Microsoft issues workaround for BitLocker bug in KB5058379 update

Earlier, we reported that Windows 11 users were fuming over BitLocker encryption issues that could potentially cause data loss. Now, it appears the problem has also started bothering Windows 10 users. It begins with the installation of KB5058379 via Windows Update on Windows 10, leading to the dreaded “Enter the recovery key” blue screen prompting to enter the BitLocker recovery key. Thankfully, there is a workaround to fix the issue temporarily. Read on!

Generally, BitLocker recovery is triggered automatically when there is a hardware change, a TPM-related issue, or change in BIOS/UEFI configuration, boot configuration, or BitLocker policy.

What we know so far

After Microsoft released the security update, KB5058379, on May 13, some Windows 10 devices, including those used by businesses or enterprises, have been affected. The update causes lsass.exe to terminate unexpectedly, triggering an Automatic Repair or prompting to enter BitLocker recovery on BitLocker-enabled devices.

Some devices repeatedly try to install the update before Startup Repair successfully rolls back to the previously installed update. Others might experience failure and get stuck in a reboot loop, which again initiates the Automatic Repair, and returns the device to the BitLocker recovery screen.

In an attempt to fix the issue, some users have tried uninstalling the update or pausing it for a while. However, neither helped.

The additional symptoms mentioned by Microsoft are:

• Event ID 20 might appear in the Windows Event Viewer in the System event log, with the following text: “Installation Failure: Windows failed to install the following update with error 0x800F0845: 2025-05 Cumulative Update for Windows 10 22H2 for x64-based Systems (KB5058379).”
• Event ID 1074 might appear in the System event log, with the text: “The system process ‘C:\WINDOWS\system32\lsass.exe’ terminated unexpectedly with status code -1073740791.”

Here are the editions of Windows affected by the issue:

• Windows 10 21H2 LTSC/Enterprise
• Windows 10 22H2
• Lenovo, HP and Dell PCs

Upon initial investigation, the findings suggest the issue affects all Intel devices (10th Gen or later with vPro processors) with the TXT (Trusted Execution Technology) feature enabled. Furthermore, the bug has mostly affected enterprise PCs managed via SCCM (System Center Configuration Manager), Intune, and WSUS (Windows Server Update Services).

Microsoft is still investigating the issue using crash dumps and logs provided by customers affected by it. In the coming days, the tech giant plans to release an Out-of-band update to the Microsoft Update Catalog.

Next steps & Workarounds to fix the Windows 10 KB5058379 issue

A user, Callum Hargreaves2, on the Microsoft community page shared the suggestions provided on the support call:

– Continue to keep affected devices with update installation paused.
– For devices already affected and requiring BitLocker recovery, applying the recovery key and rolling back the update as you described is the advised interim measure.
– Disabling TXT in BIOS is another possible workaround, but as you noted, it may require remote staff to come in and is not ideal for large deployments.
– Microsoft is working to document the issue on the Windows Release Health and Microsoft 365 Admin Center portals; updates will be provided as new information becomes available.

Disabling TXT in BIOS is a temporary adjustment that targets the virtualization security component, which seems to conflict with the update. Apparently, you can disable it, install the security update, and then enable it.

Were you able to fix the issue of entering the BitLocker recovery key while trying to install KB5058379 on Windows 10 using the workaround suggested by Microsoft? Share your experience with our readers in the comments section below.