In this blog post I’ll explain how to deploy KB5061768 OOB Update for Windows 10 BitLocker Recovery Screen Issue using Microsoft Intune. Microsoft has released KB5061768 as an Out-of-Band (OOB) update to resolve a critical issue in Windows 10 22H2 where devices may unexpectedly boot into the BitLocker recovery screen after restarting.
This issue can disrupt user productivity and may require manual recovery key input, especially in enterprise environments where BitLocker is widely deployed. The update addresses the root cause and is vital for organizations relying on BitLocker for device encryption and compliance.
To deploy this update using Microsoft Intune, administrators can utilize the Windows Update for Business (WUfB) policy by creating or modifying an update ring that targets Windows 10 22H2 devices. Either edit an existing policy or create a new one. Ensure that the ring is configured to receive quality updates without deferral. This ensures that KB5061768, though an optional update, is delivered promptly to affected systems.
For faster deployment, Intune also supports the “Expedite updates” feature. You can create a new expedited deployment targeting KB5061768, specifying the urgency and a deadline for installation. This method ensures that the update is installed within hours, not days, helping IT admins quickly mitigate the BitLocker recovery screen issue across their environment. Always test the update on a pilot group before full-scale deployment to verify compatibility and avoid potential disruptions. This post configures the expedite option.

Why to Deploy KB5061768 OOB Update for Windows 10 using WUfB
Here is a table that summarizes the key reasons for deploying the KB5061768 OOB Update for the Windows 10 BitLocker Recovery Screen issue using Intune WUfB.
Reason | Description | Benefit |
---|---|---|
Fix Critical BitLocker Issue | Addresses a bug where devices boot into BitLocker recovery unexpectedly after restart. | Reduces user downtime, prevents data access issues, and avoids unnecessary support calls. |
Centralized Deployment via Intune | Use Intune’s WUfB policies and expedite update options for controlled rollout. | Streamlined deployment across multiple devices with minimal manual intervention. |
Faster Remediation with Expedited Updates | Intune allows administrators to push OOB updates like KB5061768 within hours. | Immediate resolution for affected endpoints, enhancing IT responsiveness. |
Compliance & Security Enforcement | Ensures systems remain encrypted and aligned with BitLocker and data protection policies. | Maintains organizational security posture and compliance with regulatory requirements. |
Remote & Scalable Management | Intune enables remote update management for on-premises and remote devices. | Ideal for distributed workforces, reducing the need for physical IT touchpoints. |
Monitoring & Reporting | Intune provides insights into deployment success and update status. | Supports proactive monitoring and audit-readiness for enterprise IT operations. |
Create an Expedite Windows Quality Update Policy
Here are the steps to create an Expedite Windows Quality Update Policy with Intune. Let’s discuss the step-by-step method to create this.
- Sign in to the Microsoft Intune admin center
- Navigate to Devices > Windows > Manage Updates > Windows updates

On the next pane, Windows updates, follow the path below to create an Expedite policy.
- Click on Quality updates > +Create > +Expedite policy

In the Settings pane, fill in the details below. In this example, we are going for the latest Expedite update for October. You will also see the 05/27/2025 – 2025.05 D Update for Windows 10 and later update available in Intune.
- Name: Deploy KB5061768 OOB Update for Windows 10 BitLocker Recovery Screen Issue
- Description: No Description
- Expedite installation of quality updates if device OS version less than: 05/27/2025 – 2025.05 D Update for Windows 10 and later
- Number of days to wait before restart is enforced: 0 days

On the next page, click on +Select scope tags and choose the Scope tags as Default. You can also select any other custom scope tags available to the tenant based on your requirements.

Click on Next and assign the profile to Windows 10 – Devices – OOB. Then click Add Groups and select the required device group in the Included Groups option.

On the Review + Create page, carefully review all the settings you’ve defined for the Expedite Windows Quality Update. Select Create to implement the changes once you’ve confirmed everything is correct.

Monitor the KB5061768 OOB Expedite Windows Quality Update Deployment Status
The policy has been deployed to the Microsoft Entra ID groups. The policy will take effect as soon as the device is synced.
Follow the steps below to generate a report on the Windows feature update status and monitor the profile deployment status from the Intune Portal.
- Navigate to Reports > Windows updates > Reports tab > Select Windows Expedite Update Report
Under the Expedited update policy, choose the Expedited update deployments as Deploy KB5061768 OOB Update for Windows 10 BitLocker Recovery Screen Issue. Click on OK. Leave Update aggregated status and Ownership as “All” and click on Generate report.
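The Intune report shows deployment state per device; on a pilot device you can also confirm locally that the update is present and that BitLocker is still protecting the OS volume. The script below is an added example, not part of the original article. It assumes it runs elevated (for instance as an Intune Remediations detection script, where exit code 1 flags the device) and that the device has not yet moved to a later cumulative update that supersedes this KB.

```powershell
#Requires -RunAsAdministrator
# Added example: device-side check for the KB5061768 pilot rollout.
# Exit 0 = KB present, OS volume protected, no reboot outstanding; exit 1 = needs attention.

$KbId = 'KB5061768'   # KB number from the article

# 1. Is the update installed? Returns $null (no error) when the KB is absent.
#    Assumption: a device already on a later cumulative update will not list this KB.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

# 2. BitLocker state of the OS volume. The bug being fixed forces recovery-key
#    entry, so also confirm a recovery password protector exists on the volume.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$protectionOn = $osVolume -and ($osVolume.ProtectionStatus -eq 'On')
$hasRecoveryKey = [bool]($osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# 3. Is a Windows Update restart still outstanding? With "0 days" before the
#    enforced restart, this key should clear shortly after installation.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$rebootPending = Test-Path -Path $rebootKey

$result = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    KbInstalled        = [bool]$hotfix
    InstalledOn        = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    BitLockerProtected = [bool]$protectionOn
    VolumeStatus       = if ($osVolume) { "$($osVolume.VolumeStatus)" } else { 'Unknown' }
    RecoveryKeyPresent = $hasRecoveryKey
    RebootPending      = $rebootPending
}

# Single-line JSON so the value is readable in the Intune script output column.
$result | ConvertTo-Json -Compress

if ($result.KbInstalled -and $result.BitLockerProtected -and -not $result.RebootPending) {
    exit 0
}
exit 1
```

A device that reports `RecoveryKeyPresent` as false should have its recovery key escrowed before the update is rolled out more widely.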

Author
Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. He writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.
Hi Vaishnav, in your 3rd paragraph you refer to a setting called “Allow Microsoft to expedite updates when necessary” within the Update Rings policy. However, I don’t have that setting at all, when I create or edit a policy on the Update Rings tab in Intune. Where exactly should I find it?
Specifically, I’m going to:
Intune Admin Center > Devices > Windows > Windows updates > Update rings.
Hi Jerey, There isn’t a specific option for that. You can set the Quality Update deferral period (in days) to 0. If you are configuring the expedite policy separately, as I mentioned in the article, it will take precedence over your existing update ring and deploy that out-of-band patch.
Hello,
I paused all Windows 10 updates in Intune to avoid this issue. I want to start following the steps listed here. If I expedited the update on one device to test it, does that expedite policy take precedence over the pause setting?
Hi Kyle, Yes, Expedite update policies do take precedence over a general pause updates setting.
It means that if you’ve paused all Windows 10/11 updates via Intune (using an Update Ring or WUfB settings), and then target a device with an Expedite Update policy, that targeted device will attempt to download and install the specified update immediately, even if other updates are paused.
This is by design to allow for urgent scenarios, like zero-day patches where critical updates must be deployed regardless of the general update deferral or pause policies.