Microsoft fixes bug causing BitLocker recovery prompts on Windows Server 2025

Microsoft has resolved a known issue that caused some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update.
BitLocker is a security feature that encrypts storage drives to prevent data theft. It often forces Windows computers into recovery mode after hardware changes or events such as TPM (Trusted Platform Module) updates, and the recovery key must then be entered to regain access to protected drives that no longer unlock automatically.
“Some devices with a non-recommended setting of BitLocker Group Policy may be required to enter their BitLocker recovery key on restart after installing this update,” Microsoft said when it acknowledged the issue after the April 2026 Patch Tuesday.

“In this case, the BitLocker recovery key only needs to be entered once — the next reboot will not trigger the BitLocker recovery screen, as long as the group policy settings remain unchanged.”
Although the issue may also affect certain systems running Windows 11, Microsoft says it is unlikely to affect personal devices, as the affected configurations are mostly found on business systems managed by corporate IT teams.
As Microsoft explained at the time, this only happens on devices where all of the following conditions are met:
- BitLocker is enabled on the OS drive.
- The Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” is configured and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
- System Information (msinfo32.exe) reports the PCR7 Configuration as “Binding Not Possible”.
- The Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database (DB), making the device eligible to have the 2023-signed Windows Boot Manager made the default.
- The device is not yet running the 2023-signed Windows Boot Manager.

During this month’s Patch Tuesday, two months after confirming the issue, Microsoft resolved this bug in the KB5094125 (Windows Server 2025) and KB5093998 (Windows 11 23H2) cumulative updates.
“This update addresses an issue where some devices may enter BitLocker recovery after updating the boot files on systems with certain Trusted Platform Module (TPM) authentication settings, including an invalid PCR7 (Platform Configuration Register 7) configuration,” Microsoft said in the updated advisory.
“To prevent unexpected BitLocker recovery key prompts, devices with this incompatible group policy setting are prevented from installing the 2023-signed Windows Boot Manager. If your device has been affected, you will see event ID 1032 in the System event log when you install Windows updates,” a service note seen by BleepingComputer added.
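The following script is an added example, not code from the article or from Microsoft. It checks a single machine against the five conditions listed above and looks for the event ID 1032 that the service note describes, so an administrator can see whether a device is exposed before deploying the updates. The registry key used for the Group Policy, the `manage-bde` output string used to infer PCR7 binding, the certificate subject string, and the drive letter used to mount the EFI system partition are assumptions; verify them against your own environment.

```powershell
# Added example (not from the article or Microsoft): read-only checks for the
# advisory's conditions. Run from an elevated PowerShell on Windows 11 / Server 2025.
#Requires -RunAsAdministrator

function Test-BitLockerPcr7Exposure {
    $result = [ordered]@{}

    # 1. BitLocker enabled (protection on) for the OS drive
    $osVol = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $result.BitLockerOnOsDrive = [bool]($osVol -and $osVol.ProtectionStatus -eq 'On')

    # 2. "Configure TPM platform validation profile for native UEFI firmware
    #    configurations" configured with PCR7 selected.
    #    Assumption: the policy is stored under ...\Policies\Microsoft\FVE\OSPlatformValidation_UEFI
    #    with a DWORD named "7" set to 1 when PCR7 is part of the profile.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $result.PolicyConfigured   = [bool]$pol
    $result.PolicyIncludesPcr7 = [bool]($pol -and $pol.'7' -eq 1)

    # 3. Actual PCR7 binding. msinfo32 reports "PCR7 Configuration: Binding Not Possible"
    #    on affected devices; here we infer binding from manage-bde, which (assumed
    #    output string) prints "Uses Secure Boot for integrity validation" when the
    #    OS drive's TPM protector is bound to PCR7.
    $mbde = & manage-bde.exe -protectors -get $osVol.MountPoint 2>$null
    $result.Pcr7Bound = [bool]($mbde -match 'Uses Secure Boot for integrity validation')

    # 4. Windows UEFI CA 2023 present in the Secure Boot DB
    $db = Get-SecureBootUEFI -Name db
    $result.UefiCa2023InDb = [bool]([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')

    # 5. Which CA signed the boot manager currently on the EFI system partition.
    #    Assumption: drive letter S: is free; the 2023 CA subject contains "Windows UEFI CA 2023".
    $esp = 'S:'
    & mountvol.exe $esp /s | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        $result.BootMgr2023Signed = [bool]($sig.SignerCertificate.Subject -match 'Windows UEFI CA 2023')
    } finally {
        & mountvol.exe $esp /d | Out-Null
    }

    # 6. Event ID 1032 in the System log, which the service note says marks a blocked device.
    #    Assumption: filtering on the ID alone; other providers may reuse the number.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1032 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.Event1032Seen = [bool]$evt

    # The known issue needs all five advisory conditions at once:
    # BitLocker on, PCR7 in the policy, PCR7 not actually bound, 2023 CA in DB,
    # and the 2023-signed boot manager not yet in use.
    $result.MatchesKnownIssue = $result.BitLockerOnOsDrive -and $result.PolicyIncludesPcr7 -and
        (-not $result.Pcr7Bound) -and $result.UefiCa2023InDb -and (-not $result.BootMgr2023Signed)

    [pscustomobject]$result
}

Test-BitLockerPcr7Exposure | Format-List
```

A device that reports `MatchesKnownIssue : True` is the case the advisory describes: the policy asks for PCR7 but the protector cannot bind to it, so switching the boot manager forces a recovery prompt. Before trusting the result, confirm the three assumed strings (the registry key, the `manage-bde` phrase and the certificate subject) on one known-good and one known-affected machine.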
IT administrators who have not been able to deploy this month’s updates that fix the problem are advised to remove the Group Policy configuration before installing KB5082063 and the latest updates, and to ensure that the BitLocker binding uses the PCR7 profile.
Those who cannot remove the Group Policy before deployment can use Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023-signed Boot Manager that triggers the BitLocker recovery prompt.
In August 2024, Microsoft addressed another known issue that caused devices on all supported versions of Windows to boot into BitLocker recovery after installing the July 2024 security updates.
More recently, in May 2025, Microsoft released emergency updates to address the same problem, which caused Windows 10 systems to boot into BitLocker recovery after installing the May 2025 security updates.
