Microsoft confirms Windows 11 KB5083769, KB5082052 wrongly forcing BitLocker recovery

Microsoft this week released its latest Patch Tuesday update, the one for April 2026. On Windows 11, delivered as KB5083769 and KB5082052, the update brings a major Remote Desktop-related change, among other things (read the changelog in full in the linked article above).

While Microsoft initially reported no known issues with this Patch Tuesday, the company has since added that all systems that received the updates are affected by a BitLocker-related issue. That covers Windows 11, Windows 10 (KB5082200), Windows Server 2025 and Windows Server 2022.

The company explains that the issue is caused by a BitLocker Group Policy configuration it does not recommend, which triggers a BitLocker recovery key prompt on affected systems. The good news, according to Microsoft, is that the recovery key only has to be entered once, and only a limited number of systems appear to be affected. A device has to meet all of the following criteria:

  • BitLocker is enabled on the OS drive.

  • The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).

  • System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible".

  • The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database (DB), making the device eligible for the 2023-signed Windows Boot Manager to be made the default.

  • The device is not already running the 2023-signed Windows Boot Manager.

Microsoft has also published the following workaround, which lets an admin or user remove the problematic Group Policy configuration before installing the Windows update. This is also the recommended solution. It writes:

  1. Open Group Policy Editor (gpedit.msc) or your Group Policy Management Console.
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  3. Set "Configure TPM platform validation profile for native UEFI firmware configurations" to "Not Configured".
  4. Run the following command on affected devices to propagate the policy change: gpupdate /force
  5. Run the following command to suspend BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -disable C:
  6. Run the following command to resume BitLocker (where BitLocker is enabled on the C: drive): manage-bde -protectors -enable C:
  7. This updates the BitLocker bindings to use the Windows-selected default PCR profile.
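The checks and the remediation steps above, gathered into one administrator script. This is an added example, not Microsoft's or the article's own code; it assumes the policy's registry location is HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI with the selected PCRs stored as DWORD values named by PCR number (hypothetical; verify against the VolumeEncryption ADMX in your environment), and it does not check the last criterion, whether the 2023-signed Boot Manager is already in use.

```powershell
#Requires -RunAsAdministrator
# Assumed (not from the article) registry location written by the GPO
# "Configure TPM platform validation profile for native UEFI firmware configurations".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

function Test-Pcr7PolicyRisk {
    # Criterion 1: BitLocker protection is on for the OS volume
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
    $bitlockerOn = [bool]$os -and $os.ProtectionStatus -eq 'On'

    # Criterion 2: validation-profile policy configured and PCR7 selected
    # (value names "Enabled" and "7" are assumed; adjust if your ADMX differs)
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $pcr7InProfile = [bool]$pol -and $pol.Enabled -eq 1 -and $pol.'7' -eq 1

    # Criterion 3: msinfo32 reports PCR7 binding as not possible; parse its text report
    $report = Join-Path $env:TEMP 'msinfo32-pcr7.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $pcr7Line = (Get-Content -Path $report) -match 'PCR7 Configuration' | Select-Object -First 1
    $pcr7NotPossible = [string]$pcr7Line -match 'Not Possible'

    # Criterion 4: Windows UEFI CA 2023 certificate present in the Secure Boot DB
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $ca2023InDb = $db -match 'Windows UEFI CA 2023'

    [pscustomobject]@{
        BitLockerOn     = $bitlockerOn
        Pcr7InProfile   = $pcr7InProfile
        Pcr7NotPossible = $pcr7NotPossible
        Ca2023InDb      = $ca2023InDb
        Pcr7Line        = $pcr7Line
        AtRisk          = $bitlockerOn -and $pcr7InProfile -and $pcr7NotPossible -and $ca2023InDb
    }
}

function Repair-Pcr7Binding {
    # Steps 4-6 of the workaround; run only after the GPO has been set to "Not Configured".
    param([string]$Drive = 'C:')
    gpupdate /force | Out-Null
    manage-bde -protectors -disable $Drive | Out-Null   # suspend BitLocker
    manage-bde -protectors -enable $Drive  | Out-Null   # resume; re-seals to the default PCR profile
    (Get-BitLockerVolume -MountPoint $Drive).ProtectionStatus
}

$result = Test-Pcr7PolicyRisk
$result | Format-List
if ($result.AtRisk) { Write-Warning 'Device matches the criteria: clear the GPO, then run Repair-Pcr7Binding.' }
```

Run the check on a representative device before the update reaches it; the Repair function is only meaningful once the policy has been removed, otherwise the next gpupdate simply re-applies PCR7.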

Aside from that, admins can also apply a Known Issue Rollback (KIR) to prevent the issue before installing the Patch Tuesday update.

Update, April 22 2026, 12.00 GMT: Microsoft has revised its guidance for this bug and removed the KIR policy workaround; the company has not said why. Perhaps the rollback was not working as expected. The tech giant maintains that the bug will be addressed in a future Windows update. Maybe it will be patched in the upcoming KB5083631 update that is expected to make Windows 11 significantly faster.
