Microsoft has confirmed that the Windows 11 April 2026 security update KB5083769, released on April 14, causes some devices to boot directly to the BitLocker recovery screen instead of going to the desktop. Affected users need to enter the BitLocker recovery key for the system to start normally.
Microsoft states that this is a one-time issue and that future restarts should proceed normally after the key is entered. It appears that the problem only affects devices with a specific combination of BitLocker and Secure Boot settings, and most users who installed the update are not affected.
Causes Triggering the Issue
The BitLocker recovery prompt appears under several conditions on a device:
- BitLocker must be enabled on the operating system drive, and the Group Policy setting for the TPM platform validation profile must include PCR7.
- In System Information, Secure Boot State reads Not Possible for PCR7 Binding. Additionally, the Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database (db), and the device is not yet running a 2023-signed Windows boot loader.
Microsoft attributes the behavior to a misconfigured BitLocker setup: a policy that demands PCR7 on a device where PCR7 binding is not possible.
How to Recover If You Boot to the BitLocker Recovery Screen
Users on the BitLocker recovery screen need the recovery key to proceed. They can look it up from a separate device by matching the PC name and Key ID shown on the recovery screen against the keys stored in their Microsoft account.
After entering the key and clicking the continue button, the system will boot to the desktop and will not ask for the key again on subsequent restarts.
How to Prevent Before Installing KB5083769
Users who have not yet installed KB5083769 and want to avoid the recovery prompt can proactively reset the Group Policy configuration. To do this, open the Group Policy Editor by searching for 'gpedit' in the Start menu.
Then, navigate to Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives.
Right-click on the TPM platform validation profile for local UEFI firmware configurations and select Edit.
Change the setting to Not Configured, then click Apply and OK. Next, open Command Prompt as an administrator and run this command: manage-bde -protectors -enable C:
This process rebinds BitLocker to the default PCR profile and prevents the recovery screen from appearing after the update is installed.
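As an added example, not code from the article or from Microsoft, the following PowerShell script checks an individual device against the conditions listed above before KB5083769 is installed, and optionally runs the rebind command from the procedure. It assumes an elevated prompt, that the output of manage-bde -protectors -get C: contains a "PCR Validation Profile:" section, that the Secure Boot db can be read with Get-SecureBootUEFI, that drive letter S: is free for mounting the EFI system partition, and that the Group Policy setting is stored under the registry key HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI (that key path is an assumption and should be verified against the ADMX on your build). The "Not Possible for PCR7 Binding" state is not read programmatically here; confirm it in System Information.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): pre-check for the KB5083769 BitLocker
# recovery conditions described in the article, plus an optional rebind step.
param([switch]$Rebind)   # -Rebind runs the article's manage-bde command

function Get-OsDrivePcrProfile {
    # Parse the PCR numbers BitLocker is currently bound to for C:.
    $out = & manage-bde.exe -protectors -get C: 2>&1 | Out-String
    if ($out -match 'PCR Validation Profile:\s*\r?\n\s*([\d,\s]+)') {
        return @($Matches[1] -split '[,\s]+' | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
    }
    return @()
}

function Test-PolicyRequestsPcr7 {
    # Assumption: the Group Policy "TPM platform validation profile for native UEFI
    # firmware configurations" writes Enabled=1 and PCR7=1 under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (-not (Test-Path $key)) { return $false }   # Not Configured
    $p = Get-ItemProperty -Path $key
    return ($p.Enabled -eq 1) -and ($p.PCR7 -eq 1)
}

function Test-Uefi2023CaInDb {
    # db stores raw certificates; the CA subject name is visible in its ASCII bytes.
    try { $db = (Get-SecureBootUEFI -Name db).Bytes } catch { return $null }
    return ([System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023')
}

function Test-BootManagerSigned2023 {
    param([string]$EspDrive = 'S:')   # assumed free drive letter
    & mountvol.exe $EspDrive /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$EspDrive\EFI\Microsoft\Boot\bootmgfw.efi"
        return ($sig.SignerCertificate.Subject -match 'Windows UEFI CA 2023')
    } finally {
        & mountvol.exe $EspDrive /D | Out-Null
    }
}

$bl         = Get-BitLockerVolume -MountPoint 'C:'
$blOn       = ($bl.ProtectionStatus -eq 'On')
$policyPcr7 = Test-PolicyRequestsPcr7
$boundPcrs  = Get-OsDrivePcrProfile
$ca2023     = Test-Uefi2023CaInDb
$bootMgr23  = Test-BootManagerSigned2023

[PSCustomObject]@{
    BitLockerOn            = $blOn
    PolicyRequestsPcr7     = $policyPcr7
    CurrentlyBoundPcrs     = ($boundPcrs -join ',')
    UefiCa2023InDb         = $ca2023
    BootManagerSigned2023  = $bootMgr23
    ConfirmInMsinfo32      = 'Secure Boot State: Not Possible for PCR7 Binding'
} | Format-List

# Exposed when the policy asks for PCR7, the 2023 CA is in db, and the boot
# manager is not yet 2023-signed. A current profile without 7 (e.g. 0,2,4,11)
# while policy requests 7 is the fallback that signals PCR7 binding failed.
$exposed = $blOn -and $policyPcr7 -and ($ca2023 -eq $true) -and (-not $bootMgr23)
if ($exposed) {
    Write-Warning 'This device matches the KB5083769 recovery-prompt conditions.'
    Write-Host 'Set the TPM platform validation profile policy to Not Configured, then rebind:'
    Write-Host '  manage-bde -protectors -enable C:'
    if ($Rebind) {
        if (Test-PolicyRequestsPcr7) {
            Write-Warning 'Policy still requests PCR7; change it to Not Configured first.'
        } else {
            & manage-bde.exe -protectors -enable C:
        }
    }
} else {
    Write-Host 'No exposure detected for the listed conditions (verify PCR7 state in msinfo32).'
}
```

Run it once without switches to see the per-condition report, change the policy as the article describes, then run it again with -Rebind; the script refuses to rebind while the policy still requests PCR7 so the default profile is what gets sealed.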
Commercial users who cannot change Group Policy settings can contact Microsoft for the Known Issue Rollback update that can revert the misconfiguration.