Microsoft’s April 2026 Windows 11 update has sparked a BitLocker recovery prompt on a subset of PCs. The glitch appears only when BitLocker is enabled and a specific Group Policy—“Configure TPM platform validation profile for native UEFI firmware configurations”—includes PCR7. Users meeting this rare setup see a password prompt during boot, but only once for initial startup recovery after.

The issue hinges on a chain of conditions: BitLocker must be active, the TPM register PCR7 must be in the validation profile, msinfo32 must report Secure Boot State PC47 Binding as “Not Possible,” and the Windows UEFI CA 2023 certificate must reside in the device’s Secure Boot DB. Only when all align does the BitLocker Recovery environment trigger on startup.

Microsoft recommends deleting the PCR7 Group Policy before deploying the update, or applying a Known Issue Rollback (KIR) if removal isn’t feasible. The company plans a fix in the next Windows 11 release, but the problem’s limited scope means its impact remains modest compared to past global rollouts. End users with standard builds are unlikely to experience the prompt today.