Skip to main content
TechnologyApr 16, 2026· 3 min read

Windows Updates in April Force BitLocker Recovery: Affected Windows Server as Well

The release of April 2026's Patch Tuesday has brought an unexpected side effect for a specific group of Windows users. Microsoft has officially confirmed that the installation of the latest cumulative packages, particularly KB5083769 and KB5082052 for Windows 11, can trigger the request for the BitLocker recovery key upon the first system reboot. The issue is not limited to the latest version of the operating system (also affecting Windows 10 via patch KB5082200) but extends to the enterprise space impacting Windows Server 2022 and Windows Server 2025.

The criticality does not impact every installation indiscriminately; rather, it manifests exclusively on machines that exhibit a precise combination of technical factors and security configurations. According to an internal analysis from Redmond, the crux of the issue involves a non-recommended configuration of the Group Policies related to the TPM (Trusted Platform Module). Specifically, the conflict arises when the system attempts to validate the UEFI platform profile by including the PCR7 register in environments where its binding is marked as "Not Possible" within the system information (msinfo32.exe).

Microsoft confirms: the April updates force BitLocker recovery. For a device to be subjected to the recovery loop, five specific conditions must coexist. In addition to the obvious activation of BitLocker on the operating system drive, the machine must have the policy "Configure TPM Platform Validation Profile for native UEFI firmware configurations" active with PCR7 included in the validation profile. The crucial piece is the presence of the Windows UEFI CA 2023 certificate in the Secure Boot signature database (DB). This certificate qualifies the device for transition to the new Windows Boot Manager signed in 2023, but if the machine is not already running that version of the Boot Manager, the April update generates a discrepancy in security bindings that BitLocker interprets as a potential tampering, blocking access to the data.

Although Microsoft reassures that the recovery key needs to be entered only once to restore proper functionality, the impact on large corporate fleets can prove burdensome for IT departments. For this reason, a preventive mitigation procedure was released for those who have not yet deployed the updates.

The recommended solution to prevent locking involves modifying the policy configuration before proceeding with the download of the implicated KBs. Administrators must access the Local Group Policy Editor (gpedit.msc) or the Management Console and navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. In this section, the option related to the TPM platform validation profile must be set to "Not Configured".

Once the policy has been modified, it is necessary to force the update of the directives on the client via the command gpupdate /force executed with elevated privileges. The final step requires manually updating the BitLocker protectors to align them with the default PCR profile selected by Windows. As an alternative to the manual procedure, Microsoft has activated the Known Issue Rollback (KIR) mechanism, which allows for inhibiting the propagation of the bug on managed systems without requiring direct intervention on the individual machines that have already been updated, provided they have not yet entered recovery mode.