VYPR · patch · Published Jun 11, 2026 · 1 source

Microsoft fixes BitLocker recovery bug on Windows Server 2025

Microsoft has resolved a known issue causing some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update. The bug forced affected systems to prompt for the BitLocker recovery key on every restart, disrupting enterprise operations. The fix is included in the June 9, 2026 optional update (KB5067622) and addresses a patch-related encryption state mismatch.

BitLocker encrypts storage drives to prevent data theft. It typically forces a Windows computer into recovery mode after hardware changes or events such as TPM (Trusted Platform Module) updates, so that access to a protected drive can be regained when the default unlock mechanism no longer applies. The issue specifically affected devices with an unrecommended BitLocker Group Policy configuration, where the TPM validation profile included PCR7 (Platform Configuration Register 7) but the system's Secure Boot State PCR7 Binding was reported as "Not Possible."

"Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft said when it acknowledged this issue after the April 2026 Patch Tuesday. "In this scenario, the BitLocker recovery key only needs to be entered once -- subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged."

While this issue may also affect some systems running Windows 11, Microsoft says it's unlikely to impact personal devices, as affected configurations are typically found only on enterprise systems managed by corporate IT teams. The conditions included BitLocker enabled on the OS drive, the Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" configured with PCR7 included, and the presence of the Windows UEFI CA 2023 certificate in the device's Secure Boot Signature Database.

During this month's Patch Tuesday, two months after confirming the issue, Microsoft resolved this bug in the KB5094125 (Windows Server 2025) and KB5093998 (Windows 11 23H2) cumulative updates. "This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations," Microsoft said in updated advisories.

IT admins who can't yet deploy this month's updates to fix the issue are advised to remove the Group Policy configuration before installing KB5082063 and later updates, and to ensure that BitLocker bindings use the PCR7 profile. Those who can't remove the group policy before deployment can also apply a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager, which triggers the BitLocker recovery prompts.
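As an added example, not code from the article or from Microsoft, the following PowerShell script reports whether a host matches the conditions the article lists (BitLocker on the OS drive with a TPM protector, a TPM validation profile that includes PCR7, and the Windows UEFI CA 2023 certificate in the Secure Boot db), so an admin can triage machines before deploying the update. It assumes an elevated session and English-language manage-bde output; the "Not Possible" PCR7 binding state itself is read manually from msinfo32 (System Summary, "PCR7 Configuration").

```powershell
# Added triage script (not from the article or from Microsoft). Run elevated.
# Assumes English manage-bde output; the PCR7 binding state ("Not Possible")
# is checked manually in msinfo32 under System Summary, "PCR7 Configuration".

function Get-OsDrivePcrValidationProfile {
    # Parse the "PCR Validation Profile:" block from manage-bde. The PCR list
    # normally sits on the line after the label, so fall back to that line.
    $out = @(& manage-bde.exe -protectors -get $env:SystemDrive 2>$null)
    for ($i = 0; $i -lt $out.Count; $i++) {
        if ($out[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            $list = $Matches[1].Trim()
            if (-not $list -and ($i + 1) -lt $out.Count) { $list = $out[$i + 1].Trim() }
            return @(($list -split ',\s*') | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
        }
    }
    return @()
}

function Test-OsDriveBitLockerWithTpm {
    # True when the OS volume is protected and has a TPM-based key protector.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpm = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    return ($vol.ProtectionStatus -eq 'On') -and ($null -ne $tpm)
}

function Test-WindowsUefiCa2023InDb {
    # Search the Secure Boot signature database for the 2023 CA subject string.
    $db = Get-SecureBootUEFI -Name db
    return ([System.Text.Encoding]::ASCII.GetString($db.bytes) -match 'Windows UEFI CA 2023')
}

$pcrs = Get-OsDrivePcrValidationProfile
$findings = [ordered]@{
    'BitLocker on OS drive with TPM protector' = Test-OsDriveBitLockerWithTpm
    'TPM validation profile includes PCR7'     = ($pcrs -contains 7)
    'Windows UEFI CA 2023 present in db'       = Test-WindowsUefiCa2023InDb
}
$findings.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }

if (($findings.Values | Where-Object { -not $_ }).Count -eq 0) {
    Write-Warning ('All listed conditions match: check PCR7 Configuration in msinfo32 and ' +
                   'confirm the recovery key is escrowed before installing the update.')
}
```

A host where every line reads True is a candidate for removing the Group Policy setting or applying the KIR before the update is pushed.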

In August 2024, Microsoft addressed another known issue that triggered BitLocker recovery prompts across all supported Windows versions after installing the July 2024 security updates. More recently, in May 2025, Microsoft released emergency updates to address a similar issue causing Windows 10 systems to enter BitLocker recovery after installing the May 2025 security updates. This latest fix underscores the ongoing challenge of maintaining BitLocker stability across Windows Server and client platforms, particularly as Microsoft updates boot managers and TPM validation profiles.

Synthesized by Vypr AI