Microsoft confirms Bitlocker boot problems after Windows 10/11 May 2025 update

[German]Update KB5058379 for Windows 10 22H2 from May 13, 2025 causes the operating system to request the Bitlocker recovery key on boot and hang on some systems. Windows 11 also appears to be affected. Microsoft has now confirmed the bug for Windows 10 and the KB5058379 update.

The Bitlocker Recovery Key Problem

Cumulative update KB5058379 rolled out for Windows 10 22H2 on May 13, 2025 (see Patchday: Windows 10/11 Updates (May 13,  2025)) contains security fixes that are mentioned in the article Microsoft Security Update Summary (May 13, 2025). On some machines, Windows 10 was locked after installing the update because the system requested the Bitlocker recovery key when booting and got stuck. I have also received reports from blog readers that Windows 11 is also affected. I reported this in the blog post Windows 10/11: May 2025 updates triggers Bitlocker Recovery and BSODs.

Microsoft confirms the Bitlocker problem

As of May 16, 2025, Microsoft has posted the support article Windows 10 might repeatedly display the BitLocker recovery screen at startup in the Windows Release Health dashboard of Windows Server 10 22H2 (noticed here). There, Microsoft confirms that after installing the May 2025 update (KB5058379), Windows 10 22H2 may display the BitLocker recovery screen.

Redmond is aware of the problem on devices with Intel Trusted Execution Technology (TXT) enabled on Intel vPro processors of the 10th or later generation. On these systems, the installation of the Windows security update from May 13, 2025 (KB5058379) can cause lsass.exe to terminate unexpectedly and trigger an automatic repair.

On devices where BitLocker is enabled, BitLocker then requires you to enter the BitLocker recovery key to initiate the automatic repair. In the article above, I gave the advice to activate Intel Trusted Execution Technology (TXT) in order to be able to install the update. Affected devices will then enter one of two states:

• Some devices may make multiple attempts to install the KB5058379 update before the startup repair successfully reverts to the previously installed update.
• The startup repair may encounter an error that causes a reboot loop, which in turn triggers an auto-repair and returns the device to the BitLocker recovery screen.

This should only affect clients in corporate environments, as consumers generally do not use Intel vPro processors on their systems. According to Microsoft, other symptoms can be observed on affected devices:

• The Windows Event Viewer in the System Event Log might display Event ID 20 with the following text: "Installation failed: Windows could not install the following update with error 0x800F0845: 2025-05 Cumulative Update for Windows 10 22H2 for x64-based systems (KB5058379)."
• Event ID 1074 may appear in the system event log with the text: "The system process 'C:\WINDOWS\system32\lsass.exe' was terminated unexpectedly with status code -1073740791."

According to Microsoft, Windows 10 22H2 and Windows 10 Enterprise LTSC 2021 are affected (nothing is mentioned about Windows 11). Microsoft is working hard on a solution and plans to release it in the coming days via an out-of-band update for the Microsoft Update Catalog. However, anyone who does not have a Bitlocker recovery key and cannot roll back the machine will lose their data. Find your BitLocker recovery key provides information on where to find a secure Bitlocker recovery key. Microsoft has no way of restoring a Bitlocker recovery key.

PS: If anyone is affected by this problem on Windows 11, I would be interested to know exactly which versions are affected.

Fixed with an out-of-band update, see Windows 10: Out-of-Band Update KB5061768 for Bitlocker issue (May 19, 2025).

Similar articles:
Microsoft Security Update Summary (May 13, 2025)
Patchday: Windows 10/11 Updates (May 13,  2025)
Patchday: Windows Server-Updates (May 13,  2025)
Patchday: Microsoft Office Updates (May 13, 2025)

Windows 10/11: Preview Updates April 22 and 25, 2025