BitLocker recovery prompts triggered on Windows Server 2025 after KB5082063 update
Summary
Microsoft has confirmed that the April 2026 KB5082063 security update for Windows Server 2025 is causing two distinct issues: BitLocker recovery prompts on first reboot for systems with PCR7-bound Group Policy configurations, and installation failures marked by 0x800F0983 errors on some devices. Both issues primarily impact enterprise-managed systems and require administrative intervention—either key entry for BitLocker recovery or troubleshooting update installation. Microsoft is investigating both problems and has provided temporary workarounds, including Known Issue Rollback (KIR) for BitLocker recovery and diagnostic reviews for update installation failures. Home users are unlikely to be affected by either issue. On May 13, 2026, Microsoft released KB5089549 to address the BitLocker recovery issue specifically for Windows 11 25H2 systems, though Windows 10 and Windows Server remain without a permanent resolution. The issue stems from invalid PCR7 configurations in TPM validation settings, and admins are advised to remove the 'Configure TPM platform validation profile for native UEFI firmware configurations' Group Policy before deploying April 2026 updates until a broader fix is available.
Timeline
- 15.04.2026 14:41 · 3 articles
BitLocker recovery prompts triggered on Windows Server 2025 after KB5082063 deployment
Microsoft confirmed on April 15, 2026, that the April 2026 KB5082063 Windows Server 2025 security update triggers BitLocker recovery prompts on systems with PCR7-bound Group Policy configurations. Admins must either remove the PCR7 Group Policy before update deployment or apply a Known Issue Rollback (KIR) to prevent automatic switching to the 2023-signed Windows Boot Manager. A new issue emerged where the same update fails to install on some systems, displaying 0x800F0983 errors. Microsoft is investigating the root cause of the installation failures and has acknowledged both problems in a service alert. On May 13, 2026, Microsoft released KB5089549 to address the BitLocker recovery issue specifically for Windows 11 25H2 systems, though Windows 10 and Windows Server remain without a permanent resolution. The issue stems from invalid PCR7 configurations in TPM validation settings, and admins are advised to remove the 'Configure TPM platform validation profile for native UEFI firmware configurations' Group Policy before deploying April 2026 updates until a broader fix is available.
- Microsoft: April updates trigger BitLocker key prompts on some servers — www.bleepingcomputer.com — 15.04.2026 14:41
- Microsoft: April Windows Server 2025 update may fail to install — www.bleepingcomputer.com — 16.04.2026 10:37
- Microsoft fixes BitLocker recovery issue only for Windows 11 users — www.bleepingcomputer.com — 13.05.2026 18:42
Information Snippets
- The issue is triggered by installing KB5082063 on Windows Server 2025 systems where BitLocker is enabled on the OS drive and the Group Policy 'Configure TPM platform validation profile for native UEFI firmware configurations' includes PCR7 in the validation profile.
  First reported: 15.04.2026 14:41 (1 source, 2 articles)
  - Microsoft: April updates trigger BitLocker key prompts on some servers — www.bleepingcomputer.com — 15.04.2026 14:41
  - Microsoft: April Windows Server 2025 update may fail to install — www.bleepingcomputer.com — 16.04.2026 10:37
- Systems must also report 'Secure Boot State PCR7 Binding: Not Possible' in msinfo32.exe and have the Windows UEFI CA 2023 certificate present in the Secure Boot Signature Database, but not be running the 2023-signed Windows Boot Manager.
  First reported: 15.04.2026 14:41 (1 source, 1 article)
  - Microsoft: April updates trigger BitLocker key prompts on some servers — www.bleepingcomputer.com — 15.04.2026 14:41
- The BitLocker recovery screen appears only on the first restart after update installation and requires key entry once; subsequent restarts proceed normally if Group Policy remains unchanged.
  First reported: 15.04.2026 14:41 (1 source, 2 articles)
  - Microsoft: April updates trigger BitLocker key prompts on some servers — www.bleepingcomputer.com — 15.04.2026 14:41
  - Microsoft: April Windows Server 2025 update may fail to install — www.bleepingcomputer.com — 16.04.2026 10:37
- Microsoft states the issue is unlikely to affect personal devices, as impacted configurations are typically enterprise-managed.
  First reported: 15.04.2026 14:41 (1 source, 2 articles)
  - Microsoft: April updates trigger BitLocker key prompts on some servers — www.bleepingcomputer.com — 15.04.2026 14:41
  - Microsoft: April Windows Server 2025 update may fail to install — www.bleepingcomputer.com — 16.04.2026 10:37
- Microsoft is developing a fix and has provided temporary workarounds, including removing the PCR7 Group Policy before deploying KB5082063 or applying a Known Issue Rollback (KIR) on affected devices.
  First reported: 15.04.2026 14:41 (1 source, 2 articles)
  - Microsoft: April updates trigger BitLocker key prompts on some servers — www.bleepingcomputer.com — 15.04.2026 14:41
  - Microsoft: April Windows Server 2025 update may fail to install — www.bleepingcomputer.com — 16.04.2026 10:37
- Microsoft is investigating an issue causing the KB5082063 security update to fail to install on some Windows Server 2025 systems, with users reporting 0x800F0983 install errors.
  First reported: 16.04.2026 10:37 (1 source, 1 article)
  - Microsoft: April Windows Server 2025 update may fail to install — www.bleepingcomputer.com — 16.04.2026 10:37
- The update installation failure occurs alongside the previously reported BitLocker recovery prompts issue on Windows Server 2025 devices.
  First reported: 16.04.2026 10:37 (1 source, 1 article)
  - Microsoft: April Windows Server 2025 update may fail to install — www.bleepingcomputer.com — 16.04.2026 10:37
- Microsoft released the KB5089549 cumulative update on May 13, 2026, addressing the BitLocker recovery issue on Windows 11 25H2 systems only.
  First reported: 13.05.2026 18:42 (1 source, 1 article)
  - Microsoft fixes BitLocker recovery issue only for Windows 11 users — www.bleepingcomputer.com — 13.05.2026 18:42
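As an added preflight check (not from the articles above or from Microsoft), the following PowerShell evaluates the preconditions listed in the snippets on a candidate server before KB5082063 is deployed, so an admin can tell which machines will hit the recovery screen and remove the PCR7 policy first. The registry location of the Group Policy, parsing an msinfo32 text report for the PCR7 binding line, and the spare drive letter S: for the EFI System Partition are assumptions.

```powershell
#Requires -RunAsAdministrator
# Preflight for the KB5082063 BitLocker recovery condition (added example, assumptions noted inline).

function Test-Kb5082063BitLockerExposure {
    $r = [ordered]@{}

    # 1. BitLocker protection is on for the OS drive.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $r.OsDriveEncrypted = [bool]($os | Where-Object ProtectionStatus -eq 'On')

    # 2. PCR7 is part of the native UEFI platform validation profile policy.
    #    Assumption: the policy lands under this key with a non-zero DWORD named PCR7.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $r.Pcr7InPolicy = $false
    if (Test-Path $pol) {
        $p = Get-ItemProperty $pol
        $r.Pcr7InPolicy = ($p.PSObject.Properties.Name -contains 'PCR7') -and ($p.PCR7 -ne 0)
    }

    # 3. msinfo32 reports PCR7 binding as "Not Possible".
    #    Assumption: the text report written by "msinfo32 /report" carries a line containing PCR7.
    $rep = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process msinfo32.exe -ArgumentList "/report `"$rep`"" -Wait
    $line = Get-Content $rep | Where-Object { $_ -match 'PCR7' } | Select-Object -First 1
    $r.Pcr7BindingNotPossible = [bool]($line -and $line -match 'Not Possible')
    Remove-Item $rep -ErrorAction SilentlyContinue

    # 4. The Windows UEFI CA 2023 certificate is present in the Secure Boot DB.
    $db = (Get-SecureBootUEFI -Name db).Bytes
    $r.Ca2023InDb = [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'

    # 5. The boot manager on the ESP is NOT yet the 2023-signed one.
    #    Assumption: S: is free; mountvol exposes the EFI System Partition there.
    $esp = 'S:'
    mountvol $esp /S | Out-Null
    $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    $cert = "$($sig.SignerCertificate.Subject) $($sig.SignerCertificate.Issuer)"
    $r.BootMgrIs2023Signed = [bool]($cert -match 'Windows UEFI CA 2023')
    mountvol $esp /D | Out-Null

    # All five conditions together are what the articles describe as the trigger.
    $r.AtRisk = $r.OsDriveEncrypted -and $r.Pcr7InPolicy -and $r.Pcr7BindingNotPossible -and
                $r.Ca2023InDb -and (-not $r.BootMgrIs2023Signed)
    [pscustomobject]$r
}

Test-Kb5082063BitLockerExposure | Format-List
```

A server that reports AtRisk = True should have the PCR7 policy removed (or the KIR applied) before the update is approved; confirm the recovery key is escrowed in AD or Entra ID regardless, since the prompt still requires one key entry on first reboot.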
Similar Happenings
Microsoft resolves Windows Server upgrade bug enabling unintended 2025 upgrades
Microsoft has resolved a previously reported bug that caused systems running Windows Server 2019 and 2022 to automatically upgrade to Windows Server 2025 without explicit user action or licensing. The issue, first acknowledged in September 2024, led to unexpected overnight upgrades across multiple enterprise environments, prompting investigations into the root cause and mitigation steps. Microsoft attributed the problem to misconfigured third-party update management tools, though affected vendors disputed this and cited procedural errors on Microsoft’s side. The bug’s resolution restores the intended upgrade workflow via Windows Update settings, allowing administrators to control upgrade eligibility and timing. The fix follows a prolonged period of disruption and reactive out-of-band patches addressing related installation failures and authentication issues.
Microsoft March and April 2026 Patch Tuesdays Address Multiple Zero-Days and Critical Flaws
Microsoft’s multi-month Patch Tuesday campaign continues with the April 2026 release addressing 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days (CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender). Nearly 60% of the patched flaws are elevation-of-privilege bugs, marking the highest proportion in eight months, while eight Critical vulnerabilities were addressed, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1). Following the April updates, threat actors are now exploiting two additional unpatched Microsoft Defender zero-days—RedSun and UnDefend—alongside the patched CVE-2026-33825 (BlueHammer). Exploitation activity has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, featuring hands-on-keyboard techniques such as whoami /priv, cmdkey /list, and net group commands. Huntress confirmed real-world exploitation and took steps to isolate compromised systems to prevent post-exploitation damage. Threat actors have also been observed chaining these flaws with other vulnerabilities to achieve full endpoint control. Microsoft issued out-of-band emergency patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw enables unauthenticated attackers to gain SYSTEM privileges by forging authentication cookies, stemming from a regression in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 packages. Microsoft recommends updating to version 10.0.7 and rotating the DataProtection key ring to fully remediate. The April updates were distributed through Windows 11 cumulative updates KB5083769 (for versions 25H2/24H2) and KB5082052 (for 23H2), changing build numbers to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). 
Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, updating to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).
Microsoft Introduces Hardware-Accelerated BitLocker in Windows 11
Microsoft has rolled out hardware-accelerated BitLocker in Windows 11 to enhance performance and security. This update leverages system-on-a-chip (SoC) and CPU capabilities to offload cryptographic operations, reducing CPU usage and improving overall system performance. The new BitLocker utilizes hardware-protected keys, minimizing exposure to cyberattacks and enhancing security alongside Trusted Platform Module (TPM)–based key protection. This feature is available in Windows 11 24H2 and 25H2, with initial support for Intel vPro systems using Intel Core Ultra Series 3 processors.
October 2025 Windows Updates Trigger BitLocker Recovery on Intel Devices
Microsoft's October 2025 Windows security updates cause some Intel devices to boot into BitLocker recovery mode. The issue affects systems with Connected Standby support, requiring users to enter their recovery key once. The problem impacts Windows 11 24H2 and 25H2, and Windows 10 22H2. Microsoft has provided a Known Issue Rollback (KIR) mitigation for IT administrators and advises affected customers to contact Microsoft Support for further assistance. The bug primarily impacts Intel devices with Connected Standby support, which allows PCs to remain connected to the network while in low-power mode. Affected devices will boot into the BitLocker recovery screen after the update, necessitating the entry of the recovery key once. Subsequent restarts will proceed normally without further BitLocker prompts.
Active Directory Sync Issues in Windows Server 2025
Microsoft has released a fix for Active Directory synchronization issues affecting Windows Server 2025 systems. The problem occurs after installing security updates released since September 2025. It impacts synchronization for large Active Directory security groups exceeding 10,000 members, particularly when using Microsoft Entra Connect Sync. The issue affects applications relying on the Active Directory directory synchronization (DirSync) control. Microsoft has provided a Known Issue Rollback (KIR) Group Policy for managed devices and a registry key workaround for non-managed devices and home users. A separate bug causing Windows update failures on Windows 11 24H2 and Windows Server 2025 devices is also being addressed. Guidance has been issued for smart card authentication issues across all supported Windows versions.