Latest patch leaves some Windows 10 machines stuck in recovery loops
Veteran OS might be almost out of support, but there's still time for Microsoft to break it
As Microsoft's Build developer shindig begins, many users are once again facing a familiar problem: broken Windows.
The affected versions this time? Windows 10 22H2 and Windows 10 Enterprise LTSC 2021 (for anyone who was hoping to dodge the upcoming end of Windows 10 support with a crafty switch to an alternative).
If a customer is running a device with Intel Trusted Execution Technology (TXT) enabled on a tenth-generation or later Intel processor with vPro support, has BitLocker enabled, and obediently installed the KB5058379 patch released on May 13, then they'd better have their BitLocker key handy.
According to Microsoft, the patch "might cause lsass.exe to terminate unexpectedly, triggering an Automatic Repair."
Microsoft warned that affected systems might either make several attempts to install the update before Startup Repair rolls back to the previously installed update, or Startup Repair could go into a reboot loop, "which again initiates an Automatic Repair, returning the device to the BitLocker recovery screen."
"Consumer devices typically do not use Intel vPro processors and are less likely to be impacted by this issue," the company said. A great comfort to administrators faced with digging out BitLocker recovery keys thanks to what some might consider Microsoft's inadequate testing practices.
In addition to releasing the broken patch, Microsoft announced on May 13 that it would lay off thousands of employees.
Hopefully, sufficient staff remain to deal with the problem. Microsoft: "We are urgently working on a resolution for this issue, with plans to release an Out-of-band update to the Microsoft Update Catalog in the coming days."
Until the update arrives, there are several workarounds for the issue posted on social media, one of which involves disabling TXT on afflicted machines. Doing so, however, risks opening hardware up to attack.
According to Intel: "Intel Trusted Execution Technology provides these mechanisms by enabling an environment where applications can run within their own space – protected from all other software on the system." Switching it off could therefore introduce serious security risks.
Administrators are stuck between a rock and a hard place. Postponing the update, which contains useful fixes, is not ideal. However, neither is running the risk of leaving users with borked devices due to Microsoft's latest misadventure in validation. ®
Updated to add:
On May 20, Microsoft pushed out an out-of-band update, KB5061768, to deal with the problem. The company recommended that users who hadn't yet installed, or were unable to install, the original update, KB5058379, install this instead.
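A triage check for the conditions described in this article, as an added example that is not from Microsoft or The Register: it reports whether KB5058379 or the KB5061768 fix is installed, whether BitLocker protects the OS volume, and the IDs of any recovery-password protectors so they can be matched against escrowed keys. The function names are hypothetical, the script assumes both updates are visible to `Get-HotFix`, and Intel TXT and vPro state are not detected and must be confirmed in firmware settings.

```powershell
# Added example: triage one Windows 10 host against the conditions in the article.
# Run from an elevated PowerShell session (Get-BitLockerVolume requires it).
# Not checked here: Intel TXT / vPro state. Confirm those in firmware setup.

$BrokenKb = 'KB5058379'   # May 13 update named in the article
$FixKb    = 'KB5061768'   # May 20 out-of-band update named in the article

function Test-KbInstalled {
    # Hypothetical helper. Assumes the update is listed by Get-HotFix.
    param([Parameter(Mandatory)][string]$Id)
    # Get-HotFix writes an error when the KB is absent; suppress it and test for a result.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-Kb5058379Exposure {
    # Hypothetical helper: returns one summary object for the local machine.
    $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # Only protector IDs are reported, never the recovery password itself.
    $recovery = @($volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $broken = Test-KbInstalled -Id $BrokenKb
    $fixed  = Test-KbInstalled -Id $FixKb
    $locked = ($volume.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Cpu               = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
        BrokenKbInstalled = $broken
        FixKbInstalled    = $fixed
        BitLockerOn       = $locked
        RecoveryKeyIds    = $recovery.KeyProtectorId -join ', '
        # A recovery prompt is only survivable if a recovery password exists and is escrowed.
        NeedsKeyCheck     = ($locked -and -not $fixed)
        NoRecoveryKey     = ($locked -and $recovery.Count -eq 0)
    }
}

Get-Kb5058379Exposure | Format-List
```

Hosts that report `NeedsKeyCheck` as true are the ones whose recovery key IDs are worth verifying against the organisation's key escrow before the next reboot.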