
Microsoft pushes out PowerShell scripts to fix BitLocker bypass

Attackers exploiting the vulnerability could access encrypted data

Microsoft has fixed a vulnerability in the Windows Recovery Environment (WinRE) for Windows 10 and 11 systems that could allow access to encrypted data in storage devices.

Redmond engineers created a sample PowerShell script to enable enterprises to automatically update WinRE images to protect the Windows devices from a BitLocker security bypass vulnerability tracked as CVE-2022-41099.

There are two versions of the script (KB5025175), which should be run with administrator credentials in PowerShell, the company writes. The more robust version – PatchWinREScript_2004plus.ps1 – is for devices running Windows 10 2004 and later, including Windows 11. The other – PatchWinREScript_General.ps1 – is aimed at those with Windows 10 v1909 and earlier.

Microsoft released an advisory about the vulnerability in November 2022 and updated the notice in February.

It's not easy for attackers to exploit the flaw, according to Microsoft. If the device is protected by BitLocker in TPM+PIN mode, the crooks would need to know the TPM PIN to get into the system. The TPM+PIN multi-factor authentication (MFA) mode uses the device's TPM (Trusted Platform Module) security hardware and a PIN to authenticate users. In this mode, users must enter the PIN in the Windows pre-boot environment whenever the computer starts.

"The TPM is a hardware component installed in many newer computers by the computer manufacturers," Microsoft writes in a February document. "It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline."

However, if an attacker does get into the system, they can cause some damage.

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," the company writes. "An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

The flaw can only be exploited on systems where winre.wim resides on the recovery partition.

The scripts enable organizations to determine the name of the OS Dynamic update package used to update the WinRE image. The OS Dynamic update package, which is available from the Windows Update Catalog, is OS version- and architecture-specific, so choosing the right one is important.

The package should be downloaded before the script is run. If the BitLocker TPM protector is present, the script will then reconfigure WinRE for the BitLocker service.
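The procedure above has a few preconditions an administrator would want to confirm on each device before touching WinRE: which of the two KB5025175 scripts applies (by OS build), whether WinRE is enabled at all, whether the OS volume actually carries a TPM-based BitLocker protector, and whether the Dynamic Update package has already been downloaded. The following pre-flight script is an added example written for this article; it is not Microsoft's script and not part of KB5025175. The `-packagePath` parameter passed to Microsoft's script at the end is an assumption about that script's interface, as are the build-number thresholds (19041 is taken as the first Windows 10 2004 build); check the KB text before relying on either.

```powershell
#Requires -RunAsAdministrator
# Added pre-flight check for the KB5025175 WinRE patching procedure.
# Illustrative code, not Microsoft's script. Parameter names passed to the
# Microsoft script are assumptions; confirm them against the KB article.

param(
    # Folder where the OS Dynamic Update .cab from the Windows Update Catalog was saved.
    [Parameter(Mandatory = $true)]
    [string]$PackagePath,
    # Folder containing the two Microsoft scripts from KB5025175 (default: next to this script).
    [string]$ScriptDir = $PSScriptRoot
)

# 1. Identify OS build and architecture: the Dynamic Update package is version- and arch-specific,
#    and the article's rule for choosing a script is "Windows 10 2004 and later" vs. "1909 and earlier".
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$arch  = $env:PROCESSOR_ARCHITECTURE
Write-Host "OS version $($os.Version) (build $build, $arch)"

# Assumption: Windows 10 2004 corresponds to build 19041; that and later (incl. Windows 11) use 2004plus.
$scriptName = if ($build -ge 19041) { 'PatchWinREScript_2004plus.ps1' } else { 'PatchWinREScript_General.ps1' }
$scriptFile = Join-Path $ScriptDir $scriptName
if (-not (Test-Path $scriptFile)) { throw "Expected $scriptName in $ScriptDir; download it from KB5025175 first." }
Write-Host "Selected script: $scriptName"

# 2. Confirm WinRE is enabled and see where winre.wim lives (the flaw applies when it is on the recovery partition).
$reagentText = (reagentc /info) -join "`n"
Write-Host $reagentText
if ($reagentText -notmatch 'Windows RE status:\s+Enabled') {
    Write-Warning 'WinRE is not enabled on this device; nothing to patch here.'
    return
}

# 3. Check for a TPM-based BitLocker protector on the OS volume; the Microsoft script
#    reconfigures WinRE for BitLocker only when such a protector is present.
$osVol         = Get-BitLockerVolume -MountPoint $env:SystemDrive
$tpmProtectors = $osVol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if ($tpmProtectors) {
    Write-Host "TPM protector(s) on $($env:SystemDrive): $($tpmProtectors.KeyProtectorType -join ', ')"
} else {
    Write-Host "No TPM protector on $($env:SystemDrive); the script should only update the WinRE image."
}

# 4. The Dynamic Update package must be downloaded before the script runs.
$cab = Get-ChildItem -Path $PackagePath -Filter '*.cab' -File | Select-Object -First 1
if (-not $cab) {
    throw "No Dynamic Update .cab found in $PackagePath; download the package for build $build/$arch from the Windows Update Catalog first."
}
Write-Host "Using package: $($cab.FullName)"

# 5. Hand off to Microsoft's script. ASSUMPTION: it accepts -packagePath; adjust to the parameters the KB documents.
& $scriptFile -packagePath $cab.FullName
```

Run it from an elevated PowerShell session with the path to the folder holding the downloaded .cab, e.g. `.\Check-WinRE.ps1 -PackagePath C:\Temp\DU`. The `reagentc /info` check relies on English output; on localized systems, match the translated "Windows RE status" line instead.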

BitLocker is a key tool used by Microsoft to keep data protected.

"BitLocker helps mitigate unauthorized data access by enhancing file and system protections," the company adds. "BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled." ®
