Microsoft has released an urgent out-of-band (OOB) update—KB5061768—for Windows 10, targeting a critical flaw that left enterprise systems trapped in BitLocker recovery loops after the May 2025 Patch Tuesday update.
The emergency patch, available exclusively through the Microsoft Update Catalog, addresses a widespread issue that has disrupted IT operations across organizations using Intel vPro hardware.
Background: The BitLocker Boot Loop Crisis
The trouble began with the cumulative security update KB5058379, released on May 13, 2025.
Shortly after deployment, administrators reported that affected Windows 10 devices would unexpectedly reboot into the BitLocker recovery screen, demanding the BitLocker recovery key even though no hardware or firmware changes had occurred.
In some cases, entering the correct key led only to repeated boot loops or blue screens of death (BSODs).
The root cause was traced to a crash in the Local Security Authority Subsystem Service (LSASS), a core Windows process responsible for authentication and cryptographic operations.
On systems with Intel Trusted Execution Technology (TXT) enabled—primarily 10th generation or newer Intel vPro processors—the LSASS crash triggered Windows’ Automatic Repair, which in turn prompted for the BitLocker recovery key as a security precaution.
Who Was Affected?
The issue primarily impacted enterprise-class endpoints running:
- Windows 10, version 22H2
- Windows 10 Enterprise LTSC 2021
- Windows 10 IoT Enterprise LTSC 2021
The intersecting requirements—Intel vPro hardware, Intel TXT enabled, and BitLocker in use—meant that most consumer devices (Home or Pro editions) were not affected.
However, for businesses and organizations, the disruption was significant, with reports of devices from major vendors like Lenovo, Dell, and HP being impacted.
Technical Details and Deployment Guidance
KB5061768 is a cumulative update, meaning it includes all previous fixes and can be safely installed even if prior updates have not been applied.
This all-in-one approach simplifies remediation and minimizes downtime in enterprise environments.
Deployment Steps
- Manual Installation: KB5061768 is not distributed via Windows Update and must be downloaded from the Microsoft Update Catalog.
- For Systems Already Affected:
  - Temporarily disable Intel TXT (and, if necessary, Intel VT for Direct I/O) in the BIOS/UEFI.
  - Boot into Windows, and enter the BitLocker recovery key if prompted.
  - Install KB5061768.
  - Reboot and re-enable Intel TXT to restore full security posture.
- For Unaffected Systems: Install KB5061768 before deploying KB5058379 to prevent the issue from occurring.
Note: The update also includes the latest Servicing Stack Update (SSU), which improves the reliability of the Windows update process. Once installed, the SSU cannot be removed separately.
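The deployment guidance above can be turned into a per-host triage check. The following PowerShell is an added example, not Microsoft's or this article's own tooling; the function name `Get-KB5061768Triage` is hypothetical, it assumes both updates are reported by `Get-HotFix`, and it cannot read the Intel TXT setting, which still has to be confirmed in the BIOS/UEFI. The recovery-password check is an added precaution, since affected devices prompt for the recovery key.

```powershell
# Added example: classify a Windows 10 host against the KB5058379 / KB5061768 guidance.
# Run from an elevated session (Get-BitLockerVolume requires administrator rights).
function Get-KB5061768Triage {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Build 19045 is Windows 10 22H2; build 19044 is (IoT) Enterprise LTSC 2021.
    $inScope = $os.BuildNumber -in '19044', '19045'
    $isIntel = $cpu.Manufacturer -eq 'GenuineIntel'

    # Assumption: both cumulative updates show up in Get-HotFix on this host.
    $kbs    = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
    $hasBad = $kbs -contains 'KB5058379'
    $hasFix = $kbs -contains 'KB5061768'

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $blOn  = $vol.ProtectionStatus -eq 'On'
    # Added precaution: a recovery password protector should exist before any reboot.
    $hasRp = [bool]($vol.KeyProtector |
                    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $action = if (-not $inScope) {
        'Not one of the affected Windows 10 versions; no action from this check.'
    } elseif ($hasFix) {
        'KB5061768 is installed; re-enable Intel TXT if it was disabled as a workaround.'
    } elseif ($hasBad) {
        'KB5058379 is installed without the fix; install KB5061768 from the Microsoft Update Catalog.'
    } else {
        'Install KB5061768 before deploying KB5058379.'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSBuild             = $os.BuildNumber
        IntelCpu            = $isIntel
        BitLockerOn         = $blOn
        RecoveryPasswordSet = $hasRp
        HasKB5058379        = $hasBad
        HasKB5061768        = $hasFix
        # At-risk profile from the article: Intel hardware, BitLocker on, bad update, no fix.
        AtRiskProfile       = $inScope -and $isIntel -and $blOn -and $hasBad -and -not $hasFix
        Action              = $action
    }
}

Get-KB5061768Triage | Format-List
```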
Known Issues
Microsoft has acknowledged a display issue where CJK (Chinese, Japanese, Korean) text may appear blurry in Chromium-based browsers at 100% scaling (96 DPI).
A temporary workaround is to increase display scaling to 125% or higher while a permanent fix is investigated.
End of Windows 10 Support Looms
This critical update arrives as Windows 10 approaches its end of support on October 14, 2025.
After this date, Microsoft will cease providing free security updates and technical assistance, urging users and organizations to transition to Windows 11 for continued protection and support.
KB5061768 is a vital fix for enterprise customers running Windows 10 on Intel vPro hardware, resolving a major security and operational disruption caused by the May 2025 updates.
Administrators are urged to apply the update promptly and follow Microsoft’s deployment guidance to restore normal operations and safeguard their systems.
Key Technical Codes:
- Problematic Update: KB5058379
- Emergency Fix: KB5061768
- Servicing Stack Update: KB5058526
- BIOS/UEFI Settings: Intel TXT, Intel VT for Direct I/O (VTD/VTX)
- Core Process: LSASS (Local Security Authority Subsystem Service)
- Security Feature: BitLocker
For further details, consult the Microsoft Update Catalog and the Windows Release Health dashboard.