BitLocker Recovery Prompt Triggered After Secure Boot Policy or Boot File Updates — TPM PCR Validation Failure / CVE-2026-45585 WinRE Bypass (YellowKey)
Windows devices protected by BitLocker with a TPM protector may boot to the BitLocker recovery screen when a change to Secure Boot policy, firmware, or boot-critical files alters the TPM PCR measurements the volume master key (VMK) is sealed against. Microsoft has acknowledged the April 2026 cumulative and Secure Boot servicing updates on Windows 11, Server 2022, and Server 2025 as a known trigger. Separately, CVE-2026-45585 ('YellowKey', MSRC advisory May 19, 2026) describes a physical-access attack in which the way WinRE interacts with TPM validation states is exploited to bypass BitLocker Device Encryption on Windows 10, Windows 11, and Windows Server devices configured with TPM-only protection (no PIN or Startup Key). PCR-related recovery prompts are resolved by unlocking with the escrowed recovery key, suspending BitLocker until pending updates complete, then resuming it to reseal against the new PCR values. CVE-2026-45585 is remediated by deploying Microsoft's official WinRE patch script via SCCM/Intune and/or enforcing a pre-boot PIN via GPO/Intune.
Indicators
- Device boots to blue 'BitLocker Recovery' screen requesting a 48-digit recovery password before Windows loads
- User cannot boot normally after applying a Windows Update, firmware update, or Secure Boot policy change
- Event ID 768 or 851 logged in Microsoft-Windows-BitLocker-API/Management indicating TPM failed to unseal the VMK
- System was previously booting normally with TPM-only BitLocker protector requiring no user interaction
- Recovery prompt appears consistently on every reboot until BitLocker is suspended and resumed
- BitLocker recovery prompt appears after applying April 2026 cumulative or Secure Boot servicing update with no hardware changes made
- Device running BitLocker in TPM-only mode (no pre-boot PIN or Startup Key) — vulnerable to CVE-2026-45585 WinRE bypass
- Device inventory/compliance tools (Intune, Absolute) report WinRE security patch mitigation for CVE-2026-45585 has NOT been applied
- Device reported lost or stolen, raising risk of physical interdiction and WinRE-based BitLocker bypass
Likely causes
- Secure Boot policy update (db/dbx/KEK/PK changes) altered PCR 7 measurements, causing TPM to reject VMK unsealing
- Windows Update or servicing replaced boot-critical files (bootmgr, winload.efi, BCD) whose hashes are measured into PCRs 4, 8, or 11
- UEFI/BIOS firmware update changed firmware measurements in PCR 0, 1, 2, or 3 beyond the sealed PCR policy
- BitLocker was not suspended prior to applying updates that touch measured boot components
- Recovery key not escrowed before the triggering event, leaving no automated recovery path
- Unexpected change to BCD store (e.g., by third-party tool or dual-boot setup) altered PCR 11 value
- April 2026 cumulative update or Secure Boot servicing package modifies measured boot components, altering PCR7 values on affected TPM/PCR7-bound configurations — Microsoft has acknowledged this behaviour
- CVE-2026-45585 (YellowKey): structural exploit in how WinRE interacts with TPM validation states during physical interdictions — allows attacker with physical access to bypass TPM-sealed BitLocker keys (MSRC advisory published May 19, 2026)
- TPM-only BitLocker configuration (no PIN or Startup Key) provides no defence against the WinRE-based bypass vector described in CVE-2026-45585
Diagnostic steps
- Note the BitLocker Recovery Key ID shown on the recovery screen (partial GUID) and locate the matching 48-digit recovery password from escrow (Active Directory BitLocker Recovery tab, Azure AD portal, Intune, MBAM self-service portal, or Microsoft Account at account.microsoft.com/devices/recoverykey). Purpose: confirms you have the correct recovery credential for this specific volume and protector, preventing failed unlock attempts.
- After unlocking with the recovery password and booting into Windows, open an elevated PowerShell prompt and run `manage-bde -status C:`. Purpose: determines the current BitLocker state, identifies configured protectors, and confirms whether protection is suspended or active.
- Run `manage-bde -protectors -get C:` to list all key protectors (TPM, TPM+PIN, Recovery Password) and their associated IDs, noting the PCR validation profile shown for the TPM protector. Purpose: reveals the PCR binding configuration, including whether PCR 7 is included, to determine which registers were disrupted by the triggering change; also confirms whether the device uses TPM-only protection (no PIN/Startup Key) and is therefore in scope for CVE-2026-45585.
- Open Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management, and examine Event ID 768 or 851 entries, noting the reason code in the event description. Purpose: identifies the exact PCR or protector that caused the recovery trigger, distinguishing between firmware change, Secure Boot policy change, or boot file modification.
- If the cause was a planned update, verify completion via `Get-HotFix` or Settings > Update History, and confirm the UEFI/BIOS version via `Get-WmiObject Win32_BIOS` or the firmware vendor tool. Purpose: ensures the system is in a known-good post-update state before re-sealing BitLocker to new PCR values, preventing an immediate repeat recovery cycle.
- Run `Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10` to list recently installed updates and confirm which April 2026 or Secure Boot servicing KB was installed immediately before the recovery prompt. Purpose: establishes a precise timeline linking a specific KB to the BitLocker recovery trigger, distinguishing it from unrelated hardware or configuration changes.
- Query Intune or Absolute device compliance reports to identify all Windows 10, Windows 11, and Windows Server endpoints using BitLocker without a PIN or Startup Key (TPM-only protector), establishing the fleet-wide exposure scope for CVE-2026-45585. Purpose: determines how many devices are vulnerable based on platform and BitLocker configuration before prioritising remediation.
- Filter the device list in Intune or Absolute to identify endpoints where the WinRE security patch mitigation for CVE-2026-45585 has NOT been applied. Purpose: identifies the unpatched subset that remains actively vulnerable to the YellowKey WinRE bypass.
- Cross-reference unpatched devices against asset management records for any devices reported lost, stolen, or outside corporate control. Purpose: prioritises incident response and potential data breach notification obligations for the highest-risk physically-interdicted assets.
- Review the MSRC advisory for CVE-2026-45585 (published May 19, 2026) to confirm the specific WinRE binary versions addressed and validate that the patch script version available in SCCM/Intune matches Microsoft's official remediation guidance. Purpose: ensures the correct remediation artefact is deployed and the advisory scope matches the environment being assessed.
- On remediated devices, run `reagentc /info` to confirm WinRE is enabled and the updated recovery image is active. Purpose: verifies the WinRE patch was successfully applied and the recovery environment reflects the patched binaries.
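The single-device diagnostic steps above, gathered in one pass. This is an added example, not part of the original runbook or any Microsoft tooling; it assumes an elevated PowerShell session with the BitLocker module, and defaults to the Event IDs 768/851 that the Indicators section lists.

```powershell
# Added example (not from the original runbook): one-pass BitLocker triage of a single device.
# Assumes an elevated session with the BitLocker module; event IDs default to the runbook's 768/851.
param(
    [string]$MountPoint   = 'C:',
    [int[]] $EventIds     = @(768, 851),
    [int]   $LookbackDays = 30
)

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })

# TPM-only = a bare 'Tpm' protector with no PIN/StartupKey variant alongside it
# (the configuration the runbook places in scope for CVE-2026-45585).
$tpmOnly = ($types -contains 'Tpm') -and
           -not ($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

# The PCR validation profile is only exposed by manage-bde; it is the line after the label.
$bde  = @(manage-bde -protectors -get $MountPoint)
$pcrs = 'n/a'
for ($i = 0; $i -lt $bde.Count - 1; $i++) {
    if ($bde[$i] -match 'PCR Validation Profile') { $pcrs = $bde[$i + 1].Trim(); break }
}

# BitLocker-API events the runbook associates with a failed VMK unseal.
$events = Get-WinEvent -FilterHashtable @{
    ProviderName = 'Microsoft-Windows-BitLocker-API'
    Id           = $EventIds
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

# Recently installed updates, to line up against the first recovery prompt.
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending |
            Select-Object -First 10 HotFixID, InstalledOn

[pscustomobject]@{
    MountPoint              = $vol.MountPoint
    ProtectionStatus        = $vol.ProtectionStatus
    Protectors              = $types -join ', '
    TpmOnlyInScopeYellowKey = $tpmOnly
    PcrValidationProfile    = $pcrs
    RecoveryPasswordIds     = @($vol.KeyProtector |
                               Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId -join ', '
    SecureBootEnabled       = $(try { Confirm-SecureBootUEFI } catch { 'unknown' })
    WinReStatus             = ((reagentc /info) | Where-Object { $_ -match 'Windows RE status' }) -replace '\s+', ' '
    UnsealFailureEvents     = $events
    RecentHotfixes          = $hotfixes
}
```

A device that reports `TpmOnlyInScopeYellowKey = True` with a `PcrValidationProfile` containing 7 is both in scope for CVE-2026-45585 and sensitive to Secure Boot servicing changes, so it belongs in the first remediation wave.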
Resolution path
- Step 1 — Enter the 48-digit BitLocker recovery password at the recovery screen to unlock the drive and allow Windows to boot. Do not attempt to bypass via other means as data integrity must be confirmed first.
- Step 2 — Once logged into Windows, immediately suspend BitLocker protection: run `manage-bde -protectors -disable C:` (or via GUI: Control Panel > BitLocker Drive Encryption > Suspend protection). This writes a clear key so TPM PCR values are not checked on the next boot.
- Step 3 — If the triggering change is still in progress (e.g., firmware update requiring another reboot), reboot now with BitLocker suspended. After final reboot and system stability confirmation, resume BitLocker to re-seal to current PCR values: `manage-bde -protectors -enable C:`
- Step 4 — Verify TPM protector is now active and bound to new PCR measurements: run `manage-bde -status C:` and confirm 'Protection Status: Protection On' and 'Key Protectors: TPM' (or TPM+PIN as configured). System should now boot normally without requesting recovery.
- Step 5 — Escrow the current recovery key to AD or Azure AD. Only a Recovery Password protector can be backed up, so select it explicitly rather than indexing `KeyProtector[0]` (which may be the TPM protector). For Azure AD run `BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId ((Get-BitLockerVolume -MountPoint C:).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId`; for on-premises AD use `manage-bde -protectors -adbackup C: -id {GUID}` or `Backup-BitLockerKeyProtector` with the same Recovery Password protector ID.
- Step 6 — If PCR7 binding is confirmed and recovery recurs after future Secure Boot updates, adjust the PCR validation profile via Group Policy: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > 'Configure TPM platform validation profile for native UEFI firmware configurations', and configure a profile excluding PCR 7. Test on a pilot group first and evaluate against your threat model.
- Rollback — If suspend/re-enable of protectors causes issues, the recovery password protector remains active; do not remove it until TPM protector resealing is confirmed successful.
- Rollback — If a PCR profile Group Policy change causes boot failures, boot to WinRE, unlock with the recovery key, and revert the GP setting or restore the previous PCR validation profile.
- Rollback — If the triggering update must be removed, suspend BitLocker first, then uninstall via `wusa /uninstall /kb:<KB_number>` from an elevated prompt or via Settings > Windows Update > Update History > Uninstall Updates.
- Verification — Reboot after re-enabling protectors and confirm system reaches Windows login screen without a recovery prompt.
- Verification — Run `manage-bde -status C:` and confirm 'Protection Status: Protection On' and 'Lock Status: Unlocked' without recovery key entry.
- Verification — Confirm recovery key escrow by checking Azure AD / Entra ID portal (Devices > [device] > BitLocker keys) or querying AD for 'msFVE-RecoveryInformation' child objects on the computer account.
- CVE-2026-45585 Option A — Patch WinRE: Deploy Microsoft's official WinRE configuration script via SCCM or Intune to update local recovery image binaries on all affected endpoints. Target the unpatched device group identified via compliance tool query. Verify in Intune/Absolute post-deployment.
- CVE-2026-45585 Option B — Enforce Pre-Boot PIN: Configure a BitLocker pre-boot PIN requirement via GPO or Intune device configuration policy. This adds an authentication factor that mitigates the TPM-only WinRE bypass even if WinRE patching is delayed.
- CVE-2026-45585 — Prioritise both mitigations in combination for highest-risk devices (e.g., laptops used off-premises). Pilot staged deployment before fleet-wide rollout.
- CVE-2026-45585 Rollback — If the WinRE configuration script causes recovery environment boot failure, boot from external Windows installation media and restore a known-good WinRE.wim: inspect the image with `dism /Get-ImageInfo /ImageFile:<path-to-WinRE.wim>` (DISM's `/Image:` switch targets a mounted offline OS, not a .wim file), copy it back into place, then re-register and enable it with `reagentc /setreimage /path <folder-containing-WinRE.wim> /target C:\Windows` followed by `reagentc /enable /target C:\Windows`.
- CVE-2026-45585 Rollback — If pre-boot PIN enforcement causes user lockout (PIN not set before policy applies), retrieve the recovery key from Azure AD / Intune > Devices > Recovery Keys, unlock the drive, then re-enrol the PIN via `manage-bde -protectors -add C: -TPMAndPIN` (if the add is rejected because a TPM protector already exists, remove the TPM-only protector first with `manage-bde -protectors -delete C: -type TPM`, keeping the Recovery Password protector in place).
- CVE-2026-45585 Rollback — If staged SCCM/Intune deployment causes issues, pause rollout using deployment targeting controls before widening to full fleet.
Prevention
- Always suspend BitLocker before applying UEFI/BIOS firmware updates or any update known to modify boot-critical files: run `manage-bde -protectors -disable C:` before the update and re-enable after final post-update reboot
- Ensure BitLocker recovery keys are escrowed to Active Directory or Azure AD for every protected device before any maintenance window — verify escrow status with `Get-BitLockerVolume | Select-Object MountPoint, KeyProtector` and confirm KeyProtectorType includes RecoveryPassword with a backed-up ID
- Configure Group Policy or Intune policy to require recovery key backup before BitLocker can be enabled: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > 'Do not enable BitLocker until recovery information is stored to AD DS'
- Use a narrow PCR profile (e.g., PCR 7 only for Secure Boot state) where threat model permits, to reduce frequency of recovery triggers from routine boot file updates — evaluate against security requirements and test in pilot group first
- Integrate BitLocker suspension into patch management tooling (SCCM/MECM task sequence, Intune pre-script, or WSUS pre/post scripts) so suspension and resumption are automated for all managed endpoints during patching cycles
- Monitor Microsoft update release notes and support advisories for Secure Boot or boot-file changes flagged as affecting PCR7 measurements; pilot-test such updates on a small device subset before broad deployment to detect BitLocker recovery issues before fleet-wide impact.
- Review and standardise BitLocker PCR validation profiles across the environment — where PCR7 binding is not required by policy, configure profiles excluding PCR7 to reduce sensitivity to Secure Boot policy changes triggering recovery.
- Enforce BitLocker pre-boot PIN or Startup Key requirements organisation-wide via GPO or Intune — prevent TPM-only configurations, mitigating CVE-2026-45585 WinRE bypass even on unpatched devices
- Create an Intune compliance policy that flags devices where the WinRE security patch mitigation (CVE-2026-45585) has not been applied, and restrict/quarantine non-compliant device access until remediated
- Include WinRE patch status in device build standards and onboarding checklists so all newly provisioned devices are compliant before deployment
- Implement a lost/stolen device response procedure that immediately triggers BitLocker recovery key rotation and remote wipe via Intune for any device reported missing, reducing the window for physical interdiction attacks
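The escrow, suspend, resume and verify sequence from Steps 2 to 5 of the Resolution path and the first, second and fifth Prevention items, as a pre/post-patch guard suitable for an SCCM/MECM or Intune pre- and post-script. This is an added example, not part of the original runbook or any Microsoft tooling; it assumes an elevated session with the BitLocker module, and the `-RebootCount` default and the on-prem AD versus Entra ID switch are deployment-specific assumptions.

```powershell
# Added example (not from the original runbook): run with -Phase Pre before the update and
# -Phase Post after the final reboot. Assumes an elevated session with the BitLocker module;
# -RebootCount and -EntraJoined are deployment-specific assumptions.
param(
    [ValidateSet('Pre', 'Post')] [string]$Phase = 'Pre',
    [string]$MountPoint  = 'C:',
    [int]   $RebootCount = 2,    # reboots the update needs; 0 = stay suspended until Resume-BitLocker
    [switch]$EntraJoined         # escrow to Entra ID (Azure AD) rather than on-prem AD DS
)

function Get-RecoveryProtectors([string]$Mp) {
    @((Get-BitLockerVolume -MountPoint $Mp).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

function Invoke-PrePatchGuard {
    # A non-TPM way back in must exist and be escrowed before measured boot components change.
    $rp = Get-RecoveryProtectors $MountPoint
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = Get-RecoveryProtectors $MountPoint
    }
    foreach ($p in $rp) {
        if ($EntraJoined) { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
        else              { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
    }
    # Suspend: the VMK is stored in the clear for $RebootCount reboots, so the TPM PCR policy is
    # not evaluated while firmware or boot files change; protection then resumes on its own.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus
}

function Confirm-PostPatchState {
    # Resume if still suspended (RebootCount 0 or an extra reboot); this re-seals to the new PCR values.
    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    $vol    = Get-BitLockerVolume -MountPoint $MountPoint
    $types  = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    $hasTpm = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    [pscustomobject]@{
        MountPoint              = $vol.MountPoint
        ProtectionStatus        = $vol.ProtectionStatus
        TpmProtectorPresent     = $hasTpm
        RecoveryPasswordPresent = [bool](Get-RecoveryProtectors $MountPoint)
        Healthy                 = ($vol.ProtectionStatus -eq 'On') -and $hasTpm
    }
}

if ($Phase -eq 'Pre') { Invoke-PrePatchGuard } else { Confirm-PostPatchState }
```

Wire the Post phase to run only after the deployment tool reports the final reboot complete; resuming too early re-seals against PCR values the pending update is about to change and reproduces the recovery prompt.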
Tools
- manage-bde.exe — primary CLI tool for BitLocker management, status, protector control, and AD backup
- Get-BitLockerVolume (PowerShell, BitLocker module) — retrieves BitLocker volume status and protector details
- BackupToAAD-BitLockerKeyProtector (PowerShell) — escrows recovery key to Azure Active Directory
- Backup-BitLockerKeyProtector (PowerShell) — escrows recovery key to on-premises Active Directory (alternative to manage-bde -adbackup)
- Event Viewer > Microsoft-Windows-BitLocker-API/Management — BitLocker-specific event log for trigger diagnosis
- tpm.msc — TPM Management Console for viewing TPM status (use with caution)
- Azure AD / Intune portal — retrieve recovery keys for Azure AD-joined or Hybrid-joined devices
- Active Directory Users and Computers (ADUC) — retrieve recovery keys escrowed to on-premises AD
- gpedit.msc (Group Policy Editor) — configure BitLocker TPM PCR validation profile (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > OS Drives > 'Configure TPM platform validation profile for native UEFI firmware configurations')
- Windows Recovery Environment (WinRE) — offline remediation access when system is otherwise inaccessible
- reagentc.exe — verify WinRE status and confirm updated recovery image is active post-remediation
- Absolute — device inventory and compliance verification for CVE-2026-45585 WinRE patch status
- DISM — WinRE image servicing and recovery if the WinRE configuration script causes boot issues (`dism /Get-ImageInfo /ImageFile:<path-to-WinRE.wim>`; pair with `reagentc /setreimage` to re-register a restored image)
References
- BitLocker recovery overview — Microsoft Learn
- BitLocker Group Policy settings (PCR profile configuration) — Microsoft Learn
- Secure Boot and BitLocker — understanding the relationship
- Back up the BitLocker recovery key — Microsoft Learn
- Microsoft Support — BitLocker recovery prompts after Secure Boot / boot-file updates (April 2026)
- Microsoft Security Response Center (MSRC) Advisory — CVE-2026-45585 (BitLocker YellowKey Bypass, May 19, 2026)