Windows 10 KB5058379 update triggering BitLocker Recovery after install

The Windows 10 KB5058379 cumulative update is triggering unexpected BitLocker recovery prompts on some devices after it is installed and the computer restarts.

On May 13, Microsoft released the Windows 10 KB5058379 cumulative update as part of its May 2025 Patch Tuesday updates. This is a mandatory update, as it contains fixes for security vulnerabilities, including five actively exploited zero-day flaws.

As first spotted by Windows Latest, since the release of this update, some Windows users and admins have been reporting that after installing the update and restarting the device, the computer would automatically boot into the WinRE BitLocker recovery screen.

While this is not impacting all Windows devices, there have been enough reports to indicate a problem with the update on some devices.

“We have about a half dozen laptops that experienced various intermittent issues after receiving the same KB – some require bitlocker keys to start up, others refusing to start at all,” a Windows admin posted to Reddit.

“The latest KB5058379 released May 13 quality update failed in Windows 10 devices. On some devices it caused the bitlocker key window to trigger after restart,” another person posted to the Microsoft forums.

Soon after, numerous people responded to the posts stating that devices in their organizations were booting into WinRE and then showing the BitLocker recovery screen.

The Windows BitLocker recovery screen
Source: Microsoft

There are reports of devices from Lenovo, Dell, and HP being impacted by this issue, so it’s unclear what particular hardware or setting conflict is occurring.

Some users reported on Reddit that they could boot into Windows again by disabling Intel Trusted Execution Technology (TXT) in the BIOS.

Trusted Execution Technology (TXT) is a hardware-based security feature that verifies the integrity of system components before allowing sensitive operations to run.

While Microsoft has not publicly acknowledged the issue, Microsoft Support allegedly told a user that they are aware of it.

“I would like to inform you that we are currently experiencing a known issue with the May Month Patch KB5058379, titled “BitLocker Recovery Triggered on Windows 10 devices after installing KB5058379” on Windows 10 machines,” an impacted user posted to Reddit.

“A support ticket has already been raised with the Microsoft Product Group (PG) team, and they are actively working on a resolution.”

Microsoft then shared the following steps for users to get back into Windows.

1. Disable Secure Boot

  • Access the system’s BIOS/Firmware settings.
  • Locate the Secure Boot option and set it to Disabled.
  • Save the changes and reboot the device.

2. Disable Virtualization Technologies (if issue persists)

  • Re-enter BIOS/Firmware settings.
  • Disable all virtualization options, including:
    • Intel VT-d (VTD)
    • Intel VT-x (VTX)

Note: This action may prompt for the BitLocker recovery key, so please ensure the key is available.

3. Check Microsoft Defender System Guard Firmware Protection Status

You can verify this in one of two ways:

  • Registry Method

    • Open Registry Editor (regedit).
    • Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
    • Check the Enabled DWORD value:
      • 1 → Firmware protection is enabled
      • 0 or missing → Firmware protection is disabled or not configured
  • GUI Method (if available)
    • Open Windows Security > Device Security, and look under Core Isolation or Firmware Protection.

4. Disable Firmware Protection via Group Policy (if restricted by policy)

If firmware protection settings are hidden due to Group Policy, follow these steps:

  • Using Group Policy Editor

    • Open gpedit.msc.
    • Navigate to: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security
    • Under Secure Launch Configuration, set the option to Disabled.
  • Or via Registry Editor
    • Set the Enabled value under the SystemGuard key to 0:
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
      "Enabled"=dword:00000000

Important: A system restart is required for this change to take effect.
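Steps 2 through 4 above amount to "make sure the recovery key is on hand, then check and possibly change the System Guard firmware-protection value". That audit can be scripted so an admin knows each device's state before touching firmware or policy. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes Windows 10 with the built-in BitLocker and SecureBoot PowerShell modules, an elevated prompt, and the function names are ours. It only reads state unless Disable-SystemGuardFirmwareProtection is called explicitly, and that function honours -WhatIf.

```powershell
# Added example (not from the article or Microsoft): audit the settings the
# workaround touches, and confirm a BitLocker recovery password is recorded so
# the reboot into the recovery screen is an inconvenience, not a lockout.
# Run from an elevated PowerShell prompt on Windows 10.

$Kb             = 'KB5058379'
$SystemGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Get-PreWorkaroundState {
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')

    # Is the update in question installed on this device?
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    # Secure Boot state (step 1 of the workaround). Confirm-SecureBootUEFI
    # throws on legacy-BIOS machines, so report that as not applicable.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = 'N/A (legacy BIOS)' }

    # System Guard firmware protection (step 3): the Enabled DWORD under the
    # SystemGuard key. 1 = enabled; 0 or missing = disabled / not configured.
    $sg = Get-ItemProperty -Path $SystemGuardKey -Name Enabled -ErrorAction SilentlyContinue
    $firmwareProtection = if ($sg -and $sg.Enabled -eq 1) { 'Enabled' }
                          else { 'Disabled or not configured' }

    # BitLocker on the OS volume: is protection on, and is there a
    # RecoveryPassword protector? Without one there is nothing to type at
    # the recovery prompt (the note in step 2 says to have the key available).
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        MountPoint             = $MountPoint
        UpdateInstalled        = [bool]$hotfix
        SecureBoot             = $secureBoot
        FirmwareProtection     = $firmwareProtection
        BitLockerProtection    = $vol.ProtectionStatus
        RecoveryPasswordExists = ($recovery.Count -gt 0)
        RecoveryPasswordIds    = @($recovery.KeyProtectorId)
    }
}

function Disable-SystemGuardFirmwareProtection {
    # Applies the registry half of step 4. Does nothing unless confirmed
    # (use -WhatIf to preview). A restart is required afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($SystemGuardKey, 'Set Enabled = 0 (step 4 of the workaround)')) {
        if (-not (Test-Path $SystemGuardKey)) {
            New-Item -Path $SystemGuardKey -Force | Out-Null
        }
        Set-ItemProperty -Path $SystemGuardKey -Name Enabled -Value 0 -Type DWord
        Write-Warning 'Restart required for the change to take effect.'
    }
}

$state = Get-PreWorkaroundState
$state | Format-List

if ($state.BitLockerProtection -eq 'On' -and -not $state.RecoveryPasswordExists) {
    Write-Warning "No recovery password protector on $($state.MountPoint); add and record one before changing firmware settings."
}
```

Record the recovery password itself with `manage-bde -protectors -get C:` (or the RecoveryPassword property of the protector returned by Get-BitLockerVolume) and store it where the admin can reach it from another machine; then run `Disable-SystemGuardFirmwareProtection -WhatIf` to preview the step 4 change before applying it.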

It is strongly encouraged to test disabling TXT in the BIOS before disabling Secure Boot or virtualization features, as disabling them could significantly affect the device’s security, performance, and the usability of virtualization software.

BleepingComputer did not test these workarounds, so test them first before rolling out fixes to multiple devices.

BleepingComputer contacted Microsoft to learn more about this issue and will update the story if we receive a response.
