May 21, 2026 · 9 min read
Researchers Showed That a USB Drive, a Reboot, and Holding CTRL Bypass BitLocker on a Locked Windows 11 Laptop—Microsoft Has No Patch, Only Mitigations
An anonymous researcher published the proof of concept for CVE-2026-45585 without warning Microsoft. Every Windows 11 device using TPM-only BitLocker is exposed until pre-boot PIN is enforced.
What Happened
On May 20, 2026, Microsoft issued an out-of-cycle advisory for CVE-2026-45585, a BitLocker security feature bypass nicknamed YellowKey. The advisory followed the public disclosure of a working proof of concept by an anonymous researcher using the handle "Nightmare Eclipse," who skipped the coordinated disclosure process entirely.
The exploit chain is short enough to fit in a paragraph. Place several specially crafted files named with an FsTx prefix on a USB drive or in the EFI partition. Reboot the target Windows 11 device into the Windows Recovery Environment (WinRE). At the right moment, hold the CTRL key. WinRE drops into a shell that has unrestricted access to BitLocker-protected volumes. The encryption is bypassed, the disk is readable, and the attacker can copy off whatever they want.
No patch exists. Microsoft published three mitigations and acknowledged that a fix is still in development.
Why TPM-Only BitLocker Was Always the Weak Configuration
BitLocker has three operating modes. TPM-only mode—the default on every consumer Windows 11 device that does not have its BitLocker policy explicitly managed—uses the TPM chip alone to unlock the disk at boot. Once Windows reaches the login screen, the disk is decrypted. Anyone who can reach a privileged code path before that login screen has access to a decrypted disk.
TPM+PIN mode requires a numeric PIN to be entered at boot before the TPM releases the key. Pre-boot authentication is the security wall that TPM-only mode lacks. The pre-boot PIN is the difference between "your laptop is encrypted" and "your laptop is encrypted unless someone takes 90 seconds to attack it."
YellowKey is the latest in a long line of attacks that exploit the gap between "BitLocker is on" and "BitLocker requires user authentication before decryption." Prior research from the Dolos Group, the Saarbrücken team, and several disclosure-tracker labs has repeatedly shown that TPM-only mode is bypassable by attackers with physical access. Microsoft's defensive position has been that physical access means game over anyway. YellowKey makes the bypass not just possible but trivial.
The Three Mitigations Microsoft Recommends
Until Microsoft ships a patch, the advisory lists three defenses. None of them are perfect; all of them help.
- Remove autofstx.exe from Session Manager BootExecute. The vulnerability rides on a Windows component that pre-executes during early boot. Stripping the entry breaks the exploit chain. Registry path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute.
- Switch BitLocker from TPM-only to TPM+PIN mode. This is the strongest defense and the one most administrators have been avoiding for usability reasons. The Group Policy path is Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → Require additional authentication at startup; then set "Configure TPM startup PIN" to "Require startup PIN with TPM."
- Enforce mandatory pre-boot PIN via Intune. For organizations on Intune, the policy Endpoint Security → Disk encryption → BitLocker → Startup authentication required: Yes achieves the same goal at scale.
All three mitigations require administrative privileges to deploy. Most laptops in BYOD or unmanaged environments are not going to receive them.
Who Is Affected
Every Windows 11 device using TPM-only BitLocker. That covers the bulk of consumer Windows 11 laptops sold since 2021, plus a meaningful share of corporate laptops where IT administrators chose TPM-only for convenience. Microsoft has not published an estimated population, but external estimates put the TPM-only Windows 11 install base at hundreds of millions of devices globally.
Devices in TPM+PIN mode are not affected. Windows 10 devices using BitLocker in equivalent configurations are not affected. Linux dual-boot machines using LUKS encryption are not affected. The bug is specific to the Windows 11 BitLocker code path that handles FsTx file processing in WinRE.
Who Cares About a Physical Attack? A Lot of People, Actually
"Physical access means game over" is a comforting maxim for cloud-first security teams. It does not survive contact with the way laptops actually move through the world. A few populations for whom physical access is the working threat model:
- Journalists crossing borders. Border officials in the United States, United Kingdom, and most G20 nations can detain a device while the owner is questioned. YellowKey lets an officer with a USB drive read a journalist's source list in 90 seconds.
- Domestic violence survivors. Abusers routinely have physical access to a partner's devices. YellowKey hands them whatever the partner had hoped was encrypted.
- Executives traveling to high-risk jurisdictions. Hotel rooms in Beijing, Moscow, and Dubai are extensively documented as collection environments. A laptop left in a safe is not safe from a 90-second YellowKey.
- Anyone whose laptop gets stolen. The hardware's resale value now comes bundled with the data's resale value; the disk is no longer simply wiped and resold blank.
For each of these populations, "your data is encrypted at rest" was the central security promise of switching to BitLocker. That promise depended on the assumption that the encryption could not be bypassed without the user's authentication. YellowKey nullifies the assumption until a patch ships.
The Disclosure Question
Nightmare Eclipse went public with the proof of concept before Microsoft had a patch. The standard line on this practice is that it forces vendors to move faster on bugs they would otherwise sit on. The counterargument is that everyone with a USB drive now has a working exploit. Both are true. In CVE-2026-45585's case, the proof of concept is public, the patch is not, and the gap is at least several weeks—Microsoft's monthly Patch Tuesday cadence is not flexible enough to ship an out-of-cycle BitLocker fix without significant testing.
What to Do This Week
- Check your BitLocker configuration. Open Settings → Privacy & Security → Device Encryption. If it says "On" without prompting for a PIN at boot, you are in TPM-only mode and exposed.
- Enable a startup PIN. Run manage-bde -protectors -add C: -tpmandpin from an elevated Command Prompt and choose a PIN you can remember.
- For organizations: push a Group Policy or Intune configuration profile. The 30-second PIN entry is a real productivity hit; the alternative is the bypass.
- Treat laptops as decrypted if they leave your physical custody. If your laptop spent the night in a hotel safe in a country you do not control, assume the disk has been read.
- Watch for the Microsoft patch. Apply within 24 hours of release. This is one of the few bugs where waiting for a patch window makes you measurably more exposed.
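An audit helper for the checklist above and for the advisory's three mitigations, added here as an example; it is not part of the article or of Microsoft's advisory. It assumes PowerShell 5.1 or later on Windows 11 with the BitLocker module (Get-BitLockerVolume) and an elevated session; the autofstx entry name is the one the article gives, while the registry path and protector type names are standard Windows values.

```powershell
# Added audit script, not from the advisory or the article. Assumes an elevated
# session on Windows 11 with the BitLocker module (Get-BitLockerVolume).
# 'autofstx' is the entry name the article gives; the registry path and the
# protector type names ('Tpm', 'TpmPin', 'TpmPinStartupKey') are standard Windows.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-YellowKeyExposure {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # OS volume, normally C:

    # Mitigations 2/3 check: a 'Tpm' protector with no PIN variant is TPM-only.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

    # Mitigation 1 check: BootExecute is a REG_MULTI_SZ; the default is 'autocheck autochk *'.
    $bootExec = @((Get-ItemProperty -Path $SessionManagerKey -Name BootExecute).BootExecute)
    $fstx     = @($bootExec | Where-Object { $_ -match 'autofstx' })

    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = [string]$vol.ProtectionStatus
        KeyProtectors     = $types -join ','
        TpmOnly           = $tpmOnly
        BootExecute       = $bootExec -join ' | '
        FsTxInBootExecute = ($fstx.Count -gt 0)
        # Exposed per the article: TPM-only protector, or the FsTx entry still present.
        Exposed           = $tpmOnly -or ($fstx.Count -gt 0)
    }
}

function Remove-FsTxBootExecuteEntry {
    # Mitigation 1: strip only the autofstx entry; keep autochk and anything else.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current = @((Get-ItemProperty -Path $SessionManagerKey -Name BootExecute).BootExecute)
    $kept    = @($current | Where-Object { $_ -notmatch 'autofstx' })
    if ($kept.Count -eq $current.Count) { Write-Verbose 'No autofstx entry present'; return }
    if ($PSCmdlet.ShouldProcess($SessionManagerKey, "Set BootExecute to: $($kept -join ' | ')")) {
        Set-ItemProperty -Path $SessionManagerKey -Name BootExecute -Value ([string[]]$kept) -Type MultiString
    }
}

# Usage: Get-YellowKeyExposure | Format-List
#        Remove-FsTxBootExecuteEntry -WhatIf    # preview first, then run without -WhatIf
# Moving to TPM+PIN remains a policy / manage-bde step, as described in the article.
```

Run the audit across a fleet with your remote-management tooling and collect the Exposed field; the -WhatIf preview shows exactly which BootExecute entries would remain before any registry change is made.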
Why This Matters for Email
A successful YellowKey attack on a corporate laptop reaches Outlook PST files, Microsoft Teams chat caches, browser session cookies, and every credential file that lives in the user profile. From there, mailbox access is trivial: paste the session cookie into a fresh browser and you are logged in to the user's Outlook Web Access or Gmail account without ever triggering an MFA prompt. For email purposes, encryption at rest on the laptop is what stands between an attacker and the user's entire correspondence history.
If a laptop with mailbox access goes missing, "It's encrypted with BitLocker" is no longer a satisfactory answer until Microsoft ships a fix for CVE-2026-45585 and that fix lands on the device.