BitLocker Recovery Prompt After Windows 10 Update? Fix It with KB5061768

Suddenly your PC boots up, and bam — you’re staring at a BitLocker recovery prompt, thinking, “What the heck just happened?” That’s pretty much what happened to me after installing the March 2025 Windows 10 security update — KB508379.

Dealing with that pesky BitLocker recovery screen after the latest Windows update

Turns out, Microsoft kinda acknowledges there’s an issue with that update, and it’s causing a weird crash involving the local security authority subsystem service (LSASS). When LSASS crashes, Windows freaks out and asks for your BitLocker recovery key, which is definitely not what you want first thing in the morning.

What’s causing this mess?

From what I pieced together, the root seems tied to KB508379 — the latest security patch. It apparently has a bug that makes LSASS terminate unexpectedly on certain configurations. This bug hits especially hard if you’ve got Intel Trusted Execution Technology (TXT) enabled, or if your device has a 10th gen Intel CPU or newer.

Sometimes it’s also related to BIOS or firmware settings, like having Secure Boot turned on or measured boot features enabled. These settings can get pretty confusing, and if they’re misconfigured, the problem gets worse.

So, basically, what happens is this: LSASS (which is responsible for security policies and user authentication) crashes, and Windows reacts by prompting for the BitLocker recovery key. Believe me, finding that key isn’t always straightforward if you don’t keep it handy.

During my troubleshooting, I noticed this prompt showing up after a reboot, and sometimes it took a few tries—rebooting into recovery mode, fiddling with BIOS settings, etc. And the settings you need to look for are often buried under labels like Security, Boot, or Misc—which makes digging through BIOS pretty annoying.

Is Microsoft doing anything about it?

Yes and no. Microsoft is aware of this bug and is actively working on a fix. They’ve released an out-of-band update — that’s tech-speak for an emergency patch outside of the normal update cycle. The fix comes as KB5061768, but here’s the kicker: it’s not being pushed automatically. You’ve gotta go find it yourself. Typical Microsoft, right? You have to manually download it from the Microsoft Update Catalog.

How do I grab and install this fix?

If you’re stuck with the BitLocker prompt after KB508379, head over to the Update Catalog, search for KB5061768, and download the version that matches your system — here’s where knowing your system type is key.

You can check if your Windows is 64-bit or 32-bit in Settings > System > About under System type. Usually, modern systems are x64 or ARM64, but if you’re on some older hardware, it might be 32-bit.

Once you find the right file (like Windows10.0-KB5061768-x64.msu), you can double-click it to start installation. If your normal installer bugs out, open Command Prompt as administrator and run:

DISM /Online /Add-Package /PackagePath:C:\Path\To\KB5061768-x64.msu

It’s a bit of a pain, but it gets the job done. Sometimes you might need to boot into Safe Mode if your system is really locked up — I did, and it’s a whole fun adventure trying to get there with BitLocker encryption turned on.

Why is it so complicated to install?

This isn’t your usual Windows Update thing. Microsoft’s being cautious because pushing out system-level patches can brick a machine if not properly tested. So instead, they make the patch available through the Update Catalog for manual download and installation.

That way, you at least have control over when and how to patch, especially if your system is in a bad state already. And because some of these patches affect low-level system stuff like TPM and Secure Boot, you gotta be very careful before poking around in BIOS/UEFI.

What BIOS/UEFI settings should I check?

First, check whether Secure Boot is enabled (you’ll see this in your BIOS under Security or Boot). If it’s on, try toggling it off, then back on after installing the fix — sometimes that resets things. Also, verify that your TPM (Trusted Platform Module) is enabled and recognized by Windows.

For that, you can check in the BIOS/UEFI menu—usually under something like Trusted Computing or Security > TPM. If BIOS/UEFI is reset or if you’re unsure, resetting to defaults can sometimes fix detection issues.

On my older ASUS, I had to dig through Advanced > Security > TPM to see if it was activated. And just a word of caution: messing around with virtualization features like Intel VT-x can sometimes impact system security and how things boot, so toggle those only if you’re comfortable—your mileage may vary.
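Before rebooting into firmware setup, the same facts can be read from inside Windows. The script below is an added example, not part of the original write-up: it reports whether the fix is installed, the TPM and Secure Boot state, and whether the system drive has a recovery-password protector. The parameter names and the optional one-reboot suspend are assumptions of this example; suspending matters because changing Secure Boot alters the boot measurements BitLocker checks and can itself trigger the recovery prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight report to run before changing Secure Boot / TPM settings.
# $FixKb and $Drive default to this article's scenario; adjust as needed.
param(
    [string]$FixKb = 'KB5061768',
    [string]$Drive = $env:SystemDrive,
    [switch]$SuspendForOneReboot   # opt-in: pause BitLocker for a single reboot
)

# Is the out-of-band fix already installed?
$fix = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue

# TPM state as Windows sees it (not just what the firmware menu claims)
$tpm = Get-Tpm

# Secure Boot state; the cmdlet throws on legacy-BIOS systems
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'Not supported (legacy BIOS or CSM boot)' }

# BitLocker state and the recovery-password protector(s) on the drive
$vol      = Get-BitLockerVolume -MountPoint $Drive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

[pscustomobject]@{
    Architecture         = $env:PROCESSOR_ARCHITECTURE   # AMD64 = x64 package
    FixInstalled         = [bool]$fix
    TpmPresent           = $tpm.TpmPresent
    TpmReady             = $tpm.TpmReady
    SecureBoot           = $secureBoot
    VolumeStatus         = $vol.VolumeStatus
    ProtectionStatus     = $vol.ProtectionStatus
    RecoveryProtectorIds = ($recovery.KeyProtectorId -join ', ')
} | Format-List

# No recovery password means a firmware change could lock the drive for good
if ($vol.ProtectionStatus -eq 'On' -and -not $recovery) {
    Write-Warning "No recovery password on $Drive. Add and back one up before touching firmware."
}

# Suspend protection for exactly one reboot so the firmware change does not
# trip recovery; BitLocker resumes automatically on the following boot.
if ($SuspendForOneReboot -and $vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $Drive -RebootCount 1 | Out-Null
    Write-Host "BitLocker on $Drive suspended for the next reboot only."
}
```

Match the listed RecoveryProtectorIds against the key ID shown on the recovery screen or in your saved key backup, so you know which recovery key belongs to this drive before you change anything.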

Final tips & what finally worked

Trust me, it’s a maze. I spent way too long trying different BIOS settings, re-downloading the update, even disabling Secure Boot temporarily. The crucial part was downloading the correct KB fix, installing it manually, and making sure my BIOS settings matched—TPM enabled, Secure Boot toggled, etc. After all that, the system finally booted normally and the BitLocker prompt disappeared.

If you’re in the same boat, double-check: your system architecture matches the update you download, back up your data (especially if your drive is encrypted), and don’t rush into BIOS changes without research. Sometimes, just resetting BIOS to defaults and re-enabling features like Secure Boot can reset the hardware detection that’s causing trouble.

Hope this helps — it took way too long to figure out, and I’m pretty sure that many others are facing the same headache. Good luck, and don’t forget to back up your most important stuff before diving into BIOS or system updates!