Rebuild WinRE trust after CVE-2026-33825 changes
BitLocker zero-day mitigations have landed in awkward territory again: the exposed path sits in WinRE, not in some dramatic front-end exploit chain. A crafted FsTx file, a reboot into recovery, and a CTRL-triggered shell are enough to put protected drives within reach on unpatched Windows hosts. TPM-only setups are the obvious weak spot.
Remove the boot-time path that lets WinRE hand over the keys
The main Microsoft mitigation is blunt. Remove autofstx.exe from the Session Manager\BootExecute REG_MULTI_SZ value so the FsTx Auto Recovery Utility does not start when the WinRE image launches.
That matters because the exploit path depends on WinRE starting the utility at boot. Once that hand-off is gone, the Transactional NTFS replay that deletes winpeshl.ini no longer happens, and the recovery flow loses the behaviour the bypass needs. The protected drive is still encrypted, but the access control boundary is no longer being flattened by the same boot-time sequence.
The practical boundary is simple: if a device is still running a TPM-only BitLocker setup, this mitigation should not be treated as enough on its own. Microsoft also advises moving encrypted devices from TPM-only to TPM+PIN, or requiring startup PINs through policy on devices that are not yet encrypted. That adds a pre-boot check the recovery path cannot wave through.
Re-establish the WinRE trust relationship after autofstx.exe is gone
Removing autofstx.exe is only half the job. WinRE trust has to be rebuilt using the mitigation process already published for CVE-2026-33825, or BitLocker may keep behaving as if recovery has the same old trust chain.
That step sounds dull because it is dull, which is usually a good sign in security work. The image should no longer auto-start the recovery utility, but the system still needs a clean trust relationship with WinRE after the change. Skip that part and you can end up with a hardened-looking machine that still trusts the wrong recovery state.
For devices managed through policy, the cleanest route is startup authentication, not wishful thinking. On unencrypted endpoints, Require additional authentication at startup in Intune or Group Policy can be used to enforce TPM startup PIN settings. On encrypted devices, shifting from TPM-only to TPM+PIN closes off the easiest path the bypass relies on. It is not elegant. It is just less embarrassing than leaving a known boot-time bypass sitting on a laptop with a BitLocker badge on the lid.




