Microsoft Warns New Windows Update Can Ask Some Users for BitLocker Recovery Key

Microsoft has confirmed that a recent Windows security update can cause some PCs to open the BitLocker recovery screen after restart instead of loading Windows normally. If that happens, users must enter the BitLocker recovery key before they can access the system again.

The issue does not affect every device. Microsoft says it only occurs on systems with a specific combination of BitLocker, TPM, and Secure Boot settings. Most home PCs are unlikely to see the problem, because the triggering Group Policy setting is normally applied only by IT administrators; company-managed and school-managed systems therefore face a higher chance of being affected.

The update is still worth installing: Microsoft says it fixes more than 160 security vulnerabilities, including critical flaws and at least one issue that is already being actively exploited.

Systems Most Likely to Be Affected

Microsoft says the issue can happen when all of these conditions are present:

  • BitLocker is enabled on the Windows drive.
  • The Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled.
  • PCR7 is included in the validation profile.
  • System Information (msinfo32.exe) shows the PCR7 Configuration item (listed next to Secure Boot State) as Binding Not Possible.
  • The Windows UEFI CA 2023 certificate is installed in Secure Boot.
  • The PC is not already using the newer 2023-signed Windows Boot Manager.

If those conditions are met, the first restart after installing the update may ask for the BitLocker recovery key.

Temporary Workaround From Microsoft

Microsoft has published a temporary workaround for administrators to use until a permanent fix ships:

  1. Open the Local Group Policy Editor (gpedit.msc) or, for domain-joined devices, the Group Policy Management Console.
  2. Go to:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  3. Set Configure TPM platform validation profile for native UEFI firmware configurations to Not Configured.
  4. Run this command to refresh the policy:

gpupdate /force

  5. Run this command to suspend BitLocker protection on drive C:

manage-bde -protectors -disable C:

  6. Run this command to resume BitLocker protection:

manage-bde -protectors -enable C:

Microsoft says this rebuilds BitLocker bindings with the default PCR profile.
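The following script is an added example written for this page, not a Microsoft-supplied tool. It checks the six conditions above on the local machine, writes the recovery password to a file before any protector is touched (a practitioner should never suspend and resume protectors without first confirming the recovery key is retrievable), and only with -Apply runs the gpupdate and manage-bde steps from the workaround. It assumes an elevated PowerShell session, that the OS drive is C:, that the Group Policy setting writes to HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI (confirm against your ADMX), that drive letter S: is free for temporarily mounting the EFI system partition, and a backup path of its own choosing; the policy itself must still be set to Not Configured in gpedit.msc or GPMC before -Apply is used, otherwise gpupdate simply reapplies the old profile on domain-joined devices.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): report whether this machine matches the
# six advisory conditions, back up the BitLocker recovery password, then rebind.
param(
    [string]$OsDrive = 'C:',                                                   # assumed OS drive
    [string]$KeyBackupPath = "$env:ProgramData\bitlocker-recovery-$env:COMPUTERNAME.txt",  # assumed location
    [switch]$Apply                                                             # without -Apply, report only
)
$ErrorActionPreference = 'Stop'

# Assumed registry location written by the "Configure TPM platform validation
# profile for native UEFI firmware configurations" policy; PCRs appear as values "0".."23".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$ok = @{}

# 1. BitLocker is enabled on the OS drive
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$ok['BitLockerOn'] = ($vol.ProtectionStatus -eq 'On')

# 2 and 3. The UEFI validation profile policy is enabled and PCR7 is selected in it
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$ok['UefiProfilePolicy'] = ($null -ne $policy -and $policy.Enabled -eq 1)
$ok['Pcr7InProfile']     = ($null -ne $policy -and $policy.'7' -eq 1)

# 4. msinfo32 reports PCR7 binding as not possible (/report writes the same text the GUI shows)
$report = Join-Path $env:TEMP 'msinfo32-report.txt'
Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
$pcr7Line = Get-Content -Path $report | Where-Object { $_ -match 'PCR7 Configuration' } | Select-Object -First 1
$ok['Pcr7BindingNotPossible'] = ($pcr7Line -match 'Binding Not Possible')

# 5. The Windows UEFI CA 2023 certificate is present in the Secure Boot db variable
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$ok['Ca2023InDb'] = ($db -match 'Windows UEFI CA 2023')

# 6. The active boot manager is not yet signed under the 2023 CA
#    (mount the EFI system partition on S:, inspect the Authenticode issuer, unmount)
& mountvol S: /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    $ok['BootMgrNot2023'] = ($sig.SignerCertificate.Issuer -notmatch 'Windows UEFI CA 2023')
} finally {
    & mountvol S: /D | Out-Null
}

$ok.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-24} {1}' -f $_.Name, $_.Value }
$affected = ($ok.Values -notcontains $false)
"All six conditions present: $affected"
if (-not $affected) { return }

# Get the recovery password out BEFORE suspending protectors, so a failed rebind is survivable.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) { throw "No recovery password protector on $OsDrive; add one (manage-bde -protectors -add $OsDrive -RecoveryPassword) first." }
$rp | ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" } | Set-Content -Path $KeyBackupPath
"Recovery password written to $KeyBackupPath"
"Escrow it as well: Backup-BitLockerKeyProtector (Active Directory) or BackupToAAD-BitLockerKeyProtector (Entra ID)."

if (-not $Apply) { return }
# Workaround steps 4 to 6 from the advisory: refresh policy, then rebuild the TPM binding
# with the default PCR profile by suspending and resuming protection.
& gpupdate /force
& manage-bde -protectors -disable $OsDrive
& manage-bde -protectors -enable $OsDrive
```

Run it once without -Apply to see which conditions hold; a machine that reports False on any line is outside the advisory's scope and needs no change. The Authenticode check is the same test Microsoft documents for the boot manager transition: a 2011-signed bootmgfw.efi shows Microsoft Windows Production PCA 2011 as the issuer, a 2023-signed one shows Windows UEFI CA 2023. Keep the backup file off the encrypted volume it protects, or the key is unreachable exactly when it is needed.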

If You Are Already Locked Out

Users already stuck on the recovery screen should first look for their BitLocker recovery key before attempting broader Windows repair steps.

  • Personal devices often have the key saved to the owner's Microsoft account; it can be viewed from another device at https://account.microsoft.com/devices/recoverykey.
  • Work or school devices may have it escrowed in Active Directory, Microsoft Entra ID, or internal IT systems, so the help desk should be able to look it up by the Key ID shown on the recovery screen.

Microsoft says a permanent fix will arrive in a future Windows update.

The issue can affect Windows 11, Windows 10, Windows Server 2025, and Windows Server 2022 systems that match the configuration above.
