A new proof-of-concept tool named BitUnlocker has exposed a critical weakness in Microsoft’s BitLocker encryption, allowing a determined attacker to unlock TPM-only protected drives in minutes—even on fully patched Windows 11 systems. Published by researchers at Intrinsec on August 15, 2025, the attack demonstrates that a physical-access downgrade can undermine protections Microsoft attempted to fortify in July with the CVE-2025-48804 security update.

BitLocker, the default full-disk encryption solution built into Windows, relies heavily on the Trusted Platform Module (TPM) when configured in its simplest mode. For many enterprises and individuals, the TPM-only option strikes a balance between security and convenience—the drive decrypts seamlessly at boot, provided the hardware and boot chain pass integrity checks. No PIN to remember, no USB key to lose. But as BitUnlocker shows, that convenience comes at a steep price.

What Is TPM-Only BitLocker?

BitLocker offers several key protectors, each with a different security posture. The TPM-only protector stores the volume master key (VMK) inside the TPM’s non-volatile RAM. During startup, the Windows Boot Manager measures the boot components and compares them against previously recorded Platform Configuration Register (PCR) values. If everything matches, the TPM releases the VMK, and Windows unlocks the drive.

This approach protects against offline attacks where a thief removes the drive and tries to read it on another computer. Without the TPM from the original machine, the data remains inaccessible. However, as long as the drive stays in the original hardware, any operating system that passes the PCR checks can request the key. BitUnlocker exploits exactly that trust.

The BitUnlocker Attack Explained

Intrinsec’s tool, BitUnlocker, is a bootable USB image designed for rapid physical-access attacks. The researchers demonstrated it on fully updated Windows 11 24H2 devices with Secure Boot enabled and TPM-only BitLocker active. In under five minutes, an attacker with temporary unsupervised access to a locked or powered-off machine can bypass the encryption and retrieve the BitLocker recovery key or even gain direct access to the decrypted volume.

The attack hinges on a downgrade of the Secure Boot configuration. Secure Boot relies on a database of trusted certificates (db) and prohibited signatures (dbx). When Windows boots, the TPM verifies that each component—from firmware to bootloader—is signed by a trusted authority. BitUnlocker manipulates the Boot Configuration Data (BCD), which is stored unencrypted on the EFI System Partition, to trigger a “Secure Boot migration” process. This is a legitimate feature designed to help migrate systems between different Secure Boot policies, but the researchers discovered that the migration routine does not adequately validate the incoming policy.

By injecting a custom, downgraded Secure Boot policy into the migration request, BitUnlocker replaces the machine’s hardened policy with an older one that trusts vulnerable bootloaders. The attacker then boots a malicious operating system that exploits those weaker protections to extract the BitLocker key from the TPM or from memory. Because the migration appears to be an authorized administrative action, the TPM’s anti-hammering protections do not block it.

How the Downgrade Works

The attack sequence is straightforward:

  1. Physical Access: The attacker reboots the target machine and boots from a USB drive containing BitUnlocker.
  2. BCD Tampering: BitUnlocker mounts the EFI partition and modifies the BCD file (typically \EFI\Microsoft\Boot\BCD) to set a flag that indicates a pending Secure Boot migration.
  3. Policy Replacement: On the next boot, the Windows Boot Manager checks the BCD flag, reads a new Secure Boot policy provided by the attacker, and sends it to the TPM for storage. The TPM accepts it because the migration command is signed with a platform-specific key that the attacker’s code can generate by exploiting another weakness: the migration key derivation uses values from PCRs that can be forged when booting from an external medium.
  4. Boot with Weak Policy: With the downgraded Secure Boot policy in place, the machine now trusts an old, known-vulnerable boot component. The attacker loads a custom bootloader that captures the BitLocker VMK released by the TPM or directly reads the decrypted drive contents.

The entire process, from initial reboot to full key capture, takes less than five minutes. BitUnlocker automates every step, requiring only that the attacker select the appropriate downgrade policy from a menu. The tool currently ships with 12 prebuilt policy downgrades covering various Windows and firmware combinations.

Why the Patch Fell Short

On July 8, 2025, Microsoft released CVE-2025-48804, described as a “Secure Boot Migration Security Feature Bypass Vulnerability.” The company’s advisory stated that an attacker could manipulate the migration process to “improperly downgrade the Secure Boot policy” and that the update enforces stricter validation of incoming policies. Microsoft assigned it an Important severity rating, noting that exploitation required physical access.

But Intrinsec’s research shows that the patch only addresses one part of the attack chain. The July update added a signature check for the migration policy blob, ensuring it is signed by a trusted root authority. However, BitUnlocker cleverly sidesteps this by leveraging a legitimate, Microsoft-signed downgrade policy from an older configuration that was never adequately revoked. In essence, the patch blocks unsigned blobs but fails to prevent the use of old but still valid signed policies that should no longer be trusted.

The researchers disclosed their findings to Microsoft prior to releasing BitUnlocker, and Microsoft acknowledged the gap. A supplemental fix is expected in the September 2025 Patch Tuesday, which will revoke the vulnerable downgrade policies and implement additional PCR binding to make the migration process more resistant to offline manipulation.

Physical Access Is the Crucial Element

BitUnlocker is not a remote exploit. It requires an attacker to physically interact with the device—plugging in a USB drive and rebooting. In many threat models, physical access equals game over, and organizations often accept that risk. But that calculus changes when the attack only needs a few moments of distraction. A lunch break, a meeting, an unattended laptop in a coffee shop—all become attack windows.

For enterprise environments, BitUnlocker underscores the need for defense-in-depth. A stolen laptop left in sleep mode (S0 Low Power Idle) might still have its BitLocker key in memory, but a full shutdown or hibernation clears that. BitUnlocker targets cold boot scenarios. However, combining the downgrade with other techniques could potentially extend to warm-boot attacks, though that is not yet demonstrated.

The Real-World Impact

Many organizations deploy Windows 11 with TPM-only BitLocker by default. Microsoft itself recommends this configuration for “new modern devices” in its BitLocker planning guide, citing a seamless user experience. IT administrators often see little reason to enforce a PIN or startup key when the TPM already binds encryption to the hardware.

BitUnlocker shatters that assumption. With the tool publicly available, any moderately skilled threat actor can bypass TPM-only protection on stolen or briefly accessed laptops. The implications for data breach regulations (GDPR, HIPAA, PCI-DSS) are severe: encryption that can be trivially undone during a physical theft may not meet the “reasonable protection” standard required by law.

Intrinsec tested BitUnlocker against:
- Windows 11 24H2 with Secure Boot and TPM 2.0
- Various OEM firmwares from Dell, Lenovo, HP
- Both Intel and AMD platforms
- Systems with and without Microsoft’s July 2025 patch applied

In all cases, BitUnlocker succeeded within 2 to 5 minutes, provided the attacker could boot from USB. Many corporate laptops restrict USB boot via BIOS passwords or manage BCD access through measured boot policies, but such lockdowns are often inconsistently applied. And for consumer devices, USB boot is typically wide open.

Microsoft’s Upcoming Countermeasures

Microsoft is working on a more comprehensive mitigation. In addition to revoking old downgrade policies, the planned update will:
- Require that any Secure Boot migration be authenticated with a TPM-bound confirmation key stored in a non-migratable TPM area.
- Extend PCR 7 measurements to include the BCD’s own integrity, so tampering with the BCD before migration invalidates the TPM’s trust.
- Introduce a time-limited lockout after failed migration attempts, making brute-force policy injection harder.

These changes will likely roll out as part of a cumulative update and will not require any user action beyond installing patches. However, after the update, systems that currently use a migrated Secure Boot policy—a rare scenario—may need to reconfigure their boot setup. Microsoft is expected to publish detailed guidance ahead of the release.

How to Protect Yourself Now

Waiting for the September patch is not the only option. Organizations can take immediate steps to defeat the BitUnlocker attack:

  • Switch to TPM+PIN or TPM+Startup Key: These protectors require secondary authentication, so even if the attacker downgrades Secure Boot, they cannot obtain the key without the PIN or USB key. Windows 11 supports a minimum PIN length of 4 digits, but longer alphanumeric PINs are recommended.
  • Configure pre-boot authentication: Enforcing a PIN entry before the operating system loads adds a crucial barrier.
  • Lock down USB boot: Set a strong BIOS/UEFI password and disable boot from external devices unless a supervisor password is provided.
  • Use BitLocker Network Unlock (for domain-joined PCs): This allows automatic unlocking on a trusted corporate network without a PIN, but remains secure offline.
  • Employ device encryption policy in Intune or Group Policy: Require “TPM+PIN” for all mobile devices and gradually phase out TPM-only.

Enterprises should also audit their current BitLocker configuration. The PowerShell cmdlet Get-BitLockerVolume lists each volume's key protectors and their types; replace any volume whose only TPM-based protector is "Tpm" with at minimum "TpmPin".
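As an added example (not code from the article or from Intrinsec), the following PowerShell script performs the audit just described across the mitigation list above: it flags every volume protected by a bare "Tpm" protector, records the Secure Boot state for context, and can optionally upgrade such volumes to TPM+PIN. It assumes Windows 11 with the built-in BitLocker and SecureBoot modules, an elevated shell, and that policy already permits a PIN with TPM; the report path and parameter names are this example's own choices.

```powershell
# Audit BitLocker volumes for TPM-only protectors (the configuration BitUnlocker
# targets) and optionally add a TPM+PIN protector. Added example, not the
# article's or Intrinsec's code. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate,                                   # upgrade Tpm -> TpmPin
    [string]$ReportPath = "$env:ProgramData\bitlocker-audit.csv"  # assumed path
)

# Context only: the downgrade described in the article relies on Secure Boot being
# the sole gate, so record whether it is on. Legacy BIOS systems throw here.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

# Protector types that add a second factor before the VMK is released; a bare
# "Tpm" protector does not.
$multiFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'TpmNetworkKey')

$rows = foreach ($vol in Get-BitLockerVolume) {
    $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpmOnly = ($types -contains 'Tpm') -and
               -not ($types | Where-Object { $multiFactor -contains $_ })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ';')
        TpmOnly          = $tpmOnly
        HasRecoveryPw    = ($types -contains 'RecoveryPassword')
        SecureBoot       = $secureBoot
    }
}

$rows | Format-Table -AutoSize
$rows | Export-Csv -Path $ReportPath -NoTypeInformation

if ($Remediate) {
    # Requires the "Require additional authentication at startup" policy to allow
    # a PIN with TPM; Add-BitLockerKeyProtector fails otherwise. Only touch volumes
    # that already have a recovery password escrowed, so the change is reversible.
    foreach ($row in $rows | Where-Object { $_.TpmOnly -and $_.HasRecoveryPw }) {
        $pin = Read-Host -AsSecureString "New pre-boot PIN for $($row.MountPoint)"
        Add-BitLockerKeyProtector -MountPoint $row.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        # Remove the bare Tpm protector so the volume cannot still unlock without the PIN.
        (Get-BitLockerVolume -MountPoint $row.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
            ForEach-Object {
                Remove-BitLockerKeyProtector -MountPoint $row.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
        Write-Host "Upgraded $($row.MountPoint): Tpm -> TpmPin"
    }
}
```

Run it without -Remediate first to get the CSV report; volumes showing TpmOnly = True but HasRecoveryPw = False should have a recovery password added and backed up before the protector swap.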

The Broader Security Landscape

BitUnlocker is the latest in a series of BitLocker bypasses that rely on physical access. In 2024, researchers disclosed a similar downgrade attack that exploited an older Boot Manager, and the “bitpixie” attack in 2023 used a TPM vulnerability in Intel firmware. Each time, Microsoft has incrementally improved the protection, but the fundamental tension between convenience and security remains.

What sets BitUnlocker apart is its speed and simplicity. The tool packages a complex downgrade chain into a one-click script, drastically lowering the skill barrier. Combined with the public nature of the release, security teams must assume that criminals will quickly adopt the technique.

Some security experts argue that physical attacks cannot be entirely prevented on general-purpose PCs. An attacker with unlimited physical access could desolder the TPM, use bus sniffing, or even employ electron microscopy to read keys directly. But the goal of disk encryption is to raise the cost and risk for an attacker. TPM-only BitLocker, as BitUnlocker shows, fails miserably at this goal for skilled opponents.

The Timeline and Next Steps

  • July 8, 2025: Microsoft releases CVE-2025-48804 as part of monthly security updates.
  • August 15, 2025: Intrinsec publishes BitUnlocker tool and detailed technical paper.
  • September 2025 (expected): Microsoft to release supplementary update that fully mitigates the downgrade vector.

Until that full mitigation lands, Windows 11 users relying solely on TPM for BitLocker protection should consider themselves virtually unprotected against a physical attacker. The convenience of seamless boot is not worth the exposure—enabling a PIN or startup key is a simple configuration change that can be deployed across entire fleets in hours.

Conclusion

BitUnlocker is not a theoretical risk. It is a published, working tool that demonstrates how a few minutes of physical access can unravel years of trusted security assumptions. For enterprises, it should prompt an immediate review of encryption settings. For consumers, it’s a reminder that a laptop left unattended is a laptop potentially compromised. Microsoft’s upcoming patch will help, but the long-term solution lies in moving away from TPM-only protectors and embracing multi-factor authentication for full-disk encryption.

The researchers at Intrinsec have done the security community a service by shining a light on this weakness before malicious actors could exploit it en masse. Now it’s the responsibility of every organization and individual to act on that knowledge before the next generation of laptop thieves upgrades their toolkit.