Updated May 19 with more details of exactly how the bug is breaking Windows on installation and how to solve it.
Windows 10 users have recently come across a problem caused by the latest Windows 10 KB5058379 update. The problem is, it’s a mandatory update. Here’s what you should do.
The issue was reported on May 15 by Windows Latest. “Windows 10 KB5058379 is causing PCs to boot into Windows Recovery and require BitLocker key. Windows Latest received reports that KB5058379 install starts, but ends up at “Enter the recovery key to get going again (Keyboard layout: US)” screen, and there’s a text field to add the recovery key. In some cases, there’s a BSOD as well,” Windows Latest said.
It’s unusual for BitLocker recovery to trigger automatically unless we make a change to the hardware or BIOS settings. Several users told Windows Latest that a BitLocker Recovery (Windows Boot Recovery) is prompted automatically after installing KB5058379, which is rolling out via Windows Update. In some cases, there’s a BSOD as well… Windows 10 KB5058379 is a mandatory security update rolling out for everyone, including businesses or enterprises, and you don’t have a choice but to install the update,” it went on.
If you aren’t familiar with BitLocker, then, as you’ll see below, there’s a chance that the problem won’t apply to you. Anyway, here’s how Bleeping Computer described the issue and how it manfests.
“The BitLocker Windows security feature encrypts storage drives to prevent data theft, and Windows computers typically enter BitLocker recovery mode after events like TPM (Trusted Platform Module) updates or hardware changes to regain access to protected drives. Today, Microsoft confirmed the issue and said it’s investigating reports that ‘a small number’ of Windows 10 PCs display BitLocker recovery screens after installing the KB5058379 update,” it said.
On Saturday, May 17, Microsoft updated a support document to acknowledge the issue. “We are aware of a known issue on devices with Intel Trusted Execution Technology (TXT) enabled on 10th generation or later Intel vPro processors,” it said. It also shared some good news.
It Probably Won’t Affect You
“Consumer devices typically do not use Intel vPro processors and are less likely to be impacted by this issue. This issue ONLY applies to the affected platforms listed below. Windows 10, versions 22H2; Windows 10 Enterprise LTSC 2021, Server: None,” Microsoft said in its support document.
Again, this is why you’ll probably know about BitLocker if there’s a chance you could be affected.
So, if you have a PC with Intel vPro chip, you could be tempted not to install it yet, though since it’s mandatory, it’s not advisable to skip it.
Take heart, though: Microsoft is working on it. “We are urgently working on a resolution for this issue, with plans to release an Out-of-band update to the Microsoft Update Catalog in the coming days,” it says, and the fact that the latest support document was filed on a Saturday indicates the urgency.
What To Do
The first stage, obviously, is to find your 48-digit Bitlocker recovery key. Here are Windows Latest’s helpful instructions for what you need to do.
You need to reboot into BIOS/UEFI, which can be done by pressing a key after power-on, but the keys are different across all OEMs. On most Dell/HP/Lenovo: press F2, F10/F12, or Esc immediately after power-on to enter BIOS/UEFI.
Next, in BIOS, look for Security, open Virtualization or Advanced CPU Settings and turn off Intel TXT. This could also be referred to as Trusted Execution, or OS Kernel DMA Support. Note that you can leave VT for Direct I/O (or VT-d) enabled. Finally, save changes and exit BIOS.
“The idea is to disable Intel TXT / Trusted Execution and allow KB5058379 to finish installation. If you followed the steps correctly, you won’t run into BitLocker Recovery or BSOD. Remember that the BSOD or BitLocker is triggered when installing KB5058379, but you won’t have the issue after the update is installed successfully. The catch is that it’s a challenge to install the security patch without turning off Intel TXT / Trusted Execution in BIOS,” Windows Latest explains.
Windows 11 is not affected by this issue, it seems.