Researchers disclosed a zero-day named YellowKey that can unlock BitLocker-protected drives using a few files on a USB stick, exploiting Windows’ handling of BitLocker metadata and recovery flows to bypass passwords and TPM protections. Microsoft is investigating as organizations weigh the exploit’s implications for endpoint security and forensics. The disclosure comes amid patch disruption: April updates caused some Windows 10/11 systems to enter BitLocker recovery mode, prompting Microsoft to issue partial fixes and guidance to adjust TPM group policies. May extended updates fix many vulnerabilities but still warn of BitLocker recovery prompts, leaving enterprises balancing urgent mitigations, USB hygiene, and upcoming patches.
YellowKey shows BitLocker can be bypassed by simple USB files, altering risk assessments for endpoint encryption and physical device security. Tech teams must reassess patching, forensics procedures, and USB hygiene to prevent silent data exposure.
Dossier last updated: 2026-05-22 01:24:46
Microsoft has acknowledged a Windows BitLocker security bypass named YellowKey and published temporary mitigations for affected Windows 11 and Windows Server releases. Researcher Chaotic Eclipse demonstrated that a specially crafted USB device can bypass parts of BitLocker to access locked files; Windows 10 is reportedly unaffected. Microsoft's mitigation requires running a provided script to remove the autofstx.exe entry from the Session Manager BootExecute multi-string registry value and then following guidance to re-establish BitLocker trust for the Windows Recovery Environment (WinRE). The fixes are interim while Microsoft investigates a permanent patch; administrators should apply the mitigations promptly to protect encrypted data.
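An administrator wanting to verify the interim mitigation across a fleet can audit the BootExecute value directly. The script below is an added example, not Microsoft's mitigation script: it reads the Session Manager BootExecute multi-string, reports whether an autofstx.exe entry is present, and only removes it when explicitly asked (the WinRE trust re-establishment step the advisory describes is separate and not covered here).

```powershell
# Added example (not Microsoft's script): audit the BootExecute REG_MULTI_SZ
# value for the autofstx.exe entry named in the YellowKey mitigation, and
# optionally remove it. Run from an elevated PowerShell session.
function Get-BootExecuteAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Entry the page's mitigation removes; parameterised so the same audit
        # can flag any other unexpected BootExecute entry.
        [string]$SuspectEntry = 'autofstx.exe',
        [switch]$Remove
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    # BootExecute is REG_MULTI_SZ; force an array even if only one entry exists.
    $entries = @(Get-ItemPropertyValue -Path $key -Name 'BootExecute')

    # On a clean install the value normally contains only 'autocheck autochk *'.
    $pattern = [regex]::Escape($SuspectEntry)
    $suspect = @($entries | Where-Object { $_ -match $pattern })
    $kept    = @($entries | Where-Object { $_ -notmatch $pattern })

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Entries      = $entries
        Suspect      = $suspect
        Mitigated    = ($suspect.Count -eq 0)
    }

    if ($Remove -and $suspect.Count -gt 0) {
        $action = "Remove '$($suspect -join ', ')' from BootExecute"
        if ($PSCmdlet.ShouldProcess($key, $action)) {
            # Write back only the remaining entries, preserving the MultiString type.
            Set-ItemProperty -Path $key -Name 'BootExecute' `
                -Value ([string[]]$kept) -Type MultiString
            $result.Mitigated = $true
        }
    }
    $result
}

# Audit only (safe to fan out with Invoke-Command for a fleet-wide report):
Get-BootExecuteAudit | Format-List

# Preview the removal without changing the registry:
# Get-BootExecuteAudit -Remove -WhatIf
```

Because the function supports ShouldProcess, `-Remove -WhatIf` shows exactly which entry would be dropped before any change is committed.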
Security researchers disclosed a zero-day dubbed “YellowKey” that lets attackers unlock Microsoft BitLocker-protected drives using a few files placed on a USB stick. The exploit abuses how Windows handles BitLocker metadata and recovery keys, enabling local access without the user’s BitLocker password or TPM protections. Researchers demonstrated the technique with forensics tools and proof-of-concept files; Microsoft is reportedly investigating. This matters because BitLocker is widely used for disk encryption across enterprises and consumer devices, so the flaw could undermine endpoint security, data protection, and incident response assumptions. Organizations should monitor vendor advisories, avoid untrusted USB devices, and follow forensic guidance until a patch or mitigation is issued.
Microsoft has acknowledged that its April 2026 security update (KB5083769) caused some Windows 10, Windows 11 and Windows Server 2025 devices to boot into BitLocker recovery mode, requiring users to enter recovery keys. The issue is tied to BitLocker group policy and specific TPM validation configurations—notably invalid PCR7 settings—and is most common on enterprise-managed machines. Microsoft issued a May patch (KB5089549) that fixes the problem for Windows 11 25H2, but fixes for Windows 10 and Windows Server 2025 were not yet released. Until full coverage is available, Microsoft advises administrators to remove the “Configure TPM platform validation profile for native UEFI firmware configurations” group policy before deploying the May updates.
Microsoft released the May extended security update KB5087544 for Windows 10 Enterprise LTSC and devices enrolled in ESU, raising builds to 19045.7291 (ESU) and 19044.7291 (LTSC). The cumulative update fixes 120 vulnerabilities — including 14 remote code execution, 61 privilege escalation, and other severity classes — but no zero-days. It also fixes a remote desktop warning display bug introduced by April’s patch (affecting multi-monitor, mixed-DPI .rdp sessions), enhances Windows Security to show dynamic Secure Boot state and expands coverage for new Secure Boot certificates. Microsoft warns some devices may prompt for BitLocker recovery keys after install and provides a temporary mitigation; a permanent fix is pending. This matters for enterprise stability and security posture.