YellowKey BitLocker Bypass PoC Targets TPM-Only Windows 11 Drives

Stephanie Adlam

A public proof-of-concept named YellowKey claims a BitLocker bypass path on Windows 11 and Windows Server systems where the drive unlocks through TPM-only protection. The researcher published the repository on May 12, 2026, and says the issue can expose a protected volume through the Windows recovery path when physical access is available [1]. Public reporting on May 13 framed it as a zero-day because no Microsoft fix or CVE was available at publication time [2].

The practical risk is not “BitLocker is useless.” It is narrower and more important: a laptop or workstation that silently unlocks with the TPM may be weaker against an evil-maid, service-desk, stolen-device, or insider scenario than owners assume. BitLocker still raises the cost of offline disk theft, but this report puts pressure on environments that depend on TPM-only unlock without a startup PIN or startup key.

Where the Exposure Really Sits

YellowKey is especially relevant because many Windows 11 deployments use the convenient BitLocker mode where users never see a pre-boot prompt. That improves usability, but it also means the encryption key can become available during the boot and recovery flow if the platform measurements are accepted. Microsoft’s BitLocker countermeasure guidance describes pre-boot authentication with a PIN, startup key, or both as the mechanism that keeps the system drive inaccessible until the user supplies another factor [3].

The triage question is simple: which protected devices can boot unattended? Prioritize executive laptops, shared office PCs, repair-depot devices, travel machines, and systems that store browser sessions, VPN profiles, crypto wallets, source code, or customer data. If a device can be restarted into recovery paths by someone standing at the keyboard, treat the recovery key, BIOS/UEFI setup, boot order, and USB boot policy as part of the same exposure surface.

Admins should check whether BitLocker is using TPM-only, TPM+PIN, startup key, or a combined protector; whether recovery keys are escrowed and audited; whether users can boot from external media; and whether firmware setup is protected from casual changes. On high-value laptops, a startup PIN is inconvenient but turns a silent unlock into a user-presence decision. That is the difference between “the drive unlocks because the machine looks normal” and “someone must know a separate secret before Windows can read the volume.”
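The protector check described above can be scripted. The following read-only audit is an added example, not code from the article or the YellowKey repository; it relies on the built-in BitLocker and SecureBoot PowerShell modules and assumes an elevated session on the device being checked.

```powershell
# Added audit example (not from the article or the YellowKey repository).
# Read-only: classifies each BitLocker volume by its startup protector so
# TPM-only OS drives can be found and prioritised for a startup PIN.
# Run in an elevated PowerShell session on the device being checked.

function Get-BitLockerUnlockPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Startup protectors decide whether the drive unlocks without user presence.
        $posture = if ($types -contains 'TpmPinStartupKey' -or $types -contains 'TpmPin') {
            'TPM+PIN (user presence required)'
        } elseif ($types -contains 'TpmStartupKey') {
            'TPM+StartupKey (USB key required)'
        } elseif ($types -contains 'Tpm') {
            'TPM-only (silent unlock)'          # the population the article is about
        } elseif ($types -contains 'Password' -or $types -contains 'ExternalKey') {
            'Password/ExternalKey (data or removable drive)'
        } else {
            'No startup protector'
        }

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionStatus    = $vol.ProtectionStatus
            StartupPosture      = $posture
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            Protectors          = ($types -join ', ')
            # Flag exactly what the article tells admins to find first.
            NeedsReview         = ($vol.VolumeType -eq 'OperatingSystem' -and
                                   $vol.ProtectionStatus -eq 'On' -and
                                   $posture -like 'TPM-only*')
        }
    }
}

# Secure Boot state belongs to the same boot-path review; Confirm-SecureBootUEFI
# throws on legacy BIOS machines, so report that instead of failing.
function Get-SecureBootState {
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'Unsupported (legacy BIOS or no UEFI)' }
}

Get-BitLockerUnlockPosture |
    Format-Table MountPoint, VolumeType, ProtectionStatus, StartupPosture, HasRecoveryPassword, NeedsReview -AutoSize
"Secure Boot: $(Get-SecureBootState)"
```

Volumes flagged `NeedsReview` are the TPM-only OS drives; moving them to TPM+PIN is done with `Add-BitLockerKeyProtector -TpmAndPinProtector` once the "Require additional authentication at startup" policy permits a PIN.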

The report also fits a familiar boot-chain pattern. Earlier bootkit stories, such as BlackLotus bypassing boot protections on Windows systems, showed why firmware, recovery, and encryption boundaries should be reviewed together rather than as separate checkboxes. The right response is not panic but a short audit: find TPM-only BitLocker devices, harden the boot path, and watch for a vendor advisory or servicing guidance before assuming the risk is theoretical.

References

  1. Nightmare Eclipse, YellowKey BitLocker bypass repository, published May 12, 2026.
  2. BleepingComputer, "Windows BitLocker zero-day gives access to protected drives", May 13, 2026.
  3. Microsoft Learn, "BitLocker countermeasures", Microsoft documentation.