Microsoft has assigned CVE-2026-45585 to a newly disclosed security feature bypass vulnerability that affects BitLocker Drive Encryption when the Windows Recovery Environment (WinRE) is enabled. The flaw allows an attacker with physical access to a device to bypass BitLocker protections by manipulating WinRE components, potentially granting unauthorized access to encrypted data. Microsoft’s mitigation guidance requires administrators to manually modify the BootExecute registry key on each affected system—an offline fix that disables certain recovery tools until a formal update is released.

This vulnerability marks another chapter in the ongoing struggle to balance recovery convenience with strict disk encryption. Unlike many critical vulnerabilities that are patched through Windows Update, CVE-2026-45585 currently relies on a manual workaround because the attacker can modify WinRE files before the operating system loads, circumventing normal security checks. Administrators must act now to lock down systems, especially those in high-risk environments like healthcare, finance, and government, where physical device access is a realistic threat vector.

How the Bypass Works

BitLocker protects data by encrypting entire volumes, requiring a key or PIN before Windows boots. In normal operation, the pre-boot environment checks the integrity of boot components before releasing the encryption key. WinRE, however, is a separate Windows installation on a hidden partition that provides repair and recovery tools, including a command prompt. This command prompt runs with elevated privileges but is supposed to honor BitLocker’s protection rules.

CVE-2026-45585 exploits the way WinRE’s command-line environment interacts with the BootExecute registry value under HKLM\System\CurrentControlSet\Control\Session Manager. BootExecute contains native applications that run early in the boot process, such as autocheck for chkdsk. An attacker who gains physical access can boot into WinRE, mount the Windows partition after supplying the recovery key (which they may have obtained through social engineering or shoulder surfing), and then modify BootExecute to launch a malicious executable. Once set, that executable runs the next time the system boots normally—before the user logs in and often with system privileges—allowing the attacker to extract BitLocker keys, install backdoors, or exfiltrate data.

Because the manipulation occurs from within WinRE, regular endpoint detection tools are blind to the modification. The attack is entirely offline, requiring no network connectivity and leaving minimal forensic traces on the operating system if the BootExecute entry is cleaned up afterward. Microsoft’s advisory confirms that exploitation requires physical access and the ability to pass the WinRE authentication prompt, but notes that certain misconfigurations allow skipping the recovery key requirement entirely on some hardware.

Affected Windows Versions and Scope

Microsoft rates CVE-2026-45585 as “Important” with a CVSS score of 6.8, reflecting the physical access prerequisite. The vulnerability impacts all supported editions of Windows 10, Windows 11, and Windows Server that have BitLocker enabled with the recovery environment intact. Windows 10 versions from 21H2 onward and Windows 11 21H2, 22H2, and 23H2 are explicitly listed. Windows Server 2019 and 2022 are also vulnerable if BitLocker is used, particularly on domain controllers or file servers where physical security might be less rigorous than expected.

It’s critical to note that systems without WinRE—either because the partition was removed or never provisioned—are not susceptible. Similarly, devices that use hardware-based TPM-only protectors without a recovery password are harder to exploit but not immune if the attacker can reset the TPM lockout by entering the recovery key, which is the intended recovery flow.

Mitigation Steps: The BootExecute Fix

Until Microsoft releases a security update that hardens WinRE against this manipulation, administrators must manually configure the BootExecute registry value to prevent tampering. The fix essentially locks the BootExecute list so that even if an attacker gains a WinRE command prompt, they cannot alter the early-boot executables.

Step-by-Step Guide

  1. Boot into the installed Windows operating system. You cannot apply this fix from WinRE because the target registry hive is not mounted correctly. If the system is currently compromised, boot from a known-good Windows installation media and enter the recovery environment to perform offline registry edits.

  2. Open Registry Editor (regedit). If you are performing this offline, you will need to load the SYSTEM hive from %SystemRoot%\System32\config.

  3. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    If offline, you’ll see the loaded hive under a temporary key.

  4. Locate the BootExecute multi-string value. The default value usually contains autocheck autochk *.

  5. Modify the data to remove any unexpected entries and set permissions. The strongest mitigation is to:
    - Set BootExecute to a single entry: autocheck autochk * (assuming that is the only legitimate program needed).
    - Right-click the Session Manager key, choose Permissions, and set ACLs to deny write access to the SYSTEM account and administrators for the BootExecute value itself. This prevents any modification even from WinRE’s SYSTEM context. However, be cautious: this may prevent legitimate recovery tools from updating the value, and Windows Update might fail to install future patches that rely on writing here. Test thoroughly.

A less restrictive but still effective approach is to configure a Group Policy that runs a startup script to overwrite BootExecute to the known-good state on every boot. This script must be placed outside the encrypted volume so that it executes before BitLocker unlocks the drive.

  6. Apply the changes and exit Registry Editor. If you loaded the hive offline, unload it properly to save changes.

  7. Reboot the system and verify that BitLocker protection is active and that Windows boots normally.

For large-scale deployments, Microsoft recommends scripting these changes through Microsoft Endpoint Configuration Manager or by using a WinPE boot image with a script that automates the registry modification. The company’s security advisory (linked below) provides sample PowerShell and batch scripts that can be pushed via Group Policy startup scripts.
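The audit-and-restore procedure from the steps above, written out as an added PowerShell example. This is not the sample script from Microsoft's advisory (which is not reproduced on this page); it is illustrative code written for this article. It assumes that `autocheck autochk *` is the only legitimate BootExecute entry on your images, that it runs elevated under Windows PowerShell 5.1 (Write-EventLog does not exist in PowerShell 7), and that the event source name, the event ID, the `HKLM\OfflineSys` mount name and the `D:` drive letter are placeholders chosen here. The deny-ACL step is deliberately not automated: registry permissions are set on keys, not on individual values, so a deny on Session Manager applies to everything beneath it and needs the testing the article calls for.

```powershell
# Added example, not the script from Microsoft's advisory. Audits the
# BootExecute REG_MULTI_SZ against a known-good list, records drift in the
# Application event log, and restores the value on demand. Run elevated under
# Windows PowerShell 5.1 (Write-EventLog is not available in PowerShell 7).

$KnownGood   = @('autocheck autochk *')   # assumed to be the only legitimate entry
$EventSource = 'BootExecuteAudit'         # assumed name for this script's event source

function Get-SessionManagerPath {
    # Online, CurrentControlSet is a live link. In a hive loaded offline there is
    # no such link, so resolve Select\Current to the real ControlSet00N key.
    param([string]$HiveRoot = 'HKLM:\SYSTEM')
    if ($HiveRoot -eq 'HKLM:\SYSTEM') {
        return 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    }
    $n = (Get-ItemProperty -Path "$HiveRoot\Select" -Name Current).Current
    return ('{0}\ControlSet{1:D3}\Control\Session Manager' -f $HiveRoot, $n)
}

function Get-BootExecuteState {
    param([string]$HiveRoot = 'HKLM:\SYSTEM')
    $key = Get-SessionManagerPath -HiveRoot $HiveRoot
    $raw = (Get-ItemProperty -Path $key -Name BootExecute -ErrorAction Stop).BootExecute
    $current    = @($raw | Where-Object { $_ -ne '' })              # drop empty trailing element
    $unexpected = @($current   | Where-Object { $KnownGood -notcontains $_ })
    $missing    = @($KnownGood | Where-Object { $current   -notcontains $_ })
    [pscustomobject]@{
        KeyPath    = $key
        Current    = $current
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

function Write-AuditEvent {
    param([string]$Message, [string]$EntryType = 'Warning')
    try {
        if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
            New-EventLog -LogName Application -Source $EventSource
        }
        # Event ID 4100 is an arbitrary choice for this example.
        Write-EventLog -LogName Application -Source $EventSource -EventId 4100 -EntryType $EntryType -Message $Message
    } catch {
        # In WinPE the event log may be unavailable; never let logging block the fix.
        Write-Warning "Event log unavailable: $_"
    }
}

function Restore-BootExecute {
    param([string]$HiveRoot = 'HKLM:\SYSTEM', [switch]$AuditOnly)
    $state = Get-BootExecuteState -HiveRoot $HiveRoot
    if ($state.Compliant) { return $state }
    $msg = 'BootExecute drift in {0}. Unexpected: [{1}] Missing: [{2}]' -f $state.KeyPath, ($state.Unexpected -join '; '), ($state.Missing -join '; ')
    Write-AuditEvent -Message $msg
    if (-not $AuditOnly) {
        Set-ItemProperty -Path $state.KeyPath -Name BootExecute -Value ([string[]]$KnownGood) -Type MultiString
        Write-AuditEvent -Message 'BootExecute restored to the known-good list.' -EntryType Information
    }
    return (Get-BootExecuteState -HiveRoot $HiveRoot)
}

function Invoke-OfflineBootExecuteRestore {
    # For the offline case in step 1 (booted from known-good media): load the
    # SYSTEM hive of the target installation, fix it, and unload so the change
    # is written back. 'D:' and 'OfflineSys' are placeholders for this example.
    param([string]$SystemHive = 'D:\Windows\System32\config\SYSTEM')
    reg.exe load HKLM\OfflineSys $SystemHive | Out-Null
    try {
        Restore-BootExecute -HiveRoot 'HKLM:\OfflineSys'
    } finally {
        [gc]::Collect()                            # release PowerShell's handle on the hive
        reg.exe unload HKLM\OfflineSys | Out-Null
    }
}

# Online usage, e.g. from a Group Policy startup script:
#   Restore-BootExecute               # audit and restore
#   Restore-BootExecute -AuditOnly    # audit, log drift, change nothing
```

Run `Restore-BootExecute -AuditOnly` first on a representative image to confirm the known-good list matches what your builds actually ship; a missing entry is reported separately from an unexpected one so that a legitimately customised BootExecute is not silently overwritten.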

Why Traditional Patching Isn’t Enough

A typical security fix would involve updating WinRE’s recovery tools to restrict how BootExecute can be modified from the command prompt, or to validate signatures on boot executables. However, because WinRE is effectively a second Windows instance, any patch must be applied to the offline WinRE image as well as the main OS. Microsoft’s current mitigation is a stopgap because the attacker can replace unpatched WinRE files if they have physical access, even after the main OS is updated.

The long-term solution involves implementing a secure boot integrity check that compares the BootExecute value against a signed manifest stored in the TPM or UEFI firmware. This would prevent offline tampering, similar to how Secure Boot enforces driver signature verification. But such a feature requires firmware updates and broad industry coordination, which is likely months or years away.

Community and Administrator Response

Early reactions from IT administrators on forums and social media express frustration that this fix requires “touching every machine” and cannot be deployed via Windows Update. Since WinRE partition layouts vary by manufacturer and custom images, scripting the change across an estate is non-trivial. “We got hit by the BootExecute problem with CryptoLocker years ago, now we have to do the same dance again,” one system admin commented, referencing ransomware strains that abused BootExecute for persistence.

Security researchers have also pointed out that this vulnerability is distinct from past BitLocker bypasses that targeted the TPM or DMA attacks over Thunderbolt. By focusing on WinRE’s legitimate repair functionality, attackers have a pathway that leaves BitLocker’s core encryption intact but sidesteps its key protection mechanism. In a proof of concept shared online (though redacted due to responsible disclosure), a researcher demonstrated how a modified WinRE image on a USB drive could be used to inject a malicious BootExecute entry in under five minutes—even on fully patched Windows 11 23H2 with Secure Boot enabled.

Real-World Attack Scenarios

Organizations that deploy laptops to remote employees face the highest risk, as devices may be lost, stolen, or temporarily accessed by untrusted individuals. An attacker who gets 15 minutes with a computer can boot into WinRE (often by repeatedly pressing F11 during startup) and execute the attack, provided they have the recovery key. That key is frequently stored in Active Directory, cloud-based MDM, or printed out—all sources that an insider or sophisticated attacker could compromise.

Data exfiltration from a boot environment is particularly stealthy because the attack can be performed without leaving the decrypted volume mounted. The attacker can inject code that, on normal boot, copies encryption keys to a predetermined location or sends them over a network when the user logs in. Since the malicious action occurs after BitLocker unlocks, full disk encryption offers no protection.

Hardening Recommendations Beyond the Workaround

Microsoft urges customers to consider the following additional measures:

  • Remove the WinRE partition on devices where full disk encryption is paramount and offline recovery is not needed. This eliminates the attack surface entirely but renders the system unrecoverable without reinstallation if critical boot files become corrupted.
  • Employ a Pre-boot BitLocker PIN in addition to the TPM. This makes it harder for an attacker to reach WinRE because they must pass both the TPM check and input a PIN before the recovery environment is accessible.
  • Disable the WinRE command prompt via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Recovery Environment > Disable Command Prompt. However, this does not fully mitigate CVE-2026-45585 because a skilled attacker can still mount the registry hive externally.
  • Monitor registry modifications using endpoint detection and response (EDR) tools that include pre-boot integrity validation, such as Microsoft Defender for Endpoint’s ‘Early Launch Antimalware’ capability. While this won’t stop the initial offline modification, it can detect malicious BootExecute changes at the next boot and alert defenders.
  • Keep the recovery key secure by storing it only in tamper-resistant hardware or a well-protected cloud vault that requires multi-factor authentication for access.
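A detection-side complement to the monitoring recommendation above, added here as an example and not taken from the article or from any Microsoft product. It triages registry-change telemetry in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set) and raises an alert when a write to BootExecute introduces an entry outside an allow-list, or when an unusual process rewrites the value. The sample records are constructed for the demonstration; the assumption that Sysmon renders a REG_MULTI_SZ one entry per line, and the list of processes treated as normal writers, are both heuristics you should verify against your own telemetry.

```powershell
# Added example, not from the article or Microsoft. Flags registry-change
# telemetry that touches BootExecute and carries entries outside an allow-list.
# Record shape follows Sysmon Event ID 13 EventData fields; the sample records
# below are constructed for this demonstration.

$KnownGood           = @('autocheck autochk *')              # assumed legitimate entries
$BootExecutePattern  = '\\Control\\Session Manager\\BootExecute$'
$ExpectedWriters     = '\\(svchost|TrustedInstaller|TiWorker)\.exe$'   # assumption: servicing processes

# Constructed sample records (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ TimeUtc = '2025-01-10 08:01:12'; Image = 'C:\Windows\System32\svchost.exe'
                       User = 'NT AUTHORITY\SYSTEM'
                       TargetObject = 'HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute'
                       Details = 'autocheck autochk *' },
    [pscustomobject]@{ TimeUtc = '2025-01-10 08:07:45'; Image = 'C:\Windows\System32\reg.exe'
                       User = 'CORP\jdoe'
                       TargetObject = 'HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute'
                       Details = "autocheck autochk *`nC:\Windows\Temp\unexpected.exe" },   # constructed extra entry
    [pscustomobject]@{ TimeUtc = '2025-01-10 08:09:01'; Image = 'C:\Windows\System32\svchost.exe'
                       User = 'NT AUTHORITY\SYSTEM'
                       TargetObject = 'HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Path'
                       Details = 'C:\Windows;C:\Windows\System32' }
)

function Split-MultiString {
    # Assumption: multi-string values arrive one entry per line (or NUL-separated).
    param([string]$Details)
    @($Details -split "`r?`n|`0" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
}

function Find-BootExecuteTampering {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.TargetObject -notmatch $BootExecutePattern) { continue }   # only BootExecute writes
        $entries = Split-MultiString -Details $e.Details
        $bad     = @($entries | Where-Object { $KnownGood -notcontains $_ })
        $severity = if ($bad.Count -gt 0) { 'High' }                         # new executable in the boot list
                    elseif ($e.Image -notmatch $ExpectedWriters) { 'Medium' } # benign value, unusual writer
                    else { 'Info' }
        [pscustomobject]@{
            TimeUtc    = $e.TimeUtc
            User       = $e.User
            Image      = $e.Image
            Entries    = $entries
            Unexpected = $bad
            Severity   = $severity
        }
    }
}

function Get-SysmonRegistryValueSetEvents {
    # Live variant: read Sysmon Event 13 records into the same record shape.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{ TimeUtc = $_.TimeCreated.ToUniversalTime(); Image = $d['Image']
                           User = $d['User']; TargetObject = $d['TargetObject']; Details = $d['Details'] }
      }
}

# Demo on the constructed records: the first write is Info, the second is High
# (C:\Windows\Temp\unexpected.exe is not in the allow-list), the third is skipped.
Find-BootExecuteTampering -Events $SampleEvents | Format-Table TimeUtc, User, Image, Severity, Unexpected -AutoSize

# Live: Find-BootExecuteTampering -Events (Get-SysmonRegistryValueSetEvents) | Where-Object Severity -ne 'Info'
```

This only sees writes made while the OS and its sensor are running. An edit made from WinRE against the offline hive, the case the article describes, produces no Sysmon or Security event at all, which is why a boot-time comparison of the live value against a known-good list is needed alongside this log-based detection.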

What Comes Next

Microsoft has committed to issuing a formal security update that will enforce a code-signing requirement for any executable referenced in BootExecute, subjecting them to the same Secure Boot policies as other boot drivers. This change will likely arrive in a Patch Tuesday update for all supported Windows versions by the end of Q2 2025, according to the advisory’s timeline. However, the update will only take effect on systems that have the latest servicing stack updates and may require reinstalling WinRE from updated media.

In the meantime, the manual BootExecute fix remains the primary defense. Administrators who have not yet assessed their WinRE exposure should consider this vulnerability a critical prompt to audit their recovery configurations. “We’ve relied on BitLocker as a gold standard for years,” said one security engineer at a Fortune 500 firm. “This bug doesn’t break encryption, but it shows that the recovery environment is an Achilles’ heel that needs constant attention.”

For the broader Windows community, CVE-2026-45585 reinforces the mantra that physical security is an essential layer of defense. As encryption technologies mature, the focus shifts toward validating the components that run before the encryption key is released—and that’s a battle fought in the firmware and pre-boot recovery tools. Microsoft’s move to lock down BootExecute is a necessary step, but it will require widespread administrative effort to realize the full protective benefit.