Full Report
The Windows 10 KB5058379 cumulative update is triggering unexpected BitLocker recovery prompts on some devices after it is installed and the computer restarts. [...]
Analysis Summary
# Vulnerability: Windows 10 Update KB5058379 Triggering BitLocker Recovery
## CVE Details
- CVE ID: Not Applicable
- CVSS Score: Not Applicable (This is an operational/patch failure, not a traditional security flaw requiring a CVE)
- CWE: Not Applicable
## Affected Systems
- Products: Windows 10 operating system
- Versions: Systems attempting to install or that have installed update KB5058379.
- Configurations: Systems with BitLocker enabled on the OS volume using a TPM-based key protector, in particular those where Microsoft Defender System Guard Secure Launch (firmware protection), Intel Trusted Execution Technology (TXT) and the virtualization features it depends on (Intel VT-x, VT-d) are enabled. Secure Boot and the TPM are separate platform features, not Virtualization-Based Security (VBS) features, but both feed the measured-boot values that BitLocker seals its key against.
## Vulnerability Description
After KB5058379 is installed and the device restarts, systems with BitLocker drive encryption are being sent into BitLocker recovery. The source gives no root cause, but the workarounds it lists (disabling Intel TXT, Intel VT-x/VT-d and System Guard Secure Launch) all touch the measured-boot path. BitLocker's TPM protector does not run an integrity check of its own: the volume master key is sealed to TPM Platform Configuration Register (PCR) values recorded during boot, and when the boot measurements differ from those the key was sealed against (for example if the update changes how the Secure Launch / DRTM boot path provided by TXT is measured, as the workarounds suggest), the TPM refuses to unseal the key and BitLocker falls back to asking for the 48-digit recovery password.
## Exploitation
- Status: Not applicable (patch deployment issue, not an exploitable flaw).
- Complexity: Not Applicable
- Attack Vector: Not Applicable
## Impact
- Confidentiality: Low (Data stays encrypted and the failure itself discloses no key material. The indirect risk is that mass recovery prompts push recovery passwords through help desks, tickets and chat, and that the workarounds below weaken platform security.)
- Integrity: Low (Boot halts at the recovery screen by design and nothing on disk is modified. Disabling TXT or Secure Launch, however, removes a boot-integrity guarantee for as long as it stays disabled.)
- Availability: High (The device is unusable until the recovery password is entered; if the key was never escrowed, the data on the volume is effectively lost.)
## Remediation
### Patches
- No fix from Microsoft is listed in the source; Microsoft had been contacted about the issue. Remediation relies on firmware and Windows configuration changes.
### Workarounds
The following workarounds, reproduced from the source, change firmware and Windows settings so the device stops entering the boot configuration that trips the BitLocker TPM check. Each of them changes the boot measurements, so expect at least one recovery prompt and have the recovery password at hand before you start:
1. **Disable Trusted Execution Technology (TXT) in BIOS/Firmware:** Locate the TXT setting and set it to **Disabled**. Save and reboot.
2. **Disable Virtualization Technologies (if issue persists):** Re-enter BIOS/Firmware settings and disable **Intel VT-d (VTD)** and **Intel VT-x (VTX)**. *Note: This action may prompt for the BitLocker recovery key.*
3. **Check Microsoft Defender System Guard Firmware Protection Status (Registry Method):** Navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard` and check the `Enabled` DWORD. If '1', protection is enabled.
4. **Disable Firmware Protection via Group Policy (if the Windows Security setting is managed by policy and greyed out):**
* **Group Policy Editor:** Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. Under **Secure Launch Configuration**, set the option to **Disabled**.
* **Registry Editor:** Set `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard` "Enabled"=dword:00000000.
**Important Note:** Disabling TXT, VT-x/VT-d or Secure Launch weakens the platform's security posture: Secure Launch depends on TXT, and HVCI, Credential Guard, Hyper-V and WSL2 depend on VT-x (VT-d adds DMA protection). Try disabling TXT alone first and only fall back to the virtualization settings if the issue persists. Because every firmware change alters PCR measurements, retrieve and escrow the recovery password before touching the firmware (`manage-bde -protectors -get C:`), or suspend BitLocker for exactly one reboot so the key is re-sealed to the new measurements instead of prompting (`manage-bde -protectors -disable C: -RebootCount 1`, or `Suspend-BitLocker -MountPoint C: -RebootCount 1` in PowerShell).
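The registry form of the Secure Launch workaround above, wrapped in the safe sequence a practitioner would actually follow on one device (escrow the recovery password, suspend BitLocker for a single reboot, then apply the change). This is an added example, not code from the source article or from Microsoft; the OS volume `C:`, the `$KeyBackupDir` share path and the `-ApplyRegistryWorkaround` switch are assumptions you should adapt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the source article). Assumptions: the OS volume is C:,
# BitLocker is on with a TPM protector plus a RecoveryPassword protector, and
# $KeyBackupDir is an escrow location you control that is NOT on the encrypted volume.
param(
    [string]$OsVolume = 'C:',
    [string]$KeyBackupDir = '\\fileserver\bitlocker-keys',   # assumption: replace with your escrow share
    [switch]$ApplyRegistryWorkaround
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

# 1. Record the recovery password BEFORE anything that changes PCR measurements.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $OsVolume. Add one first: Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector"
}
$outFile = Join-Path $KeyBackupDir ('{0}-{1}.txt' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
$recovery | ForEach-Object { '{0} {1}' -f $_.KeyProtectorId, $_.RecoveryPassword } | Set-Content -Path $outFile
Write-Host "Recovery password(s) written to $outFile"

# Also escrow to Active Directory where the device is domain-joined; the file above is the fallback.
foreach ($r in $recovery) {
    try { Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $r.KeyProtectorId | Out-Null }
    catch { Write-Warning "AD escrow failed for $($r.KeyProtectorId): $_" }
}

# 2. Show the current Secure Launch (System Guard firmware protection) configuration.
$current = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host "SystemGuard Enabled = $current (1 = Secure Launch configured, 0 or absent = off)"

if ($ApplyRegistryWorkaround) {
    # 3. Suspend protection for exactly one reboot: the VMK is re-sealed to the new
    #    PCR values on resume instead of forcing a recovery prompt.
    Suspend-BitLocker -MountPoint $OsVolume -RebootCount 1 | Out-Null

    # 4. Apply the registry form of workaround 4 above.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name Enabled -Value 0 -Type DWord
    Write-Host "Secure Launch disabled in the registry. Reboot now; protection resumes automatically, verify with: manage-bde -status $OsVolume"
}
```

Run it once without the switch to confirm the key is escrowed and to see the current state, then with `-ApplyRegistryWorkaround` immediately before the reboot. The same suspend-then-change order applies to the firmware steps (TXT, VT-x, VT-d): suspend, reboot into the firmware setup, change the setting, and let the next Windows boot consume the single suspended reboot.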
## Detection
- Indicators of Compromise: Not applicable in the attack sense. The operational indicator is a device booting straight to the BitLocker recovery screen after KB5058379 is installed and the system restarts.
- Detection methods and tools: Correlate update history (`Get-HotFix -Id KB5058379`, Windows Update logs) with BitLocker state (`manage-bde -status`, `Get-BitLockerVolume`) and with VBS/Secure Launch status (msinfo32 "Virtualization-based security Services Running", the `Win32_DeviceGuard` WMI class, or the SystemGuard registry value above); review the BitLocker-API Management event log on affected devices; and watch your key-escrow system (Active Directory, Intune/Entra ID, MBAM) for a spike in recovery-password retrievals that lines up with the update's rollout.
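A read-only triage of one device that ties those checks together, as an added example (not from the source article): it reports whether KB5058379 is installed, whether the OS volume is TPM-protected, whether Secure Launch is configured or running, and pulls recent BitLocker management events. The "likely exposed" flag is a heuristic derived from the source's workarounds, not a rule from Microsoft; the BitLocker event log name and the `Win32_DeviceGuard` value `3` meaning "System Guard Secure Launch" follow Microsoft's documented mapping and are stated here as assumptions.

```powershell
# Added example (not from the source article). Run elevated on the device under test.
# Assumptions: OS volume C:, event log 'Microsoft-Windows-BitLocker/BitLocker Management',
# and Win32_DeviceGuard security-service value 3 = System Guard Secure Launch.
function Get-Kb5058379Exposure {
    param([string]$OsVolume = 'C:')

    # Update history: was the offending cumulative update applied, and when?
    $kb = Get-HotFix -Id 'KB5058379' -ErrorAction SilentlyContinue

    # BitLocker state: only TPM-sealed protectors are sensitive to changed boot measurements.
    $vol = Get-BitLockerVolume -MountPoint $OsVolume -ErrorAction SilentlyContinue
    $tpmProtector = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # VBS / Secure Launch status as Windows reports it (same data msinfo32 shows).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $secureLaunchConfigured = [bool]($dg.SecurityServicesConfigured -contains 3)
    $secureLaunchRunning    = [bool]($dg.SecurityServicesRunning    -contains 3)

    # The registry value the workaround section toggles.
    $regEnabled = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard' `
                       -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # Recent BitLocker management events; a burst right after the install time is the symptom to look for.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
                  StartTime = (Get-Date).AddDays(-7)
              } -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        KB5058379Installed     = [bool]$kb
        KB5058379InstalledOn   = if ($kb) { $kb.InstalledOn } else { $null }
        BitLockerProtection    = if ($vol) { $vol.ProtectionStatus } else { 'NoVolume' }
        TpmProtectorPresent    = ($tpmProtector.Count -gt 0)
        SecureLaunchConfigured = $secureLaunchConfigured
        SecureLaunchRunning    = $secureLaunchRunning
        SystemGuardRegEnabled  = $regEnabled
        # Heuristic from the source's workarounds: update present, TPM-sealed BitLocker,
        # and the Secure Launch (TXT/DRTM) boot path in use.
        LikelyExposed          = ([bool]$kb -and $tpmProtector.Count -gt 0 -and ($secureLaunchConfigured -or $regEnabled -eq 1))
        RecentBitLockerEvents  = $events
    }
}

# Local usage; for a fleet, run it remotely:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-Kb5058379Exposure}
Get-Kb5058379Exposure | Format-List
```

Devices that report `KB5058379Installed = False` but `LikelyExposed` would otherwise be true are the ones to pause in your update ring until the key is confirmed escrowed.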
## References
- Vendor Advisories: None published at the time of the source article; Microsoft had been contacted about the issue (as per the source).
- Relevant links:
- https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5058379-update-triggering-bitlocker-recovery-after-install/