What just happened: YellowKey and the BitLocker bypass explained
A researcher using the alias Nightmare-Eclipse published a zero-day exploit this week that breaks BitLocker encryption on default Windows 11 systems. The exploit, called YellowKey, grants complete access to an encrypted drive within seconds. It works reliably against standard Windows 11 deployments, and it is already circulating publicly online.
BitLocker is Microsoft’s full-volume encryption feature, built to make a drive’s contents unreadable to anyone who lacks the key. That key is not sitting on the drive in usable form: the volume master key is sealed by the Trusted Platform Module, a dedicated security chip on the motherboard (or a firmware TPM inside the CPU), which unseals it only when the measured boot chain matches what it saw when the seal was made. The entire promise of BitLocker is that a stolen drive, or a stolen machine, yields nothing useful to the person who has it. YellowKey breaks that promise on default configurations.
The attack requires physical access to the target machine. That constraint matters, but it does not make the threat theoretical. Stolen laptops, unattended devices in hotels or offices, and border crossing inspections where authorities can compel device surrender are all scenarios where physical access is exactly what an attacker has. For those cases, BitLocker on default settings no longer provides the protection users and organizations believe it does.
BitLocker is not optional infrastructure for many organizations. Businesses contracting with government agencies treat it as a mandatory baseline control. A reliable, publicly available bypass targeting default deployments is a direct hit to that compliance posture, not a niche researcher curiosity.
Microsoft has not issued a patch. YellowKey is a zero-day, meaning the vulnerability is unresolved and active. Anyone running Windows 11 with BitLocker in its out-of-the-box configuration is currently exposed to this attack vector if an adversary can get their hands on the hardware.
The missing context: ‘Default’ is the word that should alarm you
Most news coverage of YellowKey focuses on the mechanics of the exploit itself. That framing misses the more uncomfortable point buried in every description of what it actually targets: default Windows 11 BitLocker deployments.
That word — default — carries enormous weight. The vast majority of home users and small business owners running Windows 11 have never touched their BitLocker configuration. They installed the operating system, saw that encryption was enabled, and assumed they were protected. That assumption is precisely what YellowKey dismantles. Nightmare-Eclipse built the exploit to work against out-of-the-box BitLocker setups, not exotic or misconfigured ones. Microsoft’s standard installation is the attack surface.
BitLocker seals its volume master key to the Trusted Platform Module. In a default deployment (TPM-only), the TPM unseals that key automatically during boot as soon as the boot measurements match, with no PIN or other secret from the user; the key then crosses from the TPM to the CPU and sits in RAM for the rest of the session. Microsoft ships it this way deliberately: the goal is a seamless experience where users never enter a PIN or touch a recovery key. The cost of that convenience is a measurable reduction in actual security, because everything the TPM needs in order to release the key is present on the stolen machine itself.
Enterprise environments running hardened BitLocker configurations — ones that require a pre-boot PIN or use additional authentication factors — carry significantly different risk exposure. The exploit that defeats a default setup does not automatically defeat a properly configured one. But Microsoft does not advertise that gap to the people who need to hear it most. Ordinary users are told they have encryption. They are not told that the encryption protecting their laptop was configured to prioritize their convenience over their security.
That distinction — between default and hardened — is not a minor technical footnote. It is the entire story. When a researcher publishes a zero-day that defeats BitLocker, the real question is not just how the exploit works. It is why Microsoft’s defaults leave hundreds of millions of Windows 11 devices in a configuration that a public exploit can defeat within seconds.
Who is actually at risk — and who should be most worried
On current Windows 11 builds, encryption is turned on automatically on Home and Pro editions once the user signs in with a Microsoft account (Home gets it under the name Device Encryption, which is BitLocker locked to a TPM-only configuration), so the exploit targets the standard configuration running on hundreds of millions of consumer laptops sold worldwide. The attack does not require a laboratory setup: anyone with brief physical access to a device can execute it within seconds.
Physical access sounds like a narrow threat until you list the scenarios where strangers, colleagues, or officials handle your machine. A stolen laptop from a coffee shop qualifies. So does a device seized at a border crossing, handed to an IT technician, or left unattended during a hotel room search. Law enforcement agencies and intelligence services regularly operate under exactly these conditions. The physical-access requirement limits the pool of attackers; it does not shrink it to zero.
The groups with the most to lose are those who depend on encryption specifically because powerful institutions want their data. Journalists protecting source identities, lawyers holding privileged client communications, corporate executives carrying deal documents, and activists working in hostile political environments all treat full-disk encryption as a last line of defense against physical seizure. For those users, the promise of BitLocker is the entire security model, and YellowKey breaks it against the very configuration most of them are running.
Organizations that mandate BitLocker for government contracts carry additional exposure. A single compromised device in that environment can open access to sensitive project files, personnel records, or classified communications — material that adversaries with the means to steal a laptop absolutely want.
The uncomfortable fact is that Microsoft’s default TPM-only configuration, in which the TPM unseals the volume key at boot without a separate PIN, is what makes the exploit work. Users who never changed that default, which is most users, are running exactly the setup YellowKey was designed to defeat.
Why a zero-day published online is a uniquely urgent problem
When Microsoft has not yet issued a patch, users have no official remedy. That is the situation right now with YellowKey. The exploit is a zero-day, meaning it targets a vulnerability Microsoft has not fixed. Anyone running a default Windows 11 deployment with BitLocker enabled is exposed, and no update from Microsoft will close that gap until the company ships a patch.
The problem compounds because the exploit code is already circulating publicly online. Nightmare-Eclipse, the researcher who built YellowKey, published it earlier this week. Before that publication, exploiting this vulnerability required the technical skill to independently discover and weaponize it — a high bar that kept the threat largely theoretical for most attackers. Now the bar has collapsed. Any attacker with physical access to a Windows 11 machine can download the existing exploit code and run it. The work of discovery is done for them.
That shift from private knowledge to public availability changes the threat landscape immediately and sharply. Security researchers have documented repeatedly that the period between public disclosure of a vulnerability and the deployment of a vendor patch is when opportunistic attacks spike. Attackers who previously had no path to a target now have a ready-made tool. Corporate laptops left in cars, devices seized at borders, machines accessed during a hotel room break-in — all of these scenarios become meaningfully more dangerous the moment working exploit code is freely available online.
BitLocker is not a niche protection. Government contracting frameworks require encryption at rest, and BitLocker is the standard way to meet that requirement on Windows, so it is the default encryption layer on Windows 11 machines across enterprises worldwide. The gap between disclosure and patch is not a brief technical inconvenience. For every day that gap stays open, millions of devices running default configurations sit exposed to an attack that now requires no specialized skill to execute.
What you can actually do right now while Microsoft works on a fix
Microsoft has not patched YellowKey yet, but you are not powerless in the meantime.
The single most effective step any Windows 11 user can take right now is to add a pre-boot PIN (or startup password) so that the TPM alone can no longer unseal the key. By default, BitLocker relies entirely on the TPM to release the volume master key at boot: no PIN, no user interaction. That is exactly the gap YellowKey exploits. With TPM+PIN, the TPM will not unseal the key until the user supplies a secret the attacker does not have, so possession of the machine is no longer enough. Microsoft does not enable this out of the box, and the change lives in two places. First, allow it in policy: open the Local Group Policy Editor (gpedit.msc; present on Pro, Enterprise and Education, not Home), navigate to Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives, enable “Require additional authentication at startup”, and set “Configure TPM startup PIN” to “Require startup PIN with TPM”; enabling “Allow enhanced PINs for startup” and raising the minimum PIN length in the same folder is worth doing at the same time. Second, set the PIN itself, which Group Policy does not do for you: Control Panel → BitLocker Drive Encryption → “Change how drive is unlocked at startup”, or from an elevated prompt, manage-bde -protectors -add C: -TPMAndPIN. Back up the recovery password before changing protectors, because a firmware update or a PIN lockout will send the machine into recovery. Two caveats: Windows 11 Home ships Device Encryption with no PIN option, so Home users need Pro to close this gap (a firmware boot password is a partial substitute), and a short numeric PIN only holds up because the TPM rate-limits guesses, so use a long enhanced PIN. This takes under ten minutes and closes the attack vector YellowKey depends on.
Physical custody of your device is now a genuine security control, not just common sense. YellowKey requires physical access to execute. A laptop left unattended in a hotel room, a shared office, or a checked bag is a target. Lock devices in secure locations and treat unattended access as the threat it is. One detail matters more than the lock-screen password: once Windows has booted, the volume key is already in RAM, and a sleeping machine keeps it there, so a pre-boot PIN only protects a device that is powered off or hibernated. Shut down or hibernate, rather than sleep, whenever the device leaves your hands; administrators can enforce this fleet-wide by setting the “Allow standby states (S1-S3) when sleeping” power policies to Disabled.
IT administrators cannot wait for a patch. Organisations with BitLocker deployments, especially those handling government contracts, where encryption at rest is a compliance requirement, need to audit endpoint configurations today. The default TPM-only policy is demonstrably insufficient against this exploit. Pushing hardened Group Policy configurations that enforce pre-boot PINs across all endpoints is a concrete, deployable fix that does not depend on Microsoft’s patch timeline. Pull an inventory of machines running default BitLocker settings (Get-BitLockerVolume lists each volume’s key protectors; an operating-system volume whose only TPM-class protector is “Tpm” is in the default state), prioritise endpoints that travel outside controlled environments, and treat this as a mandatory remediation task rather than a scheduled review item.
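The audit and the remediation described above, as an added PowerShell example for Windows 11 Pro or Enterprise. This is not code from the article or from the researcher’s material. It uses the stock BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector) and writes the same registry values that the “Require additional authentication at startup” policy writes; the function names, the chosen policy values (enhanced PINs, minimum length 8) and the -AllowUnescrowed switch are this example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example: find OS volumes still on the TPM-only (default) protector and move them to
# TPM+PIN. Stock BitLocker module cmdlets; function names and policy values are this example's.
# Pro/Enterprise only: Home's Device Encryption has no PIN option and no BitLocker module.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-OsVolumeProtectorState {
    # One object per operating-system volume. TpmOnly = $true is exactly the default
    # configuration the article describes: a bare 'Tpm' protector and no PIN variant.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | ForEach-Object {
        $types  = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus.ToString()
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin
            HasPin           = $hasPin
            HasRecoveryPw    = ($types -contains 'RecoveryPassword')
            Protectors       = ($types -join ',')
        }
    }
}

function Set-BitLockerPinPolicy {
    # Registry form of "Require additional authentication at startup" (the keys gpedit writes).
    # UseTPM / UseTPMPIN / UseTPMKey / UseTPMKeyPIN take 0 = do not allow, 1 = require, 2 = allow.
    # UseEnhancedPin allows full-keyboard PINs; MinimumPIN is the minimum-PIN-length policy.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    $settings = [ordered]@{
        UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0
        UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0
        UseEnhancedPin = 1; MinimumPIN = 8
    }
    foreach ($name in $settings.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -Value $settings[$name] -PropertyType DWord -Force | Out-Null
    }
}

function ConvertTo-TpmAndPin {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin,
        [switch]$AllowUnescrowed   # example's own: proceed on a standalone machine whose recovery password was recorded by hand
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Step 1: never change the TPM protector without a recovery password. A PCR mismatch after a
    # firmware update, or a PIN lockout, otherwise leaves the volume unrecoverable.
    if (-not ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    # Escrow to Entra ID when the device is joined (on an AD DS domain use Backup-BitLockerKeyProtector).
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    } catch {
        if (-not $AllowUnescrowed) {
            throw "Recovery password $($rp.KeyProtectorId) is not escrowed; record it (manage-bde -protectors -get $MountPoint) and rerun with -AllowUnescrowed. $_"
        }
        Write-Warning "Recovery password not escrowed for $MountPoint; continuing because -AllowUnescrowed was given."
    }
    # Step 2: add TPM+PIN. A volume holds a single TPM-class protector, so the module replaces the
    # bare TPM protector; the removal afterwards is a guard in case one is left behind.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Get-OsVolumeProtectorState | Where-Object { $_.MountPoint -eq $MountPoint }
}

# Usage, in this order: audit, set policy (the module refuses a PIN protector until policy
# allows one), then convert every TPM-only OS volume.
# Get-OsVolumeProtectorState | Format-Table -AutoSize
# Set-BitLockerPinPolicy
# ConvertTo-TpmAndPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

Run the audit across a fleet first and fix only the volumes reported with TpmOnly = $true; the policy step is what turns a one-off fix into a standing requirement, since once UseTPMPIN is set to “require”, BitLocker will not accept a new TPM-only protector on that machine.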
The patch will come. Until it does, the PIN requirement is your actual defence.
The bigger question: Has Microsoft been underselling BitLocker’s limitations?
YellowKey is not an anomaly. Security researchers have previously demonstrated TPM-sniffing attacks against BitLocker’s default configuration: with a discrete TPM, the volume master key travels unencrypted over the LPC or SPI bus from the TPM to the CPU during boot, and a logic analyser clipped to that bus can read it. (A firmware TPM inside the CPU package has no such bus to tap, so whether a given laptop is exposed to that particular technique depends on the hardware as well as on the BitLocker configuration.) The architectural weakness those attacks exploited, a TPM that hands the key to any boot chain with the right measurements and asks the user for nothing, is the same one YellowKey now targets. Microsoft has known about this class of vulnerability for years.
That context matters because Microsoft ships Windows 11 with BitLocker active and positions it as a flagship security feature. The company requires TPM 2.0 as a baseline hardware specification for Windows 11, and it markets that requirement as a meaningful security guarantee. For most users, that messaging lands as: your drive is protected. What Microsoft does not prominently communicate is that the default TPM-only configuration skips PIN authentication entirely, creating a setup where a determined attacker with physical access needs no password, no credentials, and no special knowledge — just a tool like YellowKey and a few seconds.
The fix exists. Enabling a BitLocker pre-boot PIN closes the attack vector by requiring something the TPM cannot supply on its own. But Microsoft does not enable this by default, and navigating to that setting is not obvious to ordinary users. The burden of closing a known security gap falls entirely on the person who almost certainly does not know the gap exists.
This is the real story behind YellowKey. It exposes a deliberate design choice: Microsoft prioritized a frictionless boot over the protection BitLocker is supposed to deliver. Organizations that contract with government agencies are required to encrypt data at rest, and BitLocker is how they do it on Windows; those users especially deserve a default configuration that reflects the threat model BitLocker was built to address.
Tech companies routinely argue that stronger defaults hurt usability. That argument has limits when the product is explicitly a security feature. Shipping BitLocker in a configuration researchers have repeatedly shown to be bypassable, without prominent disclosure of what the default actually protects against, is not a usability tradeoff. It is a trust gap — and YellowKey makes it impossible to ignore.