VYPR
patch · Published May 13, 2026 · Updated May 18, 2026 · 1 source

Microsoft fixes BitLocker recovery issue only for Windows 11 users

Microsoft has addressed a BitLocker recovery boot issue with the KB5089549 cumulative update for Windows 11 25H2, but Windows 10 and Server users still lack a fix.

Microsoft has addressed a known issue causing some Windows 11 systems to boot into BitLocker recovery after installing the April 2026 Windows security updates. The fix is included in the KB5089549 cumulative update for Windows 11 25H2, but Windows 10 and Windows Server customers will need to wait for a permanent resolution, which is planned for a future update.

BitLocker is a Windows security feature that encrypts storage drives to protect against data theft. It often enters recovery mode after hardware changes or TPM (Trusted Platform Module) updates, blocking access to a protected drive that could not be unlocked through the normal TPM-based path until the recovery key is entered. The bug, triggered after installing the April 2026 security updates, affects devices with an unrecommended BitLocker Group Policy configuration that prompts for a recovery key on restart.

Microsoft acknowledged the issue on April 14, stating that it affects Windows 10, Windows 11, and Windows Server devices with an "unrecommended" BitLocker Group Policy configuration, and that it will prompt users to enter their BitLocker recovery key. "Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft said. While this issue also affects systems running Windows client platforms such as Windows 10 and Windows 11, Microsoft said it's unlikely to affect personal devices, since affected configurations are typically found only on enterprise systems managed by IT teams.

On Tuesday, Microsoft announced that it addressed the issue with the KB5089549 cumulative update for Windows 11 25H2, but Windows 10 and Windows Server customers will need to wait for a fix, as a permanent resolution is planned for a future update. "This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations. This might occur after installing the April 2026 security update (KB5083769)," it said.

Until a fix is available for all affected platforms, Windows admins are advised to remove the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy configuration before deploying the April 2026 updates, and to ensure that BitLocker bindings use the PCR7 profile by following Microsoft's documented steps.
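As an added example (not from the article and not Microsoft's own tooling), the following PowerShell audit script checks a single machine for the two conditions the workaround above depends on: whether the TPM platform validation policy is present, and whether the OS volume's TPM protector is actually bound to the PCR7 (Secure Boot) profile. It assumes the policy is stored under the `HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI` registry key and that `manage-bde -protectors -get` prints the PCR list on the line after the `PCR Validation Profile:` label; both the key name and the output layout are assumptions to verify against your own builds. The script only reports and changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added audit example; not from the article or from Microsoft.
# Assumptions (verify on a test machine):
#   - the "Configure TPM platform validation profile for native UEFI firmware
#     configurations" policy lives under the OSPlatformValidation_UEFI key
#   - manage-bde prints the PCR list on the line after "PCR Validation Profile:"

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Get-UefiValidationPolicy {
    # $null when the policy is Not Configured; otherwise the pushed-out values
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    Get-ItemProperty -Path $PolicyKey | Select-Object -Property * -ExcludeProperty PS*
}

function Get-PcrValidationProfile {
    param([string]$MountPoint = 'C:')
    # Expected layout (assumed):
    #     PCR Validation Profile:
    #       7, 11
    $lines = & manage-bde.exe -protectors -get $MountPoint 2>&1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            for ($j = $i + 1; $j -lt $lines.Count; $j++) {
                $m = [regex]::Match($lines[$j], '^\s*(\d+(?:\s*,\s*\d+)*)\s*$')
                if ($m.Success) {
                    return @($m.Groups[1].Value -split ',' | ForEach-Object { [int]$_.Trim() })
                }
            }
        }
    }
    return @()
}

function Test-BitLockerReadiness {
    param([string]$MountPoint = 'C:')
    $policy = Get-UefiValidationPolicy
    $pcrs   = Get-PcrValidationProfile -MountPoint $MountPoint
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    # A recovery password protector is what gets you back in if the TPM
    # binding does break after the update, so its presence is reported too.
    $hasRecoveryPassword = [bool]($volume.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        MountPoint             = $MountPoint
        PolicyConfigured       = ($null -ne $policy)
        PcrProfile             = ($pcrs -join ',')
        UsesPcr7SecureBoot     = ($pcrs -contains 7)
        RecoveryPasswordExists = $hasRecoveryPassword
    }
}

$result = Test-BitLockerReadiness
$result | Format-List

if ($result.PolicyConfigured) {
    Write-Warning 'TPM platform validation policy is set; remove it (Not Configured) before deploying the April 2026 updates.'
}
if (-not $result.UsesPcr7SecureBoot) {
    Write-Warning 'OS volume TPM protector does not use the PCR7 profile; check its binding after the policy is removed.'
}
if (-not $result.RecoveryPasswordExists) {
    Write-Warning 'No recovery password protector found; add and escrow one before rebooting.'
}
```

Run it on a representative managed device before the update ring goes out; a `PolicyConfigured` of `True` or `UsesPcr7SecureBoot` of `False` is the combination the article's workaround is meant to remove. On domain-joined machines the policy key is re-applied by Group Policy, so the removal has to happen in the GPO rather than in the local registry.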

This is not the first time BitLocker recovery issues have plagued Windows users. In August 2022, Windows devices became stuck at a BitLocker recovery prompt after installing the KB5012170 security update. Two years later, in August 2024, Microsoft fixed another known issue that triggered BitLocker recovery prompts after installing the July 2024 Windows security updates. More recently, in May 2025, Microsoft issued out-of-band emergency updates to address a similar issue that caused Windows 10 PCs to request the BitLocker recovery key after installing the May 2025 security updates.

This week, Microsoft also released the May 2026 Patch Tuesday security updates, covering 120 vulnerabilities, including 17 "critical" flaws. The BitLocker fix for Windows 11 is part of that release, but the incomplete coverage across platforms leaves many enterprise environments still vulnerable to the recovery boot loop.

Synthesized by Vypr AI