
Microsoft has resolved a critical issue with the May 2025 Windows security update (KB5058379) that caused affected systems to boot directly into BitLocker recovery mode. The problem specifically impacts devices with Intel Trusted Execution Technology (TXT) enabled on 10th generation or later Intel vPro processors.
The update conflict causes the Local Security Authority Subsystem Service (lsass.exe) to terminate unexpectedly, triggering Windows Automatic Repair. For systems with BitLocker encryption enabled, this requires users to input their BitLocker recovery key before the repair process can begin.
Affected users report their devices entering one of two problematic states: either making multiple failed attempts to install the update before rolling back, or entering a continuous reboot loop that repeatedly requires BitLocker recovery key input.
Event logs on impacted systems typically show Event ID 20 with error code 0x800F0845 indicating update installation failure, along with Event ID 1074 showing lsass.exe termination with status code -1073740791.
Microsoft has released an out-of-band update (KB5061768) to address the issue, available exclusively through the Microsoft Update Catalog. Organizations using the affected platforms are advised to apply this update instead of the regular May security update.
For users already experiencing startup failures, Microsoft recommends:
- Temporarily disabling Intel VT for Direct I/O and Intel TXT in BIOS/UEFI settings
- Installing update KB5061768
- Re-enabling the Intel security features after a successful update
The issue predominantly affects business devices with Intel vPro processors running Windows 10 version 22H2 or Windows 10 Enterprise LTSC 2021. Consumer devices typically do not use Intel vPro processors and are less likely to be affected.
Microsoft reminds users that support services cannot retrieve lost BitLocker recovery keys, emphasizing the importance of proper key management for all BitLocker-enabled systems.
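
The event-log indicators, the two update numbers and the recovery-key reminder above can be checked together on a single machine. The PowerShell below is an added example, not Microsoft tooling or part of the original article; the function name `Get-Kb5058379Triage`, the 30-day look-back and the assumption that both events are written to the System log are choices made for this illustration.

```powershell
# Added triage example, not Microsoft tooling. Run locally from an elevated prompt.
# Assumption: both events named in the article are written to the System log.
function Get-Kb5058379Triage {
    [CmdletBinding()]
    param([datetime]$Since = (Get-Date).AddDays(-30))   # look-back window (assumed default)

    $filter = @{ LogName = 'System'; Id = 20, 1074; StartTime = $Since }
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Event ID 20: update installation failure with error 0x800F0845
    $installFailures = @($events | Where-Object {
        $_.Id -eq 20 -and $_.Message -match '0x800F0845' })
    # Event ID 1074: lsass.exe terminated with status code -1073740791
    $lsassCrashes = @($events | Where-Object {
        $_.Id -eq 1074 -and $_.Message -match 'lsass\.exe' -and
        $_.Message -match '-1073740791' })

    # Which of the two updates named in the article are recorded as installed
    $installed = @(Get-HotFix -Id 'KB5058379', 'KB5061768' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID)

    # BitLocker state of the OS volume; only the presence of a recovery
    # password protector is reported, never the key itself
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $hasRecoveryProtector = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        InstallFailures   = $installFailures.Count
        LsassCrashes      = $lsassCrashes.Count
        LastLsassCrash    = ($lsassCrashes | Select-Object -First 1).TimeCreated
        InstalledUpdates  = $installed -join ', '
        BitLockerOn       = ($vol.ProtectionStatus -eq 'On')
        RecoveryProtector = $hasRecoveryProtector
        # Heuristic (assumption): either indicator seen and the out-of-band fix absent
        NeedsKB5061768    = ($installFailures.Count -gt 0 -or $lsassCrashes.Count -gt 0) -and
                            ($installed -notcontains 'KB5061768')
    }
}

Get-Kb5058379Triage | Format-List
```

A machine that reports `BitLockerOn` as true should have its recovery key confirmed as escrowed before any update attempt, since a failed install on an affected device leads to the recovery prompt.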