"Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft said.
What Microsoft acknowledged on April 14
On April 14 Microsoft confirmed a problem that can force affected systems into BitLocker recovery after installing the April 2026 security updates. The company said the behavior arises on devices configured with an "unrecommended" BitLocker Group Policy setting and that the update can prompt users to enter their BitLocker recovery key. Microsoft noted the situation affects Windows 10, Windows 11, and Windows Server devices with those Group Policy configurations.
Fixed for Windows 11 25H2 only — KB5089549
Microsoft has released a cumulative update, KB5089549, that addresses the issue for Windows 11 25H2 systems. According to the update text, "This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations. This might occur after installing the April 2026 security update (KB5083769)." The company said Windows 10 and Windows Server customers will need to wait: a permanent resolution for those platforms is planned for a future update.
Guidance for Windows admins: Group Policy and PCR7
Until fixes reach all affected platforms, Microsoft advised Windows admins to take two specific actions before deploying the April 2026 updates. First, remove the Group Policy named "Configure TPM platform validation profile for native UEFI firmware configurations." Second, ensure that BitLocker bindings use the PCR7 profile — Microsoft directs administrators to follow stated steps to confirm bindings, though those steps were not reproduced verbatim in the advisory. Microsoft also said the affected configurations are typically found on enterprise systems managed by IT teams, so personal devices are unlikely to encounter the problem.
History of similar BitLocker recovery incidents
This is not an isolated event. Microsoft itself has faced multiple episodes where security updates triggered BitLocker recovery prompts. In August 2022, devices became stuck at a BitLocker recovery prompt after installing update KB5012170. In July 2024 Microsoft fixed a known issue that likewise triggered BitLocker recovery prompts after that month's security updates. And in May 2025, Microsoft issued out‑of‑band emergency updates to address a similar issue that caused Windows 10 PCs to request the BitLocker recovery key after the May 2025 security updates.
How Windows admins, affected enterprises, and end users are likely to respond
- Windows admins: Expect rapid policy reviews and a conservative deployment posture for the April 2026 updates. Microsoft’s specific instruction to remove the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy will be a near‑term mitigation for many managed environments.
- Affected enterprises: Organizations that use custom TPM validation or nonstandard PCR7 settings will likely delay broad deployments until Windows 10 and Windows Server receive their fixes, or they will roll back the specific Group Policy to avoid recovery prompts that could disrupt access to encrypted drives.
- End users: Microsoft emphasized that personal devices are unlikely to be affected because the problematic Group Policy configurations are typically enterprise-managed. Nevertheless, any user who is prompted for a BitLocker recovery key after the April update will need that key to regain access.
The technical trigger Microsoft highlighted centers on TPM validation settings and PCR7 bindings; the fix for Windows 11 25H2 is in place, but Windows 10 and Windows Server customers remain on the clock awaiting a follow‑on update. For administrators, the immediate choice is clear: remove the unrecommended Group Policy or stagger deployments until all platforms are patched — a narrow, practical decision that avoids an otherwise avoidable interruption to encrypted drives.
Original reporting: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bitlocker-recovery-issue-only-for-windows-11-users/




