u/bdam55

r/SCCM

PSA: Known Issues For Every Version of Windows Causing BitLocker Recovery with April's CU

The link above is for one version, but the story is the same for everything else, including Windows 10 (LTSB/ESU) and Windows Server.

In a _very_ specific scenario, users are going to get a BitLocker recovery prompt after updating. If this is not you, then you are fine:

  1. BitLocker is enabled on the OS drive.
  2. The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
  3. System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".
  4. The Windows UEFI CA 2023 certificate is present in the device’s Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
  5. The device is not already running the 2023-signed Windows Boot Manager.

There's a workaround: change the GPO and then disable and re-enable BitLocker. Not trivial; you're going to need to script and deploy that.

You can also apply a Known Issue Rollback (KIR) so it won't happen in the first place.

In _both_ cases, you have to apply this before the update is installed. If users get hit, they will need the BL key. Only once though; it should be fine after that.

support.microsoft.com
u/bdam55 — 6 days ago
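An added example, not from the post or from Microsoft: a PowerShell check, run elevated, that reports on the five conditions listed above so affected devices can be found before the CU lands. It assumes the GPO writes its PCR selection to `HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` as `Enabled`=1 plus a DWORD named after each selected PCR (`7`=1), and that drive letter `S:` is free to mount the EFI system partition on; the PCR7 binding state is only shown by msinfo32, so it is left as a manual step.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell session.
function Test-BitLockerPcr7Exposure {
    $r = [ordered]@{}

    # 1. BitLocker is enabled on the OS drive.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.BitLockerOn = ($os.ProtectionStatus -eq 'On')

    # 2. "Configure TPM platform validation profile for native UEFI firmware configurations"
    #    is configured and PCR7 is in the profile. Assumed registry layout: key below with
    #    "Enabled"=1 and one DWORD per selected PCR named by its index ("7"=1).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $r.ProfileConfigured = Test-Path $pol
    $r.Pcr7InProfile = $false
    if ($r.ProfileConfigured) {
        $p = Get-ItemProperty -Path $pol
        $r.Pcr7InProfile = ($p.Enabled -eq 1 -and $p.'7' -eq 1)
    }

    # 3. PCR7 binding state is not exposed by a cmdlet; read it from msinfo32 by hand.
    $r.Pcr7Binding = 'manual: msinfo32 > Secure Boot State / PCR7 Configuration'

    # 4. Windows UEFI CA 2023 is present in the Secure Boot signature database (DB).
    #    The CN is stored as ASCII inside the DER certificate, so a substring match works.
    try {
        $db = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $r.Ca2023InDb = ($db -match 'Windows UEFI CA 2023')
    } catch {
        $r.Ca2023InDb = $false   # Secure Boot unsupported or disabled: DB not readable
    }

    # 5. Is the device already running the 2023-signed Windows Boot Manager?
    #    Mount the EFI system partition (assumed free letter S:) and inspect the signer.
    $esp = 'S:'
    mountvol $esp /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        $r.BootMgrIs2023Signed = ($sig.SignerCertificate.Subject -match 'Windows UEFI CA 2023')
    } finally {
        mountvol $esp /D | Out-Null
    }

    # Exposed if conditions 1, 2, 4 hold and 5 does not (3 still needs the manual msinfo32 check).
    $r.LikelyExposed = $r.BitLockerOn -and $r.Pcr7InProfile -and $r.Ca2023InDb -and -not $r.BootMgrIs2023Signed
    [pscustomobject]$r
}

Test-BitLockerPcr7Exposure
```

Devices reporting `LikelyExposed = True` and "Not Possible" in msinfo32 are the ones that need the GPO change plus BitLocker re-enable, or the KIR, before the CU is deployed.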