BitLocker recovery still occurring after KB5089549 installation on HP EliteBook

BitLocker recovery triggering after KB5089549 is consistent with what several organizations have reported when the update modifies boot configuration data in a way that the TPM interprets as a security state change. The update appears to be touching components that TPM monitors as part of the secure boot measurement chain, which causes the recovery prompt even on machines where nothing has actually changed from a security standpoint.

The most reliable resolution we found across multiple affected machines was suspending BitLocker before applying the update rather than dealing with recovery afterward. For machines already stuck in recovery, key retrieval from Azure AD or on-premises AD, depending on your backup configuration, should work cleanly if the keys were properly escrowed before the issue occurred.

It's worth checking whether your HP EliteBook BIOS is on the latest version as well because some EliteBook configurations have a BIOS interaction with this specific update that compounds the TPM measurement issue. HP released updated firmware that addresses part of this behavior on affected models.

We encountered this across several HP devices during a Microsoft 365 infrastructure rollout we were managing through Tech Distributor, our Microsoft distributor in Dubai. The pattern was consistent enough across machines that we flagged it before completing the full deployment, and the BIOS update combined with BitLocker suspension during patching resolved it on every affected unit.

Are the affected machines all on the same BIOS version, or is the issue appearing across different firmware revisions?