Microsoft has confirmed that certain Windows Server 2025 devices may prompt for BitLocker recovery keys after installing the April 2026 KB5082063 security update. The issue occurs only on systems meeting specific configuration criteria: BitLocker enabled on the OS drive, a Group Policy setting that includes PCR7 in the TPM platform validation profile, Secure Boot State PCR7 Binding reported as “Not Possible” by msinfo32.exe, and the presence of the Windows UEFI CA 2023 certificate in the Secure Boot Signature Database.
The company clarified that affected devices will only require the recovery key on the first reboot after the update, with subsequent restarts proceeding normally as long as the Group Policy configuration remains unchanged. This behavior stems from an unintended interaction between the update and certain BitLocker Group Policy settings, particularly those involving TPM platform validation for native UEFI firmware.
Similar BitLocker recovery prompts have also been reported in connection with recent Windows 11 and Windows 10 updates, including KB5083769 and KB5082052, which Microsoft acknowledged can trigger recovery screens on some systems due to incorrect validation profile handling.
While the issue affects a limited subset of devices, Microsoft advises administrators to verify their BitLocker and TPM configurations and to have recovery keys available before deploying the April updates. The company emphasized that the recovery prompt is a one-time requirement under the specified conditions and does not indicate a broader security flaw in BitLocker itself.
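The following PowerShell script is an added example of the pre-deployment check an administrator could run, not code from Microsoft or from its advisory. It tests each of the four conditions the article lists and, when a recovery password protector exists, escrows it to Active Directory before the update reboot. Assumptions that are not stated on the page: the BitLocker and SecureBoot PowerShell modules are available on the server, the PCR7 state is read from the "PCR7 Configuration" line of an msinfo32 /report export, and the "Configure TPM platform validation profile for native UEFI firmware configurations" policy stores its PCR list as DWORD values under the registry subkey named in the script.

```powershell
# Added example (not Microsoft's code): check a Windows Server 2025 host for
# the four conditions under which KB5082063 triggers a BitLocker recovery
# prompt, then escrow the recovery password if all four apply. Run elevated.
#Requires -RunAsAdministrator

$findings = [ordered]@{}

# 1. BitLocker protection on the OS drive.
$osDrive = $env:SystemDrive
$vol = Get-BitLockerVolume -MountPoint $osDrive
$findings['BitLockerOn'] = ($vol.ProtectionStatus -eq 'On')

# 2. Group Policy: PCR7 selected in the native UEFI platform validation profile.
#    ASSUMPTION: the policy writes one DWORD per PCR under this subkey.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$pcr7InProfile = $false
if (Test-Path $gpoKey) {
    $props = Get-ItemProperty -Path $gpoKey
    $pcr7InProfile = ($props.PSObject.Properties.Name -contains '7') -and ($props.'7' -eq 1)
}
$findings['PolicyPcr7Configured'] = $pcr7InProfile

# 3. PCR7 binding as msinfo32 reports it. "msinfo32 /report" writes a text
#    export whose "PCR7 Configuration" line reads "Binding Not Possible" on
#    the affected machines.
$report = Join-Path $env:TEMP 'msinfo32-bitlocker-check.txt'
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
$pcr7Line = Select-String -Path $report -Pattern 'PCR7' | Select-Object -First 1
$findings['Pcr7Configuration'] = if ($pcr7Line) {
    ($pcr7Line.Line -replace '^\s*PCR7 Configuration\s*', '').Trim()
} else { 'unknown' }
$findings['Pcr7BindingNotPossible'] = ($findings['Pcr7Configuration'] -match 'Not Possible')
Remove-Item -Path $report -ErrorAction SilentlyContinue

# 4. Windows UEFI CA 2023 present in the Secure Boot signature database (db).
$dbBytes = (Get-SecureBootUEFI -Name db).Bytes
$findings['UefiCa2023InDb'] = ([System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023')

# 5. A recovery password protector must exist before the key can be escrowed.
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
$findings['RecoveryPasswordProtector'] = ($recovery.Count -gt 0)

$findings['MatchesAllFourConditions'] = $findings['BitLockerOn'] -and
    $findings['PolicyPcr7Configured'] -and
    $findings['Pcr7BindingNotPossible'] -and
    $findings['UefiCa2023InDb']

[pscustomobject]$findings | Format-List

# Escrow the recovery password to Active Directory before deploying the update.
# Entra-joined servers would use BackupToAAD-BitLockerKeyProtector instead.
if ($findings['MatchesAllFourConditions'] -and $recovery.Count -gt 0) {
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId
    }
    Write-Warning "Host matches all four conditions: expect a one-time recovery prompt on the first reboot after KB5082063."
}
```

The script reports each condition separately so that a host matching only some of them (for example, the 2023 CA in db but PCR7 binding still possible) is not flagged. The recovery-key escrow runs only when every condition holds, which keeps the check side-effect free on unaffected servers.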