Any organization running Windows 11 or Windows Server 2025 on devices that can be physically reached by people other than trusted staff (offices, remote sites, shared workspaces, colocation facilities) faces direct risk of data exposure without any credential or network compromise. Regulated data stored on affected endpoints, including financial records, intellectual property, healthcare records, and personally identifiable information, could be read in full by an attacker with minutes of physical access. Because Microsoft's fix is a manual WinRE image update and TPM configuration change rather than an automated patch, remediation cost scales directly with device count: IT staff must touch every affected machine individually, which prolongs the exposure window and imposes a significant operational burden on large or distributed organizations.
You Are Affected If
You run Windows 11 24H2, 25H2, or 26H1 (x64) or Windows Server 2025 (including Server Core) in production
You have not yet applied Microsoft's manual WinRE image update and TPM configuration change for CVE-2026-45585 on each affected device
Affected devices are physically accessible to individuals who are not authorized IT staff, including in shared office spaces, remote offices, colocation facilities, or unattended field deployments
BitLocker is your primary or sole encryption control on affected endpoints and the OS drive unlocks automatically from the TPM alone, without an additional pre-boot factor (a BitLocker PIN or startup key, or Network Unlock) as a defense-in-depth layer
You do not have physical access monitoring or alerting (badge logs, camera coverage) for areas where affected devices are located
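The machine-testable conditions in the checklist above (OS release, an OS volume protected by a TPM-only BitLocker protector with no pre-boot factor, WinRE present) can be inventoried per device with the following PowerShell script. It is an added example, not code from this advisory or from Microsoft; the function names are my own, and it assumes the BitLocker, TrustedPlatformModule and CIM cmdlets that ship with Windows plus English-locale output from reagentc. It does not detect whether the CVE-2026-45585 fix has been applied, because the advisory names no package or setting to test for; track that separately.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or from Microsoft): a read-only, per-device check
# for the machine-testable conditions in the "You Are Affected If" checklist. It reports
# the OS release (24H2 / 25H2 / 26H1 client, or Server 2025), whether the OS volume relies
# on a TPM-only BitLocker protector with no pre-boot factor, and whether WinRE is enabled.
# It cannot tell whether Microsoft's fix for CVE-2026-45585 has been applied.

function Get-OsScope {
    # Returns whether this host runs one of the Windows releases named in the checklist.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $dv = [string]$cv.DisplayVersion            # "24H2", "25H2", "26H1", ...
    $isClient = ($os.ProductType -eq 1)         # 1 = workstation, 2 = DC, 3 = server
    $inScope = if ($isClient) {
        # 24H2 is the first 26100-series client build; the release labels are the checklist's.
        [int]$os.BuildNumber -ge 26100 -and $dv -in @('24H2', '25H2', '26H1')
    } else {
        $os.Caption -like '*Server 2025*'       # covers Standard, Datacenter and Server Core
    }
    [pscustomobject]@{
        Caption        = $os.Caption
        DisplayVersion = $dv
        Build          = $os.BuildNumber
        Architecture   = $os.OSArchitecture
        InScope        = [bool]$inScope
    }
}

function Get-BitLockerProtectorPosture {
    # For each BitLocker volume, report whether it unlocks from the TPM alone (the
    # configuration a physical-access bypass targets) or carries a pre-boot factor.
    # Protector type names are those the BitLocker module reports; TpmNetworkKey is Network Unlock.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'TpmNetworkKey')
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $preBoot = @($types | Where-Object { $_ -in $preBootTypes })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = [string]$vol.VolumeType          # OperatingSystem / Data
            ProtectionOn     = ([string]$vol.ProtectionStatus -eq 'On')
            ProtectorTypes   = ($types -join ',')
            TpmOnly          = (($types -contains 'Tpm') -and ($preBoot.Count -eq 0))
            HasPreBootFactor = ($preBoot.Count -gt 0)
        }
    }
}

function Test-WinReEnabled {
    # reagentc prints "Windows RE status: Enabled" (English locale assumed here).
    $out = & reagentc.exe /info 2>&1 | Out-String
    return ($out -match 'Windows RE status:\s+Enabled')
}

function Get-BitLockerExposureReport {
    $os    = Get-OsScope
    $vols  = @(Get-BitLockerProtectorPosture)
    $osVol = $vols | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
    $tpm   = Get-Tpm
    # "Exposed" here means: in-scope OS, OS drive encrypted, and no pre-boot factor beyond the TPM.
    $exposed = $os.InScope -and $osVol -and $osVol.ProtectionOn -and $osVol.TpmOnly
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OsCaption           = $os.Caption
        OsDisplayVersion    = $os.DisplayVersion
        OsInScope           = $os.InScope
        TpmPresentAndReady  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        OsVolumeProtectors  = if ($osVol) { $osVol.ProtectorTypes } else { '' }
        OsVolumeTpmOnly     = [bool]($osVol -and $osVol.TpmOnly)
        WinReEnabled        = Test-WinReEnabled
        ExposedPerChecklist = [bool]$exposed
        CheckedAt           = (Get-Date).ToString('o')
    }
}

# Usage: run on each device (or push it through your management tooling) and collect the rows centrally.
Get-BitLockerExposureReport | Format-List
# Aggregation: Get-BitLockerExposureReport | Export-Csv -NoTypeInformation -Append .\bitlocker-exposure.csv
```

A device reporting ExposedPerChecklist = True and OsVolumeProtectors = "Tpm,RecoveryPassword" is the case the checklist describes: encrypted, in scope, and unlocking without any factor an attacker at the keyboard lacks. Adding a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector) is the defense-in-depth step the checklist refers to and is independent of applying Microsoft's fix.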
Board Talking Points
An attacker with minutes of physical access to any unpatched Windows 11 or Windows Server 2025 device can bypass BitLocker encryption entirely and read all data on that device: no password, user credential, or network access is required.
Remediation requires IT staff to manually update every affected device individually; organizations should begin immediately, prioritizing devices in shared or publicly accessible locations, and track completion against a defined deadline.
Organizations that delay remediation face ongoing risk of sensitive data theft from any physically accessible device; if sensitive or regulated data is later confirmed accessed, this exposure could trigger breach notification obligations.
HIPAA: Protected health information stored on affected Windows 11 or Server 2025 endpoints is readable via this bypass. Covered entities and business associates should treat the unpatched state as a gap in their technical safeguards (45 CFR § 164.312, including the encryption and integrity standards) and, if PHI on an affected device is lost, stolen, or confirmed accessed, assess the event as a potential breach under the Breach Notification Rule (45 CFR §§ 164.400-414).
GDPR: Personal data of EU residents stored on affected endpoints is at risk of unauthorized access. The remediation delay itself bears on the Article 32 security-of-processing obligation; any affected device that is lost, stolen, or accessed without authorization while unpatched must be assessed as a potential personal data breach under Article 33 (notification to the supervisory authority without undue delay and, where feasible, within 72 hours).
PCI DSS: Cardholder data stored or processed on affected Windows 11 or Server 2025 systems falls within scope. Requirement 3 (protect stored account data) and Requirement 6 (maintain secure systems, including timely installation of security patches) apply directly to unpatched devices, and Requirement 12 (organizational policies and risk management) governs how the remediation deadline is set and tracked.