In April 2026, HP released a BIOS update for business PCs that actually caused Windows 11 devices to enter a continuous BitLocker recovery loop. Users found their very own systems repeatedly asking for their BitLocker recovery key even after they successfully unlocked the system. Later on… the issue was traced to a problem with the Secure Boot certificate update process where the firmware failed to properly install Microsoft’s new 2023 Secure Boot keys. This triggered BitLocker security checks on every startup. HP acknowledged the problem later and released their guidance for affected users too.
In this article, we’ll explain what caused the issue, review the timeline of events, and explore the most effective ways to fix the problem and recover access to your system and data.
Timeline of Events
- February 2026: Microsoft announced that older Secure Boot certificates of systems would expire in June 2026 and advised that users have to install new 2023 Secure Boot certificates through Windows and those firmware updates.
- April 2026: HP pushed BIOS updates for business laptops and workstations. Soon after their installation, users in every nook and corner of the world started getting stuck in BitLocker recovery loops or got these Secure Boot-related errors.
- Late April – Early May 2026: These problems of boot issues increased in forums and IT communities. Users started to realize that rolling back this BIOS update resolved the problem.
- May 11, 2026: HP acknowledged their issue and released their support advisory with temporary workarounds.
- Late May 2026: Many tech publications reported on the problem and at the same time HP and Microsoft investigated the faulty BIOS update.
- June 2026: With the Secure Boot certificate transition deadline reached, these affected systems basically just required a firmware tweak or roll back of BIOS to restore normal BitLocker and Secure Boot functionality.
How the BIOS Update Broke BitLocker
BitLocker actually uses the TPM chip to verify that the system boot environment is not changed. When there is a modification in firmware, Secure Boot settings or even your boot files, BitLocker thinks it is a potential security risk and asks you for the recovery key. In HP’s case, that faulty BIOS update disrupted the Secure Boot certificate update process. Windows actually was just trying to install Microsoft’s new 2023 Secure Boot certificates but firmware was just failing to complete this handoff. As a result of it… BitLocker detected a mismatch between the expected and actual boot configuration on each and every startup. The problem also prevented users’ Windows from properly installing the new Secure Boot certificates before Microsoft’s 2026 deadline. This left users’ systems just stuck in a continuous BitLocker recovery loop despite otherwise functioning normally.
How to Resolve HP BitLocker Recovery Loop
1. Retrieve your BitLocker recovery key. Sign in at https://account.microsoft.com/devices/recoverykey (or contact your IT admin) and copy the 48-digit key for your device.
2. Enter BIOS/UEFI (F10). Restart and press Esc then F10 when the HP logo appears. Navigate to Security > Secure Boot Configuration.
3. Enable Secure Boot keys: Check all of these new options… Windows UEFI CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023 and Enable MS UEFI CA Key. Save and exit (F10).
4. Let Windows reboot multiple times. The OS will now write the new certificates to the firmware. Wait for any automatic reboots to finish.
5. Confirm the update: Once back in Windows, open PowerShell as admin and run:
Powershell
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\ -Name UEFICA2023Status
It should report “Updated”. Alternatively, look for Event IDs 1797/1799 in Event Viewer under “Microsoft-Windows-BitLocker-API/Operational” which indicate success.
6. Re-enable BitLocker protection: If you suspended BitLocker earlier, resume it now:
bash
manage-bde -protectors -enable C:
Then, reboot once. BitLocker should now find the system in a trusted state.
7. If you still hit recovery: Boot into Windows RE (press F11 or use installation media) and open Command Prompt. Unlock the drive manually:
mathematica
manage-bde -unlock C: -RecoveryPassword <Your-Recovery-Key>
Then run
manage-bde -status
This will ensure it’s unlocked. If needed, copy off any important files (using notepad.exefile dialog or xcopy to USB). If the system is otherwise damaged, you may opt to rebuild Windows and restore files later.
BitLocker Recovery Key Retrieval
If you need your BitLocker recovery key, your search actually depends on the setup you have here.
- For normal personal PCs that are linked to a Microsoft account, open account.microsoft.com/devices and open your device there to view the BitLocker key.
- On organization PC systems, the key is basically stored in Azure AD or Intune from where admins can retrieve it.
- In an on-prem Active Directory setup, it can be available under device object in the BitLocker Recovery tab. It is also saved maybe as a printed copy or USB backup.
Once you have obtained that key of yours, the drive can then be unlocked using manage-bde -unlock C: -RecoveryPassword <key> for real. If you get out of this vicious loop and see that the data you were working on earlier on is missing, professional data recovery software like Stellar Data Recovery Professional for Windows can help recover files from the drive after it is unlocked.
Conclusion
The HP BIOS update issue is actually a reminder that even these critical firmware updates can have unexpected consequences for you. While the BitLocker recovery loop can be frustrating for you… HP identified its very root cause and provided workarounds to restore normal operation. The key here is to secure your BitLocker recovery key, apply the recommended BIOS fixes and verify that those new Secure Boot certificates are installed in there correctly. If the issue leads to data loss in any way, you can use a reliable professional Windows data recovery solution, such as Stellar Data Recovery Professional for Windows to just retrieve important files and minimize your downtime.
