Your Green Tick Is Not A Security Strategy: What YellowKey Tells You About BitLocker Defaults
BitLocker is on, so we’re fine.
Five days ago, that sentence became a confession.
On 12 May 2026, the day after Patch Tuesday, a researcher going by Chaotic Eclipse and Nightmare-Eclipse published working code for a Windows zero-day called YellowKey. It affects Windows 11, Windows Server 2022 and Windows Server 2025. It does not crack encryption. It does not break the maths. It tricks the Windows Recovery Environment into spawning a command shell with the BitLocker-protected drive already unlocked. Plug in a USB stick, hold a key combination, get the data.
Independent reproduction was confirmed within twenty-four hours by Kevin Beaumont, Will Dormann and others. Microsoft has acknowledged it is investigating. As of this morning, no patch, no CVE, no scope statement.
If your laptop security plan is “BitLocker is enabled, so we’re covered,” then no, you are not covered. You are hoping. With a dashboard. And hope with a dashboard is still hope.
What The Default Actually Buys You
Let’s be clear about what most small businesses have, because the answer is usually “we don’t know.”
Buy a Windows 11 business laptop. Switch it on. Sign in. BitLocker auto-enables. The drive is encrypted. The portal turns green. Everyone moves on.
What you have just deployed is BitLocker in TPM-only mode. The Trusted Platform Module, a small chip on the motherboard, checks the boot environment. If the machine looks the way it looked yesterday, it releases the secret that unlocks the drive. Windows starts. You get the login screen. No PIN. No friction. No annoyance.
Marvellous. Very seamless. Bloody convenient.
It protects against one specific attack. Someone removes the drive, plugs it into a different machine, tries to read it. That attack still does not work. The TPM is bolted to the original board. The keys do not travel with the disk.
YellowKey is not that attack. YellowKey has the whole device. The TPM is still there. The motherboard is still the motherboard. The attacker is not smashing the vault door. They are persuading the vault to open because it recognises its own lobby.
That distinction is the entire story, and the industry has been quietly avoiding it for years.
The NCSC Said This. Years Ago.
Here is the bit that should make a few procurement teams uncomfortable.
The National Cyber Security Centre’s Windows device security guidance has, for as long as I can remember, recommended “BitLocker encryption settings to prevent data extraction using physical attacks. Using a TPM with PIN and Full Disk Encryption is recommended.” Not optional. Recommended. As a control against physical attacks.
Microsoft’s own BitLocker countermeasures documentation explains why. TPM with PIN provides preboot authentication, which means the encryption keys are not even loaded into memory until the user has authenticated. The same document specifies that BitLocker with a TPM only mode “trusts the integrity check provided by the TPM” to release the keys, and that “preboot authentication and DMA policies provide extra protection for BitLocker.”
So this is not the NCSC being clever after the event. This is published advice that has been sitting there in plain English, ignored by organisations who decided convenience was a strategy and that the procurement team had bigger battles to fight than asking users to type six digits at boot.
The actual conversation in most companies went something like this. IT says “we should enable TPM plus PIN.” Operations says “users will complain.” Procurement says “the standard build is fine.” A consultant says “the box is ticked, you have BitLocker.” Everyone moves on. The risk register stays green.
And then a researcher drops working exploit code on a Tuesday, and that risk register turns out to have been a sticker over a hole.
Physical Access Is Not Spy Film Nonsense
The first defensive move from the comment section is going to be “the attacker needs physical access, so this is not realistic.” That is wrong, lazy, and corporate backside covering with a meeting invite.
In the real world, “physical access” has a specific name. A stolen laptop.
A finance director’s laptop left in a taxi after a long client dinner. An HR manager’s bag taken from a car at a service station. A solicitor’s device left in a hotel meeting room. A field engineer’s machine lifted from a van. Small businesses lose laptops constantly. The Information Commissioner’s Office sees a steady stream of reports about exactly these incidents, because UK GDPR requires you to notify when a device is lost and the data might be at risk.
The ICO is unambiguous on encryption: it is “especially effective in protecting the information from unauthorised access if the device you use to store the encrypted data is lost or stolen.” That is the entire reason most organisations enable BitLocker in the first place. It is the answer they want to give the regulator. “The data was encrypted. There is no notifiable breach.”
YellowKey changes the calculus for a stolen Windows 11 laptop running default BitLocker. The honest answer is no longer “the data was encrypted, end of conversation.” The honest answer is now “the data was encrypted, in a mode that is publicly known to be defeatable with a USB stick on the original hardware, and we cannot rule out that the device was in attacker hands long enough for that to be tried.”
Try that one on your insurer.
The Backdoor Claim, And Why It Does Not Change The Day Job
The researcher has publicly speculated that YellowKey looks deliberate. They have pointed at the affected component, noted that it is present in WinRE with the abusable behaviour but absent or different in normal Windows installations, and concluded that it cannot easily be explained except as intent. They have credited internal Microsoft groups by name. That is a serious claim.
We are not stating it as fact. We are not doing conspiracy karaoke. The honest position is the boring one. Maybe it is deliberate. Maybe it is a horrible legacy mistake. Maybe Transactional NTFS, a feature Microsoft has said for years it is considering deprecating, ended up in a recovery path that nobody properly threat modelled. Maybe the truth is messier than either side wants it to be.
We do not know, so we say we do not know.
What is not in dispute is that the public proof of concept works, that it has been reproduced by multiple independent researchers, and that the operational risk to a stolen laptop running default BitLocker is now materially higher than it was a week ago. Internet arguments about motives are not a risk treatment plan. They are noise with avatars.
Controls are for now. Controls are not waiting for Microsoft to publish a thoughtful blog post.
Compliance Theatre Has A New Stain
The other thing YellowKey exposes is the green tick problem, and this one is genuinely my fault, your fault, everyone’s fault.
Open Intune. Look at the BitLocker compliance status. It says “compliant.” That is a binary. It does not say “compliant, in TPM-only mode, which is the convenience default and not the configuration the NCSC actually recommends.” It says yes or no. Auditors love yes or no. Boards love yes or no. Regulators initially love yes or no until the moment a breach lands on their desk and the answer is no longer adequate.
Cyber Essentials, the certification scheme the UK government uses as a baseline for procurement, requires “Secure configuration” of devices and encryption where appropriate. It does not, as far as any current published self-assessment workbook makes clear, demand TPM plus PIN. So you can hold a Cyber Essentials Plus certificate, your entire fleet on TPM-only BitLocker, and be exposed to a public, reproduced, unpatched bypass that defeats your encryption posture for stolen laptops.
That is not Cyber Essentials being broken. That is the gap between a baseline certification and a real risk posture. The certificate proves you passed a defined test on a defined day. It does not prove your assurance is current.
The right response is not to throw out the certification. The right response is to stop treating it as evidence of anything more than what it is. A floor, not a ceiling. A starting line, not a finish line. A useful conversation with procurement, not a substitute for the actual conversation about what you are protecting and how.
If a vendor or a consultant looks you in the eye and says “you are encrypted, you are fine,” ask them what configuration. Ask them whether they have run the protector inventory. Ask them whether the firmware is locked and the recovery keys are escrowed. If they cannot answer in five minutes, they are selling you comfort, not assurance.
How to Turn This Into a Competitive Advantage
There is a real edge available to any business that takes the next two weeks seriously.
Defensible assurance. Most of your competitors will do nothing. They will read a headline, decide it sounds technical, and move on. The first business in your sector that can answer “yes, we have audited the BitLocker protector state across our fleet, moved high-risk devices to TPM plus PIN, locked the firmware, and tested recovery key escrow” has a genuinely defensible position. That answer is gold in client due diligence questionnaires, insurance applications, and supplier audits. It says you treat security as a posture, not a screenshot.
A better answer to the regulator. A defensible answer to “is your encryption fit for purpose” is a competitive moat in regulated sectors. Legal, financial services, healthcare suppliers, anyone holding sensitive customer data: clients are increasingly asking these questions and most suppliers cannot answer them. Be the one that can.
A grown-up incident response. When the next laptop goes missing, the business that can produce a five minute response, “device X, protector state Y, recovery keys escrowed in Entra ID, firmware locked, boot from USB disabled, low likelihood of data extraction,” wins the moment. The one that says “we think it had BitLocker” loses it.
How To Sell This To Your Board
If you need to make the case for an unbudgeted security review this quarter, here are the arguments that actually land.
Notification risk. UK GDPR requires personal data breach notification to the ICO within 72 hours where the breach is “likely to result in a risk to the rights and freedoms of natural persons.” A laptop that was encrypted in a mode now publicly known to be bypassable has a worse legal position than one encrypted in a mode that is not. The board needs to understand that the encryption status of a lost laptop is no longer a binary.
Insurance position. Cyber insurance underwriting has hardened. Insurers are denying claims more aggressively where security hygiene was demonstrably inadequate. “Default encryption” against a known, public, unpatched bypass is the kind of detail that will end up in a denial letter.
Reputational asymmetry. A breach announcement that says “the device was encrypted with the NCSC-recommended preboot authentication” lands very differently from one that says “the device was encrypted with the default vendor setting.” Same data, very different story.
Cost of action versus cost of inaction. Enabling TPM plus PIN across a fleet of fifty Windows 11 laptops is a project of weeks, not months, and largely a Group Policy and user communication exercise. The cost is helpdesk hours and user grumbling. The cost of a notifiable breach is the regulator response, the insurance position, the client conversations, the legal advice, and the brand. The asymmetry is enormous and obvious.
What This Means For Your Business
Here is the practical agenda for the next fortnight. None of it requires a vendor. None of it requires a six figure project. It requires a couple of evenings, a willing IT lead, and a board that is prepared to ask one specific question.
- Inventory your BitLocker protector state. Do not guess. Use manage-bde -status or your management platform’s BitLocker reporting to get the actual configuration. You need to know which machines are TPM-only, which are TPM plus PIN, and which are something else.
- Prioritise by risk class. Directors, finance, HR, legal, sales, field staff and anyone who travels. Devices with sensitive data cached locally. Anything that has ever left a building.
- Move high-risk devices to TPM plus PIN. The Group Policy path is Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup. Set “Configure TPM startup PIN” to “Require startup PIN with TPM.” Apply the protector with manage-bde -protectors -add c: -tpmandpin. You do not need to decrypt and re-encrypt the drive.
- Lock the firmware. Set BIOS or UEFI passwords. Disable boot from external media where the business model allows. Control boot order changes. This is the second half of the defence; without it, TPM plus PIN does less than it should.
- Verify recovery key escrow. Make sure recovery keys are escrowed in Microsoft Entra ID, Active Directory, or your endpoint management platform. Test the recovery process for at least one device per class. Lose your recovery keys and you have invented ransomware with your own logo on it.
- Update your lost-device playbook. The first hour after a device goes missing should produce a documented protector state, a confirmed recovery key location, and a regulatory exposure assessment. If that information is not available in under sixty minutes, your playbook is wallpaper.
- Watch Microsoft. The 2022 BitLocker bypass tied to WinRE, CVE-2022-41099, required a separate update to the recovery partition itself, not just a normal cumulative patch. If Microsoft follows the same pattern for YellowKey, applying the fix will be a project, not a click. Have your endpoint team ready.
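As an added example (not code from the article or from Microsoft), here is a PowerShell audit that turns the inventory and escrow steps above into a per-device report, using the built-in BitLocker module cmdlets Get-BitLockerVolume and BackupToAAD-BitLockerKeyProtector. The function names and the Mode/Risk labels are my own; it assumes an elevated prompt on a Windows 11 or Server 2022+ device.

```powershell
# Added example, not from the article: classify the OS volume's BitLocker
# protector state so a fleet report separates TPM-only (the convenience default)
# from TPM plus PIN (preboot authentication). Requires the BitLocker module and
# an elevated prompt. Function names and the Mode/Risk labels are assumptions.

function Get-BitLockerPostureReport {
    param([string]$MountPoint = $env:SystemDrive)   # normally C:

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $hasTpmOnly  = $types -contains 'Tpm'
    $hasPreboot  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $hasRecovery = $types -contains 'RecoveryPassword'

    $mode = if ($hasPreboot)                        { 'TPM+PIN' }
            elseif ($hasTpmOnly)                    { 'TPM-only' }
            elseif ($vol.ProtectionStatus -eq 'On') { 'Other' }
            else                                    { 'NotProtected' }

    # TPM-only and unprotected devices go to the top of the remediation list;
    # a missing recovery password means escrow cannot have happened.
    $risk = if (($mode -in 'TPM-only', 'NotProtected') -or (-not $hasRecovery)) { 'High' } else { 'Lower' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        Mode             = $mode
        Protectors       = ($types -join ',')
        RecoveryPassword = $hasRecovery
        Risk             = $risk
    }
}

# Escrow every recovery password protector to Entra ID (the article's escrow step).
# Returns the number of protectors backed up; 0 means there is nothing to escrow yet.
function Backup-RecoveryPasswordToEntra {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    foreach ($rp in $rps) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }
    return $rps.Count
}

Get-BitLockerPostureReport | Format-List
```

Run it across a fleet from a management host with Invoke-Command -ComputerName (your device list) -ScriptBlock ${function:Get-BitLockerPostureReport} and sort on the Risk column; the High rows are the candidates for the manage-bde -tpmandpin step above.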
That is the plan. It is not glamorous. It will not feature in anyone’s vendor keynote. It will however give you a defensible answer the next time a laptop disappears, and that is the only metric that matters.
Stop worshipping the green tick. Stop assuming default settings match your risk. And stop pretending physical access only matters in spy films.
When the laptop goes missing, you do not get to rewrite the policy. You get to live with the one you had.
Related reading on this site:
- Stolen Credentials Are the New Normal
- Cyber Insurance Claims Are Being Denied And It’s Your Fault
- You’ve Got a Flood Plan, But No Cyber Plan?