Microsoft has confirmed that the April 2026 security update for Windows 11, KB5083769, released on April 14, is causing some devices to boot directly into the BitLocker recovery screen instead of the desktop. Affected users must enter their BitLocker recovery key before the system can boot normally.
Microsoft says this is a one-time issue: once the key is entered, subsequent reboots proceed normally. The issue appears to affect only devices with a specific combination of BitLocker and Secure Boot settings, and most users who install the update are not affected.
What triggers the problem?
The BitLocker recovery message appears on a device when all of the following conditions are met:
- BitLocker is enabled on the operating system drive.
- The Group Policy setting that configures the TPM platform validation profile includes PCR7 in the validation profile.
- System Information shows “Secure Boot State PCR7 Link” as “Not Possible.”
- The UEFI CA 2023 certificate is present in the Secure Boot signature database, and the device is not running a Windows Boot Manager signed in 2023.
Microsoft describes this as a “non-recommended” BitLocker setting that can trigger the recovery prompt.
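The following PowerShell script is an added example, not code from the article or from Microsoft; it checks a device against the conditions listed above so an administrator can find at-risk machines before deploying KB5083769. It assumes the PCR7 policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI as one DWORD per PCR index, that the Secure Boot DB can be searched for the string "Windows UEFI CA 2023", and that a 2023-signed boot manager has that CA as the issuer of its Authenticode signer; all three are assumptions to verify on your build. The “PCR7 Link” state is not exposed by a cmdlet this example relies on, so that one condition is still read from msinfo32.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): detect the KB5083769 BitLocker recovery
# preconditions. Registry layout, DB string match and boot-manager issuer name
# are assumptions, labelled where used.

function Test-OsDriveBitLocker {
    # Condition 1: BitLocker protection is on for the OS drive.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    return ($vol.ProtectionStatus -eq 'On')
}

function Test-Pcr7InPolicy {
    # Condition 2: the "Configure TPM platform validation profile for native UEFI
    # firmware configurations" policy includes PCR 7.
    # ASSUMPTION: the policy writes HKLM\...\FVE\OSPlatformValidation_UEFI with a
    # DWORD named after each PCR index (1 = included). No key = Not Configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path $key)) { return $false }
    $item = Get-ItemProperty -Path $key
    return ([int]$item.'7' -eq 1)
}

function Get-ActivePcrProfile {
    # Reads the PCR profile the TPM protector is currently sealed to from
    # manage-bde output (English locale wording assumed).
    $out  = & manage-bde -protectors -get $env:SystemDrive 2>&1
    $line = $out | Where-Object { $_ -like '*PCR Validation Profile:*' } | Select-Object -First 1
    if ($line -and $line -match 'Profile:\s*(.+)$') {
        return ($Matches[1] -split ',\s*') | ForEach-Object { [int]$_.Trim() }
    }
    return @()
}

function Test-UefiCa2023InDb {
    # Condition 4a: the UEFI CA 2023 certificate is in the Secure Boot DB.
    # ASSUMPTION: the certificate's subject string is present as ASCII in the
    # raw variable bytes returned by Get-SecureBootUEFI.
    $db   = Get-SecureBootUEFI -Name db
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    return ($text -match 'Windows UEFI CA 2023')
}

function Get-BootManagerSignerIssuer {
    # Condition 4b: who signed the installed Windows Boot Manager.
    # Mounts the EFI system partition read-only via mountvol and reads the
    # Authenticode signer of bootmgfw.efi. Drive letter S: is an assumption;
    # pick a free one on your system.
    $letter = 'S:'
    if (Test-Path $letter) { throw "Drive $letter is already in use; choose another letter." }
    & mountvol $letter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$letter\EFI\Microsoft\Boot\bootmgfw.efi"
        return $sig.SignerCertificate.Issuer
    } finally {
        & mountvol $letter /D | Out-Null
    }
}

function Test-Kb5083769RecoveryRisk {
    $issuer = Get-BootManagerSignerIssuer
    $r = [pscustomobject]@{
        BitLockerOn       = Test-OsDriveBitLocker
        Pcr7InPolicy      = Test-Pcr7InPolicy
        ActivePcrProfile  = (Get-ActivePcrProfile) -join ','
        UefiCa2023InDb    = Test-UefiCa2023InDb
        BootMgrIssuer     = $issuer
        # ASSUMPTION: a 2023-signed boot manager carries this CA as issuer.
        BootMgr2023Signed = ($issuer -match 'Windows UEFI CA 2023')
    }
    # "PCR7 Link = Not Possible" (msinfo32) is not checked here; confirm it
    # manually on devices this script flags.
    $atRisk = $r.BitLockerOn -and $r.Pcr7InPolicy -and $r.UefiCa2023InDb -and (-not $r.BootMgr2023Signed)
    return $r | Add-Member -NotePropertyName AtRisk -NotePropertyValue $atRisk -PassThru
}

Test-Kb5083769RecoveryRisk | Format-List
```

Run it from an elevated prompt; a device that reports AtRisk = True and shows “Not Possible” for the PCR7 state in msinfo32 is the one to fix before the update reaches it. The ActivePcrProfile field is there for the before/after comparison when you rebind.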
How to recover if your PC starts BitLocker recovery
Users already on the BitLocker recovery screen need their recovery key to continue. They can find it in their Microsoft account from another device by matching the PC name and the key ID shown on the recovery screen.
Once the key is entered and the user clicks “continue”, the system will boot to the desktop and will not prompt for the key again on subsequent reboots.
How to prevent it before installing KB5083769
Users who have not yet installed KB5083769 and want to avoid the recovery message can proactively reset the Group Policy setting. To do this, open the Group Policy Editor by searching for ‘gpedit’ in the Start menu.
Then navigate to Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives.
Right-click on “Configure TPM Platform Validation Profile for Native UEFI Firmware Configurations” and select Edit.
Change the setting to Not Configured, then click Apply and OK. Next, open a Command Prompt as administrator and run the following command:
manage-bde -protectors -enable C:
This process rebinds BitLocker to the default PCR profile and prevents the recovery screen from appearing after installing the update.
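The same procedure as a script, added here as an example rather than taken from the article or Microsoft, for administrators who would rather run it from an elevated PowerShell prompt than click through gpedit. It assumes the policy lives under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI and that deleting that key is equivalent to setting it to Not Configured; on a domain-joined machine a GPO would simply reapply it at the next refresh, so there the change belongs in the GPO. Before re-enabling the protector with the article's manage-bde command, the script suspends it, which is what forces the TPM protector to be re-sealed to the current PCR values rather than left as it was.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): set the PCR7 policy to Not Configured
# and rebind BitLocker's TPM protector to the default PCR profile.
# ASSUMPTION: removing the OSPlatformValidation_UEFI policy key is the
# registry equivalent of "Not Configured" in gpedit.

$osDrive   = $env:SystemDrive
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

# 1. Record the protector state so the rebind can be reviewed afterwards.
$before = & manage-bde -protectors -get $osDrive
"Before: " + ($before | Where-Object { $_ -like '*PCR Validation Profile*' })

# 2. Make sure a recovery password exists and note its ID; if the rebind ever
#    misfires, this is the key the recovery screen will ask for.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) { throw 'No recovery password protector found; add and back one up before continuing.' }
"Recovery key ID: $($rp.KeyProtectorId) (confirm the 48-digit password is backed up)"

# 3. Policy -> Not Configured (registry equivalent of the gpedit step above).
if (Test-Path $policyKey) {
    Remove-Item -Path $policyKey -Recurse -Force
}
& gpupdate /target:computer /force | Out-Null

# 4. Rebind. Suspending installs a clear key; the article's manage-bde command
#    then removes it and re-seals the TPM protector against the default profile.
Suspend-BitLocker -MountPoint $osDrive -RebootCount 0 | Out-Null
& manage-bde -protectors -enable $osDrive

# 5. Show the resulting profile so it can be compared with step 1.
$after = & manage-bde -protectors -get $osDrive
"After:  " + ($after | Where-Object { $_ -like '*PCR Validation Profile*' })
(Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus
```

The final ProtectionStatus line should read On; if it reads Off, the suspend was not undone and you should run the manage-bde enable command again before rebooting.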
Business users who cannot modify Group Policy settings can contact Microsoft for a known issue rollback update, which may undo the faulty settings.