
Windows 11 KB5089549 BitLocker Recovery Loop HP Fix
Fix the KB5089549 BitLocker recovery key loop on HP EliteBook, ProBook, and Z-series Workstations. Microsoft and HP confirmed a known issue with the PCR7 / Secure Boot 2023 cert.
> Before you do anything: locate your BitLocker recovery key NOW. Sign into [account.microsoft.com/devices/recoverykey](https://account.microsoft.com/devices/recoverykey) on a phone or second PC, or check your Microsoft Entra / Intune portal under "Devices -> BitLocker keys". If your key was only saved to a local USB and the device is locked, do not reset, re-flash BIOS, or wipe the drive — your data becomes unrecoverable.
What is the KB5089549 BitLocker Recovery Loop on HP?
After installing the May 2026 cumulative update KB5089549 on Windows 11 23H2, 24H2, or 25H2, many HP Commercial Notebooks, Commercial Desktops, and Z-series Workstations boot directly into the BitLocker recovery screen demanding the 48-digit recovery key. Entering the correct key gets you to the desktop once, but the next reboot demands the key again — a true loop. Microsoft confirmed the PCR7 / TPM-binding regression as a known issue, and HP published advisory HPSBHF03991 acknowledging the parallel BIOS-side cause: an HP BIOS update shipped through Windows Update in early April 2026 mis-handles the Windows UEFI CA 2023 Secure Boot certificate, which changes PCR7 measurements on every cold boot.
When does it occur?
- Immediately after KB5089549 installs and the machine reboots to apply.
- On HP EliteBook 840 / 845 / 860 G10 and G11, ProBook 450 / 460 G10, Elite x360, Z2 / Z4 / Z6 G5 Workstations.
- After the HP BIOS firmware updates dated April 03 - April 22, 2026 are applied via Windows Update.
- When the device wakes from S4 (hibernate) or after a Modern Standby drain to 0%.
- After joining the device to Microsoft Entra ID or Intune for the first time post-update.
- When you press F10 to enter BIOS and then resume boot — PCR7 changes mid-boot.
Common causes
- KB5089549 re-measures PCR7 against the new Windows UEFI CA 2023 certificate while the HP BIOS still references the 2011 cert, breaking the TPM seal.
- The HP BIOS update bundled in the April 2026 firmware package writes the Secure Boot DBX in a non-idempotent way, so every cold boot produces a different PCR7 value.
- BitLocker was set to "TPM-only" protector (no PIN), so the moment PCR7 drifts the recovery key is the only unlock path.
- Microsoft Entra / Intune did not back up the recovery key because the device hit the loop *before* the policy sync completed.
- A previous KB5083769 (April 2026) install left a stale `pcr7-config` value of `BindingPossibleButNotBound` in `msinfo32`.
- HP Sure Start re-validates the BIOS on every boot and re-applies its own measurement, compounding the drift.
Step-by-step fixes
1. Unlock with the recovery key once and dump the current PCR7 state. Enter the key, sign in, open an elevated PowerShell, and run `manage-bde -protectors -get C:` plus `Get-Tpm` and `msinfo32 | findstr /i "pcr7"`. Save the output — you will need it.
2. Suspend BitLocker before the next reboot. In the same elevated PowerShell: `manage-bde -protectors -disable C: -RebootCount 3`. This skips the TPM seal check for the next 3 boots and breaks the loop long enough to patch.
3. Install Microsoft's emergency rollback patch KB5089573. Download the MSU directly from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/) and install with `wusa C:\path\to\windows11.0-kb5089573-x64.msu /quiet /norestart`. KB5089573 reverts the PCR7 measurement logic to the pre-KB5089549 behavior.
4. Block the bad HP BIOS update. Open `Settings -> Windows Update -> Advanced options -> Optional updates`, uncheck any "HP - Firmware" entry. Then run Microsoft's "Show or hide updates" troubleshooter (`wushowhide.diagcab`) to hide the firmware KB so it doesn't re-offer.
5. **Re-enable BitLocker only after PCR7 is Bound.** Re-run `msinfo32 | findstr /i "pcr7"`. If it now reads `Binding`, run `manage-bde -protectors -enable C:` and reboot once to confirm no recovery prompt.
6. If HP Sure Start fires, downgrade BIOS to the March 2026 release. From HP's support site, grab the BIOS for your exact model dated 2026-03 or earlier (e.g. EliteBook 840 G11 BIOS V01.10.00). Run the installer from inside Windows (do NOT use F.10 in-BIOS update while BitLocker is suspended). Reboot.
7. Back up the recovery key to multiple locations. `manage-bde -protectors -get C: > %USERPROFILE%\Desktop\bitlocker-keys.txt`, then upload to OneDrive AND print a paper copy. Save the key ID + recovery key. Do NOT skip this — the next firmware push could re-trigger the loop.
8. For Intune-managed fleets, push the Microsoft mitigation via Known Issue Rollback (KIR). Import the KIR Group Policy MSI from [Microsoft's KIR portal](https://learn.microsoft.com/en-us/windows/deployment/update/known-issue-rollback) and target the policy `KB5089549 240608 240612 BitLocker Recovery Mitigation` to the affected device group. Reboot.
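
A pre-reboot readiness check for the steps above, as an added example (not code from Microsoft, HP, or the original page). It uses the built-in `Get-BitLockerVolume`, `Get-HotFix` and `BackupToAAD-BitLockerKeyProtector` cmdlets; the function name `Test-BitLockerLoopReadiness` and the `SafeToReboot` rule are assumptions made for illustration, and the KB numbers are the ones quoted on this page.

```powershell
#Requires -RunAsAdministrator
# Added example. Test-BitLockerLoopReadiness is a hypothetical helper name.
function Test-BitLockerLoopReadiness {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$EscrowToEntra   # also back up recovery passwords to Entra ID
    )

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Get-HotFix raises an error when the ID is absent, so suppress it and test for null.
    $hasUpdate   = [bool](Get-HotFix -Id 'KB5089549' -ErrorAction SilentlyContinue)
    $hasRollback = [bool](Get-HotFix -Id 'KB5089573' -ErrorAction SilentlyContinue)

    # A bare 'Tpm' protector means TPM-only unlock (no PIN or startup key),
    # the configuration listed under "Common causes".
    $tpmOnly = $types -contains 'Tpm'

    if ($EscrowToEntra) {
        foreach ($kp in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    # Report protector IDs only; the 48-digit passwords are never written out.
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus   # Off while suspended
        TpmOnlyProtector    = $tpmOnly
        RecoveryPasswordIds = $recovery.KeyProtectorId
        KB5089549Installed  = $hasUpdate
        KB5089573Installed  = $hasRollback
        # Assumed rule: a recovery password exists AND either the rollback
        # patch is installed or protection is currently suspended.
        SafeToReboot        = ($recovery.Count -gt 0) -and
                              ($hasRollback -or $vol.ProtectionStatus -eq 'Off')
    }
}

Test-BitLockerLoopReadiness | Format-List
```

Run it after step 2 and again after step 5; `-EscrowToEntra` only succeeds on devices that are Entra-joined or hybrid-joined.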
If it still doesn't work
If KB5089573 is already installed and the loop continues, the device is hitting the HP-side BIOS bug rather than the Microsoft-side one — flash the March 2026 BIOS in step 6, and if the in-Windows installer refuses because Sure Start blocks it, create an HP USB recovery key (HP Cloud Recovery Tool), boot from it, and select "Restore BIOS". For Z-series Workstations with vPro / AMT, an out-of-band BIOS rollback via the HP Integrated Lights-Out (iLO) interface is the fastest path. Open a case with HP Enterprise Support quoting advisory HPSBHF03991 — affected commercial customers are being prioritized for free on-site BIOS reflash. If the recovery key was never escrowed to Entra/Intune and your local USB key is lost, the encrypted drive is mathematically unrecoverable; restore from your last backup rather than wasting time on third-party "BitLocker recovery" tools, which cannot break AES-XTS.