RC RANDOM CHAOS

Windows Server 2025 April update forces BitLocker recovery on misconfigured TPM policies

via BleepingComputer


Microsoft: April updates trigger BitLocker key prompts on some servers


Microsoft’s KB5082063 update for Windows Server 2025 is kicking some machines into BitLocker recovery on first reboot after install. The trigger is narrow: BitLocker must be enabled on the OS drive, Group Policy must pin PCR7 into the TPM validation profile, Secure Boot PCR7 Binding must report ‘Not Possible’ in msinfo32, the Windows UEFI CA 2023 certificate must be present in the Secure Boot DB, and the device must not already be running the 2023-signed Boot Manager. When all five line up, the update swaps to the 2023 Boot Manager and the TPM measurements no longer match, forcing a one-time recovery key prompt.
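Because all five conditions must hold at once, the useful admin step is to test each of them on a server before the update is approved, and to confirm a recovery password is staged either way. The following PowerShell is an added example written for this summary, not code from BleepingComputer or Microsoft. It assumes that the PCR7 policy lands in the `OSPlatformValidation_UEFI` registry key with DWORD values named by PCR index, that `msinfo32 /report` writes the same "Secure Boot PCR7 Binding" label the GUI shows, and that the 2023-signed Boot Manager can be recognised from the signer or issuer of `bootmgfw.efi` on the EFI system partition; treat all three as assumptions to verify on your own reference build.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check for the five conditions under which KB5082063
# is reported to force BitLocker recovery on Windows Server 2025. Run elevated.

function Test-Kb5082063Exposure {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    $r = [ordered]@{}

    # 1. BitLocker protection is on for the OS drive.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    $r.BitLockerOn = ($null -ne $vol -and $vol.ProtectionStatus -eq 'On')

    # 2. Group Policy pins PCR7 in the UEFI platform validation profile.
    #    Assumption: the policy writes 'Enabled' plus DWORDs named by PCR index.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $r.Pcr7Policy = ($null -ne $pol -and $pol.Enabled -eq 1 -and
        ($pol.PSObject.Properties.Name -contains '7') -and $pol.'7' -eq 1)

    # 3. msinfo32 reports 'Secure Boot PCR7 Binding' as 'Not Possible'.
    #    Assumption: the /report text uses the same label as the GUI.
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process msinfo32.exe -ArgumentList "/report `"$report`"" -Wait -NoNewWindow
    $line = Select-String -Path $report -Pattern 'Secure Boot PCR7 Binding' |
        Select-Object -First 1
    $r.Pcr7BindingNotPossible = ($null -ne $line -and $line.Line -match 'Not Possible')
    Remove-Item $report -ErrorAction SilentlyContinue

    # 4. Windows UEFI CA 2023 is present in the Secure Boot DB.
    $db = Get-SecureBootUEFI -Name db -ErrorAction SilentlyContinue
    $r.Ca2023InDb = ($null -ne $db -and
        ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'))

    # 5. Is the 2023-signed Boot Manager already in use? Mount the EFI system
    #    partition on a free drive letter and inspect the signature of bootmgfw.efi.
    #    Assumption: the 2023 chain shows 'Windows UEFI CA 2023' in subject or issuer.
    $free = 68..90 | ForEach-Object { [char]$_ } |
        Where-Object { -not (Test-Path "${_}:") } | Select-Object -First 1
    $efi = "${free}:"
    mountvol $efi /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath (Join-Path $efi 'EFI\Microsoft\Boot\bootmgfw.efi')
        $cert = $sig.SignerCertificate
        $r.BootMgr2023Signed = ($null -ne $cert -and
            ($cert.Subject -match 'Windows UEFI CA 2023' -or $cert.Issuer -match 'Windows UEFI CA 2023'))
    } finally {
        mountvol $efi /D | Out-Null
    }

    # Independent of exposure: a recovery password protector must exist, and it
    # should be escrowed (AD DS or Entra ID) before any boot-chain change ships.
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $r.RecoveryPasswordPresent = ($rp.Count -gt 0)

    $r.Exposed = ($r.BitLockerOn -and $r.Pcr7Policy -and $r.Pcr7BindingNotPossible -and
        $r.Ca2023InDb -and -not $r.BootMgr2023Signed)
    [pscustomobject]$r
}

Test-Kb5082063Exposure | Format-List
```

A server that reports `Exposed = True` and `RecoveryPasswordPresent = False` is the one that produces a helpdesk ticket after reboot; add a recovery password protector and back it up (for example with `Backup-BitLockerKeyProtector` or `BackupToAAD-BitLockerKeyProtector`) before the update is approved, whichever of the two remediation paths you then choose.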

The blast radius is limited to enterprise-managed fleets; consumer Windows 11 installs almost never carry this configuration. Two remediation paths exist: strip the PCR7 group policy and rebind BitLocker before deploying, or apply a Known Issue Rollback to block the automatic Boot Manager switch. A permanent fix is still in progress.

This is the fourth BitLocker-recovery regression Microsoft has shipped in roughly four years (KB5012170 in 2022, the July 2024 updates, the May 2025 emergency fix, now April 2026). The recurring pattern points to fragile coupling between TPM measurement policy and signed-boot-chain transitions: every time Microsoft rotates boot components, configurations that pin specific PCR values break, and admins without recovery keys staged get locked out.


This is an AI-generated summary. Read the original for the full story.