Microsoft has broken its usual patching cadence to ship two urgent out-of-band updates, targeting a pair of showstopping bugs that left virtual machines unresponsive and triggered mass BitLocker recovery prompts. The updates—KB5061906 for Windows Server 2022 and KB5061768 for Windows 10—address regressions introduced by the May 2025 Patch Tuesday security fixes, and are being distributed exclusively through the Microsoft Update Catalog. IT teams running Azure Confidential VMs or hardware with Intel vPro and Trusted Execution Technology are advised to apply the patches immediately, while others can safely ignore them.
Windows Server 2022: When Confidential VMs Suddenly Die
Update KB5061906 arrived over a weekend, a rarity that underscores the severity of the fault. After installing the May security updates, certain confidential virtual machines hosted on Windows Server 2022 Hyper-V would “suddenly and unexpectedly stop responding or restart,” Microsoft wrote in its Windows Message Center advisory. The problem primarily afflicts Azure Confidential VMs, which use hardware-based trusted execution environments to protect data in use. Standard Hyper-V environments are not expected to be impacted, except in rare scenarios involving preview or pre-production configurations.
The bug strikes at the intersection of the hypervisor and the specialized isolation logic that underpins confidential computing. When a confidential VM hangs or reboots without warning, it can disrupt critical services and force manual intervention. For businesses that rely on these VMs for sensitive workloads—financial processing, health records, or IP-sensitive analytics—the outage risk is real. Microsoft has classified KB5061906 as a non-security update, yet it recommends installation even if the May patches were never applied, a departure from standard protocol that hints at the tangled nature of the code changes.
The update advances Windows Server 2022 to build 20348.3695. Its availability solely via the Windows Update Catalog, bypassing Windows Update and WSUS, gives IT administrators tight control. Those unaffected can skip it without penalty, but for those running the vulnerable configurations, the patch is a must.
Windows 10: BitLocker Recovery Key Nightmare
Almost simultaneously, Microsoft issued KB5061768 for Windows 10 to correct a separate but equally disruptive regression. On devices equipped with Intel vPro processors and Trusted Execution Technology (TXT), the May security update could cause the Local Security Authority Subsystem Service (lsass.exe) to crash unexpectedly. That critical process failure triggers Windows’ automatic repair function—and when BitLocker encryption is active, the repair cycle forces the user to enter a 48-digit recovery key before the system will boot.
In enterprise environments with hundreds or thousands of BitLocker-protected PCs, a wave of such prompts can overwhelm help desks. The update applies to Windows 10 21H2 and 22H2, as well as Enterprise LTSC 2021 and IoT Enterprise LTSC 2021 editions, raising OS builds to 19044.5856 and 19045.5856 respectively. Microsoft notes that Windows Home and Pro editions are unlikely to be affected because Intel vPro is rarely found in those tiers. Like the server fix, KB5061768 is offered only through the Update Catalog, and Microsoft advises organizations where the issue does not occur to refrain from installing it.
The Pattern: Out-of-Band Updates Becoming Routine
These unscheduled releases are not outliers. In mid-April, Microsoft shipped an out-of-band fix for a Group Policy display error, and similar emergency patches have appeared with increasing frequency over the past year. The trend points to growing complexity in the Windows ecosystem, where deep interactions between hardware-based security features, hypervisors, and cumulative updates can introduce regressions that evade standard testing. While Microsoft’s agility in responding is commendable, the need for such fixes also raises questions about quality assurance pipelines. For IT departments, the message is clear: patch management must now include monitoring for out-of-cycle releases and maintaining the capacity for rapid, targeted deployment.
Expert Analysis: Strengths, Weaknesses, and Strategic Insights
What Microsoft Got Right
Rapid Response: Identifying, diagnosing, and delivering fixes for these critical bugs outside the normal Patch Tuesday window demonstrates a strong commitment to enterprise stability. When VM uptime or user productivity is at stake, speed matters.
Controlled Rollout: By limiting distribution to the Update Catalog, Microsoft avoids inflicting unnecessary changes on the broader user base. This opt-in approach allows IT teams to test and validate on a subset of machines before wider deployment.
Clear Communication: The Windows Message Center advisories are detailed, specifying exactly which configurations are at risk and plainly stating when the update can be skipped. Such transparency helps administrators make informed decisions without guesswork.
The Risks and Weaknesses
Complex Interdependencies: The bugs originate from the interplay of hypervisor-level features, chipset security extensions, and OS updates—a reminder that even mature platforms hide fragile fault lines. As organizations adopt advanced security capabilities, they inadvertently increase the surface for unforeseen conflicts.
Testing Gaps in Edge Cases: Microsoft acknowledges that “preview or pre-production configurations” might be vulnerable, implying that such edge cases may not receive exhaustive regression testing. This is a warning for teams pushing the envelope with early-adopter features.
Administrative Overhead: The Catalog-only distribution demands that IT staff actively follow advisories, evaluate exposure, and manually deploy patches. In large, decentralized organizations, this can strain resources and leave gaps.
Recovery Disruption: The BitLocker recovery prompt issue can turn a routine restart into a helpdesk bottleneck. End-users, especially remote workers, may need support retrieving keys, leading to lost productivity and frustration.
Practical Guidance for IT Professionals
For those managing affected environments, immediate action is recommended:
- Audit Your Fleet: Identify which servers host Azure Confidential VMs or run Hyper-V with preview features, and which PCs have Intel vPro/TXT plus BitLocker. A current hardware and software inventory is essential.
- Download and Test: Obtain KB5061906 and/or KB5061768 from the Windows Update Catalog. Deploy in a staging environment that mirrors production configurations to verify the fix does not introduce new issues.
- Plan the Rollout: Use change management protocols. For critical servers, schedule maintenance windows. For Windows 10 endpoints, consider phased deployment to catch any side effects early.
- Monitor and Validate: After applying the patches, monitor system logs and VM health. For BitLocker systems, confirm that lsass.exe is stable and that automatic repair no longer triggers unwanted recovery prompts.
If your organization does not use the affected configurations, Microsoft’s advice is simple: skip these updates. There is no need to introduce change where no exposure exists.
The Broader Picture: A New Normal in Windows Servicing
These emergency updates reflect a shifting landscape for enterprise IT. The days of relying solely on Patch Tuesday are over. Modern environments mix cloud, on-premises, and edge computing, often with hardware-rooted security like TPM, TXT, and confidential computing. Each month’s cumulative update now carries the potential for unexpected interactions. Microsoft’s increasing reliance on out-of-band releases suggests that its internal test matrices cannot cover every permutation. The answer lies in shared responsibility: Microsoft provides the fixes quickly, but IT teams must build the agility to receive and apply them without delay.
Looking ahead, investments in automated testing, telemetry-driven anomaly detection, and canary deployment rings will become baseline expectations for both software vendors and their customers. The Windows ecosystem is too vast and diverse for any lab to replicate every real-world scenario. Thus, close community engagement—through forums, message centers, and peer networks—remains a vital early-warning system.
Conclusion
The out-of-band updates KB5061906 and KB5061768 are more than routine hotfixes. They are a vivid demonstration of how modern security features can inadvertently introduce instability. By moving quickly, Microsoft has contained two potentially devastating regressions: one that could render confidential VMs unusable, and another that could lock users out of their PCs. For IT leaders, the episode is a call to strengthen patch management practices, maintain accurate inventories, and treat every update—scheduled or not—with the seriousness it deserves. The rhythm of patching is no longer a predictable beat; it is a constant pulse that demands ongoing attention.