Forum Discussion
YellowKey BitLocker Exploit
Hi All
I hope you are well.
Anyway, the YellowKey BitLocker Exploit has come to my attention.
We already have automatic / silent BitLocker encryption enabled.
So, is there anything we should be doing (preferably via Intune) to mitigate this new exploit?
SK
5 Replies
- RyanSteele-CoV (Steel Contributor)
Microsoft has just published their guidance here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
- StuartK73 (Steel Contributor)
Thanks buddy, although I'm not sure what MS are asking us to do here on Entra ID joined / Intune enrolled devices that are in numerous offices throughout the country, as these do look like per-device commands to me and we don't really want BitLocker PINs. Am I missing something?
SK
- Klaas123 (Occasional Reader)
Yes, I would also like to see a proper response from Microsoft. (It has been 7 days since release now...)
We are moving toward deploying TPM+PIN, but rolling this out across an existing fleet is quite troublesome and will take a significant amount of time.
That said, the creator of the exploit has mentioned that they have a PoC capable of bypassing TPM+PIN as well (unreleased).
As an immediate mitigation, we have deployed a remediation script to disable WinRE, until Microsoft has a fix.
USB boot restrictions, BIOS passwords, etc. are relatively easy to bypass on most hardware...
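The "remediation script to disable WinRE" mentioned in the reply above is not shown on the page. The following is an added example of what such an Intune Remediations package can look like; it is not the poster's script and not Microsoft code. It assumes (none of this is stated in the thread) that the scripts run as SYSTEM with "Run script in 64-bit PowerShell" ticked, and that the device UI language is English so the `Windows RE status` line printed by `reagentc /info` matches. The same file is uploaded twice: once with `$Remediate = $false` as the detection script and once with `$Remediate = $true` as the remediation script.

```powershell
# Added example, not a script from the thread or from Microsoft.
# Upload once with $Remediate = $false (detection) and once with $true (remediation).
# Assumed: runs as SYSTEM, 64-bit PowerShell, English UI (see lead-in).
$Remediate = $true

# Intune Remediations read the exit code: 0 = compliant / fixed, 1 = issue / failed.
$ExitCompliant    = 0
$ExitNonCompliant = 1

function Get-ReAgentcPath {
    # A 32-bit host sees SysWOW64 behind System32; Sysnative reaches the real binary.
    foreach ($dir in 'System32', 'Sysnative') {
        $p = Join-Path $env:SystemRoot "$dir\ReAgentc.exe"
        if (Test-Path $p) { return $p }
    }
    throw 'ReAgentc.exe not found'
}

function Get-WinReStatus {
    # reagentc /info prints a line such as "    Windows RE status:         Enabled"
    $out = & (Get-ReAgentcPath) /info 2>&1 | Out-String
    if ($out -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    throw "Unrecognised reagentc output (non-English UI?):`n$out"
}

function Disable-WinRe {
    # reagentc /disable unregisters WinRE and parks winre.wim under
    # %SystemRoot%\System32\Recovery; reagentc /enable reverses it later.
    & (Get-ReAgentcPath) /disable 2>&1 | Out-String | Write-Output
    return (Get-WinReStatus)
}

try {
    $status = Get-WinReStatus
    if ($status -eq 'Disabled') {
        Write-Output "WinRE already disabled on $env:COMPUTERNAME"
        exit $ExitCompliant
    }
    if (-not $Remediate) {
        Write-Output "WinRE status is '$status'; remediation required"
        exit $ExitNonCompliant
    }
    $after = Disable-WinRe
    Write-Output "WinRE status after reagentc /disable: $after"
    if ($after -eq 'Disabled') { exit $ExitCompliant }
    exit $ExitNonCompliant
}
catch {
    Write-Output "Error: $($_.Exception.Message)"
    exit $ExitNonCompliant
}
```

Two caveats a practitioner should weigh before deploying this. Disabling WinRE also removes Startup Repair, the advanced boot options and "Reset this PC" from the device, so leave the detection half running on its schedule and plan to push `reagentc /enable` (the same script with the disable call swapped) once a fix is available. Because detection re-runs on the schedule, a device on which WinRE is re-registered later is caught and remediated again.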
- Radzik_PL (Brass Contributor)
I’ve been wondering about this too — looks quite serious.
From what I see, YellowKey abuses WinRE + FsTx to get a shell with the BitLocker volume already unlocked, no password or recovery key needed. So in practice, with physical access, default BitLocker setups can be bypassed.
For now, likely worth tightening things around:
- pre-boot auth (TPM+PIN),
- USB boot restrictions,
- physical access controls.
Curious how Microsoft will address this.
- lee42 (Copper Contributor)
The silence from Microsoft on this issue is deafening!
You should be looking at requiring a startup PIN. Intune will allow you to set the PIN as a requirement, but I don't believe that will apply except to net new volumes; existing volumes will need to be updated by the user, which makes sense, as they need to know the PIN.
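The reply above points out that the Intune setting alone does not convert existing volumes and that the user has to supply the PIN. The following is an added example of the per-volume step that does the conversion; it is not the poster's script and not Microsoft code. It assumes (nothing in the thread states this) that it runs elevated and interactively in the user's session, and that the Intune "Require additional authentication at startup" policy has already applied, i.e. `HKLM\SOFTWARE\Policies\Microsoft\FVE` carries `UseAdvancedStartup = 1` and `UseTPMPIN` set to 1 (Require) or 2 (Allow), since `Add-BitLockerKeyProtector` refuses a TPM+PIN protector while policy does not allow one. The recovery password is escrowed to Entra ID before the TPM protector is touched, and a failed add rolls back to TPM-only so the device never boots straight into the recovery-key prompt.

```powershell
# Added example, not a script from the thread or from Microsoft.
# Converts an already-encrypted OS volume from TPM-only to TPM+PIN.
# Assumed: elevated, interactive session; FVE policy allows TPM+PIN (see lead-in).
$MountPoint = $env:SystemDrive

function Test-TpmPinPolicy {
    # Mirrors the "Require additional authentication at startup" policy values.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($null -ne $fve -and $fve.UseAdvancedStartup -eq 1 -and $fve.UseTPMPIN -in @(1, 2))
}

function Save-RecoveryPasswordToEntra {
    param([string]$Mount)
    # Ensure a recovery password exists and is escrowed before changing protectors,
    # so a failure further down never leaves the device unrecoverable.
    $vol = Get-BitLockerVolume -MountPoint $Mount
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

if (-not (Test-TpmPinPolicy)) {
    throw 'Policy does not permit TPM+PIN yet; wait for the Intune startup-authentication setting to apply.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to convert."
}
if ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin') {
    Write-Output "$MountPoint already uses TPM+PIN"
    return
}

Save-RecoveryPasswordToEntra -Mount $MountPoint

# The minimum length is governed by the MinimumPIN policy (default 6 digits).
$pin = Read-Host -Prompt 'Enter the new BitLocker startup PIN' -AsSecureString

$tpmOnly = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
try {
    # A volume carries a single TPM-family protector, so remove the bare TPM one
    # before adding TPM+PIN instead of relying on the cmdlet to replace it.
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}
catch {
    # Roll back to TPM-only so the next boot does not demand the recovery key.
    if ($tpmOnly.Count -gt 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    throw
}

$after = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
Write-Output "Protectors on $MountPoint now: $($after -join ', ')"
```

Because `Read-Host` needs a logged-on user, this cannot ship as a SYSTEM-context Intune remediation; it fits a user-initiated path (for example a Company Portal item or a self-service task) run once per device, with the Intune compliance setting reporting which devices still lack the TpmPin protector.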