- Windows 10’s May update carries a bug that could be a painful experience
- Microsoft has rushed out an emergency fix already
- Be sure to apply that fix before you install the May update – but if you’ve already encountered this bug, there’s still a way out
Windows 10 users need to be aware of a fresh bug in the latest update for the OS, even though it’s a glitch that’s going to be much more prevalent with business laptops rather than consumer machines.
That’s because if your Windows 10 PC does encounter the problem, it can be quite a nasty one to have to rescue your system from – and you can avoid any potentially technically traumatic episode by simply installing an emergency fix Microsoft has just rushed out.
Windows Latest reported the issue with the May update for Windows 10, which causes an affected PC to fail to install the upgrade, and then run an automatic repair – a process that can happen several times, confusingly.
Adding further to the confusion is that if you have BitLocker or Device Encryption turned on (so the data on your drive is encrypted), you’ll end up at the recovery screen. That recovery process asks for your key ID, and if you don’t have that info to hand, then you’re in something of a pickle, shall we say.
Let’s cover those all-important caveats first, though, the main one being that to be affected, your PC must be running an Intel vPro processor (10th-gen or newer). This is because the bug relates to Intel Trusted Execution Technology (TXT for short) which is part of the vPro array of security measures.
As the name suggests, vPro is a brand of chips mostly used for professional (business) notebooks, but they can be found in consumer laptops, too. As Microsoft notes: “Consumer devices typically do not use Intel vPro processors and are less likely to be impacted by this issue.”
It’s worth checking if your PC has such an Intel vPro chip inside, and if it has, if you haven’t already installed the May update for Windows 10 22H2, whatever you do, push pause on that.
Rather than grabbing the May cumulative update, to avoid the bug in question, make sure you install Microsoft’s emergency patch which was deployed yesterday.
This is KB5061768which you can only install manually – it won’t be delivered by Windows Update. Get it from Microsoft’s update catalog hereand download the ‘Windows 10 version 1903 and later’ variant which is correct for your PC. (That’s likely the 64-bit (or x64) version – check your processor type in the Device Specifications section of System > About in the Settings app, but if you don’t have a 64-bit CPU and OS, you want the x86 version, ignore the Arm variant).
Breaking down the problem – and what to do if you’re already hit, and locked out of your PC
What’s actually happening with this glitch? There’s some problem with the May update for Windows 10 which is causing a process (lsass.exe, a security-related service) to be terminated unexpectedly. This is prompting the automatic repair process to run to try and fix things, though as noted above, your Windows 10 PC may make several repeated failed attempts to install the update before it gives up and rolls back to the previous (April) update (hopefully).
That’s messy, but things are worse for those using Device Encryption or BitLocker, who could end up stuck at the recovery screen if they don’t have their recovery key to hand.
So, what happens if you’ve missed the boat to install this emergency fix from Microsoft, as you’ve already installed the May update for Windows 10, and now you can’t get into your system (past the recovery screen) to download and apply said fix?
Well, in this case, Microsoft advises that to start Windows 10 successfully, you’ll need to turn off Intel Trusted Execution Technology and another setting, Intel VT for Direct I/O, in your PC’s BIOS. However, that apparently requires entering your BitLocker recovery key (again, problematic if you don’t have it on hand).
If you’re stuck in this particular dead-end, according to Windows Latest, it’s possible to simply turn off Intel Trusted Execution Technology (TXT) in your BIOS, without touching the other setting (Intel VT), and then you can successfully restart your PC to get back to the desktop.
The first step here is to get into the BIOS, and the method to do this varies depending on your PC (check the manuals supplied with your machine). The key to access the BIOS can be one of a number of possibilities, but it’s often F2, F10, or F12, which you press repeatedly as the system just starts to boot up.
Once in the BIOS, you need to find the Intel TXT (or Trusted Execution Technology) setting. This is likely in Security > Virtualization, or System Security Settings, or some label pertaining to Security or System Configuration. It’ll most likely be a security-related title, so check carefully through any such option screens looking for Intel TXT. When you locate this, turn it off, but as mentioned, you can leave Intel VT for Direct I/O alone.
Now choose the option to save changes to the BIOS and reboot your PC, and you should be back in Windows 10, where you can now install Microsoft’s patch (KB5061768) from the update catalog. Once that’s done, you can go back into your BIOS and switch Intel TXT back on.
All things considered, to avoid any potential messing around like this, it’s a far better idea to install the fix before you grab the May cumulative update for Windows 10.
This is not the first time Microsoft has visited a bug like this on Windows 10 users (or indeed Windows 11 PCs). It’s also worth remembering that if you’re running Windows 11, and you upgrade to the latest version, 24H2, using a clean install, this applies the Device Encryption feature automatically. Note that an in-place upgrade to Windows 11 24H2 won’t do this, only a clean install of Windows 11 24H2. Furthermore, it has to be an installation linked to a Microsoft account, too, as that’s where the encryption recovery key info is saved (which is why you must be very careful about deleting a Microsoft account, as the key vanishes with it).
Device Encryption is basically a ‘lite’ version of BitLocker, providing encryption for Windows 11 Home PCs, but it only covers the data on the main system drive.
