Microsoft Releases Emergency Fix for BitLocker Recovery Issue

On May 19, 2025, Microsoft issued an emergency out-of-band update, KB5061768, to resolve a critical problem causing Windows 10 systems to boot into BitLocker recovery screens after installing the May 2025 security updates. This urgent fix addresses widespread reports from enterprise users encountering system lockouts and boot loops that necessitated BitLocker recovery keys for access.

Understanding the BitLocker Recovery Issue

The issue surfaced following the deployment of the Windows 10 KB5058379 security update on May 13, 2025. This update inadvertently caused the Local Security Authority Subsystem Service (LSASS) to terminate unexpectedly on affected systems. The abrupt termination triggered Automatic Repair processes, prompting BitLocker to request recovery keys. In some instances, systems entered persistent boot loops even after the correct recovery key was provided.

Microsoft detailed the problem in its release health update, stating:

“On affected devices, upon installing the update, Windows might fail to start enough times to trigger an Automatic Repair. On devices with BitLocker enabled, BitLocker requires the input of your BitLocker recovery key to initiate an Automatic Repair.”

Affected Systems

The problem primarily impacts systems running Windows 10 version 22H2, Windows 10 Enterprise LTSC 2021, and Windows 10 IoT Enterprise LTSC 2021 equipped with Intel vPro processors (10th generation or later) that have Intel Trusted Execution Technology (TXT) enabled. Most consumer devices running Home and Pro editions of Windows 10 are unaffected, as they typically do not utilize Intel vPro processors.

Affected systems displayed Event ID 20 in Windows Event Viewer with error code 0x800F0845, alongside Event ID 1074 reporting unexpected termination of lsass.exe with status code -1073740791.

Deployment of the Emergency Update

The emergency update KB5061768, corresponding to OS Builds 19044.5856 and 19045.5856, is available exclusively through the Microsoft Update Catalog. As a cumulative update, it does not require prior updates before installation. Microsoft advises affected organizations to download and install the update promptly to resolve the issue.
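
A read-only triage check for the event indicators and build numbers given above, added here as an example; it is not Microsoft's code or part of the original article. It assumes both events are written to the System log, which the article does not state, and the function and variable names are illustrative.

```powershell
# Added triage example. Assumption: Event ID 20 and Event ID 1074 are both
# recorded in the System log (the article does not name the log).
$since = [datetime]'2025-05-13'   # KB5058379 release date, from the article

function Get-IndicatorEvent {
    param([int]$Id, [string]$Pattern)
    # No matching events is a normal outcome, so suppress the "not found" error.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $Id; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern }
}

# Indicator 1: Event ID 20 carrying error code 0x800F0845.
$installFailures = @(Get-IndicatorEvent -Id 20 -Pattern '0x800F0845')

# Indicator 2: Event ID 1074 reporting lsass.exe ending with status -1073740791.
# (?s) lets the pattern span line breaks inside the event message.
$lsassCrashes = @(Get-IndicatorEvent -Id 1074 -Pattern '(?s)lsass\.exe.*-1073740791')

# The same status as an unsigned NTSTATUS hex string, for searching tools
# that log the code in hex rather than as a signed integer.
$statusHex = '0x{0:X8}' -f ([int]-1073740791)

# Compare the running build with the fixed builds named in the article
# (19044.5856 and 19045.5856).
$cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build  = [int]$cv.CurrentBuild
$ubr    = [int]$cv.UBR
$inScope = $build -in 19044, 19045
$hasFix  = $inScope -and ($ubr -ge 5856)

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OSBuild            = "$build.$ubr"
    BuildInScope       = $inScope
    FixedBuildOrLater  = $hasFix
    Event20Failures    = $installFailures.Count
    LsassTerminations  = $lsassCrashes.Count
    LsassStatusHex     = $statusHex
    LastLsassEvent     = ($lsassCrashes | Select-Object -First 1).TimeCreated
    NeedsKB5061768     = $inScope -and (-not $hasFix) -and
                         (($installFailures.Count + $lsassCrashes.Count) -gt 0)
}
```

Run it from an elevated or standard PowerShell session on a host that boots; for a fleet, the same script block can be passed to `Invoke-Command` and the resulting objects exported for review.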

Steps for Systems Unable to Boot

For systems unable to boot due to the BitLocker prompt, Microsoft recommends temporarily disabling Intel VT for Direct I/O (VTD/VTX) and Intel Trusted Execution Technology (TXT) in BIOS/UEFI settings. After disabling these features, systems should boot successfully, allowing administrators to install the KB5061768 update. Following installation and restart, the Intel security features can be re-enabled, though this will require entering the BitLocker recovery key once more.

Microsoft emphasizes the importance of maintaining secure backups of BitLocker recovery keys, stating:

“Microsoft Support doesn’t have the ability to retrieve, provide, or recreate a lost BitLocker recovery key.”

Context and Implications

This emergency release comes as Microsoft continues preparation for Windows 10’s end of support on October 14, 2025. After this date, Microsoft will no longer provide free software updates, technical assistance, or security fixes for Windows 10.

The KB5061768 update also includes the latest servicing stack update (SSU KB5058526) for builds 19044.5853 and 19045.5853, improving the reliability of the update process for future installations.

For organizations unsure if they’re affected by this issue, Microsoft notes that the problem primarily impacts enterprise environments utilizing specific Intel security features, and those not experiencing BitLocker recovery prompts do not need to install the emergency update.