Forum Discussion
YellowKey BitLocker Exploit
Hi StuartK73,
From what I understand, Microsoft’s script is intended to apply the current mitigation for the YellowKey / CVE-2026-45585 issue, so yes, I would deploy that first rather than immediately moving everyone to TPM+PIN.
For Intune, I would personally use a remediation approach if possible:
- Detection script: check whether the mitigation is already applied
- Remediation script: apply Microsoft’s mitigation when missing
- Start with a small pilot group
- Then expand in rings
I would not disable WinRE permanently unless Microsoft specifically recommends it for your scenario. I would also not rush into TPM+PIN for every user unless your risk profile requires it, because that can create a lot of operational impact.
So my approach would be:
Apply Microsoft’s mitigation script via Intune, validate on pilot devices, monitor BitLocker/WinRE behavior, and keep TPM+PIN for higher-risk devices or users where physical access risk is a bigger concern.
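The detection/remediation pair described above, as an added example (not from the original post and not Microsoft's script). Intune Remediations run the detection script first; exit code 0 means compliant, exit code 1 means the remediation script should run, and whatever either script writes to standard output shows up in the Intune console. Everything specific here is an assumption: the registry marker under `HKLM:\SOFTWARE\Contoso\YellowKeyMitigation` is a hypothetical location that the remediation wrapper writes after Microsoft's script succeeds, and `C:\ProgramData\Contoso\ApplyYellowKeyMitigation.ps1` is a hypothetical staging path for Microsoft's script. If you can identify the actual artefact Microsoft's script changes (snapshot a pilot device before and after running it), check that in detection instead of a marker you set yourself.

```powershell
# ---------------- Detection.ps1 (added example; hypothetical marker) ----------------
# Exit 0 = mitigation already applied, exit 1 = run remediation.
$MarkerPath = 'HKLM:\SOFTWARE\Contoso\YellowKeyMitigation'   # hypothetical key
$MarkerName = 'Applied'                                      # hypothetical value

try {
    $marker = Get-ItemProperty -Path $MarkerPath -Name $MarkerName -ErrorAction Stop
    if ($marker.$MarkerName -eq 1) {
        Write-Output 'Mitigation marker present'
        exit 0
    }
} catch {
    # Key or value missing: fall through and report non-compliant.
}
Write-Output 'Mitigation marker missing'
exit 1

# ---------------- Remediation.ps1 (added example; hypothetical paths) ----------------
# Runs only when detection exited 1. Exit 0 = success, anything else = failed.
$MitigationScript = 'C:\ProgramData\Contoso\ApplyYellowKeyMitigation.ps1'   # hypothetical
$MarkerPath       = 'HKLM:\SOFTWARE\Contoso\YellowKeyMitigation'             # hypothetical
$MarkerName       = 'Applied'                                                # hypothetical

if (-not (Test-Path -Path $MitigationScript)) {
    Write-Output "Mitigation script not found at $MitigationScript"
    exit 1
}

# Record the pre-state so the console shows what the run changed (useful in the pilot ring).
$before = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Output ("Before: ProtectionStatus={0}; Protectors={1}" -f
    $before.ProtectionStatus, (($before.KeyProtector | ForEach-Object KeyProtectorType) -join ','))

# Run Microsoft's script in a child powershell.exe so $LASTEXITCODE is reliably populated.
& "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $MitigationScript
$rc = $LASTEXITCODE
if ($rc -ne 0) {
    Write-Output "Mitigation script exited with code $rc"
    exit 1
}

# Post-checks: the OS volume must still be protected and WinRE must still be
# in the state you intend (the advice above is to leave WinRE enabled).
$after = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($after.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is $($after.ProtectionStatus) after mitigation; not marking as applied"
    exit 1
}
$winre = (& "$env:SystemRoot\System32\reagentc.exe" /info) -join ' '
Write-Output ("After: ProtectionStatus={0}; WinRE: {1}" -f $after.ProtectionStatus, $winre)

# Only now record the marker that detection looks for.
New-Item -Path $MarkerPath -Force | Out-Null
New-ItemProperty -Path $MarkerPath -Name $MarkerName -Value 1 -PropertyType DWord -Force | Out-Null
exit 0
```

Upload the two halves as separate files in Intune (Devices > Scripts and remediations). Set "Run this script using the logged-on credentials" to No (system context is needed for BitLocker and HKLM) and "Run script in 64-bit PowerShell" to Yes, since the BitLocker cmdlets are not reliably available in the default 32-bit host. Assign the package to the pilot group first and read the per-device detection and remediation output before widening the rings.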
Hi Buddy,
Many thanks for your very informative reply.
Can you elaborate on:
- Detection script: check whether the mitigation is already applied
- Remediation script: apply Microsoft’s mitigation when missing
As I can only see the X 1 MS script and I'm not sure how to detect and remediate scripts from that.
Info appreciated.
Stuart