A wave of frustration swept through some Windows 11 users immediately following April’s security update. The latest patch, designated KB5083769, unexpectedly began demanding a BitLocker recovery key, effectively locking people out of their own computers.
For those without the crucial key readily available, access became impossible. Microsoft quickly acknowledged the problem, confirming that a specific, though uncommon, configuration was to blame.
The issue centers around a particular set of circumstances, primarily affecting systems with specific BitLocker Group Policy settings. These configurations are far more likely to be found in managed corporate environments than on personal devices.
To be affected, a device must meet all five of these conditions: BitLocker must be enabled on the operating system drive, a specific Group Policy must be configured including PCR7 validation, System Information must report a “Not Possible” Secure Boot State, the Windows UEFI CA 2023 certificate must be present, and the device must not already be running the 2023-signed Windows Boot Manager.
Essentially, the problem arises from a complex interplay of security features and update components. The immediate solution for those locked out is to enter their BitLocker recovery key – a task that requires prior foresight or access to IT support.
If the recovery key is lost or unavailable, contacting the IT department is the only recourse. Microsoft has also provided guidance for IT professionals to address and resolve the issue within their organizations.
A temporary workaround exists in the form of a “Known Issue Rollback,” allowing users to remove the problematic update (KB5083769 or KB5082052). However, this rollback reintroduces the security vulnerabilities that the update was designed to fix, creating a trade-off between access and protection.