Affected Windows versions
CVE-2026-45585 is a BitLocker security feature bypass with a physical attack vector. The relevant operating scenario is a lost, stolen, unattended, repaired, or traveling device - not a remotely exposed Windows service.
Windows 11 24H2, 25H2, and 26H1 on x64 systems are in scope, as is Windows Server 2025 including Server Core. The June 2026 Windows security update includes the fix. The previously recommended mitigation does not need to be reverted after the update is installed.
What should be documented now
- Verify patch level: Compare Windows 11 and Windows Server 2025 systems against the current June builds or newer cumulative updates.
- Record BitLocker state: Document protection state, encryption state, and key protector type per volume.
- Check WinRE state: Review `reagentc /info` on samples and risk groups, especially where recovery images were customized manually.
- Prove recovery key escrow: Check storage in Entra ID, Active Directory, MDM, or another approved process. Do not treat isolated local copies as sufficient evidence.
- Prioritize high-risk devices: Executive laptops, admin workstations, developer systems, field devices, travel devices, and systems with sensitive local data should be remediated first.
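The four evidence items above (patch level, BitLocker state per volume, WinRE state, recovery protector inventory for escrow reconciliation) can be collected from each device with one script and exported as JSON for the records the list asks for. The script below is an added example, not part of the original advisory or any Microsoft tooling; it uses the built-in `BitLocker` module, the `CurrentVersion` registry key, and `reagentc /info`. The `$MinimumUbr` table is a placeholder: the page does not list the June 2026 build numbers, so fill in the UBR (the revision after the build number) from the update KB article for each version before relying on the `PatchState` field. Escrow itself cannot be proven on the device; the script only records recovery protector IDs so they can be matched against Entra ID, AD, or MDM records, and it also flags TPM-only OS volumes for the TPM+PIN review discussed below.

```powershell
# Added example (not from the original advisory): per-device evidence collection
# for the CVE-2026-45585 documentation checklist. Run in an elevated session.
param(
    # PLACEHOLDER values: replace 0 with the UBR of the June 2026 cumulative
    # update for each version (taken from the KB article, not from this page).
    [hashtable]$MinimumUbr = @{ '24H2' = 0; '25H2' = 0; '26H1' = 0 }
)

function Get-PatchLevel {
    # DisplayVersion (e.g. 24H2), CurrentBuild and UBR come from the registry;
    # the UBR is the part of the build string that cumulative updates advance.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = [int]$cv.CurrentBuild
        Ubr            = [int]$cv.UBR
    }
}

function Test-PatchLevel {
    param($Patch, [hashtable]$Minimums)
    $required = $Minimums[$Patch.DisplayVersion]
    if ($null -eq $required) { return 'UnknownVersion' }   # not in scope table
    if ($Patch.Ubr -ge $required) { 'Patched' } else { 'NeedsUpdate' }
}

function Get-WinReState {
    # Parses the English output of reagentc /info; adjust the labels on
    # localized systems, where the lines are translated.
    $status = 'Unknown'; $location = $null
    foreach ($line in (& reagentc.exe /info 2>&1)) {
        if ($line -match '^\s*Windows RE status:\s*(.+?)\s*$')   { $status   = $Matches[1] }
        if ($line -match '^\s*Windows RE location:\s*(.+?)\s*$') { $location = $Matches[1] }
    }
    [pscustomobject]@{ Status = $status; Location = $location }
}

function Get-BitLockerInventory {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recoveryIds = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId })
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin -and -not ($types -contains 'TpmStartupKey')
        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeType           = $vol.VolumeType.ToString()
            ProtectionStatus     = $vol.ProtectionStatus.ToString()
            VolumeStatus         = $vol.VolumeStatus.ToString()
            EncryptionPercent    = $vol.EncryptionPercentage
            ProtectorTypes       = ($types -join ',')
            HasPinProtector      = $hasPin
            TpmOnly              = $tpmOnly
            # Reconcile these IDs against the escrow records in Entra ID / AD / MDM;
            # a local copy on the device is not evidence of escrow.
            RecoveryProtectorIds = ($recoveryIds -join ';')
        }
    }
}

function Get-RiskFlags {
    param($PatchState, $WinRE, $Volumes)
    $flags = @()
    if ($PatchState -ne 'Patched')  { $flags += "Patch:$PatchState" }
    if ($WinRE.Status -ne 'Enabled') { $flags += "WinRE:$($WinRE.Status)" }
    foreach ($v in $Volumes) {
        if ($v.ProtectionStatus -ne 'On')          { $flags += "$($v.MountPoint) protection $($v.ProtectionStatus)" }
        if (-not $v.RecoveryProtectorIds)          { $flags += "$($v.MountPoint) has no recovery password protector" }
        if ($v.VolumeType -eq 'OperatingSystem' -and $v.TpmOnly) { $flags += "$($v.MountPoint) is TPM-only (review TPM+PIN)" }
    }
    $flags
}

$patch   = Get-PatchLevel
$state   = Test-PatchLevel -Patch $patch -Minimums $MinimumUbr
$winre   = Get-WinReState
$volumes = @(Get-BitLockerInventory)

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Collected      = (Get-Date).ToString('s')
    DisplayVersion = $patch.DisplayVersion
    Build          = "$($patch.Build).$($patch.Ubr)"
    PatchState     = $state
    WinRE          = $winre
    Volumes        = $volumes
    RiskFlags      = @(Get-RiskFlags -PatchState $state -WinRE $winre -Volumes $volumes)
} | ConvertTo-Json -Depth 4
```

Feed the JSON into whatever evidence store the audit uses; the `RiskFlags` array gives the triage order for the high-risk device groups, and an empty array on a device whose recovery protector IDs were also found in the escrow system is the state the checklist asks you to prove.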
For mobile and high-risk devices
TPM-only remains convenient, but it is a weaker operating choice for devices with elevated physical exposure. TPM+PIN should be reviewed again for selected groups, including helpdesk workflow, recovery key handling, and user communication.
During the ongoing Secure Boot certificate update rollout, some devices might restart one additional time in the update window. Plan for that in deployment so BitLocker recovery events are not created by an incomplete update process.
If only one step can be done immediately: prove patch level, BitLocker protector type, WinRE state, and recovery key escrow for mobile Windows 11 devices.
