A recently released Windows update — KB5058379 — is triggering unexpected BitLocker recovery screens for systems using Intel’s Trusted Execution Technology (TXT). Microsoft has since issued an Out-of-Band fix (KB5061768), but small health care organizations without centralized patching or encryption management may still be exposed to risk.
🔍 What Went Wrong?
The May 13, 2025 release of KB5058379 caused systems with TXT enabled — a hardware-level security feature — to incorrectly trigger BitLocker recovery mode on reboot. TXT itself is not the problem; the issue was entirely due to a flaw in the update.
🛠️ Microsoft’s Known Issues Page: May 13, 2025 — KB5058379 Known Issues
For organizations without enterprise-grade encryption key management, this bug creates a worst-case scenario: widespread device lockouts, inaccessibility of protected data, and lost time trying to recover access manually.
⚠️ The Fix Requires Manual Action
Microsoft has released KB5061768, an Out-of-Band update that corrects the issue. However, this fix is not automatically applied — organizations must:
- Manually import KB5061768 into their patching systems
- Ensure it supersedes the faulty KB5058379
- Update any deployment groups or scheduled workflows
- Confirm affected devices receive the corrected patch
Many small health care organizations may miss this critical fix which was released out-of-band due to not actively managing endpoints.
🔗 Explore Software Updates Management
🛡️ visuaFUSION Clients Were Already Protected
Our clients — exclusively small health care organizations — were protected from day one.
Here’s why:
✅ Controlled, Phased Patch Rollouts
We deploy updates to a pilot group first, monitor community reports from systems administrators, giving us time to become aware of any issues prior to rolling out to the rest of the organization. 🔗 Explore Systems Management
✅ Segmented Patching Groups
Production patching groups are isolated from test patching groups, and Critical systems are placed into maintenance windows on top of that. This methodology prevents full-org downtime from a bad patch. 🔗 Explore Software Updates Management
✅ Enterprise-Level Security for Small Health Care
We recommend the use of both Intel TXT and BitLocker as part of a compliance-forward security posture, but with the right infrastructure in place to manage them effectively.
The patching methodology adopted by our managed environments caught the KB5058379 issue early, allowed it to run its course, and only released KB5061768 after successful testing.
💬 If You’re Not Managing Patching Centrally — Let’s Talk
This incident highlights a broader challenge: many small health care organizations are still running IT environments that lack centralized update control, encryption recovery tools, and visibility into critical system health.
We’ve written about this in more depth: 🔗 Is Your Small Health Care Organization Still Running on “Small Business” IT?
If your organization isn't actively managing patching — or if you're unsure whether BitLocker recovery keys are accessible during incidents like this — we can help you understand what an enterprise-grade IT environment looks like for a small health care team.
🤝 Want Peace of Mind with Patching and Security?
Our HealthNet service gives small health care organizations the benefit of enterprise-level tools and strategies — without the overhead of building it all in-house.
Let’s make sure your technology works for you — not against you.
- Log in to post comments