Microsoft confirmed that installing the April 2026 KB5082063 security update can force some Windows Server 2025 devices into BitLocker recovery on first restart when an unrecommended BitLocker Group Policy configuration is present. The issue is limited to specific PCR7-based TPM and Secure Boot configurations on enterprise-managed systems, and Microsoft advises removing the Group Policy or applying a Known Issue Rollback until a permanent fix is released. #BitLocker #KB5082063
Key points
- Installing KB5082063 may trigger a one-time BitLocker recovery prompt on affected devices after the first reboot.
- The issue occurs only when BitLocker is enabled, PCR7 is included in the TPM validation profile, Secure Boot reports PCR7 Binding as "Not Possible", the Windows UEFI CA 2023 certificate is present in the DB, and the device is not already running the 2023-signed Windows Boot Manager.
- The BitLocker recovery key needs to be entered only once if the group policy configuration remains unchanged.
- Administrators should remove the PCR7 Group Policy before deploying KB5082063 or apply a Known Issue Rollback on devices that cannot have the policy removed.
- Impacted configurations are typically found on enterprise-managed systems, and Microsoft is developing a permanent solution while providing temporary workarounds.
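The five conditions listed above can be checked on a server before KB5082063 is deployed. The following PowerShell script is an added example for this page, not Microsoft's own tooling: it reads the BitLocker state, the PCR7 platform-validation Group Policy, the msinfo32 "PCR7 Configuration" field, the Secure Boot DB and the boot manager's Authenticode signer, and reports whether the device matches the recovery condition. The registry location of the "Configure TPM platform validation profile for native UEFI firmware configurations" policy (`OSPlatformValidation_UEFI` with a DWORD named `7`) is an assumption taken from the BitLocker ADMX layout, and the temporary drive letter `S:` used for the EFI System Partition is arbitrary. Run it from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): pre-flight check for the KB5082063 BitLocker
# recovery condition. Lines marked ASSUMPTION are not taken from the advisory text.

function Get-Pcr7Configuration {
    # msinfo32 /report writes the same "PCR7 Configuration" item that System Information shows
    # (e.g. "Bound" or "Binding Not Possible"); we parse that single line.
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait -NoNewWindow
    $line = Select-String -Path $report -Pattern '^PCR7 Configuration' | Select-Object -First 1
    Remove-Item $report -ErrorAction SilentlyContinue
    if ($line) { return ($line.Line -replace '^PCR7 Configuration\s+', '').Trim() }
    return 'Unknown'
}

function Test-Pcr7PolicyPresent {
    # ASSUMPTION: the platform validation profile policy for native UEFI firmware is stored
    # under this key, with Enabled=1 and one DWORD per PCR index; "7" = PCR7 is selected.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.Enabled -eq 1 -and $p.'7' -eq 1)
}

function Test-UefiCa2023InDb {
    # The Secure Boot DB is a raw signature list; the CA's subject name appears in it as ASCII.
    $db = Get-SecureBootUEFI -Name db
    return ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')
}

function Test-BootManagerSigned2023 {
    # Mount the EFI System Partition on a spare letter and inspect bootmgfw.efi's signer.
    $drive = 'S:'   # ASSUMPTION: S: is free on this host
    if (Test-Path $drive) { throw "$drive is already in use; choose another letter" }
    mountvol $drive /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$drive\EFI\Microsoft\Boot\bootmgfw.efi"
        return ($sig.SignerCertificate.Subject -match 'Windows UEFI CA 2023')
    } finally {
        mountvol $drive /D | Out-Null
    }
}

function Test-Kb5082063RecoveryRisk {
    $os   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $pcr7 = Get-Pcr7Configuration
    $r = [pscustomobject]@{
        BitLockerOn           = ($os.ProtectionStatus -eq 'On')
        RecoveryPasswordSaved = [bool]($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        Pcr7PolicyApplied     = Test-Pcr7PolicyPresent
        Pcr7Configuration     = $pcr7
        UefiCa2023InDb        = Test-UefiCa2023InDb
        BootMgrSigned2023     = Test-BootManagerSigned2023
    }
    # All five advisory conditions must hold for the one-time recovery prompt to occur.
    $atRisk = $r.BitLockerOn -and $r.Pcr7PolicyApplied -and ($pcr7 -match 'Not Possible') -and
              $r.UefiCa2023InDb -and (-not $r.BootMgrSigned2023)
    $r | Add-Member -NotePropertyName AtRisk -NotePropertyValue $atRisk
    return $r
}

$result = Test-Kb5082063RecoveryRisk
$result | Format-List
if ($result.AtRisk) {
    Write-Warning 'Device matches the KB5082063 recovery condition: remove the PCR7 platform validation policy (or apply the Known Issue Rollback) before installing the update.'
    if (-not $result.RecoveryPasswordSaved) {
        Write-Warning 'No recovery password protector found; add and escrow one before patching.'
    }
    # To escrow an existing recovery password to AD DS before patching (domain-joined hosts):
    #   $kp = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    #         Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    #   Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $kp.KeyProtectorId
}
```

The check is deliberately read-only apart from the temporary ESP mount. On a domain-joined server the PCR7 policy should be removed in Group Policy Management rather than by editing the registry locally, since the next policy refresh would reapply it; the script only tells you whether the device is in scope and whether a recovery password is on hand for the one-time prompt.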