A zero-day vulnerability named YellowKey allows attackers with physical access to Windows 11 devices to bypass default BitLocker encryption protections based on TPM-only configurations. This exploit undermines a core enterprise security control that is mandated in many organizations, including government contractors.
- Exploits default TPM-only BitLocker encryption on Windows 11
- Leverages transactional NTFS behavior to bypass recovery key prompts
- Highlights need for PIN protection and BIOS-level defenses
Threat signal
The YellowKey exploit introduces a critical risk vector to Windows 11’s default BitLocker encryption, which relies solely on a Trusted Platform Module (TPM) for key storage. By leveraging an obscure Windows filesystem feature known as transactional NTFS, the exploit subverts standard recovery mechanisms, allowing attackers to access encrypted data without the need for a recovery key.
This vulnerability is significant because BitLocker is widely adopted to protect sensitive data across enterprise and government environments. The ability to bypass it within a short physical-access window challenges assumptions about the sufficiency of TPM-only configurations and calls into question the protection that lost or stolen devices are assumed to have.
Operator exposure
Organizations using Windows 11 with default BitLocker settings are exposed to rapid decryption attacks if a device is physically accessed by an attacker. The exploit’s ability to manipulate system volumes across drives without authentication means sensitive data can be copied, modified, or deleted with minimal effort.
This exposure underscores a broader risk posture issue for enterprises relying on TPM-only protections without secondary authentication factors, such as PINs or passwords. Moreover, BIOS or firmware password locks can mitigate unauthorized boot or restart maneuvers that facilitate this attack, highlighting the need for layered defenses.
What teams should watch
Security and IT operations teams should urgently review BitLocker configurations to ensure multi-factor protections are enabled, such as requiring PINs before TPM key release. Additionally, implementing BIOS or firmware-level password protections can prevent unauthorized restarts or boot manipulations that trigger the exploit.
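As an added example (not part of the original report), the following PowerShell audits the TPM-only configuration the article describes and shows how a TPM+PIN protector can be added. It uses the standard BitLocker module cmdlets and assumes an elevated session and a policy that permits a startup PIN; the function names are my own.

```powershell
# Added audit helper (not from the article): flag OS volumes whose pre-boot
# protector is the bare TPM, i.e. the default configuration YellowKey targets.
# Requires the BitLocker module (Windows 10/11) and an elevated prompt.

function Get-TpmOnlyBitLockerVolumes {
    # Protector types that demand a second factor before the TPM releases the key
    $secondFactor = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'TpmNetworkKey')

    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
            $hasSecondFactor = @($types | Where-Object { $secondFactor -contains $_ }).Count -gt 0
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                # TPM-only: a Tpm protector is present and no second-factor protector exists
                TpmOnly          = ($types -contains 'Tpm') -and -not $hasSecondFactor
            }
        }
}

function Add-TpmPinProtector {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    # Fails unless Group Policy ("Require additional authentication at startup")
    # allows or requires a startup PIN, so set that policy first.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Remove any leftover bare Tpm protector so the PIN is actually enforced at boot.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

# Usage: report TPM-only OS volumes. Before remediating, confirm a recovery
# password is escrowed (AD DS, Entra ID or Intune) so a forgotten PIN is recoverable.
$tpmOnly = Get-TpmOnlyBitLockerVolumes | Where-Object TpmOnly
$tpmOnly | Format-Table MountPoint, ProtectionStatus, Protectors
# foreach ($v in $tpmOnly) { Add-TpmPinProtector -MountPoint $v.MountPoint -Pin (Read-Host -AsSecureString 'New PIN') }
```

Run the audit across a fleet via your management tooling to find volumes that still rely on the TPM alone; the remediation line is left commented out so it is only executed deliberately.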
Teams should monitor Microsoft’s ongoing investigation for patches addressing this vulnerability and plan for rapid deployment. Beyond responding to this specific exploit, organizations should reassess assumptions about hardware-backed security measures and explore complementary controls to preserve data confidentiality on endpoints.