Update for May 21, 2026: Microsoft is tracking YellowKey as CVE-2026-45585, a Windows BitLocker security feature bypass vulnerability. This is separate from MiniPlasma. YellowKey is about BitLocker and the Windows Recovery Environment; MiniPlasma is about local privilege escalation after code runs inside Windows.
YellowKey matters because BitLocker is supposed to protect data on stolen, lost, or unattended devices. Microsoft says an attacker with physical access to an affected system could bypass BitLocker Device Encryption on the system drive and gain access to encrypted data. Microsoft currently rates the issue Important with CVSS 6.8, lists it as publicly disclosed, and says exploitation is more likely while a full security update is still pending.
Affected Windows Versions
Microsoft’s affected-product API and NVD list the following affected products for CVE-2026-45585:
- Windows 11 version 24H2 for x64-based systems
- Windows 11 version 25H2 for x64-based systems
- Windows 11 version 26H1 for x64-based systems
- Windows Server 2025
- Windows Server 2025 Server Core installation
During this pass, CVE-2026-45585 was not listed in the CISA Known Exploited Vulnerabilities catalog. That can change quickly, so do not use KEV status as the only priority signal. Public disclosure plus BitLocker impact is enough to justify fast review.
Who Should Prioritize This
- Admin and support laptops: especially machines used to access hosting panels, RMM tools, customer files, backup portals, VPNs, Hyper-V, Proxmox, VMware, Plesk, cPanel, DNS, or billing systems.
- Windows Server 2025 systems with BitLocker: especially co-located, branch, edge, lab, or customer-accessible hardware.
- RDS and terminal servers: review any system drive encryption, console access, and remote hands procedures.
- Hyper-V hosts and backup servers: physical access to the wrong host can become access to many customer workloads.
- Domain controllers and file servers: prioritize systems that store credentials, shares, profiles, backups, or sensitive business records.
What Microsoft Recommends
Microsoft currently gives two mitigation paths. Use the official MSRC guidance for the exact steps and test on a pilot machine before rolling out broadly.
- Mitigate through Windows Recovery Environment servicing. Microsoft describes mounting the WinRE image, changing the relevant Session Manager boot behavior, committing the image, and then reestablishing BitLocker trust for WinRE. This is powerful maintenance work. Back up the system first and do not improvise registry edits from memory.
- Move BitLocker from TPM-only to TPM plus startup PIN where operationally possible. Microsoft lists PowerShell, command-line, Control Panel, Intune, and Group Policy methods. Make sure recovery keys are escrowed and tested before changing protector policy, especially for remote users and servers that may reboot unattended.
For devices that are not encrypted yet, Microsoft points admins toward Intune or Group Policy settings that require additional authentication at startup and require a startup PIN with TPM. This is a security gain, but it changes the reboot workflow. Do not surprise users or remote server teams with a PIN prompt during off-hours maintenance.
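One way to script the TPM-only to TPM+PIN move with the escrow check done first, as an added example that is not Microsoft's or this page's own code; it assumes an elevated PowerShell session with the BitLocker module, a domain- or Entra-joined device, and that Group Policy already permits a startup PIN with TPM:

```powershell
# Added example: convert the OS volume from TPM-only to TPM+PIN, but only after a
# recovery password protector exists and has been escrowed (AD DS or Entra ID).
# Assumptions: elevated session, BitLocker module present, policy "Require additional
# authentication at startup" allows TPM+PIN (otherwise the Add step fails, which is
# why the TPM-only protector is removed last). $MountPoint defaults to the OS drive.
#Requires -RunAsAdministrator
param([string]$MountPoint = $env:SystemDrive)

$vol      = Get-BitLockerVolume -MountPoint $MountPoint
$tpm      = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if (-not $recovery) {
    # Never touch startup protectors without a recovery path: add one first.
    $recovery = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password. Try AD DS first, fall back to Entra ID; if both
# fail the script stops here and no protector change is made.
foreach ($rp in $recovery) {
    try   { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop }
    catch { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop }
}

if (-not $tpm) { throw "No TPM-only protector found on $MountPoint; nothing to convert." }
if ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin') { Write-Host 'TPM+PIN already present'; return }

# PIN is read interactively so it never lands in a script or log; default minimum length is 6.
$pin = Read-Host -Prompt 'Enter new startup PIN' -AsSecureString

# Add the stronger protector first, then remove TPM-only, so a failed Add leaves the
# volume still bootable with its existing protector.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin -ErrorAction Stop | Out-Null
Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId -ErrorAction Stop | Out-Null

# Show the resulting protector set for the change record.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

Run it on a pilot machine with console access first, and confirm the escrowed recovery password can actually be retrieved from AD or Entra before touching servers that reboot unattended.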
Safe Verification Commands
These commands help verify status. They do not reproduce the issue.
winver
reagentc /info
manage-bde -status
powershell -NoProfile -Command "Get-BitLockerVolume"
powershell -NoProfile -Command "Get-ComputerInfo | Select-Object WindowsProductName, OsVersion, OsBuildNumber"
powershell -NoProfile -Command "Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10"
For Intune, WSUS, and RMM environments, turn those checks into inventory fields where possible: Windows version, build number, BitLocker protector type, WinRE enabled state, recovery key escrow status, and last successful update/reboot.
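The inventory fields listed above, gathered into a single object an RMM or Intune custom script can upload, as an added example that is not from this page or from Microsoft; it assumes an elevated session on Windows 11 or Server 2025, and the escrow check is a heuristic based on the BitLocker Management event log:

```powershell
# Added example: one object per device with the fields worth tracking for CVE-2026-45585.
# Assumptions: elevated session (reagentc needs it), BitLocker module available.
#Requires -RunAsAdministrator
$ntcv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$os   = Get-CimInstance Win32_OperatingSystem
$sys  = Get-BitLockerVolume -MountPoint $env:SystemDrive

# reagentc has no object output; pull the "Windows RE status" line out of its text.
$reInfo   = reagentc /info 2>&1 | Out-String
$reStatus = if ($reInfo -match 'Windows RE status:\s+(\w+)') { $Matches[1] } else { 'Unknown' }

# Event 845 in the BitLocker Management log records a successful recovery-info backup to
# Entra ID, 846 a failed one. This only proves a backup event happened, not that the key
# is still retrievable; confirm the IDs and the AD DS equivalents in your environment.
$escrow = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846
} -MaxEvents 1 -ErrorAction SilentlyContinue

$types = @($sys.KeyProtector.KeyProtectorType)

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    DisplayVersion   = $ntcv.DisplayVersion                       # e.g. 24H2 / 25H2
    OsBuild          = "$($ntcv.CurrentBuildNumber).$($ntcv.UBR)" # build.revision
    ProtectionStatus = $sys.ProtectionStatus                      # On / Off
    VolumeStatus     = $sys.VolumeStatus
    ProtectorTypes   = ($types | Sort-Object -Unique) -join ','
    TpmOnly          = ($types -contains 'Tpm') -and ($types -notcontains 'TpmPin')
    WinREStatus      = $reStatus                                  # Enabled / Disabled
    LastEscrowEvent  = $(if ($escrow) { "$($escrow.Id) at $($escrow.TimeCreated)" } else { 'none logged' })
    LastHotFix       = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).HotFixID
    LastBoot         = $os.LastBootUpTime
}
```

Pipe the object to ConvertTo-Json or Export-Csv for the RMM, and treat TpmOnly = True on an affected build with WinREStatus = Enabled as the row to act on first.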
Patch Planning
At publication time, Microsoft’s CVE entry provides mitigation guidance but no KB article list for a final security update. Watch Windows Update, WSUS, Intune, your RMM patch catalog, and the Microsoft Update Catalog. When Microsoft publishes a fix, plan for reboots and post-reboot verification rather than assuming the mitigation remains the final state.
For hosting and business environments:
- patch admin workstations and laptops first;
- confirm BitLocker recovery keys are escrowed before making protector changes;
- stage RDS and Windows Server 2025 changes in a maintenance window;
- coordinate physical-access procedures for co-located and branch hardware;
- verify WinRE and BitLocker status after changes;
- record which systems still need a Microsoft final update once one ships.
Role-Specific Notes
- IIS hosting servers: do not make BitLocker protector changes without confirming remote reboot access and customer maintenance windows.
- RDS servers: review who can reach the console, whether the OS drive is encrypted, and whether emergency remote hands can handle a startup PIN.
- Hyper-V hosts: prioritize host boot planning, VM backups, cluster drain order, and console access before protector changes.
- Domain controllers: make sure system state backups, recovery keys, and out-of-band access are documented before touching boot or recovery settings.
- Backup servers: treat these as sensitive even when they are not internet-facing. Physical compromise of a backup server can become data compromise.
- Admin workstations: these should be first in line because they often hold browser sessions, VPN profiles, customer files, SSH keys, and RMM access.
Logs And Evidence To Review
If you are investigating a lost, stolen, or tampered Windows device, review BitLocker management events, Windows Security events, recent local logons, device boot/recovery history where available, RMM check-ins, EDR timeline data, and any evidence of offline handling. For servers, include remote hands tickets and access-control records for the rack, office, or equipment room.
Customer Communication
Keep it calm and practical: “Microsoft has published mitigation guidance for a BitLocker recovery-environment issue affecting specific Windows 11 and Windows Server 2025 versions. We are checking affected systems, confirming recovery-key escrow, and staging any required mitigation or update work with reboot planning.” That is enough for most customers.