Windows 11 April 2026 Update KB5083769 Triggers BitLocker Recovery Screen on Some PCs — Causes, Fix & Prevention Guide

Microsoft has confirmed that the April 2026 security update for Windows 11, designated KB5083769, is triggering BitLocker recovery screens on a small subset of devices. The update, released on April 14, 2026, is causing affected systems to boot directly into the BitLocker recovery interface instead of the normal desktop environment, requiring users to enter their recovery key to regain access.

According to Microsoft’s official support documentation for KB5083769, this behavior is linked to specific BitLocker and Secure Boot configurations that the company characterizes as “unrecommended.” The issue does not affect the majority of users installing the update, and Microsoft states that once the recovery key is entered and the system boots successfully, subsequent restarts will not prompt for the key again.

The problem stems from a combination of conditions involving BitLocker encryption, Group Policy settings for TPM validation, and Secure Boot state reporting. Microsoft has provided detailed guidance on both preventing the issue before installation and recovering from it if a device is already affected.

What Triggers the BitLocker Recovery Prompt

Microsoft identifies two primary conditions that must be present for the KB5083769 update to trigger a BitLocker recovery screen. First, BitLocker must be enabled on the operating system drive, and the Group Policy setting “Configure TPM platform validation profile for native UEFI firmware configurations” must include PCR7 in the validation profile.

Second, the device’s System Information must display “Secure Boot State PCR7 Binding” as “Not Possible,” the UEFI CA 2023 certificate must be present in the Secure Boot Signature Database (DB), and the device must not already be running the 2023-signed Windows Boot Manager. When these specific configurations coincide, the update can cause the system to fail BitLocker validation during boot, forcing entry into recovery mode.

These requirements were outlined in Microsoft’s official changelog for KB5083769, which notes that the update includes improvements from prior monthly releases but also introduces this known issue for devices with the described configuration. The company emphasizes that this setup is not recommended for standard deployments.
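
A pre-install check for the trigger conditions described above, as an added example (not Microsoft's code and not part of the original article). It assumes an elevated PowerShell session on an English-language system; the registry location used for the Group Policy setting is an assumption to confirm against VolumeEncryption.admx, the function and output property names are hypothetical, and the 2023-signed Windows Boot Manager condition is not checked.

```powershell
# Added example: reports which KB5083769 trigger conditions hold on this PC.
# Run elevated. Function and output property names are hypothetical.
function Test-KB5083769RecoveryRisk {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # BitLocker state of the OS drive, plus the recovery key IDs to confirm
    # against the escrowed keys before installing the update.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $recoveryIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    # Policy "Configure TPM platform validation profile for native UEFI
    # firmware configurations" enabled with PCR7 selected.
    # ASSUMPTION: registry location and value names; verify in VolumeEncryption.admx.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $policyPcr7 = ($null -ne $pol) -and ($pol.Enabled -eq 1) -and ($pol.'7' -eq 1)

    # PCR7 binding state as shown in System Information (slow; the text match
    # assumes an English-language report).
    $report = Join-Path $env:TEMP 'msinfo-pcr7.txt'
    Start-Process msinfo32.exe -ArgumentList '/report', "`"$report`"" -Wait
    $pcr7 = Select-String -Path $report -Pattern 'PCR7' | Select-Object -First 1
    $notPossible = ($null -ne $pcr7) -and ($pcr7.Line -match 'Not Possible')
    Remove-Item -Path $report -ErrorAction SilentlyContinue

    # 2023 CA present in the Secure Boot Signature Database (DB).
    $caInDb = $false
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $caInDb = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
    } catch {
        Write-Verbose "Secure Boot DB not readable: $($_.Exception.Message)"
    }

    $bitLockerOn = $vol.ProtectionStatus -eq 'On'
    [pscustomobject]@{
        BitLockerOn            = $bitLockerOn
        PolicySelectsPcr7      = $policyPcr7
        Pcr7BindingNotPossible = $notPossible
        Ca2023InSecureBootDb   = $caInDb
        BootManager2023Signed  = 'not checked'
        RecoveryKeyIds         = $recoveryIds
        CheckedConditionsMet   = $bitLockerOn -and $policyPcr7 -and $notPossible -and $caInDb
    }
}

Test-KB5083769RecoveryRisk -Verbose | Format-List
```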

How to Recover from the BitLocker Recovery Screen

If a PC boots to the BitLocker recovery screen after installing KB5083769, users must enter their 48-digit BitLocker recovery key to proceed. This key can be retrieved from the Microsoft account associated with the device by signing in from another trusted device and navigating to the account’s device management section, where recovery keys are stored.

On the recovery screen, users should locate the Key ID displayed and match it to the corresponding key in their Microsoft account. Once the correct key is entered and the user selects “Continue,” the system will boot to the desktop. Microsoft confirms that after this successful boot, the recovery prompt will not reappear on future restarts, characterizing the issue as a one-time occurrence per affected device.

How to Prevent the Issue Before Installing KB5083769

Users who have not yet installed KB5083769 and wish to avoid the recovery screen can take preventive steps by adjusting the relevant Group Policy setting. To do this, open the Group Policy Editor by typing “gpedit” in the Start menu search bar and launching the application.

Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Locate the policy titled “Configure TPM platform validation profile for native UEFI firmware configurations,” right-click it, and select Edit. Change the setting to “Not configured,” then click Apply and OK to save the change.

After adjusting the policy, open an elevated Command Prompt (run as administrator) and execute the following command:

    manage-bde -protectors -enable C:

This command rebinds BitLocker to the default TPM validation profile, aligning the encryption protectors with the system’s expected Secure Boot state and preventing the validation failure that triggers recovery mode.

For commercial or enterprise users who lack permission to modify Group Policy settings due to organizational controls, Microsoft offers an alternative: contacting support for a Known Issue Rollback update. This specialized update can revert the problematic configuration introduced by KB5083769 without requiring local policy changes.

Context: Secure Boot and Certificate Updates in 2026

This BitLocker issue occurs amid broader changes to Windows Secure Boot infrastructure. Microsoft has previously warned that Secure Boot certificates used by most Windows devices are set to expire starting in June 2026, which could affect secure boot capability if devices are not updated in time. The company has advised users to review guidance on certificate expiration and take preparatory actions well before the deadline.

The UEFI CA 2023 certificate, mentioned in the trigger conditions for the BitLocker issue, is part of Microsoft’s ongoing effort to maintain a trusted boot ecosystem. Devices eligible for Secure Boot updates must have this certificate present in their Signature Database to validate the Windows Boot Manager and other early-launch components.

Microsoft continues to monitor reports related to KB5083769 and has committed to providing updates through the Windows release health dashboard and official support channels. Users experiencing persistent issues beyond the recovery key prompt are encouraged to seek assistance via Microsoft Support or their organization’s IT department.

As Microsoft advances its continuous innovation model for Windows 11, updates like KB5083769 deliver cumulative security and quality improvements. Yet, the company acknowledges that even well-tested releases can interact unexpectedly with specific hardware and software configurations, underscoring the importance of clear communication and accessible remediation paths when issues arise.

For the most current information on KB5083769, including any future updates to the known issue documentation, users should consult the official Microsoft Support page for the update or visit the Windows 11 release health dashboard.
