AhBAy2335
Copper Contributor
May 18, 2026

BitLocker recovery still occurring after KB5089549 installation on HP EliteBook

Hi all,

We are experiencing ongoing BitLocker recovery prompts on a Windows 11 enterprise device even after successfully installing KB5089549, which Microsoft states fixes the recent Secure Boot / PCR7 BitLocker recovery issue.

Environment:

• HP EliteBook G10
• Windows 11 25H2
• OS Build 26200.8457
• Hybrid Azure AD Joined
• BitLocker TPM protector enabled
• Secure Boot enabled
• VBS / Secure Launch enabled

What we already confirmed:

• KB5089549 installed successfully
• TPM healthy (Get-Tpm)
• Secure Boot healthy (Confirm-SecureBootUEFI = True)
• PCR7 Configuration = Bound
• TPM protector recreated successfully
• No pending HP BIOS/firmware updates via HP Image Assistant
• BitLocker protection status healthy

Current issue:

The device still requests the BitLocker recovery key after every reboot.

We already tested:

• Suspend BitLocker
• Remove/re-add TPM protector
• Multiple reboots
• KB5089549 installation
• No custom BitLocker PCR GPOs found
• Hypervisor disabled using:
  bcdedit /set hypervisorlaunchtype off

The issue still persists.

Interesting observations:

• System has Secure Launch, SMM Firmware Measurement, and VBS enabled
• USB4 / DisplayLink / dock-related drivers present
• TPM protector uses PCR profile 7,11

Has anyone else seen:

• continued BitLocker recovery after KB5089549,
• especially on HP enterprise devices,
• even when PCR7 shows “Bound” and Secure Boot/TPM health appear normal?
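
The PCR profile mentioned in the post above (7,11) is what `manage-bde -protectors -get C:` prints for the TPM protector. The PowerShell below is an added example, not part of the original post: it parses that output and reports which PCRs each TPM-based protector is sealed to. The helper name `Get-TpmPcrProfile` and the sample output are constructed for illustration.

```powershell
# Added example (not from the thread). Get-TpmPcrProfile is a hypothetical helper
# that reads `manage-bde -protectors -get <volume>` output and returns the PCR
# validation profile of every TPM-based key protector.
function Get-TpmPcrProfile {
    param([string[]]$Lines)   # not Mandatory: the output contains blank lines

    $found = [System.Collections.Generic.List[object]]::new()
    $heading = $null; $current = $null; $inProfile = $false
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -eq 'PCR Validation Profile:') {
            $inProfile = $true; $current = $null; continue
        }
        if ($inProfile -and $text -match '^\d+(\s*,\s*\d+)*$') {
            $current = [pscustomobject]@{
                Protector            = $heading
                Pcrs                 = [int[]]($text -split '\s*,\s*')
                SecureBootValidation = $false
            }
            $found.Add($current); continue
        }
        if ($inProfile -and $current -and $text -like '(Uses Secure Boot*') {
            $current.SecureBootValidation = $true; continue
        }
        $inProfile = $false
        # Protector headings are lines such as "TPM:" or "Numerical Password:"
        if ($text -match '^([A-Za-z][A-Za-z ]*):$') { $heading = $Matches[1] }
    }
    $found
}

# Constructed sample output; on a device use: $out = manage-bde -protectors -get C:
$out = @'
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000002}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
'@ -split '\r?\n'

Get-TpmPcrProfile -Lines $out | ForEach-Object {
    # 7,11 with Secure Boot validation is the profile the post reports; 0,2,4,11
    # would mean BitLocker is not using Secure Boot (PCR7) binding.
    $ok = (($_.Pcrs -join ',') -eq '7,11') -and $_.SecureBootValidation
    '{0}: PCR {1} -> {2}' -f $_.Protector, ($_.Pcrs -join ','),
        $(if ($ok) { 'Secure Boot profile' } else { 'other profile, review' })
}
```

Running it before and after a protector is removed and re-added shows whether the profile itself changes between reboots or stays at 7,11 while the measurements drift.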

2 Replies

  • Not sure if related, but have been facing a lot of issues since the latest April updates on our AVD Farms using Confidential Compute + Disk Encryption Set. All VMs immediately start in BitLocker recovery mode? Have tried the same steps during image build as mentioned above.

    • AhBAy2335
      Copper Contributor

      Based on the current behavior, this now appears more related to measured boot / PCR measurement drift rather than the original “invalid PCR7 configuration” issue Microsoft documented.

      The symptoms seem closely related to the Secure Boot / BitLocker issue discussed in these articles:

      https://support.microsoft.com/en-us/topic/may-12-2026-kb5089549-os-builds-26200-8457-and-26100-8457-28ec2a99-4bbe-481d-a340-5c6cf18d9acb

      https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bitlocker-recovery-issue-only-for-windows-11-users/

      However, in this case:

      • KB5089549 installed successfully,
      • PCR7 is healthy/bound,
      • TPM and Secure Boot are healthy,
      • but BitLocker recovery still occurs after reboot.

      I suspect there may still be an unresolved interaction involving: