Microsoft’s April 2026 security updates are causing an unpleasant surprise for some organizations: certain Windows Server 2025 systems and Windows PCs are suddenly being pushed into BitLocker recovery after the first restart.
Microsoft confirmed the issue on April 15, 2026, after reports that the April 14 update for Windows Server 2025 (KB5082063) can trigger a BitLocker recovery prompt immediately after installation. The same behavior can also appear on Windows 11 systems with KB5083769 or KB5082052 installed under similar conditions. When this happens, the device won’t finish booting until the 48-digit BitLocker recovery key is entered—an especially disruptive scenario for administrators managing remote servers or large fleets.
The good news is that Microsoft says the recovery screen typically appears only once: on the first reboot after applying the update. After that, reboots should proceed normally, as long as no additional Group Policy changes are made.
Why it’s happening, and who is most likely affected
Microsoft doesn’t expect most home users to run into this. The issue is tied to a very specific enterprise-style configuration, and it generally occurs only when all of the following conditions are true:
1) BitLocker is enabled on the operating system drive
2) A Group Policy setting for TPM (Trusted Platform Module) platform validation is configured to include PCR7
3) The System Information tool (msinfo32.exe) reports “Secure Boot State PCR7 Binding” as “Not Possible”
4) The Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database
5) The device is not already using the 2023-signed Windows Boot Manager
In other words, this is largely an enterprise-managed Windows and Windows Server problem where Secure Boot and TPM validation policies are tightly controlled.
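For fleet planning, the five conditions above can be applied to inventory data that has already been collected. The sketch below is an added example, not Microsoft's tooling: the CSV column names, hostnames and sample values are assumptions made up for illustration. It flags hosts where all five conditions hold and keeps hosts with missing data in a separate review bucket instead of clearing them.

```python
import csv
import io

# The five conditions from the article, keyed by hypothetical inventory column names.
CONDITIONS = {
    "bitlocker_os_drive": "BitLocker enabled on the OS drive",
    "gpo_pcr7": "TPM platform validation Group Policy includes PCR7",
    "pcr7_binding_not_possible": 'msinfo32 reports PCR7 binding "Not Possible"',
    "uefi_ca_2023_in_db": "Windows UEFI CA 2023 present in Secure Boot db",
    "boot_manager_not_2023": "not yet on the 2023-signed Boot Manager",
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def tri(value):
    """Map an inventory cell to True, False, or None (unknown / not collected)."""
    v = (value or "").strip().lower()
    return True if v in TRUE else False if v in FALSE else None

def classify(row):
    """Return (verdict, conditions) for one host row."""
    state = {col: tri(row.get(col)) for col in CONDITIONS}
    not_met = [CONDITIONS[c] for c, v in state.items() if v is False]
    unknown = [CONDITIONS[c] for c, v in state.items() if v is None]
    if not_met:   # one condition that is false is enough to clear the host
        return "not-expected", not_met
    if unknown:   # cannot be cleared until the missing facts are collected
        return "needs-review", unknown
    return "expect-recovery", list(CONDITIONS.values())

def triage(csv_text):
    """Classify every host in a CSV inventory export."""
    return {r["host"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory (hostnames and values are invented for illustration).
SAMPLE = """host,bitlocker_os_drive,gpo_pcr7,pcr7_binding_not_possible,uefi_ca_2023_in_db,boot_manager_not_2023
srv-a,yes,yes,yes,yes,yes
srv-b,yes,no,yes,yes,yes
srv-c,yes,yes,,yes,yes
pc-d,no,,,,
"""

if __name__ == "__main__":
    for host, (verdict, detail) in triage(SAMPLE).items():
        print(f"{host:6} {verdict:16} {'; '.join(detail)}")
```

Hosts in the expect-recovery and needs-review buckets are the ones to confirm recovery key access for before the update is rolled out.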
Recommended workarounds while Microsoft works on a permanent fix
Microsoft is advising IT admins to remove the PCR7 Group Policy configuration before rolling out KB5082063, and to confirm that BitLocker bindings are using the PCR7 profile. For organizations that can’t make those policy changes before deployment, Microsoft has also provided a Known Issue Rollback (KIR) through its business support channels.
The KIR is designed to prevent the automatic switch to the 2023 Boot Manager and stop the BitLocker recovery prompt from appearing. Microsoft says a permanent fix is being developed and will be delivered in a future Windows update.
Another April update problem: install failures on Windows Server 2025
Separately, Microsoft has acknowledged that some Windows Server 2025 systems may fail to install the April 2026 update entirely, showing error code 800F0983 during installation. The company says it is still investigating what’s causing that failure.
A familiar pattern with Patch Tuesday and BitLocker
This isn’t the first time a monthly Windows security release has unexpectedly triggered BitLocker recovery. Similar incidents have been seen multiple times over the last few years, including cases tied to updates released in August 2022, July 2024, and May 2025. For many IT teams, it’s become a recurring type of disruption that can quickly escalate into downtime if recovery keys aren’t readily accessible.
Still, Microsoft is not recommending that organizations skip the April 2026 security updates. The patch bundle addresses 167 vulnerabilities and includes fixes for two zero-day flaws, one of which was reportedly exploited before the update became available. For most environments, that security value means the updates remain important—just with extra caution, testing, and BitLocker recovery planning before deployment.






