Microsoft Confirms Windows Update Locking PCs Or Blue Screen Of Death — How To Fix
Updated May 20 with details of how Microsoft has now fixed the bug and what you should do.
Windows 10 users have recently come across a problem caused by the latest Windows 10 KB5058379 update. The problem is, it’s a mandatory update. Now, Microsoft has issued a critical update to put things right. Full details of what you should do at the end of this post.
Windows 10
First, some history. The issue was reported on May 15 by Windows Latest. “Windows 10 KB5058379 is causing PCs to boot into Windows Recovery and require BitLocker key. Windows Latest received reports that KB5058379 install starts, but ends up at “Enter the recovery key to get going again (Keyboard layout: US)” screen, and there’s a text field to add the recovery key. In some cases, there’s a BSOD as well,” Windows Latest said.
It’s unusual for BitLocker recovery to trigger automatically unless we make a change to the hardware or BIOS settings. Several users told Windows Latest that a BitLocker Recovery (Windows Boot Recovery) is prompted automatically after installing KB5058379, which is rolling out via Windows Update. In some cases, there’s a BSOD as well… Windows 10 KB5058379 is a mandatory security update rolling out for everyone, including businesses or enterprises, and you don’t have a choice but to install the update,” it went on.
If you aren’t familiar with BitLocker, then, as you’ll see below, there’s a chance that the problem won’t apply to you. Anyway, here’s how Bleeping Computer described the issue and how it manfests.
“The BitLocker Windows security feature encrypts storage drives to prevent data theft, and Windows computers typically enter BitLocker recovery mode after events like TPM (Trusted Platform Module) updates or hardware changes to regain access to protected drives. Today, Microsoft confirmed the issue and said it’s investigating reports that ‘a small number’ of Windows 10 PCs display BitLocker recovery screens after installing the KB5058379 update,” it said.
On Saturday, May 17, Microsoft updated a support document to acknowledge the issue. “We are aware of a known issue on devices with Intel Trusted Execution Technology (TXT) enabled on 10th generation or later Intel vPro processors,” it said. It also shared some good news.
It Probably Won’t Affect You
“Consumer devices typically do not use Intel vPro processors and are less likely to be impacted by this issue. This issue ONLY applies to the affected platforms listed below. Windows 10, versions 22H2; Windows 10 Enterprise LTSC 2021, Server: None,” Microsoft said in its support document.
Again, this is why you’ll probably know about BitLocker if there’s a chance you could be affected.
So, if you have a PC with Intel vPro chip, you could be tempted not to install it yet, though since it’s mandatory, it’s not advisable to skip it.
Take heart, though: Microsoft is working on it. “We are urgently working on a resolution for this issue, with plans to release an Out-of-band update to the Microsoft Update Catalog in the coming days,” it says, and the fact that the latest support document was filed on a Saturday indicates the urgency.
What To Do
The first stage, obviously, is to find your 48-digit Bitlocker recovery key. Here are Windows Latest’s helpful instructions for what you need to do.
You need to reboot into BIOS/UEFI, which can be done by pressing a key after power-on, but the keys are different across all OEMs. On most Dell/HP/Lenovo: press F2, F10/F12, or Esc immediately after power-on to enter BIOS/UEFI.
Next, in BIOS, look for Security, open Virtualization or Advanced CPU Settings and turn off Intel TXT. This could also be referred to as Trusted Execution, or OS Kernel DMA Support. Note that you can leave VT for Direct I/O (or VT-d) enabled. Finally, save changes and exit BIOS.
“The idea is to disable Intel TXT / Trusted Execution and allow KB5058379 to finish installation. If you followed the steps correctly, you won’t run into BitLocker Recovery or BSOD. Remember that the BSOD or BitLocker is triggered when installing KB5058379, but you won’t have the issue after the update is installed successfully. The catch is that it’s a challenge to install the security patch without turning off Intel TXT / Trusted Execution in BIOS,” Windows Latest explains.
Windows 11 is not affected by this issue, it seems.
The Fix
So, how about that update to fix things? Microsoft said it was working urgently and would release an update in days. It did, just 48 hours after it acknowledged the flaw.
On Monday, May 19, Microsoft said it had resolved the problem. “We are aware of a known issue on devices with Intel Trusted Execution Technology (TXT) enabled on 10th generation or later Intel vPro processors. On these systems, installing the May 13, 2025, Windows security update (KB5058379) might cause lsass.exe to terminate unexpectedly, triggering an Automatic Repair. On devices with BitLocker enabled, BitLocker requires the input of your BitLocker recovery key to initiate the Automatic Repair,” it said.
Then it described the resolution, with an update that is only available to download through the Microsoft Update Catalog, so that’s the place you need to visit to sort this.
“This issue was resolved in the out-of-band (OOB) update KB5061768, which is only available via the Microsoft Update Catalog. If your organization uses the affected platforms and hasn’t yet deployed the May 13, 2025, Windows security update, or if KB5058379 failed to install, we recommend you apply this OOB update instead,” it said.
If you have already installed the updated and are unable to start your PC, you need to disable Intel VT for Direct I/O (also known as VTD or VTX) and Intel Trusted Execution Technology (TXT) in your BIOS / UEFI settings. This disabling should only be temporary. You’ll need to enter your BitLocker recovery key. If you don’t have that, see the instructions to retrieve the key.
Once you’ve done that, go to the Microsoft Update Catalog and install the new update, KB5061768.
Then restart Windows and return to your BIOS / UEFI settings. This is when you re-enable Intel VT for Direct I/O (also known as VTD or VTX) and TXT. (Note that you’ll again need your BitLocker recovery key for this step.