
April updates trigger BitLocker recovery on some servers

Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.

BitLocker is a Windows security feature that encrypts storage drives to prevent data theft. Windows computers often enter BitLocker recovery mode after hardware changes or events such as TPM (Trusted Platform Module) updates or firmware changes: when the TPM's measurements of the boot path no longer match what BitLocker sealed the key against, the drive is not unlocked automatically and the user must enter the recovery key to regain access.

“Some devices with non-recommended BitLocker Group Policy settings may be required to enter their BitLocker recovery key on the first reboot after installing this update,” Microsoft said.


“In this case, the BitLocker recovery key only needs to be entered once — the next reboot will not trigger the BitLocker recovery screen, as long as the group policy settings remain unchanged.”

However, as the company explained, this only happens in a specific configuration, on systems where all of the following conditions are met:

  1. BitLocker is enabled on the OS drive.
  2. The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and PCR7 is included in the validation profile (or the equivalent registry key has been set manually).
  3. System Information (msinfo32.exe) reports the Secure Boot State PCR7 Binding as "Not Possible".
  4. The Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database (DB), making the device eligible to switch to the 2023-signed Windows Boot Manager by default.
  5. The device is not yet booting with the 2023-signed Windows Boot Manager.
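The following PowerShell script is an added example, not code from Microsoft or from the article, that triages a server against the five conditions above so an administrator can find exposed machines before rolling out KB5082063. It assumes the policy in condition 2 is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI (one DWORD per PCR), that the msinfo32 report line is titled "PCR7 Configuration", that the ESP can be mounted at S:, and that the 2023-signed boot manager carries "Windows UEFI CA 2023" in its signer chain; verify those assumptions on your own build before trusting the result.

```powershell
#Requires -RunAsAdministrator
# Added example: check a Windows Server 2025 host for the KB5082063 BitLocker recovery conditions.
# Registry path, msinfo32 line title, ESP drive letter and certificate name are assumptions.

$r = [ordered]@{}

# Condition 1: BitLocker enabled on the OS drive.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$r.BitLockerOn = ($osVol.ProtectionStatus -eq 'On')

# Condition 2: platform validation profile policy enabled with PCR7 included.
# Assumption: the policy (or a manual registry edit) lands under this key, values "0".."23" = 1 per PCR.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$r.PolicyEnabled = $false
$r.Pcr7InPolicy  = $false
if (Test-Path $polKey) {
    $pol = Get-ItemProperty -Path $polKey
    $r.PolicyEnabled = ($pol.Enabled -eq 1)
    $r.Pcr7InPolicy  = ($pol.'7' -eq 1)
}

# Cross-check: the PCR profile BitLocker is actually using (manage-bde prints "PCR Validation Profile:").
$mbde = (manage-bde -protectors -get $env:SystemDrive 2>&1) | Out-String
$m = [regex]::Match($mbde, 'PCR Validation Profile:\s*([^\r\n]+)')
$r.ActivePcrProfile = if ($m.Success) { $m.Groups[1].Value.Trim() } else { 'unknown' }

# Condition 3: msinfo32 reports PCR7 binding as "Not Possible".
# msinfo32 /report writes a UTF-16 text file; this can take a while on a busy server.
$report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
$pcr7Line = Get-Content -Path $report -Encoding Unicode |
            Where-Object { $_ -match '^PCR7 Configuration' } | Select-Object -First 1
$r.Pcr7Line        = $pcr7Line
$r.Pcr7NotPossible = [bool]($pcr7Line -match 'Not Possible')

# Condition 4: Windows UEFI CA 2023 present in the Secure Boot DB.
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$r.Ca2023InDb = [bool]($db -match 'Windows UEFI CA 2023')

# Condition 5: which boot manager is installed on the ESP.
# Assumption: the 2023-signed bootmgfw.efi has "Windows UEFI CA 2023" in its signer subject or issuer.
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    $chain = "$($sig.SignerCertificate.Subject) $($sig.SignerCertificate.Issuer)"
    $r.BootMgrSigner = $sig.SignerCertificate.Subject
    $r.BootMgr2023   = [bool]($chain -match 'Windows UEFI CA 2023')
} finally {
    mountvol $esp /D | Out-Null
}

# All five must hold for the known issue to apply.
$r.AtRisk = $r.BitLockerOn -and $r.PolicyEnabled -and $r.Pcr7InPolicy -and
            $r.Pcr7NotPossible -and $r.Ca2023InDb -and (-not $r.BootMgr2023)

[pscustomobject]$r | Format-List
if ($r.AtRisk) {
    Write-Warning "This host matches all KB5082063 recovery conditions; apply the workaround before installing the update."
}
```

Run the script elevated before the update window; a host where AtRisk is True is one that would prompt for the recovery key on its first reboot, and the manage-bde line shows whether the policy has actually pinned PCR7 into the active profile. Have the recovery key for the OS volume at hand in any case, since a false negative in the assumptions above would otherwise leave the server waiting at the recovery screen.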

Microsoft added that this known issue is unlikely to affect personal devices, as the affected settings are typically found on systems managed by corporate IT teams.

BitLocker recovery screen (Microsoft)

The company is working on a fix for this issue and has shared temporary workarounds that let administrators install this month's security updates without triggering recovery.

Administrators are advised to remove the Group Policy configuration before installing the KB5082063 update, and then to confirm that the BitLocker binding uses the PCR7 profile by following Microsoft's documented steps.

Those who cannot remove the PCR7 Group Policy before installation can deploy Known Issue Rollback (KIR) on affected devices to prevent the switch to the 2023-signed Boot Manager and so avoid triggering BitLocker recovery.

In May 2025, Microsoft released emergency updates to address a similar issue that caused Windows 10 systems to boot into BitLocker recovery after installing the May 2025 security updates.

One year earlier, in August 2024, Microsoft fixed another known issue that caused BitLocker recovery prompts on all supported versions of Windows after installing the July 2024 Windows security updates.

In August 2022, Windows devices were likewise prompted for their BitLocker recovery keys after installing the KB5012170 security update.
