May brought with it some critical challenges for Windows users. Following the routine Patch Tuesday updates, users began reporting serious system issues that triggered BitLocker recovery prompts, blue screens of death (BSODs), and failed upgrades.
In response, Microsoft has released two emergency out-of-band (OOB) updates: KB5061768 for Windows 10 and KB5059442 for Windows 11.
On May 13, Microsoft rolled out cumulative update KB5058379 for Windows 10. Soon after, IT admins and enterprise users began experiencing a disturbing pattern: devices rebooting into the BitLocker recovery screen without any changes to BIOS, hardware, or startup configuration.
Affected Systems:
- Windows 10 Enterprise/Pro systems
- Devices running Intel vPro (10th Gen or newer)
- Systems with Intel Trusted Execution Technology (TXT) enabled
Many users also encountered BSODs either during or right after the update process. The root cause? An unexpected termination of the LSASS (Local Security Authority Subsystem Service), which then forced a boot repair and subsequently triggered BitLocker into thinking the system had been tampered with.
Emergency Fix: KB5061768 for Windows 10
To resolve this, Microsoft issued KB5061768, a standalone out-of-band update available only through the Microsoft Update Catalog.
How to Fix It:
- Boot into BIOS/UEFI and temporarily disable Intel TXT.
- Boot into Windows (if possible).
- Download and install KB5061768 manually from the Microsoft Catalog.
- Reboot your PC.
- Re-enable Intel TXT in BIOS to restore security posture.
This update patches the issue that caused LSASS to crash, preventing BitLocker from unnecessarily asking for the recovery key.
Windows 11 24H2 Upgrade Blocked by VBS Bug
Alongside the Windows 10 updates chaos, Microsoft also had to deal with a growing problem on Windows 11 systems, specifically version 24H2.
Devices with Virtualization-Based Security (VBS) or Memory Integrity enabled were failing to upgrade due to a code integrity validation flaw.
These failures were particularly prevalent during in-place upgrades, with reports noting that the upgrade would stall or roll back without clear error messages.
Recovery Update: KB5059442 for Windows 11
To fix this, Microsoft quietly released KB5059442, a Safe OS Dynamic Update aimed at improving the Windows Recovery Environment (WinRE) and addressing VBS-related conflicts during the upgrade process.
This update is automatically applied during the Windows Setup phase for systems attempting to move to version 24H2, ensuring a smoother and more secure upgrade path.
