The Windows 10 KB5058379 cumulative update, released on May 13, 2025, as part of Microsoft’s Patch Tuesday, aimed to address several security vulnerabilities. However, shortly after its release, users began reporting unexpected issues, including devices booting into BitLocker recovery mode and encountering Blue Screen of Death (BSOD) errors.
Understanding the Issue
BitLocker Recovery Prompts
BitLocker Recovery Screen on Reboot
The most prominent issue associated with KB5058379 is that, after installation and reboot, some devices boot directly into the Windows Recovery Environment (WinRE) and prompt users to enter their BitLocker recovery key.

Blue Screen of Death (BSOD) Errors
In addition to the BitLocker issues, some users have reported encountering BSODs after installing the update. These errors further complicate the recovery process, as they can prevent users from accessing the recovery environment or entering their BitLocker keys.

Affected Systems
The issues appear to predominantly affect:
- Windows 10 versions 22H2 and 21H2 LTSC/Enterprise editions
- Devices from OEMs such as Dell, HP, and Lenovo
It’s worth noting that while consumer devices are less frequently affected, enterprise environments, especially those with specific security configurations, are experiencing these problems more commonly.
What’s Causing the Issue?
Some community members traced the issue to Intel’s Trusted Execution Technology (TXT), a BIOS feature that verifies system integrity before boot. Disabling TXT has helped some users bypass the recovery prompt and boot normally into Windows.
“Trusted Execution Technology (TXT) is a hardware-based security feature that verifies the integrity of system components before allowing sensitive operations to run.”
— Intel Docs
Additionally, users have reported that other advanced BIOS settings and system firmware protections may be interacting poorly with KB5058379.
Microsoft’s (Unofficial) Response on Windows 10 KB5058379 Update
As of now, Microsoft’s Windows 10 health dashboard does not list KB5058379 as having any known issues. However, Microsoft Support has reportedly acknowledged the problem privately:
“I would like to inform you that we are currently experiencing a known issue with the May Month Patch KB5058379… A support ticket has already been raised with the Microsoft Product Group (PG) team, and they are actively working on a resolution.”
— Impacted user report on Reddit
Workarounds
Until Microsoft issues an official fix, users have turned to the following workarounds, as allegedly provided by Microsoft Support:
1. Disable Secure Boot
- Enter BIOS/UEFI settings during startup (keys: F2, F10, Del, Esc).
- Locate Secure Boot and set it to Disabled.
- Save and exit BIOS, then restart.
2. Disable Virtualisation Technologies
- Re-enter BIOS and disable:
  - Intel VT-x (VTX)
  - Intel VT-d (VTD)
Note: This may prompt BitLocker recovery—ensure you have the key.
3. Check Defender System Guard Firmware Protection
Registry Method:
- Open regedit
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
- Check the Enabled value: 1 → Enabled; 0 or missing → Disabled
GUI Method:
- Go to Windows Security > Device Security > Core Isolation/Firmware Protection.

4. Disable Firmware Protection via Group Policy
If firmware protection settings are hidden or enabled due to Group Policy / Intune, follow these steps:
Group Policy:
- Run gpedit.msc
- Go to: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security
- Set Secure Launch Configuration to Disabled
Registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000000

Intune:
- Sign in to the Intune Admin Centre portal.
- Select Devices > Windows > Configuration profiles > Create a profile.
- Select Windows 10 and later in Platform, and select Profile Type as Settings catalog. Click on the Create button.
- On the Basics tab pane, provide a name for the policy as “Turn Off Virtualisation Based Security Policy.”
- In Configuration Settings, click Add Settings to browse or search the catalog for Device Guard and select Disable Virtualisation Based Security.

Restart is required for changes to apply.
⚠️ Important: Try disabling Intel TXT first before changing Secure Boot or virtualization settings, as these may impact system security, performance, and virtual machine compatibility.
Recommendations for IT Admins and Users
- Backup Recovery Keys: Ensure BitLocker recovery keys are saved in a secure location, such as your Microsoft account or Active Directory.
- Pause KB5058379 Rollout: If you’re managing devices via WSUS or Intune, consider deferring this update.
- Monitor Official Updates: Keep checking Microsoft’s update catalog and release health dashboard for advisories.
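A read-only pre-flight check that ties the System Guard registry value from workaround 3 to the recovery-key advice above. It is an added example, not a script from Microsoft or from the original article. It assumes an elevated PowerShell prompt, the built-in BitLocker module, and that the OS volume is the system drive.

```powershell
# Added example: read-only pre-flight check. Run from an elevated PowerShell prompt.
$kb    = 'KB5058379'          # update discussed on this page
$sgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
$drive = $env:SystemDrive     # assumption: the OS volume is the system drive

# Is the update already installed on this device?
$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# System Guard firmware protection: Enabled = 1 means on; 0 or missing means off.
$sg = Get-ItemProperty -Path $sgKey -Name Enabled -ErrorAction SilentlyContinue
$secureLaunch = ($null -ne $sg) -and ($sg.Enabled -eq 1)

# Secure Boot state. The cmdlet throws on legacy-BIOS systems, so report $null there.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $null }

# BitLocker state of the OS volume and its recovery-password protectors.
# Only protector IDs are collected; the 48-digit password is never printed.
$vol      = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
$recovery = @($vol.KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

$report = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    UpdateInstalled     = $installed
    SecureLaunchEnabled = $secureLaunch
    SecureBootEnabled   = $secureBoot
    BitLockerProtection = if ($vol) { "$($vol.ProtectionStatus)" } else { 'Unknown' }
    RecoveryProtectors  = $recovery.Count
    RecoveryKeyIds      = ($recovery.KeyProtectorId -join ', ')
}
$report | Format-List

if ($report.BitLockerProtection -eq 'On' -and $recovery.Count -eq 0) {
    # Protected volume with no recovery password: a recovery prompt could not be answered.
    Write-Warning "No recovery password protector on $drive. Add and escrow one before rebooting."
}
elseif ($recovery.Count -gt 0 -and ($installed -or $secureLaunch)) {
    # Compare these IDs with the keys held in your Microsoft account or Active Directory.
    Write-Host "Confirm the listed recovery key IDs are escrowed before the next reboot."
}

# Not from the page: before a planned firmware setting change, standard practice is
# to suspend BitLocker for one reboot so the changed measurements do not trigger recovery:
# Suspend-BitLocker -MountPoint $drive -RebootCount 1
```

The script changes nothing on the device, so it can be run across a fleet to find machines that have firmware protection enabled but no escrowed recovery key.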
Conclusion
The KB5058379 update, while intended to patch critical vulnerabilities, has introduced unexpected problems for certain Windows 10 users and enterprise environments. From BitLocker recovery prompts to BSODs, the update appears to conflict with certain BIOS security settings, especially Intel TXT and Defender’s System Guard.
Microsoft has yet to issue a public fix, but internal acknowledgements suggest a resolution is in the works. Until then, users are advised to tread carefully, especially when managing large fleets of devices.