Zero-day exploit defeats default Windows 11 BitLocker protections

Independent security researcher Rafał Wolnik has presented a zero-day exploit that defeats default Windows 11 BitLocker disk encryption. The demonstration was given at the ConfidenceConf security conference in Poland; Wolnik subsequently published a technical write-up on his blog.
BitLocker is Microsoft's built-in full-disk-encryption tool. The company first introduced it in 2007 with Windows Vista, and it has been enabled by default on enterprise workstations across Windows 10 and 11 for many years. The exploit specifically targets the "autounlock" component, which removes the requirement for users to enter a password at every system start.
Wolnik's method requires physical access. The attacker plugs a tampered USB device into a powered-down machine; the device intervenes in a memory window during the Windows Boot Manager's start sequence. The technique bypasses TPM (Trusted Platform Module) verification and runs without administrative privileges on the target machine.
Wolnik wrote in the published proof-of-concept that the technique "directly attacks the theoretical threat model of Microsoft's default BitLocker configuration." The researcher argued that the underlying issue is the absence of a platform configuration register (PCR) check during the TPM's start phase.
The Microsoft Security Response Center said it had "confirmed the issue and is actively investigating." MSRC has assigned the issue CVE-2026-32147 and confirmed that all Windows 11 versions using the BitLocker "autounlock" component are affected.
Microsoft said a patch will ship in next Tuesday's Patch Tuesday release. As an interim mitigation, Microsoft is advising users to disable "autounlock" in BitLocker and switch to a configuration that requires a PIN at every startup. The company noted that for enterprise IT administrators, this change can be deployed centrally through Group Policy.
Microsoft Configuration Manager documentation has, for some time, recommended a BitLocker TPM+PIN configuration under the "Enhanced Sign-in Security" guidance for enterprise customers. Wolnik's research provides concrete proof of why that recommendation is technically necessary.
Tavis Ormandy of Google's Project Zero security group called Wolnik's research "a real-world demonstration of a structural weakness that has lived inside BitLocker's default threat model for the past decade." Ormandy said similar structural weaknesses might be found in other disk-encryption tools during the corporate review that this disclosure is likely to trigger.
For end users, the practical guidance is clear: keep using BitLocker, but disable the "autounlock" component and enable a TPM+PIN configuration. The change can be made on Windows 11 Pro and Enterprise through Group Policy, and on home installations through the BitLocker control panel.
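The following PowerShell script is an added example of how an administrator could audit and apply that guidance on a Windows 11 Pro or Enterprise machine; it is not code from Wolnik's write-up or from Microsoft. It assumes that the "autounlock" behaviour the article describes corresponds to a TPM-only key protector on the OS volume, that the BitLocker PowerShell module is present, and that the `HKLM\SOFTWARE\Policies\Microsoft\FVE` values it writes are the registry equivalents of the "Require additional authentication at startup" Group Policy setting (the same policy an enterprise would push centrally instead).

```powershell
#Requires -RunAsAdministrator
# Audit the OS volume's BitLocker key protectors and, with -Remediate, move a
# TPM-only ("autounlock") volume to TPM+PIN. Added example; assumes Windows 11
# Pro/Enterprise and that the FVE policy values below match the
# "Require additional authentication at startup" Group Policy setting.

param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$Remediate   # without this switch the script only reports
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-StartupProtectorReport {
    param([string]$MountPoint)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        TpmOnly          = ($types -contains 'Tpm')       # unattended unlock
        TpmPin           = ($types -contains 'TpmPin')    # PIN at every boot
        RecoveryPassword = ($types -contains 'RecoveryPassword')
        AllProtectors    = ($types -join ', ')
    }
}

function Set-RequirePinPolicy {
    # Policy equivalent of "Require additional authentication at startup"
    # with TPM-only startup disallowed. Value semantics for the UseTPM*
    # entries: 0 = do not allow, 1 = require, 2 = allow.
    New-Item -Path $policyPath -Force | Out-Null
    Set-ItemProperty -Path $policyPath -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $policyPath -Name 'EnableBDEWithNoTPM' -Value 0 -Type DWord
    Set-ItemProperty -Path $policyPath -Name 'UseTPM'             -Value 0 -Type DWord
    Set-ItemProperty -Path $policyPath -Name 'UseTPMPIN'          -Value 1 -Type DWord
    Set-ItemProperty -Path $policyPath -Name 'UseTPMKey'          -Value 0 -Type DWord
    Set-ItemProperty -Path $policyPath -Name 'UseTPMKeyPIN'       -Value 0 -Type DWord
}

function Convert-ToTpmPin {
    param([string]$MountPoint)
    $report = Get-StartupProtectorReport -MountPoint $MountPoint
    if ($report.TpmPin) {
        Write-Host "$MountPoint already has a TPM+PIN protector."
        return
    }
    if (-not $report.RecoveryPassword) {
        # Make sure a recovery path exists before changing startup authentication.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Write-Host 'Added a recovery password; escrow it (e.g. BackupToAAD-BitLockerKeyProtector or AD) before rebooting.'
    }
    $pin = Read-Host -Prompt 'Enter a startup PIN (6 or more digits)' -AsSecureString
    # Adding a TPM+PIN protector replaces the existing TPM-only protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    # Defensive cleanup: remove any TPM-only protector that still remains.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

$before = Get-StartupProtectorReport -MountPoint $MountPoint
$before | Format-List
if ($before.TpmOnly -and -not $before.TpmPin) {
    Write-Warning "$MountPoint unlocks with the TPM alone; no PIN is required at startup."
    if ($Remediate) {
        Set-RequirePinPolicy
        Convert-ToTpmPin -MountPoint $MountPoint
        Get-StartupProtectorReport -MountPoint $MountPoint | Format-List
    }
}
```

Run it once without `-Remediate` to see which protector types the OS volume carries; a report showing `TpmOnly = True` and `TpmPin = False` is the default configuration the article describes. The policy step comes first because `Add-BitLockerKeyProtector -TpmAndPinProtector` is refused while Group Policy does not permit a startup PIN, and the recovery-password check exists so that a mistyped or forgotten PIN never leaves the machine without a recovery path. In a managed fleet the registry writes would be replaced by the equivalent Group Policy object and the result verified with `gpresult` before the PIN is enrolled.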
The exploit and the coming patch are expected to trigger a fresh review of BitLocker configurations in enterprise IT security teams. After the TPM-bound disk vulnerabilities disclosed last year, this is the third major vulnerability directly affecting Windows full-disk encryption in the past 18 months.