Microsoft Fixes BitLocker Recovery Issue Only for Windows 11
Microsoft has fixed a BitLocker recovery issue impacting systems after April 2026 updates, but the KB5089549 release applies only to Windows 11 25H2. Windows 10 and Windows Server users must continue using workarounds until a future update, as the bug stems from unrecommended Group Policy settings common in enterprise environments.

BitLocker is a Windows security feature that encrypts storage drives to protect against data theft. It also enters recovery mode after events such as hardware changes or TPM updates, blocking access to the protected drive until the recovery key is supplied.
Microsoft acknowledged the issue on April 14, saying it affects Windows 10, Windows 11, and Windows Server devices with an unrecommended BitLocker Group Policy configuration. The company said affected devices might be required to enter their BitLocker recovery key on the first restart after installing the update.
Although the bug also affects Windows 10 and Windows 11 client systems, Microsoft said it is unlikely to hit personal devices, since the affected configuration is typically found only on enterprise systems managed by IT teams.
On Tuesday, Microsoft announced that it addressed the issue with the KB5089549 cumulative update for Windows 11 25H2. Windows 10 and Windows Server customers will need to wait for a fix, as a permanent resolution is planned for a future update.
The update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module validation settings, including invalid PCR7 configurations. This might occur after installing the April 2026 security update KB5083769.
Until a fix is available for all affected platforms, Windows admins are advised to remove the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy configuration before deploying the April 2026 updates, and to ensure that BitLocker bindings use the PCR7 profile.
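As an added illustration that is not part of the article or any Microsoft-supplied script, the following PowerShell audit checks both halves of the workaround above on a single machine: whether the "Configure TPM platform validation profile for native UEFI firmware configurations" policy is present, and which PCRs each volume's TPM protector is actually sealed to. It assumes the policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI (Enabled plus PCR0..PCR23 DWORDs) and that the Win32_EncryptableVolume WMI class is available; verify both against your own environment.

```powershell
# Added example, not from the article. Audits the BitLocker TPM validation
# policy and the live PCR binding of every TPM-based key protector.
# Assumption: the named Group Policy writes to this registry key.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

# 1. Is the "native UEFI firmware configurations" validation profile policy set?
if (Test-Path $policyKey) {
    $p    = Get-ItemProperty -Path $policyKey
    $pcrs = 0..23 | Where-Object { $p."PCR$_" -eq 1 }   # PCRn = 1 means "measure this PCR"
    Write-Host "Policy present (Enabled=$($p.Enabled)); configured PCRs: $($pcrs -join ',')"
    if ($p.Enabled -eq 1 -and $pcrs -notcontains 7) {
        Write-Warning "Policy enforces a profile without PCR7 - remove it before deploying the April 2026 updates"
    }
} else {
    Write-Host "Policy not configured (Windows default validation profile applies)"
}

# 2. What are the TPM protectors actually bound to on each encrypted volume?
# Key protector type codes from Win32_EncryptableVolume.GetKeyProtectors.
$tpmTypes = @{ 1 = 'TPM'; 4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey' }
$vols = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                        -ClassName Win32_EncryptableVolume
foreach ($v in $vols) {
    foreach ($type in $tpmTypes.Keys) {
        $ids = (Invoke-CimMethod -InputObject $v -MethodName GetKeyProtectors `
                    -Arguments @{ KeyProtectorType = [uint32]$type }).VolumeKeyProtectorID
        foreach ($id in $ids) {
            # Returns the PCR indices this protector was sealed against.
            $r = Invoke-CimMethod -InputObject $v -MethodName GetKeyProtectorPlatformValidationProfile `
                    -Arguments @{ VolumeKeyProtectorID = $id }
            $profile = @($r.PlatformValidationProfile)
            $state = if ($profile -contains 7) { 'OK (PCR7)' } else { 'REVIEW: not bound to PCR7' }
            '{0} {1} {2} PCRs={3} {4}' -f $v.DriveLetter, $tpmTypes[$type], $id, ($profile -join ','), $state
        }
    }
}
```

Run it from an elevated PowerShell session on a representative sample of the fleet; any volume reported as REVIEW, or any policy key present, identifies the machines that still need the workaround.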
This is the latest in a series of similar incidents. In August 2022, Windows devices also became stuck at a BitLocker recovery prompt after installing the KB5012170 security update. Two years later, in August 2024, Microsoft fixed another known issue that triggered BitLocker recovery prompts after installing the July 2024 Windows security updates. More recently, in May 2025, Microsoft issued out-of-band emergency updates to address a similar issue that caused Windows 10 PCs to request the BitLocker recovery key after installing the May 2025 security updates. This week, it also released the May 2026 Patch Tuesday security updates, covering 120 vulnerabilities, including 17 critical flaws.
Expert Take: Enterprise admins should audit BitLocker Group Policy settings for PCR7 compliance and remove the native UEFI TPM validation profile prior to future Patch Tuesday deployments to avoid triggering recovery on mixed Windows fleets.