Mitigate YellowKey Exploit – CVE-2026-45585 – Using Intune

14/06/26 – Update: installing the June 2026 updates now “protects” you from the YellowKey vulnerability, at least to the point where the remediation scripts (mine or Microsoft’s) are no longer required. Read my post on the June patch release for further information.

On the 19th of May, Microsoft released a mitigation guide for the Windows BitLocker Security Feature Bypass Vulnerability, dubbed YellowKey.

YellowKey (CVE-2026-45585) is a Windows BitLocker bypass vulnerability that abuses the Windows Recovery Environment (WinRE) to give an attacker with physical access to the device unauthorised access to its encrypted drives, potentially defeating the default TPM-only BitLocker protector. Note: physical device access is required.

Originally the Microsoft article included a series of manual steps that needed to be performed locally on each device. I haven’t administered devices physically, locally or on a 1:1 basis like that for years, so I immediately set about creating a remediation script for deployment via Intune. I love remediation scripts, because by throwing down a Detection script you can gather data for reporting purposes, in bulk.

In this instance, a detection script that follows the checks in the MS article is, on its own, a good way to identify the devices impacted by the vulnerability. Once you have identified your targets you have established your scope and device count, and you can then fire out a remediation action too, if required.

I spent a good few hours on Wednesday evening playing with this and creating a Detection and Remediation combination, and I’ll not lie, I had AI troubleshoot and resolve an issue I was having with the script timing out during the mount process… I then woke on Thursday to find Microsoft had published their own script. I should have known better. But this is not a race, nor is it a competition. It’s about ensuring the mitigation reaches as many people as possible, in the quickest time possible, to lessen the impact/risk. Also, as with all of this, the evening spent creating the scripts was a very good educational piece on my part. So all was not lost. [14/06, links removed as resolved with June 2026 patch release]

Detection Script: ../CVE-2026-45585/Detect-CVE-2026-45585.ps1

Remediation Script: ../CVE-2026-45585/Remediation-CVE-2026-45585.ps1

As should always be the case, a detection script is a tyre kick/a poke/an investigation/a WhatIf. Start by running the Detection script manually on a test device. Understand the outputs and check the logs (which write to the IntuneManagementExtension log directory). Perhaps then run the Remediation script. Verify it works in your environment, and start with a small-scale deployment once you’re happy. All scripts are supplied “as-is” and without warranty, so caveat emptor.

Enabling the Pre-remediation detection output column in the Intune console should give you a friendly one-line message per device (whatever the detection script writes to standard output), without needing to poke around exporting data or retrieving it by other means.

It’s worth adding that, at this moment in time, the mitigation involves tweaking the WinRE image to block the access path. It is not a complete fix for the problem, so Microsoft now recommend using pre-boot authentication such as a PIN. Which raises the old question of TPM‑Only vs TPM+PIN: Which is right? (an article that pre-dates all of this, and probably needs revisiting now).
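To make the detect-then-remediate workflow concrete, here is an added example script, written for this page and not the Detect/Remediation scripts linked above nor Microsoft’s. It walks the seven manual steps listed later in the comments (verify WinRE is enabled, mount the image, load the offline SYSTEM hive, read BootExecute and remove autofstx.exe, unload, unmount, then disable/re-enable WinRE) and uses Intune’s exit-code convention (0 = compliant, 1 = issue found). The mount path, temporary hive name and log file path are assumptions, not values from the post.

```powershell
<#
  Added example (not the author's published Detect/Remediation scripts).
  Walks the seven manual steps the post lists: check WinRE is enabled, mount the
  WinRE image, load its offline SYSTEM hive, read BootExecute and drop any
  autofstx.exe entry, unload the hive, unmount (commit only when remediating),
  then disable/re-enable WinRE so BitLocker re-seals the boot chain.
  Assumed, not from the post: mount path, temporary hive name, log file path.
  Exit 0 = compliant/remediated, exit 1 = entry found (Intune "issue detected").
#>
[CmdletBinding()]
param(
    [switch]$Remediate,                 # default is detect-only; nothing is committed
    [string]$MountPath = 'C:\WinREMount',
    [string]$HiveName  = 'WinRE_SYSTEM',
    [string]$LogFile   = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\CVE-2026-45585.log"
)
$ErrorActionPreference = 'Stop'
$Target = 'autofstx.exe'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile -ErrorAction SilentlyContinue
}

# Run a native tool, capturing exit code and both streams without stderr
# tripping $ErrorActionPreference. Cmdlets and property access only, so it
# also runs under Constrained Language Mode (the WDAC case in the comments).
function Invoke-Native([string]$FilePath, [string]$ArgumentList) {
    $out = Join-Path $env:TEMP "native-$PID.out"
    $err = Join-Path $env:TEMP "native-$PID.err"
    $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow `
        -RedirectStandardOutput $out -RedirectStandardError $err
    $stdout = (Get-Content $out -ErrorAction SilentlyContinue) -join "`n"
    $stderr = (Get-Content $err -ErrorAction SilentlyContinue) -join "`n"
    Remove-Item $out, $err -ErrorAction SilentlyContinue
    if ($p.ExitCode -ne 0) {
        throw "$(Split-Path $FilePath -Leaf) $ArgumentList failed with exit code $($p.ExitCode). STDERR: $stderr"
    }
    return $stdout
}

# reg.exe prints REG_MULTI_SZ entries separated by a literal "\0"; using reg.exe
# rather than the registry provider avoids leaving handles open on the hive.
function Get-BootExecute([string]$KeyPath) {
    $text = Invoke-Native $RegExe "query `"$KeyPath`" /v BootExecute"
    if ($text -notmatch '(?m)^\s*BootExecute\s+REG_MULTI_SZ\s+(.*)$') { throw "No BootExecute value under $KeyPath" }
    return @(($Matches[1] -replace '\s+$', '') -split '\\0' | Where-Object { $_ -ne '' })
}

# Intune runs scripts in 32-bit PowerShell unless "Run script in 64-bit PowerShell"
# is set; reach the 64-bit reagentc.exe through Sysnative in that case.
$ReagentC = if ($env:PROCESSOR_ARCHITEW6432) { "$env:SystemRoot\Sysnative\reagentc.exe" } else { "$env:SystemRoot\System32\reagentc.exe" }
$RegExe   = "$env:SystemRoot\System32\reg.exe"
$mounted = $false; $loaded = $false; $committable = $false; $bad = @()
try {
    # Step 1: WinRE must be enabled (the status line is localised on non-English builds).
    $info = Invoke-Native $ReagentC '/info'
    if ($info -notmatch 'Windows RE status:\s+Enabled') { throw "WinRE is not enabled:`n$info" }

    # Step 2: mount the WinRE image into an empty directory.
    if (-not (Test-Path $MountPath)) { New-Item -Path $MountPath -ItemType Directory | Out-Null }
    if (Get-ChildItem -Path $MountPath -Force) { throw "$MountPath is not empty; refusing to mount over it" }
    Invoke-Native $ReagentC "/mountre /path `"$MountPath`"" | Out-Null
    $mounted = $true

    # Step 3: load the image's offline SYSTEM hive under a temporary key.
    Invoke-Native $RegExe "load HKLM\$HiveName `"$MountPath\Windows\System32\config\SYSTEM`"" | Out-Null
    $loaded = $true

    # Step 4: find the active control set in that hive, then read BootExecute.
    $sel = Invoke-Native $RegExe "query HKLM\$HiveName\Select /v Current"
    if ($sel -notmatch 'REG_DWORD\s+(0x[0-9a-fA-F]+)') { throw "Cannot read Select\Current from the offline hive" }
    $smKey   = "HKLM\$HiveName\ControlSet{0:D3}\Control\Session Manager" -f [int]$Matches[1]
    $entries = Get-BootExecute $smKey
    Write-Log "BootExecute in WinRE = $($entries -join ' | ')"
    $bad = @($entries | Where-Object { $_ -like "*$Target*" })

    if ($bad.Count -gt 0 -and $Remediate) {
        $clean = @($entries | Where-Object { $_ -notlike "*$Target*" })
        Invoke-Native $RegExe "add `"$smKey`" /v BootExecute /t REG_MULTI_SZ /d `"$($clean -join '\0')`" /f" | Out-Null
        Write-Log "Removed from BootExecute: $($bad -join ' | ')"
        $committable = $true
    }
}
finally {
    # Steps 5 and 6: always unload and unmount; commit only a completed remediation.
    if ($loaded)  { Invoke-Native $RegExe "unload HKLM\$HiveName" | Out-Null }
    if ($mounted) {
        $mode = if ($committable) { '/commit' } else { '/discard' }
        Invoke-Native $ReagentC "/unmountre /path `"$MountPath`" $mode" | Out-Null
    }
}

if ($committable) {
    # Step 7: disable and re-enable WinRE so the changed image is re-registered and BitLocker re-seals.
    Invoke-Native $ReagentC '/disable' | Out-Null
    Invoke-Native $ReagentC '/enable'  | Out-Null
    Write-Output "Remediated: removed $Target from WinRE BootExecute"; exit 0
}
if ($bad.Count -gt 0) { Write-Output "Vulnerable: $Target in WinRE BootExecute ($($bad -join '; '))"; exit 1 }
Write-Output "Compliant: $Target not in WinRE BootExecute"; exit 0
```

Intune does not pass parameters to remediation scripts, so upload one copy as-is for detection and a second copy with the default changed to `[switch]$Remediate = $true` for remediation. Run the detection copy by hand first and confirm the one-line `Compliant:`/`Vulnerable:` output is what you want to see in the pre-remediation column; only that line and the exit code reach the console. If reagentc fails at any step, the script unmounts with `/discard`, so a failed run never leaves a half-edited image behind.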


11 responses to “Mitigate YellowKey Exploit – CVE-2026-45585 – Using Intune”

  1. Michel Wijnstekers

    Hi, I tested your detection and remediation script, but on my test devices I get “Recurred”. Any idea what the issue is, or how or what to check?

    1. James

      Hi Michel, Thanks for the comment.

      What happens if you manually run the Detection Script on the device? What does the PowerShell console give you?

      I did tweak the logging details shortly after posting, I’ve just updated the Detection Script to this newer version. See if that helps?

  2. Michel Wijnstekers

    James,
    Super, it works great now. Thanks for this.

  3. Mike

    Hi James,

    Thanks for sharing this.

    Just to let you know, the pre remediation output provides this for devices with App Control for Business turned on:

    C:\Windows\IMECache\HealthScripts\f8794f9c-e9db-4c9e-bd64-aa9ed98638b7_2\detect.ps1 : Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the ‘.’ operator. + CategoryInfo : InvalidOperation: (:) [detect.ps1], NotSupportedException + FullyQualifiedErrorId : DotSourceNotSupported,detect.ps1

    I had a quick look online in regard to the different language mode and the search results referenced App Control for Business which sounds correct on the basis the scripts work in one tenant without App Control for Business but fail with the above in another tenant with App Control turned on.

    I’m just trying to get the logs to see what I require to allow in a supplemental policy.

    Kind regards

    1. James

      Nice find, I guess it’ll be the Constrained Language Mode imposed by WDAC. I’ve reworked some bits that might improve compatibility with CLM. It’s completely untested however; https://github.com/jamesvincent/Intune/blob/main/CVE-2026-45585/Detect-CVE-2026-45585-CLM.ps1

      Detection only for now, to see how it goes.

      1. Mike

        Thanks for your prompt reply and creating a new script.

        Error is now

        Detection failed: You cannot call a method on a null-valued expression.

        1. James

          Made a small tweak, but again, untested in a WDAC environment. Script does run for me, however.

  4. Cray Cook

    Hi James.

    I was testing this and was able to run detect and remediate but some of those remediated are now returning the error below. On my own computer, I was able to run the remediation script directly earlier this week but today, it returned the same error as below. There was a Windows Update that ran yesterday though and wondered if that update contained Microsoft’s fix for this CVE.

    REAGENTC.EXE: Operation failed: c142011c

    REAGENTC.EXE: An error has occurred.

    Detection failed: reagentc.exe failed with exit code -1052638937. STDERR: REAGENTC.EXE: Operation failed: c1420127

    1. James

      Take Intune/the script(s) out of the scene. What happens if you perform the actions manually on a device…

      1. Cray Cook

        Running detection now gives me this:
        REAGENTC.EXE: Operation failed: c142011c

        REAGENTC.EXE: An error has occurred.

        Detection failed: reagentc.exe failed with exit code -1052638937. STDERR: REAGENTC.EXE: Operation failed: c1420127

        Running remediation gives me this:
        Remediation failed: reagentc.exe failed with exit code -1052638937

        1. James

          What do you get if you run “reagentc /info” on one of the error’ing devices?

          Take Intune/the script(s) out of the scene. What happens if you perform the actions manually on a device…

          1. Verify WinRE is enabled
          2. Mount the WinRE image via reagentc
          3. Load the offline SYSTEM registry hive
          4. Read BootExecute and remove autofstx.exe if present
          5. Unload the offline hive
          6. Unmount the WinRE image with commit
          7. Disable and re-enable WinRE to re-seal BitLocker trust chain

          Where do you get to? Where does it fail?
