Windows 10 Update KB5058379 Initiates BitLocker Recovery Process on Select Devices
The recently released Windows 10 cumulative update, designated KB5058379, has raised concerns as it appears to trigger unanticipated BitLocker recovery prompts following installation and reboot on certain devices.
Issued on May 13, 2025, as part of Microsoft’s May Patch Tuesday updates, KB5058379 is a mandatory update designed to address critical security vulnerabilities, including five actively exploited zero-day flaws.
Reports suggest that after the installation of this update, numerous users and administrators have encountered automatic booting into the WinRE BitLocker recovery screen. While not all Windows devices seem affected, the volume of reports indicates that the update has caused significant disruptions for some users.
An administrator reported on a community forum that multiple laptops encountered various issues post-update, with some systems requiring BitLocker keys to start, while others failed to boot entirely. Similarly, another user noted difficulty with devices that prompted the BitLocker recovery window after applying the update.
Affected hardware appears to span several brands, including Lenovo, Dell, and HP, though the specific hardware or configuration conflict causing the issue remains unclear. Some users proposed disabling Intel Trusted Execution Technology (TXT) in the BIOS as a workaround; TXT is a hardware security feature that verifies the integrity of system components before sensitive operations run.
While Microsoft has yet to officially acknowledge this issue, it has been reported that company support teams are aware of users experiencing these complications. Affected users have relayed that Microsoft’s support has confirmed ongoing investigations into the matter.
Microsoft has provided guidance for users struggling to regain access to their systems, which includes the following steps:
1. Disable Secure Boot
   – Access the system’s BIOS/Firmware settings.
   – Locate the Secure Boot option and set it to Disabled.
   – Save the changes and reboot the device.
2. Disable Virtualization Technologies (if the issue persists)
   – Return to BIOS/Firmware settings.
   – Disable all virtualization options, such as Intel VT-d (VTD) and Intel VT-x (VTX).
   Note: Users should ensure they possess the BitLocker recovery key, as this action may prompt its entry.
3. Check Microsoft Defender System Guard Firmware Protection Status
   – Registry Method:
     – Open the Registry Editor (regedit).
     – Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
     – Assess the Enabled DWORD value:
       – 1 → Firmware protection is enabled
       – 0 or missing → Firmware protection is disabled or not configured
   – GUI Method (if available):
     – Open Windows Security > Device Security, and review the status under Core Isolation or Firmware Protection.
4. Disable Firmware Protection via Group Policy (if restricted by policy)
   – If the firmware protection settings are greyed out because a Group Policy controls them, follow these steps:
     – Open gpedit.msc.
     – Navigate to: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security
     – Set the Secure Launch Configuration option to Disabled.
   Alternatively, use the Registry Editor to set the following value:
   – [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
   – “Enabled”=dword:00000000
Importantly, a system restart will be required for these changes to take effect.
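Before applying the update or any of the firmware changes above, an administrator will want to know, per machine, whether System Guard firmware protection is on, whether Secure Boot is on, and whether every BitLocker-protected volume actually has a recovery password protector that can be produced if the recovery screen appears. The following PowerShell script is an added example that does that check; it is not part of Microsoft's guidance. It reads the same SystemGuard registry key named in step 3 and uses the built-in BitLocker, SecureBoot and TPM cmdlets; the `-BackupToAD` switch is an assumed option of this script (it wraps the standard `Backup-BitLockerKeyProtector` cmdlet, which requires the AD DS BitLocker backup policy and schema to be in place).

```powershell
#Requires -RunAsAdministrator
# Added pre-flight check for the KB5058379 BitLocker recovery issue (not Microsoft's guidance).
# Read-only by default; -BackupToAD (an option of this script, not a Windows setting) escrows
# recovery passwords to Active Directory before any firmware setting is changed.
param(
    [switch]$BackupToAD
)

# Registry key from step 3 of the article (policy-backed System Guard / Secure Launch state).
$SystemGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Get-FirmwareProtectionState {
    # Enabled = 1 -> firmware protection on; 0 or value missing -> off / not configured.
    $item = Get-ItemProperty -Path $SystemGuardKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item)     { return 'NotConfigured' }
    if ($item.Enabled -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report that as not applicable.
    try { if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' } } catch { 'NotUEFI' }
}

function Get-BitLockerRecoverySummary {
    # One row per volume: encryption/protection state and whether a RecoveryPassword
    # protector exists. Changing Secure Boot or VT settings alters the measurements
    # BitLocker validates at boot, so a missing recovery password is the condition to fix first.
    Get-BitLockerVolume | ForEach-Object {
        $rp = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeStatus        = $_.VolumeStatus
            ProtectionStatus    = $_.ProtectionStatus
            HasRecoveryPassword = ($rp.Count -gt 0)
            RecoveryKeyIds      = ($rp.KeyProtectorId -join ', ')
        }
    }
}

$summary = Get-BitLockerRecoverySummary
$tpm     = Get-Tpm

# Platform state relevant to the workarounds in the article.
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    FirmwareProtection = Get-FirmwareProtectionState
    SecureBoot         = Get-SecureBootState
    TpmPresent         = $tpm.TpmPresent
    TpmReady           = $tpm.TpmReady
} | Format-List

$summary | Format-Table -AutoSize

# A protected volume with no recovery password protector is the case that locks a user out.
$missing = $summary | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword }
foreach ($v in $missing) {
    Write-Warning "$($v.MountPoint) is BitLocker-protected but has no recovery password protector; add one before changing firmware settings."
}

if ($BackupToAD) {
    # Escrow every recovery password to AD DS so the key is retrievable from the directory.
    foreach ($v in ($summary | Where-Object HasRecoveryPassword)) {
        foreach ($id in ($v.RecoveryKeyIds -split ', ')) {
            Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $id
        }
    }
}
```

Run it from an elevated PowerShell session on a representative device from each hardware family (Lenovo, Dell, HP) before rolling the update or the BIOS workarounds out more widely; the `FirmwareProtection` field is the scripted equivalent of the regedit check in step 3, and a `HasRecoveryPassword` of `False` on a volume with `ProtectionStatus` `On` means the device should get a recovery protector (for example via `Add-BitLockerKeyProtector -RecoveryPasswordProtector`) before anything in the firmware is touched.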
Users are advised to be cautious when disabling Secure Boot or virtualization features, given their critical role in device security and performance. As a best practice, it is recommended to test these workarounds in a controlled manner prior to implementing broader fixes across multiple devices.
Microsoft has been contacted for additional insights regarding this issue and updates will be communicated when available.