After installing Windows Update KB5094126, or some subsequent security updates, some devices may unexpectedly prompt for the BitLocker Recovery Key at startup. This behaviour is expected and occurs because Microsoft has begun strictly enforcing Secure Boot integrity. If the device’s Secure Boot chain is not valid, Windows will require the BitLocker key before allowing the system to boot.
Affected systems:
- Windows 10
- Windows 11
- Systems with Secure Boot enabled
- Systems with BitLocker enabled (Pro/Enterprise/Education editions)
- Windows Home devices with Device Encryption (where supported)

Common triggers:
- Badly configured domain policies that have stored a broken Secure Boot chain (read: Uni policy).
- Date/time stamp mismatches
- Questionable apps or malware that have tried, or succeeded, in accessing boot files.
For years, Windows allowed devices to run with partially broken or non‑compliant Secure Boot configurations without interrupting the boot process. KB5094126 and subsequent security updates change that.
Microsoft is now enforcing Secure Boot chain validation, meaning:
- if the Secure Boot certificates, bootloader, or firmware chain are invalid, modified, or out of date,
- Windows will treat the boot environment as untrusted,
- and BitLocker will require the Recovery Key to ensure the user is legitimate.
This is not caused by BitLocker “turning on by itself”. BitLocker (or Device Encryption) may have been active for months or even years, probably linked to a Uni account, OneDrive, an Office install or another Uni system, but the key is only being requested now because the trusted boot chain is broken.
You may see the BitLocker recovery screen after an update if:
- Secure Boot is disabled, partially disabled, or misconfigured
- The system firmware (UEFI) has outdated Secure Boot certificates
- A BIOS/UEFI update changed the boot chain
- A bootloader was modified by third‑party software
- The Trusted Platform Module (TPM) measured a change in the boot environment
- The device was previously allowed to boot with an invalid Secure Boot chain, but now enforcement blocks it

In all cases, Windows is protecting the device and you from data theft by requiring the recovery key.
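Because the prompt only appears once enforcement finds a broken chain, the useful check is to look at the Secure Boot, TPM and BitLocker state before the update lands and to make sure a recovery password exists somewhere you control. The script below is an added example for this page, not something from Microsoft or Study Tech; it assumes an elevated PowerShell on Windows 10/11 with the SecureBoot and BitLocker modules present, and the export folder name is an assumption.

```powershell
# Added example (not from the original page): pre-update health check so a
# BitLocker recovery prompt after KB5094126 is not a surprise.
# Assumes an elevated PowerShell prompt on Windows 10/11 with the SecureBoot and
# BitLocker modules present. $ExportDir is an assumed location.
$ExportDir = "$env:USERPROFILE\Desktop\BitLocker-Keys"

# 1. Is the update from the page already installed?
$kb = Get-HotFix -Id 'KB5094126' -ErrorAction SilentlyContinue
Write-Host ("KB5094126 installed: {0}" -f [bool]$kb)

# 2. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS / CSM
#    systems, which is itself a finding: there is no Secure Boot chain to validate.
try {
    Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    Write-Warning "Secure Boot not available (legacy BIOS or CSM mode): $($_.Exception.Message)"
}

# 3. TPM state. BitLocker seals the volume key to TPM measurements of the boot chain,
#    so any change in that chain is what forces the recovery screen.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 4. Encrypted volumes and whether a recovery password exists for each one.
foreach ($vol in Get-BitLockerVolume) {
    Write-Host ("`nVolume {0}: {1}, protection {2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Warning "  No RecoveryPassword protector: nothing to type in at the recovery screen."
        continue
    }
    foreach ($p in $rp) {
        # Escrow to the Azure AD / Entra tenant if the device is joined to one
        # (the Pro/Enterprise case on this page). Fails harmlessly on an unjoined machine.
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "  Protector $($p.KeyProtectorId) backed up to Azure AD"
        } catch {
            Write-Host "  Azure AD backup not possible here: $($_.Exception.Message)"
        }
    }
    # Always keep a copy you control: write the 48-digit password out for USB or print.
    New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
    $file = Join-Path $ExportDir ("RecoveryKey-{0}.txt" -f ($vol.MountPoint -replace '[:\\]', ''))
    $rp | ForEach-Object { "{0}`t{1}" -f $_.KeyProtectorId, $_.RecoveryPassword } | Set-Content -Path $file
    Write-Host "  Recovery password written to $file (move it off this disk)"
}
```

On a Windows Home device with Device Encryption the Azure AD step will report that backup is not possible; the exported file is then the only copy outside the Microsoft account.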
Windows Home does not include full BitLocker management, but many modern Home devices support Device Encryption, which is a simplified version of BitLocker.

Important differences:
- No BitLocker management UI
- Cannot manually configure encryption policies
- Cannot enforce BitLocker without a Microsoft Account
- Recovery keys are stored only in the user’s Microsoft Account (if encryption is enabled)

This means Study Tech, and probably the Uni, have no access to these keys.
The key can only be stored in a Microsoft account, but that account can be registered under any email address. If the account name is an arbitrary email address, or that address has been used to sign in via single sign-on (SSO) with Gmail, iCloud, etc., it can look like a Microsoft account with a Gmail address (or similar) when it actually is not one.
Editions with full BitLocker (Pro/Enterprise/Education) (note: this may be what the Uni policy changes your Windows to once you sign in to OneDrive, Office, etc.):
- Full BitLocker management
- Can store keys in Azure AD, AD DS, MDM, or manually, with a prompt to save the key
- Can enforce encryption and passwords via domain policy, which Study Tech have no control over
- Can manage TPM/Secure Boot interactions
This means:
- If a Windows Home device is encrypted or asking for a key, you must have a Microsoft Account where the key is stored.
- If you used a local account, the device cannot store a recovery key anywhere, and encryption could not have been enabled.
- Microsoft may "force" device encryption with this or subsequent updates; if so, they will make it very clear that you need to save the key to a USB drive or similar.
- We have had instances of Uni policy "half applying" and students being unable to access the key. We cannot help with this, other than by wiping the device.