Microsoft’s April Patch Tuesday triggers BitLocker recovery screen in specific configurations

Microsoft - photo_gonzo/shutterstock.com

Microsoft’s April security update is creating extra work for IT administrators. Some Windows systems prompt for the BitLocker recovery key on the first reboot after the patch is installed. The company has confirmed the behavior and states that it occurs only in specific configurations.

The issue affects versions of Windows 10, Windows 11, and Windows Server 2022 and 2025. The key prompt appears only once: subsequent reboots do not repeat the screen as long as the group policy setting remains unchanged.

Configurations that trigger the key prompt

Several conditions must hold at the same time for BitLocker to demand the recovery key. BitLocker must be enabled on the operating system drive. The group policy “Configure TPM platform validation profile for native UEFI firmware configurations” must be set with PCR7 included in the validation profile, or the equivalent value must have been configured manually in the registry.

msinfo32.exe must report the PCR7 binding (linking PCR7 to the Secure Boot state) as “Not Possible”. The Windows UEFI CA 2023 certificate must be present in the Secure Boot signature database (DB). And the device must not yet be running the Windows Boot Manager signed with the 2023 certificate.

Together, these conditions cause the system to detect a change in platform integrity after the update. The April patch switches eligible devices to the 2023-signed Boot Manager. When PCR7 is explicitly included in the policy, even though binding is not possible, BitLocker treats the change as a risk and asks for the key.
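The five conditions above can be checked on a device before the update is deployed. The following PowerShell audit script is an added example, not Microsoft’s code or part of the original article. It assumes the OS drive is $env:SystemDrive, that the group policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI as a DWORD “Enabled” plus one DWORD per PCR named “0” through “23”, that the EFI System Partition can be temporarily mounted at S:, and that msinfo32 /report writes tab-separated “Item<TAB>Value” lines; those locations and formats are assumptions to verify in your environment. It must run elevated, because Get-BitLockerVolume, Get-SecureBootUEFI and the ESP mount all require administrator rights.

```powershell
#Requires -RunAsAdministrator
# Added audit script for the conditions listed in the article; not Microsoft's code.
# Assumptions (verify locally): registry layout of the GPO, S: is free for the ESP,
# and msinfo32 /report emits "Item<TAB>Value" lines.

function Test-BitLockerPcr7RecoveryRisk {
    $r = [ordered]@{}

    # Condition 1: BitLocker is on for the OS drive
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.OsDriveProtected = ($os.ProtectionStatus -eq 'On')

    # Condition 2: the UEFI validation-profile policy is set and explicitly lists PCR7
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'  # assumption
    $pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
    $r.PolicyConfigured   = ($null -ne $pol -and $pol.Enabled -eq 1)
    $r.PolicyIncludesPcr7 = ($r.PolicyConfigured -and $pol.'7' -eq 1)

    # Condition 3: PCR7 binding state exactly as msinfo32 reports it
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $line = Select-String -Path $report -Pattern 'PCR7 Configuration' | Select-Object -First 1
    $r.Pcr7Configuration = if ($line) { ($line.Line -split "`t")[-1].Trim() } else { 'Unknown' }
    Remove-Item $report -ErrorAction SilentlyContinue

    # Condition 4: the Windows UEFI CA 2023 certificate is present in the Secure Boot DB
    $db = Get-SecureBootUEFI -Name db
    $r.Ca2023InDb = ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')

    # Condition 5: the boot manager on the ESP is NOT yet signed under the 2023 CA
    $esp = 'S:'                      # assumption: drive letter is unused
    mountvol.exe $esp /S | Out-Null  # mount the EFI System Partition
    try {
        $sig   = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        $chain = "$($sig.SignerCertificate.Subject) $($sig.SignerCertificate.Issuer)"
        $r.BootManager2023 = ($chain -match 'Windows UEFI CA 2023')
    } finally {
        mountvol.exe $esp /D | Out-Null
    }

    # Verdict: every condition must hold for the recovery prompt the article describes
    $r.LikelyToPrompt = $r.OsDriveProtected -and $r.PolicyIncludesPcr7 -and
                        ($r.Pcr7Configuration -match 'Not Possible') -and
                        $r.Ca2023InDb -and (-not $r.BootManager2023)
    [pscustomobject]$r
}

Test-BitLockerPcr7RecoveryRisk | Format-List
```

Devices where LikelyToPrompt is true are the ones to fix before the patch, or to prepare recovery keys for. A device that already shows BootManager2023 as true has completed the switch and will not hit this particular prompt again.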

Microsoft notes that it does not recommend this group policy setting. By default, Windows automatically selects a validation profile suited to the hardware, which avoids the problem.

Main impact in corporate environments

The incident mainly affects devices managed by IT departments, where manual or custom BitLocker configurations are more common. Home users with default settings rarely encounter the prompt.

The screen appears only on the first restart after the April update is installed. After that, the system returns to normal on subsequent boots. Administrators preparing a large-scale patch rollout should budget extra time for supplying recovery keys to affected users.

The problem resembles a similar incident after the October security update of the previous year. On that occasion, devices with Intel processors supporting Connected Standby also displayed the recovery screen.

Workarounds available before installation

Microsoft recommends two measures to avoid the key prompt. The first is to remove the group policy setting before applying the update. The second is to apply a Known Issue Rollback (KIR).

For the first option, administrators open the Local Group Policy Editor or the Group Policy Management Console and navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. The policy “Configure TPM platform validation profile for native UEFI firmware configurations” must be set to “Not Configured”.

Then run gpupdate /force on the affected devices. Suspend BitLocker with manage-bde -protectors -disable C: and re-enable it with manage-bde -protectors -enable C:. This sequence reseals the BitLocker key to the default validation profile selected by Windows.

The second option requires contacting Microsoft support to obtain the KIR. This rollback prevents the automatic switch to the 2023-signed Boot Manager. It must be deployed before the April update is installed on affected devices.

  • Remove the group policy “Configure TPM platform validation profile for native UEFI firmware configurations”
  • Run gpupdate /force after the change
  • Suspend and re-enable BitLocker to update the bindings
  • Apply the Known Issue Rollback (KIR) before updating if the policy cannot be removed
  • Check the PCR7 status in msinfo32.exe before deploying the patch at scale
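The first workaround, scripted end to end for a single device, with the checks a practitioner would want around it: confirming a recovery password exists before protectors are touched, confirming the policy did not get re-applied by a domain GPO, and reading the PCR validation profile before and after the suspend/resume. This is an added example, not Microsoft’s script or part of the article. It assumes the OS drive is C:, that the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI (deleting that key is the local equivalent of “Not Configured”; on domain-joined devices the GPO must be changed centrally or gpupdate will write it back), and that manage-bde prints a “PCR Validation Profile:” line followed by the PCR list; the registry location and the output layout are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example of the article's first workaround on one device; not Microsoft's code.
# Assumptions: OS drive C:, GPO registry location below, manage-bde output layout.
$osDrive   = 'C:'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'  # assumption

function Get-PcrProfile([string]$Drive) {
    # Extract the PCR list that the TPM protector is currently sealed to
    $out = (& manage-bde.exe -protectors -get $Drive) -join "`n"
    if ($out -match 'PCR Validation Profile:\s*([\d,\s]+)') { return ($Matches[1] -replace '\s', '') }
    return $null
}

# Step 0: never suspend protectors without an escrowed recovery password
$vol = Get-BitLockerVolume -MountPoint $osDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    throw "No recovery password protector on $osDrive; add one (manage-bde -protectors -add $osDrive -RecoveryPassword) and escrow it first."
}
Write-Host "Recovery password protector ID(s): $($rp.KeyProtectorId -join ', ') (confirm escrowed in AD/Entra/MBAM)"
Write-Host "PCR validation profile before: $(Get-PcrProfile $osDrive)"

# Step 1: drop the explicit UEFI validation-profile policy (local 'Not Configured')
if (Test-Path $policyKey) { Remove-Item -Path $policyKey -Recurse -Force }

# Step 2: refresh policy and make sure a domain GPO did not put the key back
& gpupdate.exe /force | Out-Null
if (Test-Path $policyKey) {
    throw 'Policy key was re-applied by a domain GPO; set it to Not Configured in GPMC before running this.'
}

# Step 3: suspend and resume protection so BitLocker reseals to the default profile
& manage-bde.exe -protectors -disable $osDrive | Out-Null
& manage-bde.exe -protectors -enable  $osDrive | Out-Null

# Step 4: verify protection is back on and the profile no longer comes from the policy
$after  = Get-PcrProfile $osDrive
$status = (Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus
Write-Host "PCR validation profile after:  $after (protection: $status)"
if ($status -ne 'On') { throw 'Protection did not resume; investigate before rebooting or patching.' }
```

Run this before the April update is installed. If the device is managed by a domain GPO, step 2 is the one that fails, and the fix is in GPMC rather than on the endpoint; the KIR route remains for devices where the policy cannot be removed at all.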

Technical details behind the change

The April update includes Secure Boot improvements. Systems with the Windows UEFI CA 2023 certificate in the signature database now use the 2023-signed Boot Manager by default. That switch changes the PCR7 measurement.

When the policy explicitly includes PCR7, BitLocker detects the difference in the platform measurement. The result is the recovery screen, even though PCR7 binding is reported as “Not Possible”. With the default (unconfigured) policy, BitLocker would instead fall back to the PCR profile 0, 2, 4, 11 when PCR7 binding is not possible, and the boot manager change would not trigger recovery.

Microsoft stresses that changing the default validation profile affects both the security and the manageability of the device, and recommends keeping the default configuration whenever possible.

Microsoft’s next steps

The company does not yet have a permanent fix for the problem. A definitive fix is expected in a future Windows update. In the meantime, the workarounds are for administrators who need to deploy the security update without delay.

Microsoft advises IT teams to audit their BitLocker policies before installing the April patch. Checking the PCR7 status in msinfo32.exe helps identify devices that may display the recovery screen.

The case reinforces the importance of testing updates in controlled environments before widespread deployment, especially in configurations that deviate from the vendor’s recommended defaults.