as TPM (Trusted Platform Module) updates, to regain access to protected drives that have not been unlocked via the default unlock mechanism.
"Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft said.
"In this scenario, the BitLocker recovery key only needs to be entered once -- subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged."
However, as the company explained, this only happens for very specific configurations, on systems where all the following conditions are met:
$1
$1
$1
$1
$1
Microsoft added that this known issue is unlikely to affect personal devices, as impacted configurations are typically found on systems managed by enterprise IT teams.
BitLocker recovery screen (Microsoft)
The company is now working on a solution to this issue and has shared temporary workarounds that allow installation of this month's security updates.
Admins are advised to remove the Group Policy configuration before deploying the KB5082063 update, and to ensure that BitLocker bindings use the PCR7 profile by following .
Those who can't remove the PCR7 group policy before installing can apply a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager and to avoid triggering BitLocker recovery.
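To check which PCRs a volume's TPM protector is currently bound to before deploying the update, the output of the built-in `manage-bde -protectors -get` command can be parsed. The following is an added example, not code from Microsoft or from this article; the function name `Get-TpmPcrProfile` is hypothetical, the sample text is constructed, and English-language `manage-bde` output is assumed.

```powershell
# Added example: report the PCR validation profile of each TPM-based protector
# from `manage-bde -protectors -get <volume>` text (English output assumed).
function Get-TpmPcrProfile {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Text)
    $protector = $null   # most recent protector heading, e.g. "TPM" or "TPM And PIN"
    $pending   = $false  # true when the PCR list is expected on the next non-blank line
    foreach ($raw in $Text) {
        $line = $raw.Trim()
        if ($line -match '^PCR Validation Profile:\s*(?<list>.*)$') {
            $list = $Matches['list']          # list may follow on the same line...
            $pending = -not $list             # ...or on the line after it
        } elseif ($pending -and $line) {
            $list = $line
            $pending = $false
        } elseif ($line -match '^(?<name>[^:]+):$') {
            $protector = $Matches['name']     # heading such as "TPM:" or "Numerical Password:"
            continue
        } else {
            continue
        }
        if (-not $list) { continue }
        $pcrs = [int[]]([regex]::Matches($list, '\d+') | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Protector   = $protector
            Pcrs        = $pcrs
            BoundToPcr7 = $pcrs -contains 7   # false means the binding does not include PCR 7
        }
    }
}

# Constructed sample: a TPM protector bound to a custom profile without PCR 7.
$sample = @'
Volume C: [OS]
All Key Protectors

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000001}

    TPM:
      ID: {00000000-0000-0000-0000-000000000002}
      PCR Validation Profile:
        0, 2, 4, 11
'@ -split '\r?\n'

Get-TpmPcrProfile -Text $sample | Format-Table Protector, Pcrs, BoundToPcr7

# Live check from an elevated prompt:
# Get-TpmPcrProfile -Text (manage-bde -protectors -get $env:SystemDrive)
```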
In May 2025, Microsoft to address a similar issue that was causing Windows 10 systems to boot into BitLocker recovery after installing the May 2025 security updates.
One year earlier, in August 2024, Microsoft triggering BitLocker recovery prompts across all supported Windows versions after .
In August 2022, Windows devices after installing the .




