Microsoft fixes BitLocker recovery issue for Windows 11

A BitLocker recovery boot loop has been reported after April 2026 security updates. Microsoft has only fixed it for Windows 11 25H2 so far.
One wrong turn after an update can turn a locked drive into a recovery screen, and Microsoft is now working through the fallout from a BitLocker problem affecting Windows systems after April 2026 security updates.
The issue was reported after some Windows 11 machines installed the April 2026 Windows security updates and then booted straight into BitLocker recovery. BitLocker is designed to protect storage drives by encrypting data, and recovery mode typically appears when the system detects changes in hardware or trust settings—such as updates involving the TPM (Trusted Platform Module)—that prevent the drive from being unlocked through normal means.
Microsoft acknowledged the problem on April 14 and said it affects devices running Windows 10, Windows 11, and Windows Server when they use an “unrecommended” BitLocker Group Policy configuration. In those cases, the company said, systems might be required to enter the BitLocker recovery key on the first restart after installing the update. The company’s phrasing pointed to a configuration mismatch rather than a broad failure of BitLocker itself.
Although the issue spans Windows client and server platforms, Microsoft indicated it is unlikely to hit typical personal devices. The reason is straightforward: the problematic BitLocker Group Policy settings are generally associated with enterprise environments, where systems are managed and configured by IT teams rather than end users.
Microsoft’s first fix came with a targeted update for newer Windows 11 systems. The company said the issue was addressed on Tuesday for Windows 11 25H2 via the KB5089549 cumulative update. For other affected platforms—Windows 10 and Windows Server—Microsoft said users will need to wait, with a permanent resolution planned for a future update.
In explaining what the fix targets, Microsoft pointed to boot file updates interacting with specific TPM validation settings. The company said the problem can occur when the system’s TPM validation settings include invalid PCR7 (Platform Configuration Register 7) configurations. Microsoft tied the trigger to the April 2026 security update (KB5083769), describing how updating boot files on systems with certain TPM validation profiles can lead to unexpected BitLocker recovery prompts.
Until fixes are available across all impacted platforms, Microsoft advised administrators to adjust the relevant Group Policy setting before deploying the April 2026 updates. Specifically, it recommends removing the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy configuration when preparing systems for the update rollout. Admins are also told to ensure that BitLocker bindings use the PCR7 profile by following Microsoft’s recommended steps.
For administrators, this matters because BitLocker recovery prompts are not just an inconvenience. They can interrupt device availability and delay access to encrypted storage, particularly in environments where devices are remotely managed or where recovery keys are stored and handled through enterprise processes. Even when a recovery key is available, the operational impact can be significant if the prompt appears at boot and requires manual intervention.
This is not the first time BitLocker recovery prompts have been triggered by Windows security updates. In August 2022, Windows devices were reported to get stuck at a BitLocker recovery prompt after installing the KB5012170 security update. That was followed by another Microsoft fix in August 2024, when an issue triggered recovery prompts after the July 2024 Windows security updates.
More recently, Microsoft issued out-of-band emergency updates in May 2025 to address a similar problem that caused Windows 10 PCs to request the BitLocker recovery key after installing the May 2025 security updates. The repeated pattern across different update cycles underscores how changes to boot-related components and trust validation settings can produce cascading effects on systems configured to enforce particular security profiles.
The timing now also overlaps with Microsoft’s broader security update cadence. This week, Microsoft released the May 2026 Patch Tuesday security updates, covering 120 vulnerabilities, including 17 marked as “critical.” While the BitLocker issue is a reliability and access problem rather than a vulnerability, it highlights how tightly security servicing, device trust mechanisms, and system boot behavior are intertwined for many enterprise deployments.
For Windows administrators watching the rollout closely, the message from Microsoft is clear: the immediate mitigation involves revisiting BitLocker Group Policy configuration and TPM validation profiles, while the permanent fix is rolling out first to Windows 11 25H2 and is later planned for Windows 10 and Windows Server. In the meantime, teams relying on uninterrupted access to encrypted drives will likely want to validate recovery-key readiness and monitor restart outcomes after applying the affected updates.
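The pre-flight check below is an added example, not Microsoft's guidance or any script it published. It pulls together the two things the article says to verify before rolling out the April 2026 update: whether the discouraged “Configure TPM platform validation profile for native UEFI firmware configurations” policy is applied, and whether the TPM protector is actually bound to a PCR7 profile, plus whether a recovery password protector exists at all. It assumes the policy lands at the registry key `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` (the mapping from the BitLocker ADMX) and that `manage-bde -protectors -get` prints the bound PCR list on the line after “PCR Validation Profile:”; both are assumptions, not facts from the article.

```powershell
# Added example (not Microsoft's code): BitLocker pre-update readiness check.
# Run from an elevated PowerShell session on a managed Windows client or server.
# ASSUMPTIONS: policy registry path below matches the BitLocker ADMX mapping;
# manage-bde lists bound PCRs on the line following "PCR Validation Profile:".
param([string]$MountPoint = 'C:')

$result = [ordered]@{ MountPoint = $MountPoint }

# 1. Is the discouraged Group Policy setting present on this machine?
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'   # assumed path
$result.UefiValidationPolicyConfigured = Test-Path $policyKey
$result.UefiValidationPolicyEnabled = $false
if ($result.UefiValidationPolicyConfigured) {
    $enabled = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Enabled
    $result.UefiValidationPolicyEnabled = ($enabled -eq 1)
}

# 2. Which PCRs is the TPM protector bound to? Parse manage-bde output.
$lines = & manage-bde.exe -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" }
$pcrLine = $null
for ($i = 0; $i -lt $lines.Count - 1; $i++) {
    if ($lines[$i] -match 'PCR Validation Profile:') {
        # A Secure Boot (PCR7) binding is typically listed as "7, 11" on the next line.
        $pcrLine = $lines[$i + 1]
        break
    }
}
$pcrs = @()
if ($pcrLine) {
    $pcrs = [regex]::Matches($pcrLine, '\d+') | ForEach-Object { [int]$_.Value }
}
$result.TpmPcrProfile = ($pcrs -join ',')
$result.BoundToPcr7   = ($pcrs -contains 7)

# 3. Recovery readiness: protection state and presence of a recovery password protector.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$result.ProtectionStatus    = "$($vol.ProtectionStatus)"
$recoveryProtectors         = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
$result.HasRecoveryPassword = ($recoveryProtectors.Count -gt 0)
$result.RecoveryProtectorIds = ($recoveryProtectors | ForEach-Object { $_.KeyProtectorId }) -join ';'

# 4. Verdict, using the article's mitigation criteria: no UEFI validation policy,
#    PCR7-based binding, and a recovery password that can be escrowed and looked up.
$result.ReadyForUpdate = (-not $result.UefiValidationPolicyConfigured) -and
                         $result.BoundToPcr7 -and
                         $result.HasRecoveryPassword

[pscustomobject]$result
```

A machine that reports `UefiValidationPolicyConfigured = True` or `BoundToPcr7 = False` is one where the article's mitigation has not yet been applied; a missing recovery password protector means a recovery prompt could not be satisfied from escrow at all. Once a recovery protector exists, its ID from `RecoveryProtectorIds` is what `Backup-BitLockerKeyProtector` (Active Directory) or `BackupToAAD-BitLockerKeyProtector` (Entra ID) takes to confirm the key is escrowed before the restart.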