
Your Laptop Is Encrypted. A New Windows Exploit Can Unlock It Anyway.

A new unpatched Windows exploit bypasses BitLocker with physical access. Here's what Louisville and Southern Indiana SMBs should do now.

If your business uses Windows laptops — and most businesses in Louisville and Southern Indiana do — you've probably heard that BitLocker protects your data if a device is lost or stolen. Turn on BitLocker, and anyone who grabs your laptop is locked out. That's the promise.

A security researcher just proved that promise has a hole in it.

A new unpatched exploit called YellowKey can bypass BitLocker on Windows 11 and Windows Server systems — no password required, no special software needed. A proof-of-concept has been publicly released, which means it's not theoretical. Anyone motivated enough can pick up this technique today.

Here's what small and mid-sized business owners need to understand — and what to do about it.

What the YellowKey Exploit Actually Does

The attack works like this: an attacker plugs a specially crafted USB drive into your device, reboots it, and enters the Windows Recovery Environment. From there, the exploit triggers a command shell that gains unrestricted access to your storage volume — while BitLocker's protection is effectively bypassed.

No brute force. No cracking encryption keys. The attack works around BitLocker entirely.

The critical detail: this requires physical access to the device. An attacker can't do this remotely over the internet. They need to physically have your laptop, desktop, or server in front of them.

That might sound reassuring. It shouldn't be.

Physical Access Is More Common Than You Think

Think about how many devices leave your office. Laptops go home with employees, travel to client meetings, get left in cars. A device doesn't need to be stolen long-term to be compromised — a few minutes of physical access is enough.

Now think about your office itself. Visitors come through. Contractors work on-site. There are moments every day when devices are unattended.

The same week this exploit was released, the FBI issued a separate warning about criminals physically entering law firm offices — posing as IT staff — to copy data from devices onto USB drives. Physical access as an attack vector is not hypothetical. It's happening.

Who Is Affected

If your business uses any of the following, this affects you:

  • Windows 11 on any device
  • Windows Server 2022 or 2025
  • BitLocker in its default TPM-only configuration

That last point matters. Most businesses that use BitLocker at all are using it in the default TPM-only mode — because that's the easiest way to set it up. That's exactly the configuration this exploit targets.

What You Can Do Right Now

There's no patch from Microsoft yet. But there are concrete steps that close or significantly narrow this exposure.

Add a BitLocker PIN. The exploit targets TPM-only BitLocker. If your devices require a PIN at boot — in addition to the TPM chip — the attack fails. The PIN adds a second factor that can't be bypassed with this technique. Enabling this requires a group policy change and a quick rollout to your devices.

Set a BIOS/UEFI password. This prevents an attacker from changing the boot order to enter the recovery environment in the first place. It's a simple setting, and it adds meaningful friction.

Control physical access. Review who has access to devices and when. Devices shouldn't be left unattended in shared spaces. Traveling employees should treat their laptops like they'd treat a wallet — because that's effectively what they are.

Know what's actually protected. Most businesses assume their IT security is in better shape than it is. BitLocker being "on" is not the same as BitLocker being configured correctly. If you don't know exactly how your devices are set up, you don't know what's protected.
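The four steps above boil down to two questions an administrator can ask a machine directly: which key protectors does the OS volume actually have, and does policy permit adding a startup PIN? The PowerShell below is an added example, not code from the article or from Blackbird IT Solutions. It uses the BitLocker cmdlets that ship with Windows 11 and Windows Server (Get-BitLockerVolume, Add-BitLockerKeyProtector) and the registry values written by the "Require additional authentication at startup" group policy. The function names Get-BitLockerPosture, Test-TpmPinPolicy and Add-BitLockerStartupPin are mine; the posture labels are constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Audits the operating-system
# volume's BitLocker key protectors to tell "TPM-only" from "TPM + PIN", checks
# whether policy allows a startup PIN, and adds one. Uses the built-in
# BitLocker module; run from an elevated prompt on Windows 11 / Server.

function Get-BitLockerPosture {
    # Protector types that demand something from the user at boot. A volume whose
    # only TPM-based protector is plain 'Tpm' unlocks with no user factor at all.
    $secondFactorTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasSecondFactor = @($types | Where-Object { $secondFactorTypes -contains $_ }).Count -gt 0

        if ($hasSecondFactor)           { $posture = 'TpmPlusSecondFactor' }
        elseif ($types -contains 'Tpm') { $posture = 'TpmOnly' }          # the default the article calls out
        else                            { $posture = 'NoTpmProtector' }   # e.g. recovery password only, or not encrypted

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            MountPoint    = $vol.MountPoint
            ProtectionOn  = ($vol.ProtectionStatus -eq 'On')   # 'Off' means suspended or never enabled
            EncryptionPct = $vol.EncryptionPercentage
            Protectors    = ($types -join ', ')
            Posture       = $posture
        }
    }
}

function Test-TpmPinPolicy {
    # Registry values written by the GPO "Require additional authentication at startup"
    # (Computer Configuration > Administrative Templates > Windows Components >
    # BitLocker Drive Encryption > Operating System Drives).
    # UseTPMPIN: 0 = do not allow a PIN, 1 = require a PIN, 2 = allow a PIN.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return ($null -ne $fve -and $fve.UseAdvancedStartup -eq 1 -and $fve.UseTPMPIN -in @(1, 2))
}

function Add-BitLockerStartupPin {
    param(
        [Parameter(Mandatory)][securestring]$Pin,   # digits; length must meet the policy minimum
        [string]$MountPoint = $env:SystemDrive      # "C:" on a standard install
    )
    # Without the policy, BitLocker refuses to create a TPM+PIN protector, so
    # fail early with a message that points at the real fix (deploy the GPO).
    if (-not (Test-TpmPinPolicy)) {
        throw 'Policy does not permit a startup PIN on this device; deploy the GPO first.'
    }
    # A volume keeps one TPM-based protector, so this replaces the TPM-only one.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # Re-audit so the change is verified rather than assumed; Posture should
    # now read TpmPlusSecondFactor and 'Tpm' should no longer appear alone.
    Get-BitLockerPosture | Where-Object { $_.MountPoint -eq $MountPoint }
}

# Step 1: see where this machine stands.
Get-BitLockerPosture | Format-Table -AutoSize

# Step 2 (run deliberately, after the policy is in place):
#   $pin = Read-Host -AsSecureString 'Startup PIN'
#   Add-BitLockerStartupPin -Pin $pin
```

Run the audit across a fleet with `Invoke-Command -ComputerName <list> -ScriptBlock ${function:Get-BitLockerPosture}` or through whatever RMM or Intune script channel you already use, and keep the output: a row reading `TpmOnly` is a device still in the exposed default, and a row with `ProtectionOn = False` is a device where BitLocker is "on" in name only. The BIOS/UEFI password from the steps above is not visible to Windows and has to be checked and set through the firmware or the vendor's management tooling.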

The Bigger Picture

This exploit is a good reminder that encryption is not a set-it-and-forget-it control. The configuration matters. How it's deployed matters. Whether employees understand physical security matters.

BitLocker is still worth using — it's not broken across the board. But the default configuration has a meaningful gap, and right now there's no patch coming from Microsoft to close it. That makes it your problem to address.

For a business running 20 or 50 devices, making these changes consistently — and verifying they actually took effect — is not a small lift. It's exactly the kind of thing that falls through the cracks when IT is handled reactively.

Find Out Where You Stand

Not sure how your Windows devices are configured? The fastest way to get a clear picture of your Microsoft environment — including how your devices and data are protected — is a free automated M365 Security Assessment.

It takes about ten minutes and gives you a straightforward readout of what's configured correctly, what isn't, and where your biggest exposures are.

Run yours at audit.blackbirditsolutions.com.