Microsoft has fixed a known issue that caused some Windows Server 2025 devices to boot into BitLocker recovery mode after installing the April 2026 security update.
BitLocker is a Windows security feature that encrypts storage drives to help protect data from theft. In some cases, Windows may ask users to enter a BitLocker recovery key after hardware or security-related changes, such as updates involving the Trusted Platform Module, also known as TPM.
Microsoft first confirmed the issue after the April 2026 Patch Tuesday update. The company said some devices with a non-recommended BitLocker Group Policy configuration could be asked to enter the BitLocker recovery key during the first restart after installing the update.
According to Microsoft, the recovery key only needed to be entered once. After that, later restarts would not show the BitLocker recovery screen again, as long as the Group Policy settings remained unchanged.
The issue could also affect some Windows 11 systems, but Microsoft said it was unlikely to impact personal devices. The affected configuration is usually found on enterprise systems managed by corporate IT teams.
Microsoft explained that the problem only appeared on devices with very specific settings. These included systems where BitLocker was enabled on the operating system drive, PCR7 was included in the TPM validation profile, Secure Boot PCR7 Binding was reported as “Not Possible,” and the device was eligible to use the 2023-signed Windows Boot Manager but was not already running it.
The company has now resolved the bug through this month’s Patch Tuesday updates. The fix is included in KB5094125 for Windows Server 2025 and KB5093998 for Windows 11 version 23H2.
Microsoft said the update addresses an issue where some devices could enter BitLocker recovery after updating boot files on systems with certain TPM validation settings, including invalid PCR7 configurations.
To prevent unexpected BitLocker recovery prompts, Microsoft is now blocking devices with the incompatible Group Policy configuration from installing the 2023-signed Windows Boot Manager. If a device was affected, administrators may see Event ID 1032 in the System event log when installing Windows updates.
IT administrators who cannot deploy the latest updates immediately are advised to remove the affected Group Policy configuration before installing KB5082063 and later updates. Microsoft also recommends making sure that BitLocker TPM bindings use the PCR7 (Secure Boot) validation profile rather than a policy-defined PCR list that names PCR7 on a device where Secure Boot binding is not possible.
For organizations that cannot remove the Group Policy setting before deployment, Microsoft has also provided a Known Issue Rollback to prevent the automatic switch to the 2023 Boot Manager, which triggered the BitLocker recovery prompts.
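The following PowerShell audit script is an added example, not Microsoft's tooling or anything from the advisory; it pulls together the checks an administrator would run before deploying the update: whether the OS drive is BitLocker-protected by a TPM protector, which PCR validation profile that protector actually uses, whether the TPM platform validation Group Policy is set and lists PCR7, whether Secure Boot is on, which certificate authority signed the Boot Manager currently on the EFI System Partition, and whether Event ID 1032 has already appeared in the System log. Assumptions not stated in the article: the policy "Configure TPM platform validation profile for native UEFI firmware configurations" is read from the OSPlatformValidation_UEFI registry key; the "(Uses Secure Boot for integrity validation)" note in manage-bde output is treated as equivalent to msinfo32 reporting "PCR7 Configuration: Bound"; a Boot Manager whose signer chain mentions "Windows UEFI CA 2023" is taken to be the 2023-signed one; and Event ID 1032 is matched by log name and ID only, since the article does not name the provider.

```powershell
# Added example (not Microsoft's code). Run in an elevated PowerShell session on the host.
# Requires the BitLocker module (Windows Server: the BitLocker feature must be installed).
function Get-BitLockerPcr7RiskReport {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$EspLetter  = 'Z'   # free drive letter used to temporarily mount the EFI System Partition
    )

    # 1. BitLocker state and TPM-based protectors on the OS drive.
    $vol           = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # 2. PCR validation profile applied to the TPM protector, parsed from manage-bde.
    #    manage-bde prints "PCR Validation Profile:" followed by the PCR list (same line or next line)
    #    and, when the protector is bound to Secure Boot state, "(Uses Secure Boot for integrity validation)".
    $lines = (manage-bde -protectors -get $MountPoint 2>&1 | Out-String) -split "`r?`n"
    $pcrs  = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $text = $Matches[1]
            if (-not $text.Trim() -and ($i + 1) -lt $lines.Count) { $text = $lines[$i + 1] }
            $pcrs = @($text -split '[,\s]+' | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
            break
        }
    }
    # Assumption: this note stands in for msinfo32's "PCR7 Configuration: Bound".
    $pcr7Bound = [bool](($lines -join "`n") -match 'Uses Secure Boot for integrity validation')

    # 3. Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations".
    #    Assumption: stored as Enabled plus PCR0..PCR23 DWORDs under this key when the policy is applied.
    $polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $policy  = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $polOn   = [bool]($policy -and $policy.Enabled -eq 1)
    $polPcrs = if ($polOn) { @(0..23 | Where-Object { $policy."PCR$_" -eq 1 }) } else { @() }

    # 4. Secure Boot state (Confirm-SecureBootUEFI throws on legacy BIOS systems).
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

    # 5. Signer of the Boot Manager actually installed on the EFI System Partition.
    #    The ESP is mounted only for the duration of the check and dismounted afterwards.
    $bootMgrSubject = $null; $bootMgrIssuer = $null
    if (-not (Test-Path "${EspLetter}:\")) {
        mountvol "${EspLetter}:" /S | Out-Null
        try {
            $sig = Get-AuthenticodeSignature -FilePath "${EspLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"
            if ($sig.SignerCertificate) {
                $bootMgrSubject = $sig.SignerCertificate.Subject
                $bootMgrIssuer  = $sig.SignerCertificate.Issuer
            }
        } finally {
            mountvol "${EspLetter}:" /D | Out-Null
        }
    }
    # Assumption: the 2023-signed Boot Manager chains to "Windows UEFI CA 2023".
    $bootMgr2023 = [bool](("$bootMgrSubject $bootMgrIssuer") -match 'Windows UEFI CA 2023')

    # 6. Event ID 1032 in the System log, which the advisory says marks affected devices.
    $evt1032 = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1032 } -MaxEvents 5 -ErrorAction SilentlyContinue)

    # Risk condition from the advisory: BitLocker on the OS drive with a TPM protector, PCR7 in the
    # validation profile, Secure Boot binding not possible, and not yet running the 2023 Boot Manager.
    $atRisk = ($vol.ProtectionStatus -eq 'On') -and
              ($tpmProtectors.Count -gt 0) -and
              ($pcrs -contains 7) -and
              (-not $pcr7Bound) -and
              (-not $bootMgr2023)

    [pscustomobject]@{
        MountPoint                = $MountPoint
        ProtectionStatus          = $vol.ProtectionStatus
        TpmProtectorCount         = $tpmProtectors.Count
        PcrValidationProfile      = ($pcrs -join ',')
        SecureBootPcr7Bound       = $pcr7Bound
        PlatformValidationPolicy  = $polOn
        PolicyPcrList             = ($polPcrs -join ',')
        SecureBootEnabled         = $secureBoot
        BootManagerSigner         = $bootMgrSubject
        BootManagerIssuer         = $bootMgrIssuer
        BootManager2023Signed     = $bootMgr2023
        EventId1032Seen           = ($evt1032.Count -gt 0)
        AtRiskOfRecoveryPrompt    = $atRisk
    }
}

Get-BitLockerPcr7RiskReport | Format-List
```

A host that reports AtRiskOfRecoveryPrompt as True with PlatformValidationPolicy True is the case the advisory describes: the policy-defined PCR list names PCR7, but the firmware cannot bind to Secure Boot state, so the TPM measurement changes when the Boot Manager is swapped. Fix it at the source by editing the GPO that sets the platform validation profile rather than deleting the local registry key (domain policy would simply write it back), then confirm in msinfo32 that "PCR7 Configuration" reads "Bound" and that manage-bde shows the Secure Boot note before the update is allowed to install. Whatever the script reports, stage the recovery key from Active Directory or Entra ID before the reboot; the advisory says the prompt appears once, but only if the key is on hand.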
This is not the first time Microsoft has dealt with BitLocker recovery problems after Windows updates. In August 2024, the company fixed a similar issue affecting supported Windows versions after the July 2024 security updates. In May 2025, Microsoft also released emergency updates to resolve a BitLocker recovery problem on Windows 10 systems after the May 2025 security updates.