ADVISORY SUMMARY
The June 9, 2026 Patch Tuesday addressed three BitLocker security feature bypass vulnerabilities: CVE-2026-45585 ('YellowKey'), CVE-2026-50507 ('Bitskrieg'), and CVE-2026-45658. All three enable attackers to bypass BitLocker encryption and gain access to protected data, a critical risk for stolen or unattended devices and physical-access attack scenarios. The same cycle patched 8 Secure Boot bypass vulnerabilities and multiple UEFI-level bypasses, which together form a significant cluster of boot-chain security issues. These were among the 39 Critical-rated vulnerabilities in the record-breaking 206-vulnerability Patch Tuesday.
AFFECTED SYSTEMS
MITIGATION GUIDANCE
Apply all June 2026 Windows cumulative updates immediately via Windows Update, WSUS, SCCM, or Intune. Enable TPM+PIN authentication (instead of TPM-only) to mitigate YellowKey (CVE-2026-45585) and Bitskrieg (CVE-2026-50507) — PIN authentication adds a knowledge factor that these bypasses cannot trivially defeat. Audit BitLocker deployment configurations across the estate and confirm PIN policies are enforced via Group Policy.
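One way to carry out the audit step above on a single Windows host, as an added PowerShell example that is not part of the original advisory: it lists each volume's key protectors with Get-BitLockerVolume and reads the BitLocker (FVE) policy key. The 0/1/2 reading of the policy values and the wording of the findings are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit one host for TPM+PIN on the OS volume and for the
# matching Group Policy setting. Run from an elevated PowerShell session.

$pinTypes = 'TpmPin', 'TpmPinStartupKey'   # protector types that include a PIN

# 1. Key protectors actually present on each BitLocker volume
$volumes = Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MountPoint = $_.MountPoint
        VolumeType = "$($_.VolumeType)"
        Protection = "$($_.ProtectionStatus)"
        Protectors = $types -join ','
        HasPin     = [bool]($types | Where-Object { $_ -in $pinTypes })
    }
}

# 2. Values written by the "Require additional authentication at startup" policy
#    (assumed meaning: 0 = do not allow, 1 = require, 2 = allow)
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                        -ErrorAction SilentlyContinue
$pinRequired = ($fve.UseAdvancedStartup -eq 1) -and
               (($fve.UseTPMPIN -eq 1) -or ($fve.UseTPMKeyPIN -eq 1))

# 3. Findings: the OS volume must be protected and carry a PIN protector,
#    and policy must require the PIN rather than merely allow it
$findings = @()
foreach ($v in ($volumes | Where-Object VolumeType -eq 'OperatingSystem')) {
    if ($v.Protection -ne 'On') {
        $findings += "$($v.MountPoint): BitLocker protection is not on"
    } elseif (-not $v.HasPin) {
        $findings += "$($v.MountPoint): no PIN protector (found: $($v.Protectors))"
    }
}
if (-not $pinRequired) {
    $findings += 'Group Policy does not require a startup PIN with the TPM'
}

$volumes | Format-Table -AutoSize
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'OS volume uses TPM+PIN and policy requires it.'
```

A non-zero exit code marks the host as non-compliant, so the script can be run per device from existing management tooling and the results collected centrally.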
DETECTION SIGNATURES
Monitor for unexpected pre-boot environment modifications or Secure Boot policy changes. Alert on BitLocker recovery key requests that do not correlate with known device management actions. Audit TPM event logs for anomalous boot sequence attestation failures. Correlate physical asset access records with BitLocker recovery events.
REFERENCES
- https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun
- https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-security-recap-june-2026-edition/
- https://nvd.nist.gov/vuln/detail/CVE-2026-45585