If your organisation relies on BitLocker for device encryption, this week’s news needs your attention.
A security researcher published a tool called BitUnlocker that demonstrates a practical attack against BitLocker on fully patched Windows 11 devices. An attacker with physical access to a device can decrypt a BitLocker-protected drive in under five minutes — no specialist hardware, no complex setup.
This is not a flaw in BitLocker itself. It is a gap between patching and certificate revocation that leaves most enterprise Windows 11 devices exposed right now.
What the vulnerability is
The underlying issue is CVE-2025-48804, a flaw in the Windows Recovery Environment patched by Microsoft in July 2025.
Microsoft shipped the fix. Most organisations applied it. The problem is that patching alone does not close the attack surface.
Secure Boot — the technology that validates what loads during boot — checks a binary’s signing certificate, not its version number. All Windows boot managers before the July 2025 fix were signed under a certificate called Microsoft Windows PCA 2011. That certificate is still trusted on virtually every Windows device in production today.
This means an attacker can load an older, vulnerable boot manager, have it pass Secure Boot validation, and use it to access the BitLocker-encrypted drive — bypassing the patched version entirely.
Until the PCA 2011 certificate is revoked from Secure Boot databases through the KB5025885 migration, the patch alone is not sufficient.
Is your organisation affected?
The short answer: probably yes, if you haven’t completed KB5025885.
Vulnerable: Any device running BitLocker with TPM-only protection that hasn’t completed the KB5025885 migration. This covers the majority of enterprise Windows 11 estates.
Protected:
- Devices with TPM + PIN pre-boot authentication configured — the user must enter a PIN before the device boots, which prevents the attack from succeeding even if someone has physical access
- Devices that have completed the KB5025885 migration — this updates the boot manager signing to a newer certificate that isn’t affected by the downgrade
If you’re not sure where your estate stands, you can check by mounting the EFI partition and running sigcheck against the active boot manager. If it shows Microsoft Windows PCA 2011, the device is exposed. If it shows Windows UEFI CA 2023, it’s protected.
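As an added example (not code from the article), the following PowerShell audit does the signer check above with Get-AuthenticodeSignature instead of sigcheck and goes a step further: it also reads the Secure Boot DB/DBX variables to see how far the KB5025885 migration has progressed, and checks whether the OS volume actually has a TPM + PIN protector. It assumes the active boot manager is \EFI\Microsoft\Boot\bootmgfw.efi on the EFI system partition, that mountvol can mount that partition, and that the certificate names in the script match the subject/issuer strings on the device; the function name is made up.

```powershell
# Added example (not from the article): audit one Windows 11 device for the
# boot-manager downgrade. Run from an elevated PowerShell session.
# Assumptions: 'mountvol <letter>: /S' mounts the EFI system partition, and
# the certificate names below match the subject/issuer strings on the device.
function Get-BitLockerDowngradeExposure {
    [CmdletBinding()]
    param([string]$OsDrive = 'C:')

    # 1. Signer of the active boot manager (what the article checks with sigcheck).
    #    Pick a free drive letter, mount the ESP, read the Authenticode signer, unmount.
    $efi = (68..90 | ForEach-Object { [char]$_ + ':' } |
            Where-Object { -not (Test-Path $_) } | Select-Object -First 1)
    mountvol $efi /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$efi\EFI\Microsoft\Boot\bootmgfw.efi"
        $signer = "$($sig.SignerCertificate.Subject) | $($sig.SignerCertificate.Issuer)"
    } finally {
        mountvol $efi /D | Out-Null
    }

    # 2. Secure Boot state: has the 2023 CA been added to DB, and has PCA 2011
    #    been revoked in DBX? Both are steps of the KB5025885 migration.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $ca2023InDb   = $db  -match 'Windows UEFI CA 2023'
    $pca2011InDbx = $dbx -match 'Microsoft Windows Production PCA 2011'

    # 3. Does the OS volume require a PIN at boot (TpmPin or TpmPinStartupKey)?
    $types  = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
              ForEach-Object { $_.KeyProtectorType.ToString() }
    $tpmPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

    $signedBy2011 = $signer -match 'PCA 2011'
    $signerName   = if ($signedBy2011) { 'Microsoft Windows PCA 2011' }
                    elseif ($signer -match 'UEFI CA 2023') { 'Windows UEFI CA 2023' }
                    else { 'unknown' }

    # Exposed when no pre-boot PIN is set AND the vulnerable signing chain is
    # still usable: either the active boot manager is PCA 2011-signed, or
    # PCA 2011 has not yet been revoked (an older boot manager would still load).
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        BootManagerSigner = $signerName
        Ca2023InDb        = $ca2023InDb
        Pca2011Revoked    = $pca2011InDbx
        TpmPinRequired    = $tpmPin
        Exposed           = (-not $tpmPin) -and ($signedBy2011 -or -not $pca2011InDbx)
    }
}

Get-BitLockerDowngradeExposure | Format-List
```

Run it through your management tooling (Intune remediation script, ConfigMgr, or a remote session) and collect the Exposed field per device to prioritise the estate.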
What to do
Step 1 — Enable TPM + PIN on all managed devices
This is the most immediate control available. With TPM + PIN configured, a PIN is required before the device will boot. Without it, the attack cannot proceed even if someone has physical access to the machine.
In Intune, configure this under: Endpoint security → Disk encryption → BitLocker policy → Require startup PIN with TPM
This protects devices while you work through the longer-term fix.
Step 2 — Deploy KB5025885
This is the proper remediation. KB5025885 migrates boot manager signing to the newer Windows UEFI CA 2023 certificate, which permanently closes this attack path.
The migration has multiple phases and needs to be worked through carefully. Simply installing the KB is not sufficient — you need to follow Microsoft’s full guidance at support.microsoft.com/kb/5025885.
Step 3 — Prioritise high-risk devices
Focus first on devices that are regularly taken out of the office — laptops used by field staff, executives, finance teams, or anyone handling sensitive data. These are the devices most likely to be physically accessed by an unauthorised person.
The bigger picture
This vulnerability highlights something we’ve seen across multiple security incidents: patching is necessary but not always sufficient.
BitLocker is a solid encryption solution when configured correctly. TPM + PIN has always been the recommended configuration for environments with real security requirements. The issue is that TPM-only is the default in most deployment guides, and many organisations have never revisited that decision.
This is also directly related to the Secure Boot certificate expiry timeline we’ve covered previously on this site. The underlying problem — slow certificate revocation — is the same. KB5025885 addresses both issues, which is another reason to prioritise it.
Summary
BitLocker on Windows 11 can be bypassed on devices running TPM-only protection that haven’t completed KB5025885. The fix involves two steps: enable TPM + PIN via Intune now, and work through the KB5025885 migration to permanently close the gap.
If your organisation handles sensitive data and your devices leave the office, this needs to be on your remediation list this week.