Windows 11 BitLocker bypass exploited with USB key—Microsoft issues mitigation

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.

The Windows 11 BitLocker bypass vulnerability CVE-2026-45585, nicknamed “YellowKey,” is a security feature bypass rooted in how Windows Recovery Environment (WinRE) behaves on a BitLocker-protected system. An attacker with physical access to a device and a USB key can read the contents of the protected OS volume without any credentials or recovery password. Microsoft has published mitigation guidance and a script for administrators, but a permanent security update has not yet shipped.

Key Takeaways

  • Windows 11 BitLocker bypass (CVE-2026-45585) requires physical access and a USB key to exploit.
  • Affected systems include Windows 11 versions 24H2, 25H2, and 26H1 on x64, plus Windows Server 2025.
  • The flaw lies in the WinRE recovery environment, not in BitLocker’s encryption itself.
  • Microsoft provides two mitigation options: remove autofstx.exe from WinRE or enable TPM+PIN protection.
  • An administrator script simplifies the first mitigation approach at scale.

How the Windows 11 BitLocker bypass works

The attack has three steps, all of which need hands on the machine. The attacker places specially crafted FsTx files on a USB drive, or writes them directly into the target’s EFI system partition, and reboots the device into Windows Recovery Environment. Holding the CTRL key while WinRE starts causes a shell to spawn with unrestricted access to the BitLocker-protected OS volume. No key is cracked and no recovery password is entered: with the default TPM-only protector, the TPM has already released the volume key for the measured boot path that WinRE is part of, so the shell simply inherits a volume that is already unlocked.

The vulnerability does not weaken BitLocker’s cryptography; the encryption itself is intact. The flaw sits in the recovery environment around it, specifically in what WinRE runs at startup. The FsTx Auto Recovery Utility (autofstx.exe) is listed in WinRE’s Session Manager BootExecute value, so it executes automatically every time WinRE launches, and that execution can be hijacked through the attacker’s FsTx files to drop into a shell on the already-unlocked volume.

Researcher “Nightmare Eclipse” disclosed the flaw publicly and described it as a backdoor, raising the question of why such a startup process was left exposed. The researcher’s headline quote, “Can’t come up with an explanation beside the fact that this was intentional”, reflects both the severity and the puzzling presence of this behaviour in production Windows builds.

Microsoft’s two mitigation paths for the Windows 11 BitLocker bypass

Microsoft released two distinct mitigation strategies with different operational implications. The first removes the vulnerable component: the autofstx.exe entry in WinRE’s BootExecute list. The second does not touch WinRE at all but hardens BitLocker itself by requiring a PIN in addition to the TPM, so the volume stays locked inside WinRE even if the recovery environment is compromised by this or a future bug.

For the first approach, administrators mount the WinRE image (winre.wim) on each affected device, load its offline SYSTEM registry hive, and remove the autofstx.exe entry from the Session Manager’s BootExecute multi-string value. After committing the change and unmounting, WinRE is re-registered and BitLocker’s trust in the recovery image is re-established without changing the volume’s encryption status. Microsoft released a PowerShell script that automates these steps and is designed to be idempotent: if the autofstx.exe entry is not present, it exits without making any changes, so it can be pushed fleet-wide without risk of unintended modification. Because the fix lives inside winre.wim, re-imaging a device from unpatched media brings the entry back; re-run the check after any WinRE replacement.
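The following is a worked example of what the first mitigation has to do on a single device. It is added here for illustration; it is not Microsoft’s script and not code from the article. It assumes reagentc.exe and reg.exe are present, that WinRE is enabled on the device, and that the autofstx entry sits in the BootExecute multi-string of the image’s current control set as the article describes. The mount directory, the temporary hive name and the case-insensitive substring match on “autofstx” are my own choices.

```powershell
# Added example (not Microsoft's script): remove the autofstx entry from the
# WinRE image's offline SYSTEM hive. Run from an elevated PowerShell session.
$MountPath = Join-Path $env:SystemDrive 'WinReMount'   # hypothetical mount directory
$HiveKey   = 'WinRE_SYSTEM'                            # temporary hive name under HKLM

function Invoke-Checked {
    # Run an external tool and fail loudly on a non-zero exit code.
    param([string]$Exe, [string[]]$ArgumentList)
    & $Exe @ArgumentList | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Remove-WinReAutoFstx {
    # Returns $true if an entry was removed and the image committed,
    # $false if WinRE was already clean (mount discarded, nothing written).
    New-Item -ItemType Directory -Path $MountPath -Force | Out-Null
    Invoke-Checked 'reagentc.exe' @('/mountre', '/path', $MountPath)
    $changed = $false
    try {
        $hive = Join-Path $MountPath 'Windows\System32\config\SYSTEM'
        Invoke-Checked 'reg.exe' @('load', "HKLM\$HiveKey", $hive)
        try {
            # Resolve the control set the offline image actually boots with.
            $current = (Get-ItemProperty "HKLM:\$HiveKey\Select" -Name Current).Current
            $smKey   = "HKLM:\$HiveKey\ControlSet{0:D3}\Control\Session Manager" -f $current
            [string[]]$boot = (Get-ItemProperty $smKey -Name BootExecute `
                -ErrorAction SilentlyContinue).BootExecute
            if (-not $boot) {
                Write-Host 'No BootExecute value in the WinRE hive; nothing to do.'
            } else {
                $drop = @($boot | Where-Object { $_ -match 'autofstx' })   # assumed entry name
                if ($drop.Count -eq 0) {
                    Write-Host 'No autofstx entry in BootExecute; nothing to do.'
                } else {
                    Write-Host "Removing: $($drop -join ', ')"
                    $keep = @($boot | Where-Object { $_ -notmatch 'autofstx' })
                    Set-ItemProperty -Path $smKey -Name BootExecute -Value $keep -Type MultiString
                    $changed = $true
                }
            }
        } finally {
            # Drop provider handles so reg.exe can unload the hive cleanly.
            [GC]::Collect(); [GC]::WaitForPendingFinalizers()
            Invoke-Checked 'reg.exe' @('unload', "HKLM\$HiveKey")
        }
    } finally {
        # /commit writes the modified image back and re-registers WinRE;
        # /discard leaves the original winre.wim untouched when nothing changed.
        $flag = if ($changed) { '/commit' } else { '/discard' }
        Invoke-Checked 'reagentc.exe' @('/unmountre', '/path', $MountPath, $flag)
    }
    return $changed
}

Remove-WinReAutoFstx
```

The function never commits an unchanged image, which is the same no-op guarantee the article attributes to Microsoft’s script, and the nested finally blocks make sure the hive is unloaded and the mount released even if the registry edit throws. Where Microsoft’s script is available, use it; this version exists to show which state the fix touches and how it gets there.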

The second approach is simpler to apply but more visible to users. Administrators can switch an existing BitLocker configuration from TPM-only to TPM+PIN with the BitLocker PowerShell cmdlets, manage-bde, or Control Panel. For devices not yet encrypted, enabling “Require additional authentication at startup” through Microsoft Intune or Group Policy, with “Configure TPM startup PIN” set to require a PIN, ensures that the TPM will not release the volume key until the PIN is entered, so a shell inside WinRE finds a drive that is still locked. The same policy must permit a startup PIN before a TPM+PIN protector can be added to an already-encrypted drive.
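As a worked example of the second mitigation, the script below moves the OS volume from a TPM-only protector to TPM+PIN and checks the result. It is added for illustration and is not code from Microsoft or from the article. It assumes the OS drive is already encrypted with a TPM-only protector, that a recovery password protector exists and has been escrowed, and that the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the local equivalent of the Group Policy settings the article names (the numeric values are taken from the policy’s documented options; the function and variable names are mine).

```powershell
# Added example (not Microsoft's or the article's code): switch the OS volume
# from TPM-only to TPM+PIN. Run from an elevated PowerShell session.

function Enable-TpmPinPolicy {
    # Local registry counterpart of "Require additional authentication at startup"
    # with "Configure TPM startup PIN: Require startup PIN with TPM".
    # Without it, Add-BitLockerKeyProtector -TpmAndPinProtector is refused by policy.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty $fve -Name UseAdvancedStartup -Value 1 -Type DWord   # enable the policy
    Set-ItemProperty $fve -Name UseTPMPIN          -Value 1 -Type DWord   # 1 = require PIN with TPM
    Set-ItemProperty $fve -Name UseTPM             -Value 0 -Type DWord   # 0 = do not allow TPM-only
}

function Convert-ToTpmPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)
    if ($types -contains 'TpmPin') {
        Write-Host "$MountPoint already has a TpmPin protector."
        return $vol
    }
    # Refuse to change protectors on a drive with no escrowed recovery path.
    if (-not ($types -contains 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; add and back one up first."
    }
    # Add the new protector before removing the old one so the drive is never
    # left without a TPM-backed unlock path.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    foreach ($p in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Test-TpmPinEnforced {
    # Audit helper: $true only when TPM+PIN is present and no TPM-only protector remains.
    param([string]$MountPoint = $env:SystemDrive)
    $types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType)
    return ($types -contains 'TpmPin') -and -not ($types -contains 'Tpm')
}

Enable-TpmPinPolicy
$pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
Convert-ToTpmPin -Pin $pin |
    Select-Object MountPoint, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
"TPM+PIN enforced: $(Test-TpmPinEnforced)"
```

Test-TpmPinEnforced is the check worth running across the fleet afterwards: a machine that has a TpmPin protector but still carries a Tpm protector can still be auto-unlocked, so the swap is only done when the TPM-only protector is gone. The minimum PIN length is governed by the separate “Configure minimum PIN length for startup” policy.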

Which affected Windows systems are vulnerable

The Windows 11 BitLocker bypass affects specific recent builds across consumer and server platforms. Vulnerable systems include Windows 11 versions 24H2, 25H2, and 26H1 running on x64 processors. Windows Server 2025 installations, including Server Core deployments, are also exposed. The vulnerability does not affect older Windows 10 builds or earlier Windows 11 versions, limiting the scope but still encompassing millions of devices worldwide.

Organizations running the latest Windows 11 builds should prioritize applying one of Microsoft’s mitigations immediately. The vulnerability requires physical access, so cloud VMs are largely out of scope, but that is exactly the threat BitLocker exists to cover: lost or stolen laptops, unattended office machines, retail kiosks, and on-premises servers are all in reach of an attacker with a USB key and a few minutes.

Why Microsoft’s response breaks the usual patch cycle

Microsoft’s decision to publish mitigation guidance before releasing a security patch is unusual and reflects the severity of the flaw. The company stated: “We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available”. This interim approach gives administrators time to harden systems while Microsoft develops and tests a permanent fix.

The mitigation-first strategy also signals confidence in the workarounds. Neither requires a full OS rebuild or rollback: removing autofstx.exe takes out the vulnerable component, while TPM+PIN is a compensating control that holds even if WinRE is compromised some other way. Administrators should still treat these as interim measures and plan to deploy the official update once it is available.

Is the Windows 11 BitLocker bypass a backdoor or an oversight?

The researcher’s claim that the flaw appears intentional raises uncomfortable questions about Microsoft’s development and security review processes. A startup process that automatically executes in the recovery environment without proper validation is unusual for a company as security-conscious as Microsoft. Whether this represents a deliberate backdoor, a missed security review, or a trade-off made for recovery functionality remains unclear.

What is clear is that the flaw is exploitable with nothing more than physical access, meaning any attacker with a few minutes alone with a device could use it. This level of exposure in a production operating system is difficult to justify as an oversight, yet with no public evidence of intentional backdooring the researcher’s allegation remains speculation rather than confirmed fact.

TPM+PIN as a practical defense

The TPM+PIN mitigation is particularly valuable because it hardens BitLocker against the whole class of WinRE-based attacks that rely on the TPM auto-unlocking the volume, not just this specific vulnerability. With a PIN required, the TPM will not release the volume key until the PIN is entered, so even an attacker with a shell in WinRE is looking at a still-encrypted volume. This turns a USB-key exploit into a guessing problem against a PIN that the TPM’s anti-hammering lockout throttles after a small number of wrong attempts.

For organizations handling sensitive data, TPM+PIN should be considered a baseline requirement regardless of this specific flaw. The trade-off is operational: users must enter a PIN at every startup, and unattended reboots on servers now need someone at the console or BitLocker Network Unlock on a wired domain network. For high-risk systems the security gain justifies that friction.

How does the Windows 11 BitLocker bypass compare to other BitLocker attacks?

BitLocker has weathered various attacks over the years, but most require either advanced techniques or extended access to the system. The Windows 11 BitLocker bypass is notable because it sidesteps the protection through a recovery-environment flaw rather than attacking the encryption itself. This is fundamentally different from attacks that sniff keys off the TPM bus, extract keys from memory, or exploit weak PIN entropy. The vulnerability exists at the architectural level, in which code the OS trusts and runs in WinRE after the TPM has already unlocked the volume.

Compared to older BitLocker vulnerabilities, this flaw is more practical for attackers because it requires no specialized knowledge of cryptography, no expensive hardware, and no extended system access. A USB key and a few minutes of physical access are sufficient.

FAQ: Windows 11 BitLocker bypass questions

Can I protect against the Windows 11 BitLocker bypass without a PIN?

Against this specific flaw, yes: removing autofstx.exe from WinRE closes the hole without requiring a PIN. What it does not do is protect against other WinRE-based attacks, because the TPM-only protector still unlocks the volume in the recovery environment. For that broader protection Microsoft’s second option, TPM+PIN, is the one to use; it is the only mitigation that keeps the drive locked even if WinRE is compromised.

Does the mitigation script work on Windows Server 2025?

Yes. Microsoft’s script is designed to work on Windows Server 2025 installations, including Server Core deployments. The script mounts WinRE, edits the offline registry, and re-seals the image with BitLocker trust intact, making it suitable for both consumer and server environments.

Will enabling TPM+PIN slow down my system?

No. Enabling TPM+PIN changes nothing about how the volume is encrypted or accessed once it is unlocked, so runtime performance is unchanged. The only cost is the prompt itself: the boot sequence pauses until the PIN is typed, which adds a few seconds and requires someone to be present at the console.

The Windows 11 BitLocker bypass represents a significant gap in how Windows validates code during recovery. Until Microsoft releases a permanent patch, organizations should deploy one of the two mitigations immediately. For systems handling sensitive data, TPM+PIN is the stronger choice despite the added startup friction. This incident underscores why physical security and endpoint hardening remain non-negotiable, even in an era of sophisticated cryptography.

Edited by the All Things Geek team.

Source: Windows Central
