BitLocker recovery bug in recent Windows updates could brick your PC

BitLocker is Microsoft's built-in full-disk encryption feature for Windows. It protects your data by encrypting everything on the drive, so that if someone gets hold of your hardware (e.g., a stolen laptop, or someone removing the drive), they cannot access your data without the appropriate keys.

Because of this, when things go wrong with BitLocker the result can be very serious: loss of access, data locked behind a recovery key, or (in extreme cases) a full reinstall. The bug discussed here is exactly of that kind.




What’s going wrong




Several recent reports confirm that after installing certain Windows updates, some systems entered BitLocker recovery mode unexpectedly; in other words, the system asked for the recovery key (which many users may not have quick access to) or failed to boot properly. Some key points:

On May 13, 2025, Microsoft released update KB5058379 for Windows 10 (version 22H2) and related SKUs.





The bug specifically affects systems that have Intel vPro hardware (10th generation or newer) and have Intel Trusted Execution Technology (TXT) enabled.






On those systems, the update can cause the process lsass.exe to crash unexpectedly, which in turn triggers Windows' "Automatic Repair". On machines with BitLocker enabled, this repair triggers the BitLocker recovery prompt.






Some users reported that even entering the correct recovery key did not always restore boot, or that the system got stuck in a loop of startup repair/BitLocker screens.






Microsoft has acknowledged the bug via the Windows Release Health dashboard.






Microsoft released an out-of-band emergency update, KB5061768 for Windows 10, to fix this issue.






Who is affected




From the available information:




Primarily Windows 10 (version 22H2) and Windows 10 Enterprise/LTSC editions; standard Windows 11 appears less clearly affected.






Systems with Intel 10th gen or newer vPro processors and Intel Trusted Execution Technology (TXT) enabled in BIOS/UEFI.






BitLocker must already be enabled on the system. If you do not use BitLocker or device encryption, you likely avoid this.




Consumer devices (Home editions) are less likely to be affected, since many do not have Intel vPro / TXT enabled.






Why it matters: what can go wrong




A system booting into BitLocker recovery mode means you must enter the 48-digit recovery key (or equivalent) to continue. If you don't have it, you may effectively lose access to your data.

If the recovery enters a loop (the system asks for the key, you enter it, it then fails and repeats), your system may become unusable without deeper intervention (bootable media, command prompt, etc.).

For enterprise / managed devices, this can mean dozens or hundreds of machines locked out unexpectedly post-update.

While this bug didn't cause widespread data destruction (i.e., BitLocker didn't itself decrypt or wipe data), the risk is very real: inaccessible drives, downtime, recovery costs, and potential data loss if the key cannot be retrieved.




What you should do now




If you have a PC (particularly Windows 10) AND BitLocker enabled, I strongly recommend doing the following:




1. Make sure your BitLocker recovery key is backed up




Check where your recovery key is stored. If you used a Microsoft account, you may find it at https://aka.ms/myrecoverykey







If you are in a domain (work/school), make sure your administrator has the recovery key.

If your key is not backed up or accessible, you're at higher risk.




2. Check whether your system is affected




If your hardware matches (Intel vPro 10th gen or newer, with TXT enabled), you're on Windows 10 22H2 (or LTSC), and you installed the May 13 update (KB5058379), you may be at risk.

Check BIOS/UEFI: Is Intel TXT enabled? Is VT-d/VT-x enabled? These may contribute.






3. Install the fix (if applicable)




If your machine is in the affected category and hasn't yet applied the fix, install update KB5061768 (for Windows 10) from the Microsoft Update Catalog.






For systems that are already locked, the suggested workaround is: temporarily disable Intel TXT (and Intel VT for Directed I/O / VT-d) in the BIOS, boot in, enter the recovery key, install the fix, then re-enable TXT/VT-d.






4. Consider pausing updates (if in doubt)




If your system is in a production environment (workstations, a corporate fleet), you might temporarily delay deploying the May updates to unaffected machines while you verify compatibility and back up keys.

Always test updates in a staging environment before a wide rollout.




5. Have a recovery plan ready




Make sure you have bootable Windows media (USB) so you can get to WinRE, a command prompt, etc., if things go wrong.

Know how to use manage-bde commands to unlock or disable BitLocker (if you have the key). E.g., `manage-bde -unlock C: -RecoveryPassword YOUR-KEY` followed by `manage-bde -off C:` to decrypt. (As one user pointed out, this is more advanced.)






Ensure your regular data backups are working, so that in the worst case you can recover data even if the drive ends up requiring recovery or a reinstall.
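The checklist above (steps 1 to 3) can be turned into a quick triage run on each machine. The script below is an added example, not from the original post or from Microsoft; it assumes an elevated PowerShell prompt on the Windows 10 host being checked, and the VT-d probe through the DeviceGuard WMI class is a heuristic (Intel TXT state is not exposed by any standard cmdlet, so it is flagged for a manual firmware check).

```powershell
# Added triage script (not part of the original post). Gathers the signals the
# checklist asks for: OS version, the bad/fixed KBs, BitLocker and recovery
# password state, and hardware hints. Run from an elevated PowerShell prompt.

$result = [ordered]@{}

# 1. OS build: the bug affects Windows 10 version 22H2 (and LTSC SKUs).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$result.OSVersion     = "$($cv.ProductName) $($cv.DisplayVersion) build $($cv.CurrentBuild)"
$result.IsWindows10   = [int]$cv.CurrentBuild -lt 22000   # Windows 11 builds start at 22000

# 2. Update state: KB5058379 introduced the problem, KB5061768 is the out-of-band fix.
$result.HasKB5058379  = [bool](Get-HotFix -Id KB5058379 -ErrorAction SilentlyContinue)
$result.HasKB5061768  = [bool](Get-HotFix -Id KB5061768 -ErrorAction SilentlyContinue)

# 3. BitLocker state on the OS volume and whether a recovery password protector exists.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.BitLockerOn   = $osVol.ProtectionStatus -eq 'On'
$recoveryProtector    = $osVol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$result.HasRecoveryPw = [bool]$recoveryProtector
$result.RecoveryPwId  = $recoveryProtector.KeyProtectorId   # needed when escrowing the key

# 4. Hardware hints. vPro and TXT are firmware features; the CPU name is shown for manual triage.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$result.CPU           = $cpu.Name
$result.VTxEnabled    = $cpu.VirtualizationFirmwareEnabled
# Assumption: AvailableSecurityProperties value 3 ("DMA Protection") means VT-d/IOMMU is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$result.DMAProtection = [bool]($dg.AvailableSecurityProperties -contains 3)
$result.TXTStatus     = 'CHECK IN BIOS/UEFI SETUP (not exposed to Windows)'

# 5. Verdict: exposed = Windows 10 + bad KB installed + fix missing + BitLocker on.
$result.LikelyExposed = $result.IsWindows10 -and $result.HasKB5058379 -and
                        (-not $result.HasKB5061768) -and $result.BitLockerOn

[pscustomobject]$result | Format-List

# If LikelyExposed and the recovery password is not escrowed yet, back it up before anything else:
#   Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $result.RecoveryPwId      # to Active Directory
#   BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $result.RecoveryPwId # to Entra ID
```

A machine reporting LikelyExposed = True with TXT enabled in firmware is the case the workaround in step 3 is written for; install KB5061768 there before the next reboot if it is still booting.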




Why did this happen? (Technical root cause)




From the public information:




The update KB5058379 triggered a crash of lsass.exe (the Local Security Authority Subsystem Service) on affected systems. This crash led Windows to enter Automatic Repair mode.






On machines with BitLocker enabled, when Automatic Repair kicks in (because of a failed boot / crash), BitLocker asks for the recovery key as part of the security process. The rationale: if a drive is encrypted and system stability / firmware integrity is suspect, you must prove you're authorized.

The presence of Intel TXT (Trusted Execution Technology) and virtualization / Direct I/O features appears to trigger the condition under which the crash happens, possibly because a firmware/TPM measurement changed or was invalid, or because the driver stack for TXT/VT-d interacted badly with the update.




Microsoft states the issue is "on devices with Intel Trusted Execution Technology (TXT) enabled on 10th gen or later Intel vPro processors … installing the May 13, 2025, Windows security update (KB5058379) might cause lsass.exe to terminate unexpectedly."






What this means for the broader user base & take-aways




For ordinary consumer PCs (particularly if you don't have Intel vPro/TXT, or if you're running Windows 11), the risk appears lower (though not zero). Microsoft emphasizes that the affected hardware is relatively specialized.






For business/managed environments, particularly fleets with BitLocker enabled and corporate hardware (vPro etc.), this bug is a real operational risk (lock-out, downtime).

This kind of bug underlines a few general lessons:

Just because an update is labelled "security" or "cumulative" doesn't mean zero risk; you still need to test if you have unusual hardware or settings (e.g., TXT, virtualization).

Backing up recovery keys is not optional when you use full-disk encryption; losing the key means losing access.

There is a tension: enabling more hardware-based security (e.g., TXT, Secure Boot, BitLocker) increases security, but also increases complexity and the risk of edge-case failures.

The "automatic encryption" or "automatic security feature enablement" path (i.e., device encryption turning on silently) raises the stakes: it's less visible to users, so they may not know where their recovery key is.

Microsoft has fixed the immediate issue via the emergency update, but the fact that these kinds of things happen (and have happened many times) means it's wise to approach large updates with a strategy, particularly in enterprise settings (e.g., test, delay, ensure recovery).
