[UPDATE] Windows 11 KB5083769 & KB5082052 Incorrectly Trigger BitLocker Recovery Prompts

Workarounds available, permanent fix is apparently on the way



[UPDATE: April 22, 2026 | 15:45 IST] Microsoft has reportedly removed the second workaround, which involved applying a Known Issue Rollback (KIR) before installation to avoid the issue. As of now, there’s no explanation for why the workaround has been removed. However, it’s possible that the workaround wasn’t effective in addressing the problem. The company has previously confirmed that it is working on a fix, which should be released in a future update.


[ORIGINAL STORY] Yesterday, Microsoft released April 2026 Patch Tuesday updates for Windows 11 version 23H2 and 24H2/25H2 under KB5082052 and KB5083769, respectively. While the update brings a mix of security improvements across Secure Boot and networking, and fixes Reset this PC issues, it also introduces a BitLocker-related complication for a limited set of Windows 11 devices. Note that Windows 10 systems with KB5082200 installed, as well as Windows Server 2022 and 2025, are also affected by this issue.

Microsoft confirms BitLocker recovery trigger in select Windows 11 systems after latest Patch Tuesday update

The company says some devices may unexpectedly prompt users to enter their BitLocker recovery key after the first restart following installation. However, Microsoft confirms that this only affects systems with a very specific configuration, mostly seen in enterprise-managed environments rather than personal PCs.

The issue occurs when BitLocker is enabled on the OS drive and a particular Group Policy setting is active, specifically the “Configure TPM platform validation profile for native UEFI firmware configurations” option with PCR7 included. The problem becomes more likely when Secure Boot reports PCR7 Binding as “Not Possible,” and when the device is eligible for the Windows UEFI CA 2023 certificate but is not yet using the 2023-signed Windows Boot Manager.

In these cases, users may be asked to enter their recovery key once, after which normal restarts continue without further prompts, as long as system policies remain unchanged.

Microsoft recommends that IT administrators audit BitLocker Group Policy configurations before deploying the update. Specifically, systems using explicit PCR7 validation profiles should be reviewed using tools like msinfo32 to check Secure Boot status.
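The audit described above can be scripted per device. The following PowerShell is an added example, not Microsoft's or Windows Report's code; it assumes C: is the OS drive, English-language manage-bde output, and that the Group Policy setting is stored under the registry path shown (an assumption to confirm in your environment).

```powershell
# Added audit example. Run from an elevated PowerShell session on the device.
$drive  = 'C:'                                                              # assumed OS drive
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI' # assumed policy path

# 1. Is BitLocker protection active on the OS drive?
$vol       = Get-BitLockerVolume -MountPoint $drive
$protected = ($vol.ProtectionStatus -eq 'On')

# 2. Is the explicit UEFI PCR validation profile policy enabled with PCR7 selected?
$pol           = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$policyEnabled = ($null -ne $pol) -and ($pol.Enabled -eq 1)
$policyPcr7    = $policyEnabled -and ($pol.'7' -eq 1)

# 3. Secure Boot state (the cmdlet throws on non-UEFI firmware).
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $null }

# 4. PCRs the TPM protector is currently bound to, parsed from manage-bde.
#    The numbers may sit on the header line or on the line after it.
$hit = manage-bde -protectors -get $drive |
       Select-String -Pattern 'PCR Validation Profile' -Context 0,1 |
       Select-Object -First 1
$boundPcrs = @()
if ($hit) {
    $text      = $hit.Line + ' ' + ($hit.Context.PostContext -join ' ')
    $boundPcrs = [regex]::Matches($text, '\b\d+\b') | ForEach-Object { [int]$_.Value }
}

# 5. Report. A device matches the documented configuration when BitLocker is on
#    and the policy explicitly includes PCR7.
$report = [pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    BitLockerOn        = $protected
    PolicyForcesPcr7   = $policyPcr7
    SecureBootEnabled  = $secureBoot
    BoundPcrs          = ($boundPcrs -join ', ')
    ReviewBeforeUpdate = ($protected -and $policyPcr7)
}
$report | Format-List

if ($report.ReviewBeforeUpdate) {
    Write-Warning ("Explicit PCR7 profile found. Check the PCR7 binding status in " +
                   "msinfo32 and confirm the recovery key is escrowed before patching.")
}
```

The script does not read the PCR7 binding status itself; that value still has to be checked in msinfo32 as Microsoft advises.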

The company shares two workarounds, while also promising a permanent fix in a future update

The company has further suggested two workarounds. The first involves removing the conflicting Group Policy setting, forcing a policy update using gpupdate /force, and temporarily suspending and re-enabling BitLocker protection on the system drive. Here are the steps shared by the company:

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Set “Configure TPM platform validation profile for native UEFI firmware configurations” to “Not Configured”.
  4. Run the following command on affected devices to propagate the policy change: gpupdate /force
  5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C: 
  6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C: 
  7. This updates the BitLocker bindings to use the Windows-selected default PCR profile.

The second option is applying a Known Issue Rollback (KIR) before installation, which prevents the trigger condition entirely for affected systems. The company notes, “A Known Issue Rollback (KIR) is available for customers who cannot remove the PCR7 group policy before deploying this update. The KIR prevents the automatic switch to the 2023 Boot Manager, avoiding the BitLocker recovery trigger. The KIR should be deployed before installing the update on affected devices. Contact Microsoft’s Support for business to obtain this KIR.”

Microsoft says a permanent fix is already in development and will be included in a future Windows update.
