BitLocker YellowKey Bypass — CVE-2026-45585: WinRE TPM Validation Physical Access Exploit
CVE-2026-45585 is a hardware/firmware interface flaw allowing physical attackers to bypass BitLocker Device Encryption on Windows 10, Windows 11, and Windows Server systems using standard TPM-only configurations. The exploit manipulates the Windows Recovery Environment (WinRE) boot path to bypass TPM-based BitLocker key release. Remediation requires deploying Microsoft's official WinRE configuration script via SCCM/Intune or enforcing a BitLocker pre-boot PIN via GPO/Intune as a compensating control.
Indicators
- Device inventory/compliance tools (Intune, Absolute) report that the WinRE security patch mitigation has NOT been applied to managed endpoints
- BitLocker configuration on affected devices shows TPM-only protection: `manage-bde -protectors -get C:` lists a 'TPM' protector (normally alongside a 'Numerical Password' recovery protector) but no 'TPM And PIN' or 'TPM And Startup Key' protector
- Lost or stolen corporate laptop where raw disk data may have been accessed without BitLocker unlock credentials
- MSRC advisory CVE-2026-45585 published May 19, 2026 matches device OS version and BitLocker configuration
Likely causes
- Structural exploit in the Windows Recovery Environment (WinRE) interaction with TPM validation states — during physical interdiction, an attacker can manipulate the WinRE boot path to bypass normal TPM-based BitLocker key release
- Standard BitLocker configurations relying solely on TPM (no PIN, no Startup Key) provide no second factor to prevent key release in the compromised WinRE context
- Absence of the Microsoft-issued WinRE configuration script/patch leaves local recovery image binaries in a vulnerable state
Diagnostic steps
- Query device inventory and compliance tools (Intune and/or Absolute) to identify all managed devices where the WinRE security patch mitigation for CVE-2026-45585 has NOT been applied. This establishes the blast radius: exactly how many and which devices remain vulnerable, so remediation can be prioritised.
- On a representative sample of affected devices, run `manage-bde -protectors -get C:` to enumerate active BitLocker protectors. A device that lists only a 'TPM' protector (plus the 'Numerical Password' recovery protector) and no 'TPM And PIN' or 'TPM And Startup Key' protector is in the vulnerable TPM-only configuration and is susceptible to the WinRE bypass.
- Cross-reference the MSRC advisory for CVE-2026-45585 (published May 19, 2026) against device OS build versions to confirm which devices fall within the affected Windows 10, Windows 11, and Windows Server scope. This keeps the remediation scope accurate and excludes devices already patched or running non-affected configurations.
- Review SCCM/Intune deployment status reports to determine whether the WinRE configuration script has been successfully deployed and executed on each target device, noting any failures or devices not reporting back. This identifies deployment gaps: devices that are in scope but have not received or successfully run the remediation script.
- Run `reagentc /info` on sample devices to verify WinRE status and confirm the recovery image location and enablement state. This validates that WinRE is enabled and reachable for script-based remediation; note that `reagentc /info` reports only enablement and location, not whether the winre.wim image already carries the fix, so the image build must be read from winre.wim itself (for example with DISM).
- For any device flagged as high-risk (lost, stolen, or unmanaged), escalate immediately to security/compliance teams and treat the device's data as potentially compromised pending investigation, so that data security and compliance violation risks for lost or stolen assets are triaged per incident response policy.
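A device-side detection script covering the protector and WinRE checks above, added here as an example; it is not Microsoft's WinRE configuration script and is not part of the original page. It assumes it runs elevated on the endpoint (as an Intune proactive remediation detection script or an SCCM configuration item), that `reagentc /info` prints its usual 'Windows RE status' and 'Windows RE location' lines, that DISM can open winre.wim at the path reagentc reports, and that the administrator supplies the patched WinRE image version from the advisory in the `$PatchedWinReVersion` parameter (a placeholder; no value is given here, and the comparison is skipped when it is omitted).

```powershell
# Added example: CVE-2026-45585 exposure check for the OS volume.
# Not Microsoft's WinRE configuration script. Run elevated on the endpoint.
# Exit 1 = remediation needed, exit 0 = compliant (proactive remediation convention).
# $PatchedWinReVersion is a placeholder to be filled from the MSRC advisory; when it is
# not supplied, the WinRE version comparison is skipped and reported as null.
param([string]$PatchedWinReVersion)
$ErrorActionPreference = 'Stop'

function Get-OsVolumeProtectorTypes {
    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # RecoveryPassword, ExternalKey and Password
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
}

function Test-TpmOnly {
    param([string[]]$Types)
    # Only these protector types add a second factor before the TPM releases the volume key
    $secondFactor = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $hasSecond = @($Types | Where-Object { $secondFactor -contains $_ }).Count -gt 0
    ($Types -contains 'Tpm') -and -not $hasSecond
}

function Get-WinReState {
    # reagentc /info prints, among other lines:
    #   Windows RE status:         Enabled
    #   Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    $raw = (& reagentc.exe /info 2>&1) -join "`n"
    $status   = if ($raw -match 'Windows RE status:\s+(\S+)')   { $Matches[1] } else { 'Unknown' }
    $location = if ($raw -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { $null }
    $version  = $null
    if ($location) {
        try {
            # Assumption: DISM can open winre.wim through the GLOBALROOT path reagentc reports.
            # reagentc never reports the image build, so the version has to come from the WIM.
            $version = (Get-WindowsImage -ImagePath "$location\winre.wim" -Index 1).Version
        } catch { $version = $null }
    }
    [pscustomobject]@{ Status = $status; Location = $location; Version = $version }
}

$types   = Get-OsVolumeProtectorTypes
$winre   = Get-WinReState
$tpmOnly = Test-TpmOnly -Types $types

$winrePatched = $null
if ($PatchedWinReVersion -and $winre.Version) {
    $winrePatched = [version]$winre.Version -ge [version]$PatchedWinReVersion
}

# Exposed = still unlocks on the TPM alone AND the WinRE image is not known to be patched.
# An unknown WinRE version is treated as unpatched so a device is never silently passed.
$exposed = $tpmOnly -and ($winrePatched -ne $true)

$result = [ordered]@{
    Protectors   = ($types -join ',')
    TpmOnly      = $tpmOnly
    WinReStatus  = $winre.Status
    WinReVersion = $winre.Version
    WinRePatched = $winrePatched
    Exposed      = $exposed
}
# Compact JSON is what an Intune custom compliance script or a log collector expects
Write-Output (ConvertTo-Json -InputObject $result -Compress)
if ($exposed) { exit 1 } else { exit 0 }
```

The exit code drives proactive remediation; the JSON line is what to collect into Intune custom compliance or Absolute so the fleet-wide query in the first diagnostic step can be answered from real device state rather than from deployment status alone.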
Resolution path
- Step 1 — Deploy Microsoft's official WinRE configuration script via SCCM or Intune to all affected devices. This script updates the local Windows Recovery Environment image binaries to close the CVE-2026-45585 attack surface. Validate successful execution via compliance reporting in Intune/SCCM before proceeding.
- Step 2 — For devices where the WinRE script cannot be deployed immediately, enforce a BitLocker pre-boot PIN requirement as an interim compensating control. Configure via GPO: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup; enable the policy and set 'Configure TPM startup PIN' to 'Require startup PIN with TPM'. Alternatively, configure via Intune BitLocker policy. Note that the policy only governs which protectors are permitted: a volume already encrypted with a TPM-only protector does not gain a PIN on its own, so the TPM+PIN protector must still be added on each volume (with manage-bde or the BitLocker PowerShell module) and the TPM-only protector removed, after confirming that a recovery password is escrowed.
- Step 3 — After the WinRE script has been deployed and/or pre-boot PIN enforced, re-run compliance queries in Intune/Absolute to confirm all targeted devices now show the mitigation as applied. Document completion for compliance/audit purposes.
- Step 4 — For any devices that fail automated deployment, schedule manual remediation: connect the device to the network or bring it on-site, run the WinRE configuration script interactively with administrative privileges, and verify the result. `reagentc /info` confirms that WinRE is still enabled and where the image lives; the image build itself must be read from winre.wim (for example with DISM) to confirm the updated image is in place.
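The protector change that Step 2's policy does not perform by itself, as an added example (not the page's or Microsoft's code): converting the OS volume from TPM-only to TPM+PIN on one device, the same procedure a manual remediation under Step 4 would follow. It assumes an elevated interactive session on the device (the PIN is typed by the user, never embedded in a deployment script), the built-in BitLocker PowerShell module, that policy allows a TPM startup PIN (`UseTPMPIN` unset, 1 or 2 under `HKLM\SOFTWARE\Policies\Microsoft\FVE`), and that the device is either AD DS joined or Entra ID joined so the recovery password can be escrowed before the TPM protector is touched.

```powershell
# Added example: convert the OS volume from a TPM-only protector to TPM+PIN.
# Not from the page or from Microsoft. Run elevated, on the device, interactively.
# Assumes the BitLocker PowerShell module and a policy that permits a TPM startup PIN.
$ErrorActionPreference = 'Stop'
$mount = $env:SystemDrive
$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicy {
    if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }
}

function Assert-TpmPinAllowed {
    # UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow; absent = policy not configured
    $p = Get-FvePolicy
    if ($p -and $null -ne $p.UseTPMPIN -and [int]$p.UseTPMPIN -eq 0) {
        throw 'Policy forbids a TPM startup PIN; set "Require startup PIN with TPM" first.'
    }
}

function Ensure-EscrowedRecoveryPassword {
    # Never touch the TPM protector until a recovery password exists AND is backed up:
    # if the TPM+PIN step fails, the recovery password is the only way into the volume.
    $vol = Get-BitLockerVolume -MountPoint $mount
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    $id = $rp[0].KeyProtectorId
    # Escrow to AD DS first; on an Entra ID joined device that call fails, so fall back to Entra ID
    try {
        Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $id | Out-Null
    }
    catch {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $id | Out-Null
    }
    $id
}

function Convert-OsVolumeToTpmAndPin {
    param([securestring]$Pin)
    $vol   = Get-BitLockerVolume -MountPoint $mount
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ($types -contains 'TpmPin') { return 'already-tpm-pin' }
    if ($types -notcontains 'Tpm') { throw "No TPM protector on $mount; volume is not TPM-only." }

    Assert-TpmPinAllowed
    $null = Ensure-EscrowedRecoveryPassword

    # Drop the TPM-only protector, then add TPM+PIN; the recovery password covers the gap,
    # and the volume ends with a single TPM-based protector that needs the PIN.
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $mount -TpmAndPinProtector -Pin $Pin | Out-Null

    # Verify the same state manage-bde -protectors -get would show: TPM And PIN present, TPM gone
    $after = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector |
               ForEach-Object { [string]$_.KeyProtectorType })
    if (($after -contains 'TpmPin') -and ($after -notcontains 'Tpm')) { return 'converted' }
    throw "Unexpected protector set after change: $($after -join ',')"
}

# Minimum PIN length follows policy (MinimumPIN); 6 is the default on current builds
$minPin = 6
$pol = Get-FvePolicy
if ($pol -and $null -ne $pol.MinimumPIN) { $minPin = [int]$pol.MinimumPIN }
$pin = Read-Host -AsSecureString -Prompt "New BitLocker startup PIN (at least $minPin digits)"
if ($pin.Length -lt $minPin) { throw "PIN shorter than the policy minimum of $minPin." }

Convert-OsVolumeToTpmAndPin -Pin $pin
```

The order matters: the recovery password is created and escrowed before the TPM protector is removed, so a failure anywhere in the conversion leaves a volume that can still be unlocked from the escrowed key rather than one with no usable protector. After a successful run, `manage-bde -protectors -get C:` should list 'TPM And PIN' and 'Numerical Password' and no bare 'TPM' entry, which is the state the Step 3 compliance query should look for.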
Prevention
- Enforce BitLocker pre-boot PIN or Startup Key requirement across all endpoints via GPO or Intune policy — this eliminates the TPM-only configuration that is vulnerable to the WinRE bypass attack, even before WinRE patching is complete.
- Establish a compliance policy in Intune/Absolute that continuously monitors and alerts on any device where the WinRE image is not at the current patched version, ensuring future WinRE updates are tracked as a mandatory compliance item.
- Implement a mobile device policy requiring immediate remote wipe for any reported lost or stolen corporate laptop, and rotate the BitLocker recovery password so a previously exposed recovery key cannot be reused. Both are best-effort against physical interdiction: a remote wipe only executes if the device comes back online, and rotating the recovery password does not re-encrypt the volume, so it does nothing against an attacker who already holds the device. Treat the device as potentially compromised regardless.
- Restrict physical access to corporate endpoints and enforce full-disk encryption audit reviews quarterly to ensure no devices regress to a TPM-only BitLocker configuration.
Tools
- Microsoft Intune — fleet-wide deployment of WinRE script and BitLocker PIN policy enforcement
- SCCM (System Center Configuration Manager) — alternative deployment vehicle for WinRE configuration script
- Absolute — device inventory and compliance tracking for patch mitigation status
- manage-bde — built-in Windows command-line tool for inspecting and managing BitLocker protectors
- reagentc — built-in Windows command-line tool for managing Windows Recovery Environment status and images
- Group Policy (GPO) — enforce BitLocker pre-boot PIN requirement across the domain