Full Report
Microsoft has released an out-of-band update to address a known issue causing some Windows 11 systems to enter recovery and fail to start while trying to install the KB5058405 May 2025 security update. [...]
Analysis Summary
This incident describes several recent, distinct issues requiring emergency patches from Microsoft, primarily affecting Windows 11 deployment and stability after applying standard (May 2025) security updates. No specific CVEs or traditional severity scores are listed, as the context describes *post-patch* operational failures rather than classic security vulnerabilities.
---
# Vulnerability: Failures Following May 2025 Windows Security Updates (KB5058405 Errors)
This summary covers multiple post-update issues mentioned in the context:
1. **Windows 11 Boot Failure:** Devices failing to start after installing KB5058405.
2. **VDI Installation Failure:** Devices in VDI environments failing to install KB5058405.
3. **Windows 11 Upgrade Bypass:** Systems being offered Windows 11 upgrades despite Intune blocks (April issue).
4. **WSUS/24H2 Update Failure:** Windows 11 24H2 feature updates failing via WSUS (April issue).
5. **Windows 10 BitLocker Recovery:** Windows 10 devices entering BitLocker recovery after May 2025 updates.
## CVE Details
- CVE ID: Not specified (These are operational/reliability issues following updates, not explicitly named security CVEs in this context.)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- **Products:** Windows 11 (Versions 22H2 and 23H2), Windows 10
- **Versions:** Specific functionality is affected by the May 2025 security update (KB5058405).
- **Configurations:** Windows 11 devices running in Virtual Desktop Infrastructure (VDI) environments are specifically called out for installation issues.
## Vulnerability Description
The context describes several high-impact operational bugs introduced or highlighted by the May 2025 security update package (KB5058405) or related April updates:
1. **Boot Failure:** Installation of KB5058405 might cause Windows 11 systems to fail to start, resulting in a recovery error (0xc0000098 in ACPI.sys).
2. **VDI Installation Block:** The standard May update may fail entirely on Windows 11 VDI deployments.
3. **BitLocker Recovery:** On Windows 10, the May security updates triggered an issue forcing systems into BitLocker recovery mode.
## Exploitation
- **Status:** Not applicable (These are system stability/deployment flaws, not security vulnerabilities being exploited.)
- **Complexity:** N/A
- **Attack Vector:** N/A
## Impact
- **Confidentiality:** Low (Operational/availability impact is primary)
- **Integrity:** Low (Data integrity of the OS seems threatened by potential boot failures)
- **Availability:** High (Direct impact on system uptime due to boot failures or required recovery processes)
## Remediation
### Patches
Microsoft has released Out-of-Band (OOB) updates to address these specific failures:
- **OOB Update:** Recommended deployment for affected VDI environments instead of KB5058405.
- **KB5058405:** This is the update that *causes* the stability issues on certain systems; its intended fix (if deployed) is the resolution for those specific boot failures.
- **Windows 10 Fix:** Emergency OOB updates were shipped earlier in the month to fix the BitLocker recovery bug on Windows 10.
### Workarounds
- **For VDI Deployments:** If an environment includes Windows 11 22H2/23H2 devices in VDI, administrators are advised to **apply the OOB update instead** of deploying the May 2025 security update (KB5058405).
## Detection
- **Indicators of Compromise:**
- Windows 11 boot failure resulting in `recovery error 0xc0000098 in ACPI.sys`.
- Windows 10 forcing entry into the BitLocker recovery screen post-May update installation.
- **Detection methods and tools:** Reviewing Windows Release Health dashboards for specific KB status, monitoring boot logs for recovery errors after update installation, and checking Intune/WSUS deployment logs for update failures.
## References
- Microsoft documentation related to KB5058405 failure (referencing error 0xc0000098 in ACPI.sys).
- Vendor advisories regarding the May 2025 security update impact and subsequent emergency OOB fixes referenced in the Windows release health dashboard.
- Links defanged:
- hxxps://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#kb5058405-might-fail-to-install-with-recovery-error-0xc0000098-in-acpi-sys
- hxxps://www.bleepingcomputer.com/news/microsoft/microsoft-some-devices-offered-windows-11-upgrades-despite-intune-blocks/ (Related April issue)
- hxxps://www.bleepingcomputer.com/news/microsoft/microsoft-windows-11-24h2-updates-fail-with-0x80240069-errors/ (Related April issue)
- hxxps://www.bleepingcomputer.com/news/microsoft/windows-10-emergency-updates-fix-bitlocker-recovery-issues/