Windows recovery environment

Winsage
May 14, 2026
An anonymous cybersecurity researcher disclosed two new zero-day vulnerabilities affecting Microsoft systems: YellowKey and GreenPlasma. YellowKey is a BitLocker bypass that operates as a backdoor within the Windows Recovery Environment, impacting Windows 11 and Windows Server 2022/2025. Exploiting YellowKey involves copying specially crafted files to a USB drive, connecting it to a Windows computer, and rebooting into WinRE. The researcher expressed skepticism about Microsoft's response time to this vulnerability, noting that using TPM+PIN does not mitigate the risk. GreenPlasma is a privilege escalation vulnerability that allows an unprivileged user to obtain a shell with SYSTEM permissions through arbitrary section creation in Windows CTFMON. The proof-of-concept for this exploit is incomplete but indicates potential manipulation of trusted privileged services or drivers. Additionally, a related attack against BitLocker was detailed by French cybersecurity firm Intrinsec, which exploits a boot manager downgrade using CVE-2025-48804 to bypass encryption protections on fully patched Windows 11 systems. This method allows attackers to boot from a controlled WIM while the boot manager checks the legitimate one, executing with the decrypted BitLocker volume. Despite Microsoft releasing fixes for this defect in July 2025, a flaw in Secure Boot verification allows a vulnerable boot manager to bypass BitLocker safeguards. To mitigate these risks, enabling a BitLocker PIN at startup and migrating to a new boot manager certificate are recommended.
Winsage
May 13, 2026
A cybersecurity researcher known as Chaotic Eclipse has released proof-of-concept exploits for two unpatched vulnerabilities in Microsoft Windows: YellowKey, a BitLocker bypass, and GreenPlasma, a privilege-escalation flaw. The YellowKey vulnerability affects Windows 11 and Windows Server 2022/2025, allowing unauthorized access to BitLocker-protected volumes by exploiting the Windows Recovery Environment. The exploit can be executed using specially crafted 'FsTx' files on a USB drive or directly on the EFI partition. Independent researcher Kevin Beaumont has validated the exploit, which can bypass BitLocker protections even in a Trusted Platform Module (TPM) environment. The GreenPlasma vulnerability allows unprivileged users to create arbitrary memory-section objects, potentially leading to privilege escalation. Chaotic Eclipse has expressed dissatisfaction with Microsoft's handling of bug reports, prompting the public disclosure of these vulnerabilities. Microsoft has stated its commitment to investigating security issues and updating affected devices.
Winsage
May 8, 2026
Microsoft is testing a recovery feature for Windows 11 called Point-in-Time Restore, which offers a more extensive system snapshot than the traditional System Restore. It was first introduced in the Windows 11 Insider Experimental preview on April 24, 2026. The feature aims to minimize downtime and simplify troubleshooting and can be accessed through the Windows Recovery Environment and the Windows Settings app. Point-in-Time Restore backs up a broader range of data compared to System Restore, including user files, applications, settings, passwords, secrets, certificates, and keys. It restores the entire PC to a previous state, losing any local changes made after the snapshot. The feature operates on an automated schedule, with snapshots retained for up to 72 hours, and users can create new snapshots at specified intervals. For optimal use, Point-in-Time Restore is enabled by default on PCs with at least 200GB of drive space, with a storage cap of 2% of total drive capacity. It remains optional for consumer versions of Windows. A specialized version for Windows 365 Enterprise cloud PCs is always active, retains restore points for up to a month, and uses scalable cloud storage. Remote management support for Point-in-Time Restore is under development and not yet available. Currently, it is limited to builds within the Windows 11 Insider Experimental channel, with broader availability details pending.
