Microsoft has confirmed that the April 2026 security update for Windows 11, KB5083769, released on April 14, is causing some devices to boot directly into the BitLocker recovery screen instead of the desktop. Affected users must enter their BitLocker recovery key before the system can start normally.
Microsoft says this is a one-time issue and future restarts after entering the key should proceed normally. The issue appears to only affect devices with a specific combination of BitLocker and Secure Boot settings, and most users who installed the update are not affected.
What triggers the problem
A BitLocker recovery prompt appears on the device when several conditions are met:
- BitLocker is enabled on the operating system drive, and the Group Policy setting that configures the TPM platform validation profile includes PCR 7 in the profile.
- System Information shows “Secure Boot State PCR7 Binding” as “Not Possible”. In addition, the UEFI CA 2023 certificate must be present in the Secure Boot signature database (db), and the device must not already be running a Windows Boot Manager signed with the 2023 certificate.
Microsoft considers this combination a “not recommended” BitLocker configuration, and it is what can trigger this behavior.
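The conditions above can be checked before the update lands. The following PowerShell script is an added example (not from the article, and not a Microsoft tool) that reports, read-only, whether a device matches the described combination: BitLocker on the OS drive with a TPM protector, the PCR-profile policy including PCR 7, Secure Boot with the 2023 CA in db, the msinfo32 PCR7 field (which msinfo32 labels “PCR7 Configuration”), and whether the boot manager on the EFI system partition is already 2023-signed. The registry location of the policy, the msinfo32 field label and report layout, the issuer names used to recognise a 2023-signed boot manager, and the S: drive letter are assumptions.

```powershell
#Requires -RunAsAdministrator
# Read-only pre-check for the KB5083769 BitLocker recovery conditions.
# Added example, not from the article or from Microsoft. Assumptions are marked.

# --- 1. BitLocker on the OS drive, protected by the TPM ---------------------
$osVol        = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlockerOn  = $osVol.ProtectionStatus -eq 'On'
$tpmProtector = [bool]($osVol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

# --- 2. Group Policy TPM platform validation profile (native UEFI) ----------
# Assumption: when the policy is Enabled, gpedit stores it under this key with
# one DWORD per PCR index ("0","2","4","7","11"); 1 means the PCR is included.
$polKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$policyEnabled = $false
$pcr7InProfile = $false
if (Test-Path $polKey) {
    $pol           = Get-ItemProperty -Path $polKey
    $policyEnabled = $pol.Enabled -eq 1
    $pcr7InProfile = $pol.'7' -eq 1
}

# --- 3. Secure Boot on, and the 2023 CA present in the db variable ---------
# db entries are DER-encoded certificates, so the subject CN appears as plain
# ASCII bytes and a substring match on the decoded bytes is enough.
$secureBoot = $false
$ca2023InDb = $false
try {
    $secureBoot = Confirm-SecureBootUEFI
    $dbText     = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $ca2023InDb = $dbText -match 'Windows UEFI CA 2023'
} catch {
    Write-Warning "Could not read Secure Boot variables: $_"
}

# --- 4. msinfo32 "PCR7 Configuration" (the field the article refers to) -----
# No cmdlet exposes this, so export the msinfo32 report and parse it.
# Assumption: English field label; the /report output is tab-separated.
$report = Join-Path $env:TEMP 'pcr7-check.txt'
Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
$pcr7Line    = Select-String -Path $report -Pattern 'PCR7' | Select-Object -First 1
$pcr7Binding = if ($pcr7Line) { ($pcr7Line.Line -split "`t")[-1].Trim() } else { 'Unknown' }
Remove-Item -Path $report -ErrorAction SilentlyContinue

# --- 5. Is the boot manager on the EFI System Partition already 2023-signed? -
# Assumption: a 2023-signed bootmgfw.efi carries a signer certificate issued by
# "Windows UEFI CA 2023"; the older one is issued by "Microsoft Windows
# Production PCA 2011". The ESP is mounted temporarily on S: and then released.
$bootMgr2023 = $false
$esp = 'S:'
if (-not (Test-Path $esp)) {
    mountvol $esp /S | Out-Null
    try {
        $sig         = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        $bootMgr2023 = $sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023'
    } finally {
        mountvol $esp /D | Out-Null
    }
} else {
    Write-Warning "$esp is in use; skipping the boot manager signature check."
}

# --- 6. Verdict: all conditions from the advisory must hold at once ---------
$atRisk = $bitlockerOn -and $tpmProtector -and $policyEnabled -and $pcr7InProfile -and
          $secureBoot -and $ca2023InDb -and ($pcr7Binding -match 'Not Possible') -and
          -not $bootMgr2023

[pscustomobject]@{
    BitLockerOn           = $bitlockerOn
    TpmProtectorPresent   = $tpmProtector
    PcrPolicyEnabled      = $policyEnabled
    Pcr7InPolicyProfile   = $pcr7InProfile
    SecureBootEnabled     = $secureBoot
    WindowsUefiCa2023InDb = $ca2023InDb
    Pcr7Binding           = $pcr7Binding
    BootManagerSigned2023 = $bootMgr2023
    MatchesKnownIssue     = $atRisk
} | Format-List
```

Run it from an elevated PowerShell session on the device itself. Every input defaults to “not matched” when it cannot be read, so a device the script could not fully inspect is never flagged; treat any warning it prints as “check that item manually” rather than as a clean result.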
How to recover if your PC boots into BitLocker recovery
Users already at the BitLocker recovery screen need their recovery key to continue. They can find the key in their Microsoft account on a different device by matching the PC name and key ID shown on the recovery screen.
Once the key is entered and the user clicks “Continue”, the system will boot to the desktop and will not ask for the key again on subsequent restarts.
How to prevent the recovery prompt before KB5083769 installs
Users who have not yet installed KB5083769 and want to avoid the recovery prompt can proactively reset the Group Policy configuration. To do this, search for ‘gpedit’ in the Start menu and open the Group Policy Editor.
Then, navigate to Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drive.
Right-click on “Configure TPM Platform Verification Profile for Basic UEFI Firmware Configuration” and select Edit.
Change the setting to Not Configured, then click Apply and OK. Next, open Command Prompt as administrator and run the following command:
manage-bde -protectors -enable C:
This process reassigns BitLocker to the default PCR profile and prevents the recovery screen from appearing after the update is installed.
Business users who cannot modify Group Policy settings can contact Microsoft for a Known Issue Rollback, which can undo the faulty configuration.