Full Report
Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update. [...]
Analysis Summary
# Vulnerability: Windows Server 2025 Boot-to-BitLocker Recovery Issue
## CVE Details
- **CVE ID:** N/A (Functional Regression/Known Issue following security patch)
- **CVSS Score:** N/A (not a security vulnerability; the only impact is to availability)
- **CWE:** CWE-755: Improper Handling of Exceptional Conditions
## Affected Systems
- **Products:** Windows Server 2025
- **Versions:** OS Build 26100.32690 (after installing KB5082063)
- **Configurations:** Systems meeting **all** the following criteria:
1. BitLocker enabled on the OS drive.
2. Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" includes **PCR7** in the validation profile.
3. System Information (`msinfo32.exe`) reports the PCR7 Configuration (listed under Secure Boot State) as "**Binding Not Possible**".
4. The Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database (DB).
5. The device is not yet running the 2023-signed Windows Boot Manager (it still boots the boot manager signed under the Microsoft Windows Production PCA 2011 chain).
## Vulnerability Description
Installing the April 2026 security update (KB5082063) switches the default Windows Boot Manager to the version signed by the Windows UEFI CA 2023 certificate. On systems with the unrecommended Group Policy configuration above, the TPM protector is sealed to a profile that includes PCR7 even though PCR7 binding is not possible. PCR7 records the Secure Boot policy and the certificate that verified the boot manager, so booting the 2023-signed boot manager produces a different PCR7 measurement, the TPM refuses to unseal the volume master key, and BitLocker drops into recovery to protect the encrypted data. The administrator must then enter the 48-digit recovery password; no data is lost, but a system whose recovery password was never escrowed cannot be unlocked.
## Exploitation
- **Status:** Not exploited (This is a reliability issue caused by a legitimate security patch).
- **Complexity:** N/A
- **Attack Vector:** Local (Triggered during the boot process following a system update).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (systems halt at the pre-boot BitLocker recovery screen until an administrator enters the recovery key; if the key was not escrowed to AD DS, Microsoft Entra ID, or a saved copy, the OS volume cannot be unlocked).
## Remediation
### Patches
- **KB5082063:** This is the update that triggers the issue; Microsoft is currently working on a permanent resolution.
### Workarounds
- **Option 1 (Pre-deployment):** Before installing the update, remove the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy or set a profile that does not depend on PCR7 binding (the default for UEFI systems where PCR7 binding is not possible is PCRs 0, 2, 4, 11). The validation profile is applied when the TPM protector is created, so after changing the policy, re-create the TPM key protector; escrow the recovery password first in case the new protector fails to unseal.
- **Option 2 (Post-deployment):** Enter the BitLocker recovery key at the recovery screen. Once the volume is unlocked, BitLocker reseals the TPM protector to the current measurements, so the prompt appears only once unless the policy or boot configuration changes again.
- **Option 3 (Admin Mitigation):** Deploy the Known Issue Rollback (KIR) Group Policy Microsoft published for this issue to enterprise-managed devices; it prevents the automatic switch to the 2023-signed Boot Manager until a permanent fix ships.
## Detection
- **Indicators:** Windows Server 2025 hosts where `msinfo32.exe` shows PCR7 Configuration as "Binding Not Possible" while the TPM protector's PCR Validation Profile (`manage-bde -protectors -get C:`) includes PCR 7, the Windows UEFI CA 2023 certificate is in the Secure Boot DB, and the 2023-signed boot manager is not yet in use.
- **Detection Methods:** Audit Group Policy Objects (GPOs) and the resulting `HKLM\SOFTWARE\Policies\Microsoft\FVE` policy keys for a TPM validation profile that includes PCR7 on servers that cannot bind PCR7, and confirm that recovery passwords for those hosts are escrowed before the April update is approved for deployment.
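The following PowerShell script is an added example, not code from Microsoft or BleepingComputer. It checks a Windows Server 2025 host against the five criteria listed under Affected Systems, reports the result in the form the Detection section describes, and, if the host matches, escrows the OS-drive recovery password so the one-time recovery prompt described under Workarounds is survivable. Several details are assumptions to verify on your own build: that the validation-profile GPO lands under `HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` as `Enabled` plus `PCR0`..`PCR23` values, that `msinfo32` labels the field "PCR7 Configuration", that `manage-bde` prints the PCR list on the line after "PCR Validation Profile:", and that drive letter `S:` is free for mounting the EFI system partition. The function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or BleepingComputer's code). Audits a Windows Server 2025
# host for the KB5082063 BitLocker-recovery known issue and escrows the recovery password
# when the host matches. Assumptions: GPO registry layout under
# HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI, the msinfo32 field name
# "PCR7 Configuration", manage-bde printing the PCR list on the line after the label,
# and S: being free for the EFI system partition.

function Test-Kb5082063BitLockerRisk {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    $r = [ordered]@{}

    # 1. BitLocker protection is on for the OS volume and uses a TPM-based protector.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $r.BitLockerOn = [bool](($vol.ProtectionStatus -eq 'On') -and
                            ($vol.KeyProtector.KeyProtectorType -match '^Tpm'))

    # 2. GPO "Configure TPM platform validation profile for native UEFI firmware
    #    configurations" is enabled with PCR7 selected (assumed registry layout).
    $gpo = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI' `
               -ErrorAction SilentlyContinue
    $r.GpoIncludesPcr7 = [bool]($gpo -and $gpo.Enabled -eq 1 -and $gpo.PCR7 -eq 1)

    #    Cross-check the profile the live TPM protector is sealed to: that, not today's
    #    policy, is what the TPM validates at boot (assumed output layout).
    $lines = @(manage-bde -protectors -get $OsDrive)
    $r.SealedProfile = 'unknown'
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') { $r.SealedProfile = $lines[$i + 1].Trim(); break }
    }
    $r.SealedIncludesPcr7 = [bool]($r.SealedProfile -match '(^|,\s*)7(\s*,|$)')

    # 3. msinfo32 reports PCR7 binding as not possible. /report writes the summary as text;
    #    the field reads "Elevation Required to View" when not run as administrator.
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $pcr7 = (Get-Content $report | Where-Object { $_ -match 'PCR7 Configuration' }) -join ' '
    $r.Pcr7BindingNotPossible = [bool]($pcr7 -match 'Not Possible')

    # 4. Windows UEFI CA 2023 is already in the Secure Boot signature database (DB).
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $r.Ca2023InDb = [bool]($db -match 'Windows UEFI CA 2023')

    # 5. The boot manager on the ESP is still the 2011-chain-signed one (no "UEFI CA 2023"
    #    in its signer chain), so the update will switch it and change the PCR7 measurement.
    $esp = 'S:'
    mountvol $esp /s | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        $r.BootMgrSigner = '{0} <- {1}' -f $sig.SignerCertificate.Subject, $sig.SignerCertificate.Issuer
    } finally {
        mountvol $esp /d | Out-Null
    }
    $r.BootMgrStill2011 = [bool]($r.BootMgrSigner -notmatch 'UEFI CA 2023')

    $r.AtRisk = $r.BitLockerOn -and ($r.GpoIncludesPcr7 -or $r.SealedIncludesPcr7) -and
                $r.Pcr7BindingNotPossible -and $r.Ca2023InDb -and $r.BootMgrStill2011
    [pscustomobject]$r
}

function Backup-OsDriveRecoveryPassword {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive, [switch]$ToEntraId)

    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # No numerical password protector yet: add one so there is something to escrow.
        $vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        if ($ToEntraId) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId
        } else {
            Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId   # AD DS
        }
    }
    $rp.KeyProtectorId
}

$audit = Test-Kb5082063BitLockerRisk
$audit | Format-List
if ($audit.AtRisk) {
    Write-Warning 'Host matches the KB5082063 known-issue profile; escrowing the recovery password before patching.'
    Backup-OsDriveRecoveryPassword
}
```

Run it elevated on a representative host before approving KB5082063; `AtRisk` is true only when all five criteria line up, and `SealedProfile` next to `GpoIncludesPcr7` shows whether a policy change has actually reached the protector. `Backup-BitLockerKeyProtector` needs the AD DS BitLocker schema extension and write access to the computer object; use `-ToEntraId` for Entra-joined servers. The script escrows rather than rebinds: removing and re-adding the TPM protector is a separate, deliberate step that you should take only after the escrow has succeeded.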
## References
- **Vendor Advisory:** hxxps[://]support[.]microsoft[.]com/en-us/topic/april-14-2026-kb5082063-os-build-26100-32690-c57e289d-27c9-47cd-a183-72fabc62c5d7
- **BleepingComputer Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-some-windows-servers-ask-for-bitlocker-key-after-april-updates/