Microsoft’s April 2026 Patch Tuesday Nightmare: BitLocker Recovery Locks Out Windows Server 2025 Admins After KB5082063


Microsoft's April 2026 Windows update has triggered unexpected BitLocker recovery prompts on some Windows Server 2025 and Windows devices

A routine security update has turned into an IT admin’s worst nightmare. Microsoft confirms that the April 2026 Patch Tuesday update is forcing some Windows Server 2025 and Windows 11 devices into BitLocker recovery mode, demanding a 48-digit recovery key just to boot.

Published: April 19, 2026

It’s a scenario that keeps every system administrator awake at night: you push a critical security update, reboot the server, and instead of a login screen, you’re met with a dreaded BitLocker recovery prompt. For a growing number of Windows Server 2025 users who installed KB5082063 – the April 2026 security update released on April 14 – that nightmare became a reality.

Microsoft confirmed the issue on April 15, 2026, acknowledging that under a specific set of conditions, the update triggers an unexpected BitLocker recovery mode on the first reboot after installation. The problem also extends to Windows 11 systems that received updates KB5083769 and KB5082052 under the same circumstances.

When a device enters BitLocker recovery, the boot sequence halts and will not continue until someone enters the 48-digit recovery password for that volume. In most organizations that password is escrowed in Active Directory, in Microsoft Entra ID (formerly Azure AD), or printed and locked in a safe, but locating the right one (the recovery screen shows a key ID, not the password) and typing 48 digits correctly under pressure is no one's idea of a good time.

The good news? Microsoft says the recovery prompt only appears on the very first restart after the update. Subsequent reboots should proceed normally – as long as no further Group Policy changes are made. But for admins managing hundreds or thousands of servers, that “first reboot” can still mean a cascade of helpdesk tickets and late-night firefighting.
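The lookup the previous paragraphs describe, for the AD DS case, as an added example (this is not code from the article or from Microsoft): the blue recovery screen shows a "Recovery key ID"; the script below takes that ID (or just its first eight characters, which is all older builds display) plus the server name and returns the matching 48-digit password. It assumes recovery information is escrowed to AD DS as msFVE-RecoveryInformation child objects of the computer account and that the RSAT ActiveDirectory module is installed on the admin workstation.

```powershell
# Added example, not Microsoft's tooling: find an escrowed BitLocker recovery
# password in AD DS from the key ID shown on the recovery screen.
# Assumptions: keys are escrowed to AD DS (not only Entra ID) and the RSAT
# ActiveDirectory module is available.
param(
    [Parameter(Mandatory)] [string] $ComputerName,  # e.g. SRV01
    [Parameter(Mandatory)] [string] $KeyIdPrefix    # full GUID or its first 8 hex chars
)
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName

# Each escrowed key is a child object named "<timestamp>{<recovery GUID>}".
$keys = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
            -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

$match = $keys | Where-Object {
    # msFVE-RecoveryGuid is stored as byte[]; cast to [guid] to compare with the
    # (lower-case, hyphenated) ID the recovery screen prints.
    ([guid]$_.'msFVE-RecoveryGuid').ToString().StartsWith($KeyIdPrefix.ToLower())
}

if (-not $match) {
    throw "No escrowed recovery key on $ComputerName starts with '$KeyIdPrefix'"
}

$match | Select-Object 'whenCreated',
    @{ n = 'KeyId';            e = { ([guid]$_.'msFVE-RecoveryGuid').ToString() } },
    @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
```

Run it as `.\Get-EscrowedKey.ps1 -ComputerName SRV01 -KeyIdPrefix 4B1A2C3D` from an account that has read access to the msFVE-RecoveryPassword attribute (by default only Domain Admins, or whoever has been delegated it). If the lookup returns nothing, the key was never escrowed and the only remaining copies are whatever was printed or saved when BitLocker was turned on.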


Who Is Affected? (And Why Your Home PC Is Probably Safe)

Microsoft has been careful to note that this is not a widespread consumer issue. The BitLocker recovery trigger only occurs when all five of the following conditions are met simultaneously:

  1. BitLocker is enabled on the operating system drive.
  2. The Group Policy setting for TPM (Trusted Platform Module) platform validation is configured to include PCR7.
  3. The PCR7 Configuration line in the system information tool (msinfo32.exe) reads “Binding Not Possible.”
  4. The Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database.
  5. The device is not already running the 2023-signed Windows Boot Manager.

These configurations are almost exclusively found on enterprise-managed systems with customized Secure Boot and TPM policies. In other words, your home gaming PC or small business server is unlikely to be affected. But for IT departments running Windows Server 2025 with strict BitLocker and Secure Boot settings, this has become an immediate operational headache.
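An added audit script (not Microsoft's, and not from the article) that checks the five conditions above on one server before the update is approved. It reads the msinfo32 report for the PCR7 line, searches the Secure Boot db for the 2023 CA, and checks which CA signed the boot manager on the EFI system partition; as a cross-check it also prints the PCR profile the live TPM protector is actually sealed to, because the Group Policy value and the sealed profile can differ. Assumptions, also marked in the code: the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with one DWORD per PCR index, S: is a free drive letter for mounting the ESP, and the 2023 CA is identified by the subject string "Windows UEFI CA 2023".

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script: audit one host for the five
# KB5082063 BitLocker-recovery conditions. Run elevated before approving the update.

$check = [ordered]@{}

# 1. BitLocker enabled on the OS volume
$osVol = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $osVol) { throw 'No operating-system volume reported by Get-BitLockerVolume' }
$check.BitLockerOn = [bool]($osVol.ProtectionStatus -eq 'On')

# 2. Group Policy "Configure TPM platform validation profile for native UEFI firmware
#    configurations" with PCR 7 selected. Assumption: the policy is written to this
#    registry key with one DWORD named after each PCR index.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$check.PolicyIncludesPcr7 = $false
if (Test-Path $pol) {
    $p = Get-ItemProperty -Path $pol
    $check.PolicyIncludesPcr7 = ($p.Enabled -eq 1) -and ($p.'7' -eq 1)
}

# 3. msinfo32 "PCR7 Configuration". msinfo32 is a GUI program, so wait for it to
#    finish writing the report before reading the file.
$report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
$pcr7Line = Get-Content -Path $report | Select-String -Pattern 'PCR7 Configuration' | Select-Object -First 1
$check.Pcr7Configuration = if ($pcr7Line) {
    ($pcr7Line.Line -replace '^\s*PCR7 Configuration\s*', '').Trim()
} else { 'unknown' }

#    Cross-check: the PCRs the existing TPM protector is really sealed to. manage-bde
#    prints the list on the line after "PCR Validation Profile:".
$mbde = @(& manage-bde.exe -protectors -get $osVol.MountPoint)
$hit  = $mbde | Select-String -Pattern 'PCR Validation Profile' | Select-Object -First 1
$check.LivePcrProfile = if ($hit) { $mbde[$hit.LineNumber].Trim() } else { 'no TPM protector' }

# 4. Windows UEFI CA 2023 present in the Secure Boot signature database (db)
$db = Get-SecureBootUEFI -Name db
$check.Ca2023InDb = [bool]([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')

# 5. Which CA signed the boot manager currently on the EFI system partition.
#    Assumption: S: is free; the ESP is mounted there only for the duration of the check.
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $esp 'EFI\Microsoft\Boot\bootmgfw.efi')
    $check.BootMgrSigner = $sig.SignerCertificate.Subject
} finally {
    mountvol $esp /D | Out-Null
}
$check.BootMgr2023 = [bool]($check.BootMgrSigner -match 'Windows UEFI CA 2023')

# All five true at once is the documented trigger.
$check.WillTriggerRecovery = $check.BitLockerOn -and
    $check.PolicyIncludesPcr7 -and
    ($check.Pcr7Configuration -match 'Not Possible') -and
    $check.Ca2023InDb -and
    -not $check.BootMgr2023

[pscustomobject]$check | Format-List
```

A host that reports WillTriggerRecovery as True is the one to deal with before the April update reaches it; a host where LivePcrProfile already shows "7, 11" has a working PCR7 binding and does not meet condition 3. Wrap the script in Invoke-Command to run it across a server list and keep the output, since the same five answers are what Microsoft Support will ask for when requesting the Known Issue Rollback.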

For a deeper technical dive into BitLocker Group Policy settings and TPM validation, Microsoft’s official documentation is an essential resource: Microsoft Learn – BitLocker documentation.


Microsoft’s Recommended Workarounds (Before You Install)

Microsoft isn’t waiting for a permanent fix – they’ve issued clear guidance and a rollback mechanism for those who haven’t yet installed the update, as well as for those already stuck.

If you haven’t installed KB5082063 yet:

Microsoft strongly recommends removing PCR7 from the Group Policy TPM platform validation profile before deploying the April update. Admins should also check which PCRs the existing TPM protector on each server is actually bound to (manage-bde -protectors -get C: lists them), because the policy value and the live binding are not necessarily the same. Once the policy is removed, install KB5082063, confirm the first reboot completes normally, and only then reapply the PCR7 setting.
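The pre-install sequence above, scripted for a single Windows Server 2025 host, as an added example (this is not Microsoft's script and goes one step beyond the advisory). Two choices here are the example's own, not Microsoft's guidance: the PCR7 policy is cleared through a local registry override because a domain GPO change may not arrive in time (Group Policy refresh will put it back, which is what you want after the reboot anyway), and BitLocker is suspended for exactly one reboot so that no PCR change of any kind, including the boot manager swap, can produce a recovery prompt. Suspending stores the volume master key in the clear on disk for that one boot, so decide whether that fits your risk tolerance. The MSU path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script: prepare one host for KB5082063.
# Assumptions: local registry override of the FVE policy is acceptable for the
# maintenance window, a one-reboot BitLocker suspension is acceptable, and the
# update is staged as an .msu at $Msu (placeholder path).
$Msu = 'C:\Patches\KB5082063.msu'

$os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if (-not $os) { throw 'No operating-system volume found' }

# 0. Never touch boot components without a recovery password on record.
$rp = $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $os.MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}
# Escrow to AD DS (needs the "Store BitLocker recovery information in AD DS" policy);
# BackupToAAD-BitLockerKeyProtector is the Entra ID equivalent.
Backup-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
Write-Host ("Recovery key ID on record: {0}" -f $rp.KeyProtectorId)

# 1. Clear PCR 7 from the TPM platform validation profile (local override of the GPO).
#    Assumption: same registry layout as the policy, one DWORD per PCR index.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
if (Test-Path $pol) {
    Set-ItemProperty -Path $pol -Name '7' -Value 0 -Type DWord
}

# 2. Belt and braces: suspend protection for the single reboot the update needs.
#    With the VMK in the clear for that boot, a changed PCR 4 or PCR 7 cannot
#    prompt for recovery. Protection resumes automatically on the next boot.
Suspend-BitLocker -MountPoint $os.MountPoint -RebootCount 1 | Out-Null

# 3. Install the update quietly without an immediate restart, then reboot on our terms.
$proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Msu`" /quiet /norestart" -Wait -PassThru
# 3010 = success, reboot required; 0 = already installed or no reboot needed
if ($proc.ExitCode -notin 0, 3010) {
    # Leave BitLocker suspended? No: re-arm it, the update did not apply.
    Resume-BitLocker -MountPoint $os.MountPoint | Out-Null
    throw "wusa.exe exit code $($proc.ExitCode) (0x{0:X8}); update not applied" -f $proc.ExitCode
}
Restart-Computer -Force
```

After the server comes back, confirm `(Get-BitLockerVolume C:).ProtectionStatus` reports On again and that the boot manager is now the 2023-signed one before letting Group Policy (or a manual `Set-ItemProperty ... -Name '7' -Value 1`) restore the PCR7 setting. If wusa fails with 0x800F0983, the BitLocker suspension is reverted by the script and the server is left exactly where it started, which keeps that separate installation issue from compounding this one.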

If you can’t remove the policy in time, or have already installed the update:

For organizations that cannot remove the policy before installing, and for devices that have already taken the update, Microsoft has made a Known Issue Rollback (KIR) available through its business support channels. The KIR prevents the automatic switch to the 2023-signed Boot Manager, which is what changes the measured boot state and triggers recovery, so the BitLocker screen does not appear on the first reboot. A device that has already been through the recovery prompt still needs its recovery key entered once; the KIR then stops the trigger from recurring on other devices in the estate.

A permanent fix is in development and will be delivered in a future Windows update. Microsoft has not yet announced a specific timeline, but given the severity, an out-of-band patch is possible.


Another Update Failing: Error 800F0983

As if BitLocker recovery wasn’t enough, Microsoft separately flagged that some Windows Server 2025 devices are failing to install the April update entirely. Affected systems return error code 0x800F0983 during installation, and the update rolls back without applying.

Microsoft says it is actively investigating the root cause of this separate installation failure. In the meantime, admins hitting 0x800F0983 are advised to check the Windows Update and servicing logs (Get-WindowsUpdateLog and C:\Windows\Logs\CBS\CBS.log) and to temporarily disable non-Microsoft security software while retrying, though no guaranteed fix has been provided yet.

You can follow Microsoft’s official support channels for updates on both issues at Microsoft.com.


A Recurring Problem: Fourth BitLocker Recovery Incident in Four Years

For long-time Windows admins, this news carries an uncomfortable sense of déjà vu. This marks the fourth time in four years that a Patch Tuesday update has triggered unexpected BitLocker recovery prompts:

  • August 2022 – KB5012170 (Secure Boot DBX update) caused BitLocker recovery on multiple Windows versions.
  • July 2024 – A Patch Tuesday update triggered recovery prompts across all supported Windows versions, including Windows 11 and Windows Server 2022.
  • May 2025 – Windows 10 systems were hit with nearly identical BitLocker recovery behavior after a cumulative update.

Each time, Microsoft has apologized, issued workarounds, and promised to improve testing. Yet the pattern persists, raising questions about whether the company’s Secure Boot and TPM validation testing pipelines adequately simulate the complex Group Policy and certificate configurations found in real-world enterprise environments.


Should You Skip the April Update? Microsoft Says No.

Despite the known BitLocker issues, Microsoft is not advising admins to skip the April 2026 security update, and for good reason. KB5082063 addresses 167 vulnerabilities, including:

  • Two zero-day flaws, one of which was actively exploited in the wild before the patch was available.
  • Multiple remote code execution (RCE) vulnerabilities in Windows Core Networking and the Windows Hyper-V hypervisor.
  • Elevation of privilege flaws in the Windows Common Log File System (CLFS) driver.

Skipping the update would leave servers exposed to known, weaponized exploits. Microsoft’s official stance is to apply the update but use the PCR7 policy removal or KIR workarounds to avoid the BitLocker recovery trigger.

For organizations that have already deployed the update and are now locked out, the KIR is available through Microsoft Support. For those planning to deploy, the extra step of auditing Group Policy for PCR7 settings is a small price to pay compared to the alternative of leaving 167 security holes unpatched.


Bottom Line for IT Admins

  • Check your Group Policy for PCR7 TPM validation settings before deploying KB5082063 (Windows Server 2025) or KB5083769/KB5082052 (Windows 11).
  • If PCR7 is configured, either remove it temporarily or contact Microsoft Support for the Known Issue Rollback.
  • Already hit the recovery screen? Enter the BitLocker recovery key to boot once; subsequent reboots proceed normally as long as the PCR7 policy isn’t changed again. Apply the KIR to prevent further triggers across the estate.
  • Error 800F0983? Microsoft is investigating – watch official channels for updates.
  • Don’t skip the April update – the security fixes (including an actively exploited zero-day) far outweigh the temporary inconvenience of a single recovery prompt.

As one Reddit admin put it over the weekend: “Fourth time in four years. At this point, I have a dedicated ‘BitLocker recovery key’ folder and a therapy fund.”

Let’s hope the permanent fix arrives before the fifth.


Sources: Microsoft Learn, Microsoft Support, official Microsoft advisory published April 15, 2026.


