YellowKey Bitlocker Bypass Vulnerability

It should because that WinRE isn't extracted by default on some OEM vendor machine.

Yeah this checks out - reagentc /enable is what actually copies winre.wim`onto the unencrypted recovery partition and registers the BCD recoverysequence entry, so until that runs there's nothing on the unencrypted side to parse the FsTx folder... reagentc /info will tell you what state you're in, the location field comes back empty when it's not staged. One gotcha worth flagging: if winre.wim is sitting in %SystemRoot%\System32\Recovery\ instead of out on the recovery partition, it lives inside the BitLocker volume and can't be reached pre-boot anyway, so the trigger surface only exists when WinRE is actually staged on its own partition. A lot of OEM Win11 images ship it staged but never extracted, which is probably why this looks intermittent. If anyone needs a temporary mitigation while waiting for a patch, reagentc /disable does the job - you lose recovery functionality but the attack surface goes with it.

> If anyone needs a temporary mitigation while waiting for a patch, reagentc /disable does the job - you lose recovery functionality but the attack surface goes with it. I assume it is alternatively possible to change to TPM + boot PIN instead of just TPM?

> Yeah this checks out - reagentc /enable is what actually copies winre.wim`onto the unencrypted recovery partition and registers the BCD recoverysequence entry, so until that runs there's nothing on the unencrypted side to parse the FsTx folder... reagentc /info will tell you what state you're in, the location field comes back empty when it's not staged. > > One gotcha worth flagging: if winre.wim is sitting in %SystemRoot%\System32\Recovery\ instead of out on the recovery partition, it lives inside the BitLocker volume and can't be reached pre-boot anyway, so the trigger surface only exists when WinRE is actually staged on its own partition. A lot of OEM Win11 images ship it staged but never extracted, which is probably why this looks intermittent. > > If anyone needs a temporary mitigation while waiting for a patch, reagentc /disable does the job - you lose recovery functionality but the attack surface goes with it. I assume that there's another way to mitigate the issue without ...

@0xMohammedHassan Even when `reagentc /info` outputs `Enable`, it sometimes still doesn't work. The purpose of running `reagentc /enable ` is to update the digital signature of winre.wim in TPM; otherwise, TPM will not unseal the key when booting winre.wim.