Microsoft: April updates trigger BitLocker key prompts on some servers
Summary: After installing a specific security update, some Windows Server 2025 devices enter BitLocker recovery mode because of a particular Group Policy configuration. The issue mainly affects enterprise devices; Microsoft is working on a fix and has provided temporary workarounds.

2026-4-15 11:46:43 Author: www.bleepingcomputer.com

Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update.

BitLocker is a Windows security feature that encrypts storage drives to prevent data theft. Windows computers typically enter BitLocker recovery mode after hardware changes or events such as TPM (Trusted Platform Module) updates, to regain access to protected drives that have not been unlocked via the default unlock mechanism.

"Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft said.

"In this scenario, the BitLocker recovery key only needs to be entered once -- subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged."

However, as the company explained, this only happens for very specific configurations, on systems where all the following conditions are met:

  1. BitLocker is enabled on the OS drive.
  2. The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
  3. System Information (msinfo32.exe) reports that the Secure Boot State PCR7 Binding is "Not Possible".
  4. The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database (DB), making the device eligible for the 2023-signed Windows Boot Manager to be made the default.
  5. The device is not already running the 2023-signed Windows Boot Manager.
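A defender-side way to find out whether a given server meets all five conditions before the update is deployed, written here as an added example in PowerShell (it is not Microsoft's code and not from the article). It assumes the policy lands in `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` with `Enabled` and per-PCR DWORD values named `0`..`23`, that the msinfo32 text report contains a `PCR7` line, that drive letter `S:` is free for mounting the EFI system partition, and that the 2023-signed boot manager's signer chain names "Windows UEFI CA 2023".

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): evaluate the advisory's five conditions locally.
function Test-BitLockerPcr7Exposure {
    $r = [ordered]@{}

    # 1. BitLocker protection is on for the OS drive.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.BitLockerOn = ($os.ProtectionStatus -eq 'On')

    # 2. "Configure TPM platform validation profile for native UEFI firmware
    #    configurations" is set and includes PCR7. Assumed layout: Enabled=1 plus
    #    one DWORD per PCR index named "0".."23", where 1 means "included".
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $r.Pcr7PolicySet = $false
    if (Test-Path $pol) {
        $p = Get-ItemProperty $pol
        $r.Pcr7PolicySet = ($p.Enabled -eq 1) -and ($p.'7' -eq 1)
    }

    # 3. msinfo32 reports the PCR7 binding as "Not Possible" (parsed from a text
    #    report; the exact field name is an assumption).
    $rep = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process msinfo32 -ArgumentList "/report `"$rep`"" -Wait -NoNewWindow
    $line = Select-String -Path $rep -Pattern 'PCR7' | Select-Object -First 1
    $r.Pcr7BindingNotPossible = [bool]($line -and $line.Line -match 'Not Possible')
    Remove-Item $rep -ErrorAction SilentlyContinue

    # 4. Windows UEFI CA 2023 is present in the Secure Boot DB. The certificate
    #    subject is ASCII inside the DER blob, so a substring match suffices.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $r.Ca2023InDb = ($db -match 'Windows UEFI CA 2023')

    # 5. The boot manager on the EFI system partition is not yet 2023-signed.
    #    Assumption: S: is free, and the signer's issuer names the 2023 CA.
    $esp = 'S:'
    mountvol $esp /S | Out-Null
    $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
    mountvol $esp /D | Out-Null
    $r.BootMgrNot2023 = -not ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')

    # A device is exposed only when every condition holds at once.
    $r.Exposed = $r.BitLockerOn -and $r.Pcr7PolicySet -and $r.Pcr7BindingNotPossible `
                 -and $r.Ca2023InDb -and $r.BootMgrNot2023
    [pscustomobject]$r
}

Test-BitLockerPcr7Exposure | Format-List
```

Run it elevated on a test server first; a device reporting `Exposed = True` is one where the Group Policy should be removed (or the KIR applied) before KB5082063 is installed.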

Microsoft added that this known issue is unlikely to affect personal devices, as impacted configurations are typically found on systems managed by enterprise IT teams.

[Image: BitLocker recovery screen (Microsoft)]

The company is now working on a solution to this issue and has shared temporary workarounds that allow installation of this month's security updates.

Admins are advised to remove the Group Policy configuration before deploying the KB5082063 update, and to ensure that BitLocker bindings use the PCR7 profile by following these steps.

Those who can't remove the PCR7 group policy before installing can apply a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager and to avoid triggering BitLocker recovery.

In May 2025, Microsoft released emergency updates to address a similar issue that was causing Windows 10 systems to boot into BitLocker recovery after installing the May 2025 security updates.

One year earlier, in August 2024, Microsoft fixed another known issue triggering BitLocker recovery prompts across all supported Windows versions after installing the July 2024 Windows security updates.

In August 2022, Windows devices also became stuck at a BitLocker recovery prompt after installing the KB5012170 security update.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-some-windows-servers-ask-for-bitlocker-key-after-april-updates/