Microsoft has confirmed that the April 2026 security update, identified as KB5082063, can cause some Windows Server 2025 machines to boot into BitLocker recovery after the patch is installed. This is not a widespread failure: the company points to a very specific interaction between the BitLocker configuration, certain Trusted Platform Module (TPM) settings and the UEFI Secure Boot chain.
BitLocker encrypts disks to protect data in case of theft or unauthorized access, and its recovery mechanism is triggered when Windows detects changes that could compromise boot integrity. For example, TPM updates or modifications to the boot manager can make the machine ask for the recovery key to ensure that whoever is accessing the system is authorized. If you want to review how BitLocker works, Microsoft maintains a technical guide online: official BitLocker documentation.

In this particular case, Microsoft explains that the boot into recovery mode happens only when several conditions are met at the same time: BitLocker is enabled on the operating system volume; a Group Policy setting configures the TPM platform validation profile for native UEFI firmware and that profile includes PCR7; the System Information tool (msinfo32.exe) reports that PCR7 binding for Secure Boot is not possible; and, in addition, the "Windows UEFI CA 2023" certificate is present in the Secure Boot signature database (DB), which makes the device eligible to switch to the boot manager signed with that certificate as its default boot manager, if it is not already the default. These conditions usually occur in corporate environments with hardened security policies and are uncommon on personal devices.
Microsoft notes that, on affected systems, the recovery key only needs to be entered once, at the first reboot after the update; it should not be requested on subsequent restarts as long as the policy setting does not change. You can read the official note about this problem and its recommendations in the update health notice: KB5082063 - Known issues.
The company has also published interim mitigations to avoid disruption in large-scale deployments. Among the options recommended to administrators is to remove the Group Policy setting that forces the PCR7 profile before installing the update, and to verify that BitLocker's TPM binding uses the PCR7 profile correctly. If that policy cannot be removed before updating, Microsoft suggests applying a Known Issue Rollback (KIR) to stop the system from automatically switching to the boot manager signed in 2023, and thus prevent BitLocker recovery from being triggered. More information on the Known Issue Rollback mechanism and its use is available on the Windows health page: Known Issue Rollback (KIR) - Windows.

This kind of incompatibility is not new in the recent history of Windows updates. Microsoft has had to issue emergency patches and workarounds in previous incidents that also caused boots into BitLocker recovery, such as those involving the May 2025 and July 2024 updates. An earlier case, the KB5012170 update, also left machines stuck on the recovery screen and left a trail in technical forums and reports; you can check the support article on that update to see how it was resolved: KB5012170 - support.
If you manage servers or workstations on a corporate network, it is reasonable to review your BitLocker and TPM policies now, before deploying KB5082063 at scale. Testing on a small controlled group and preparing a recovery plan (including having the BitLocker recovery keys securely accessible) can avoid surprises in production. For those who manage TPM platform policies and want to understand how PCR registers behave, the TPM PCR documentation is a useful technical reference: PCRs and TPM - Microsoft Docs.
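As an added example (not Microsoft's code and not part of the original article), the following PowerShell pre-flight script checks, on a Windows Server 2025 host, the four conditions listed above and reports whether a recovery password protector exists so it can be escrowed before the update is approved. Two details are assumptions: the registry location of the TPM platform validation profile policy is the one the BitLocker ADMX writes, and the manage-bde output text is used as a scriptable proxy for the msinfo32 "PCR7 Configuration" field, which has no documented cmdlet.

```powershell
#Requires -RunAsAdministrator
<#
  Pre-flight check for the KB5082063 BitLocker recovery known issue on Windows Server 2025.
  Added example, not Microsoft's code. Reports whether this host matches the affected
  combination and (optionally) escrows the recovery password to AD DS first.
#>
param(
    [switch]$EscrowRecoveryPassword   # back up recovery password(s) to AD DS if the host looks affected
)

$osDrive = $env:SystemDrive          # normally "C:"

# Condition 1: BitLocker protection is on for the OS volume.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$bitLockerOn = ($vol.ProtectionStatus -eq 'On')

# Condition 2: the Group Policy "Configure TPM platform validation profile for native UEFI
# firmware configurations" is enabled and includes PCR7. Registry path and value names are
# those written by the BitLocker ADMX (VolumeEncryption.admx); assumed here, verify on your build.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$policyForcesPcr7 = ($null -ne $policy) -and ($policy.Enabled -eq 1) -and ($policy.PCR7 -eq 1)

# Condition 3: msinfo32 shows "PCR7 Configuration: Binding Not Possible". That field has no
# documented cmdlet, so two scriptable proxies are used: Secure Boot state, and whether the
# current TPM protector actually validates via Secure Boot (PCR7) according to manage-bde.
$secureBootOn = $false
try { $secureBootOn = [bool](Confirm-SecureBootUEFI) } catch { }   # throws on non-UEFI firmware
$protectorText = (& manage-bde.exe -protectors -get $osDrive 2>&1) -join "`n"
$tpmBoundToPcr7 = $protectorText -match 'Uses Secure Boot for integrity validation'

# Condition 4: "Windows UEFI CA 2023" is present in the Secure Boot signature database (db).
# The subject name is stored as ASCII inside the DER certificate, so a byte-string search works.
$ca2023InDb = $false
try {
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $ca2023InDb = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
} catch { }

# Recovery plan: is there a numerical recovery password an administrator can retrieve?
$recoveryProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

$likelyAffected = $bitLockerOn -and $policyForcesPcr7 -and (-not $tpmBoundToPcr7) -and $ca2023InDb

$report = [pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    BitLockerOnOsVolume   = $bitLockerOn
    PolicyForcesPcr7      = $policyForcesPcr7
    SecureBootEnabled     = $secureBootOn
    TpmProtectorUsesPcr7  = $tpmBoundToPcr7
    WindowsUefiCa2023InDb = $ca2023InDb
    RecoveryPasswordCount = $recoveryProtectors.Count
    LikelyAffected        = $likelyAffected
}
$report | Format-List

if ($likelyAffected) {
    Write-Warning "Expect a one-time BitLocker recovery prompt on the first reboot after KB5082063."
    Write-Warning "Confirm the msinfo32 'PCR7 Configuration' value and keep the recovery key at hand, or remove the PCR7 policy before updating."
}

if ($EscrowRecoveryPassword -and $likelyAffected -and $recoveryProtectors.Count -gt 0) {
    # Escrow to AD DS (requires a domain-joined host with the AD backup policy enabled).
    # Use BackupToAAD-BitLockerKeyProtector instead on Microsoft Entra joined machines.
    foreach ($p in $recoveryProtectors) {
        Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId
    }
}
```

Run it from an elevated session on a pilot host first; a `LikelyAffected` of `True` with `RecoveryPasswordCount` of 0 is the combination to fix before the update is approved, since there would be no recovery password to retrieve at the first reboot.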