April Patch Triggers BitLocker Recovery on Windows Server 2025 — Check Before You Update

Microsoft has confirmed that some Windows Server 2025 systems may boot into BitLocker recovery mode after installing the April 2026 security update (KB5082063). If your organisation runs Windows Server 2025 with BitLocker enabled on the OS drive, this one needs your attention before you patch.

The issue affects a specific combination of four conditions: BitLocker enabled on the OS drive, a Group Policy that includes PCR7 in the TPM validation profile, Secure Boot PCR7 binding reported as “Not Possible,” and the Windows UEFI CA 2023 certificate present in the device’s Secure Boot Signature Database. When all four conditions are met, the server demands a BitLocker recovery key on the first restart after patching — and if you don’t have the key to hand, that means downtime, as BleepingComputer reported.

The good news: it only triggers once. After entering the recovery key, subsequent restarts are fine. But the smarter move is to check your Group Policy configuration before deploying the update. Microsoft recommends removing the PCR7 validation profile from your BitLocker policy, or applying the Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager. Full details are in Microsoft’s KB5082063 support article.
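A pre-patch check for the four conditions listed above, plus whether a recovery password protector exists on the OS volume. This is an added example, not Microsoft’s or the blog’s own tooling; the registry path used for the PCR validation profile policy and the parsing of the msinfo32 report for the “PCR7 Configuration” row are assumptions to confirm in your own environment.

```powershell
# Added pre-patch check for the KB5082063 BitLocker recovery conditions.
# Assumptions: the GPO "Configure TPM platform validation profile for native
# UEFI firmware configurations" stores one DWORD per PCR under $pcrKey, and the
# msinfo32 text report contains a "PCR7 Configuration" line. Run elevated.
#Requires -RunAsAdministrator
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Condition 1: BitLocker protection is on for the OS drive
$bitlockerOn = $osVol.ProtectionStatus -eq 'On'

# Condition 2: policy TPM validation profile includes PCR7 (assumed registry path)
$pcrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$pcr7InPolicy = $false
if (Test-Path $pcrKey) {
    $p = Get-ItemProperty -Path $pcrKey
    $pcr7InPolicy = ($p.Enabled -eq 1) -and ($p.'7' -eq 1)
}

# Condition 3: msinfo32 reports Secure Boot PCR7 binding as "Not Possible"
$report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
Start-Process msinfo32 -ArgumentList "/report `"$report`"" -Wait
$pcr7Line = Select-String -Path $report -Pattern 'PCR7 Configuration' |
    Select-Object -First 1
$pcr7NotPossible = [bool]$pcr7Line -and ($pcr7Line.Line -match 'Not Possible')
Remove-Item $report -ErrorAction SilentlyContinue

# Condition 4: Windows UEFI CA 2023 is present in the Secure Boot DB.
# The certificate subject is plain ASCII inside the DER blob, so a string
# search over the DB bytes is enough; legacy BIOS hosts have no DB at all.
$ca2023InDb = $false
try {
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $ca2023InDb = $dbText -match 'Windows UEFI CA 2023'
} catch { Write-Warning "Secure Boot DB not readable: $($_.Exception.Message)" }

# Escrow check: a recovery password protector must exist (and be backed up
# to AD/Entra) before patching, whether or not the four conditions line up.
$hasRecoveryPw = [bool]($osVol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

[pscustomobject]@{
    BitLockerOnOSDrive     = $bitlockerOn
    PCR7InPolicyProfile    = $pcr7InPolicy
    PCR7BindingNotPossible = $pcr7NotPossible
    UEFICA2023InDB         = $ca2023InDb
    AllFourConditionsMet   = $bitlockerOn -and $pcr7InPolicy -and $pcr7NotPossible -and $ca2023InDb
    RecoveryPasswordExists = $hasRecoveryPw
} | Format-List
```

If AllFourConditionsMet is True, remove PCR7 from the policy profile or apply the KIR before the update, and confirm the recovery password is escrowed either way.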

If you’re not sure whether your servers are affected, talk to your IT provider before rolling out the April patch across your fleet. At All IT Services, we pre-test cumulative updates in staging environments before deploying to production — exactly for situations like this. Get in touch if you’d like us to review your patching process.