Winsage
April 25, 2026
Microsoft's April 2026 Patch Tuesday update, KB5083769, has caused significant boot issues for Windows 11 users on versions 24H2 and 25H2. Users reported problems such as distorted visuals and the Blue Screen of Death after restarting post-update. The issue affects various hardware configurations, including HP and Dell systems. Additionally, the update may trigger BitLocker recovery on some systems, complicating recovery for users without their recovery key. Users have also experienced an increase in the number of restarts required during installation. Microsoft has not yet provided an emergency fix. Affected users are advised to use the Windows Recovery Environment for troubleshooting, including System Restore and Startup Repair. To check if KB5083769 is installed, users can go to Settings → Windows Update → Update history; if it is present, uninstalling it and pausing updates is recommended.
Winsage
April 25, 2026
Microsoft is rolling out a new Experimental Windows Insider channel, transitioning users from the Dev Channel to the Experimental Channel with updates from the 26300 series builds. Over the coming weeks, Canary testers using the 28000 series will be moved to the Experimental (26H1) Channel, while those on the 29500 series will go to the Experimental (Future Platforms) Channel. The latest build for the Dev Channel is 26300.8289, which includes enhancements such as improved Windows Update functionalities and options to skip updates during the out-of-the-box experience. Dev Channel testers can enable the Experimental Channel option through Settings. The Experimental Channel will allow switching between 26H1 builds and future platform builds. Canary Channel testers have access to build 28200.1873, which rebrands the Xbox full-screen experience and improves the Touch Keyboard. Additionally, build 29576.1000 is available for testers on the 29500 series, featuring a redesigned volume slider and new metrics in Task Manager. Beta Channel Insiders can download build 26200.8283, which includes minor adjustments to the Start Menu and print drivers, but the new Beta experience will not be immediately available.
Winsage
March 27, 2026
Microsoft is rolling out a preview of April's Patch Tuesday updates for Windows 11, specifically for versions 24H2, 25H2, and 26H1. The Preview Update KB5079391 is available for versions 24H2 and 25H2, updating them to builds 26100.8116 and 26200.8116, respectively. Key improvements include rich image descriptions in Narrator, a toggle for Smart App Control, updates to pen settings, adjustments to the Settings interface, enhancements to voice typing, display reliability improvements, upgrades to natural voice in Narrator, and stability enhancements for the Windows Recovery Environment. For version 26H1, Preview Update KB5079489 is available, upgrading the system to build 28000.1764 and introducing features like Emoji 16.0, Quick Machine Recovery improvements, and a built-in network speed test, though many features have been seen in previous versions.
Winsage
March 12, 2026
The March optional update for Windows 11 versions 25H2 and 24H2, identified as KB5079387, has been released for Insiders on the Release Preview Channel. Key enhancements include:
- Narrator improvements: Enhanced reliability for setting up Natural Voices, access to rich image descriptions via shortcuts, and instant on-device descriptions for Copilot+ PC users.
- Settings improvements: Increased reliability for downloading updates in the Settings menu.
- Smart App Control improvements: Users can toggle this security feature on or off without a clean installation.
- Modern pen setting experience: Digital pen users can configure the pen tail button to launch the same application as the Copilot key.
- Display improvements: Enhanced reliability of auto-rotation after sleep and external monitors connected via USB4 can operate at a low power level during sleep.
- File Explorer improvements: Ability to rename files using Voice Typing and sort permissions entries in Advanced Security Settings by ‘Principal’.
- Windows Recovery Environment improvements: x64 applications are expected to perform better on ARM64 devices.
The update will be available to non-Insiders as an optional update in the last week of March, with a broader public rollout expected in April.
Winsage
March 6, 2026
Microsoft addressed an issue in the Windows Recovery Environment (WinRE) that arose after the final update for Windows 10 on October 14, 2025, which disrupted WinRE functionality on some devices. The same update also caused accessibility issues for USB devices in Windows 11's recovery environment. Microsoft released an out-of-band patch, but some Windows 10 users continued to experience WinRE problems. The fix, KB5068164, targets Windows 10 versions 21H2 and 22H2 and aims to resolve the issue preventing WinRE from starting after the October 14 update. Concerns about Microsoft's quality control have been raised due to the timing of the failure and the delay in providing a solution. Users of Windows 10 can rely on Microsoft's Extended Security Updates program, although the situation has caused doubts about the reliability of Microsoft's updates.