Mitigate YellowKey Exploit – CVE-2026-45585 – Using Intune

On the 19th of May, Microsoft released a mitigation guide for the Windows BitLocker Security Feature Bypass Vulnerability, dubbed YellowKey.

YellowKey (CVE-2026-45585) is a Windows BitLocker bypass vulnerability that abuses the Windows Recovery Environment (WinRE) to grant an attacker with physical access unauthorised access to encrypted drives, potentially defeating default TPM-only BitLocker protections. Note: physical device access is required.

Originally, the Microsoft article included a series of manual steps that needed to be performed locally on each device. I personally haven’t administered physically, locally or on a 1:1 basis like this for years, so I immediately set about creating a remediation script for deployment via Intune. I love remediation scripts, because by throwing down a Detection script you can gather data for reporting purposes – in bulk.

In this instance, following the guidance of the MS article, a detection script alone would be a good way to identify those impacted by the vulnerability. Once you identify your targets, you not only establish your scope and device count, but you can then fire out a remediation action too – if required.

I spent a good few hours on Wednesday evening playing with this and creating a Detection and Remediation combination. I then woke on Thursday to find Microsoft had published their own script. I should have known better. But this is not a race, nor is it a competition. It’s about ensuring the mitigation reaches as many people as possible, in the quickest time possible, to lessen the impact/risk. Also, as with all of this, the evening spent creating the scripts was a very good educational piece on my part. So all was not lost.

Detection Script: ../CVE-2026-45585/Detect-CVE-2026-45585.ps1

Remediation Script: ../CVE-2026-45585/Remediation-CVE-2026-45585.ps1

As should always be the case, a detection script is a tyre kicking/a poke/an investigation/a WhatIf. Start by running the Detection script manually on a test device. Understand the outputs and check the logs (which write to the IntuneManagementExtension log dir). Perhaps then run the Remediation script. Verify it works in your environment, and start with a small-scale deployment once you’re happy. All scripts are supplied “as-is” and without warranty, so caveat emptor.

It’s worth adding that, at this moment in time, mitigation involves tweaking the WinRE image to prevent the access. It’s not a complete fix for the problem; as such, Microsoft now recommend using pre-boot authentication such as a PIN. Which raises the old question: TPM‑Only vs TPM+PIN: Which is right? (an article that pre-dates all of this and probably needs revisiting now).
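To illustrate the detection-script pattern described above (exit code reporting, logging into the IntuneManagementExtension log directory) together with the TPM-only vs TPM+PIN point, here is an added example of an Intune detection script. It is not the author’s Detect-CVE-2026-45585.ps1 and not Microsoft’s script, and it does not inspect or change the WinRE image. It only reports, per device, whether WinRE is enabled and whether the OS volume relies on a TPM-only protector with no pre-boot authentication, which is the scoping data you would want before any remediation. Assumptions: the Intune convention that exit 0 means compliant and exit 1 means non-compliant (triggering the paired remediation), and the log file name, which is constructed for this example.

```powershell
# Added example: Intune detection script for scoping TPM-only BitLocker devices.
# Not the page's own script. Runs as SYSTEM under Intune remediations.
# Exit 0 = compliant (no remediation), exit 1 = non-compliant (remediation runs).

$LogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
$LogFile = Join-Path $LogDir 'BitLockerPreBoot-Detect.log'   # constructed file name

function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    if (-not (Test-Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory -Force | Out-Null }
    Add-Content -Path $LogFile -Value $line
    Write-Output $line   # also surfaces in the Intune "pre-remediation detection output" column
}

try {
    # WinRE state: 'reagentc /info' prints "Windows RE status: Enabled" or "Disabled".
    $reInfo = & reagentc.exe /info 2>&1
    $winReEnabled = @($reInfo | Where-Object { $_ -match 'Windows RE status:\s+Enabled' }).Count -gt 0
    Write-Log "WinRE enabled: $winReEnabled"

    # Key protectors on the OS volume. TPM-only devices show 'Tpm' with no PIN/startup-key variant.
    $osVol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    Write-Log ('BitLocker on {0}: protection {1}; protectors: {2}' -f
        $env:SystemDrive, $osVol.ProtectionStatus, ($protectors -join ','))

    $preBootAuth = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $hasPreBoot  = @($protectors | Where-Object { $preBootAuth -contains $_ }).Count -gt 0
    $tpmOnly     = ($protectors -contains 'Tpm') -and (-not $hasPreBoot)

    if ($osVol.ProtectionStatus -eq 'On' -and $tpmOnly) {
        Write-Log "NON-COMPLIANT: OS volume uses a TPM-only protector (WinRE enabled: $winReEnabled)"
        exit 1
    }

    Write-Log 'COMPLIANT: OS volume is not protected by a TPM-only protector'
    exit 0
}
catch {
    # Surface evaluation failures in the report rather than silently passing the device.
    Write-Log "ERROR: detection could not be evaluated: $($_.Exception.Message)"
    exit 1
}
```

Run it manually in an elevated PowerShell session on a test device first, then read the log file it writes before assigning it to a device group. Because the catch block exits 1, any paired remediation script should re-validate the device state itself rather than trust the detection result blindly.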
