CISA: Microsoft issues WinRE guidance on UEFI bypass risks
Microsoft Windows 10 and Windows 11 include the Windows Recovery Environment (WinRE), which can enable a bypass of administrator-configured UEFI/BIOS password enforcement under certain platform implementations. With physical or administrative access, an attacker may use WinRE-related boot mechanisms to circumvent firmware protections and obtain unauthorized access to system resources.
Windows 10 and 11 include WinRE as a recovery platform that supports the F11 recovery menu and the Reset this PC functionalities. When WinRE is invoked, the system reboots into a recovery environment that may use an alternate boot path from the standard operating system startup sequence, and the alternate path may not consistently enforce the same UEFI/BIOS security controls as a normal boot process. A security concern has been identified in certain WinRE implementations where administrative UEFI/BIOS passwords may not be enforced during specific recovery operations. In UEFI-based systems, the UEFI boot manager supports the BootNext variable, which specifies a one-time boot target stored in non-volatile memory (NVRAM) and takes precedence over normal BootOrder during the next boot cycle; BootNext is not authenticated, while Secure Boot validates the integrity and signature of the boot application specified by BootNext before execution. The UEFI specification does not explicitly mandate a full platform reset when BootNext is configured, leaving reset-handling and user authentication flows to the specific implementation. The described outcome can include bypassing pre-boot security controls such as UEFI/BIOS password protections and BitLocker full-disk encryption via recovery environments like WinRE, provided a user has the privileges required to initiate the recovery.
An attacker with access to the Windows Recovery Environment may bypass administrator-configured UEFI/BIOS password protections on affected systems. Depending on device configuration and firmware implementation, the attacker may also perform actions that weaken or circumvent BitLocker full-disk encryption protections, potentially resulting in unauthorized access to sensitive data.
Microsoft has published an advisory related to recovery-environment hardening and secure boot configurations, including mitigations for vulnerabilities affecting WinRE mechanisms. Organizations are instructed to review applicable vendor guidance and evaluate whether systems are susceptible to WinRE-based firmware security bypasses. The advisory guidance also includes recommendations to disable or restrict WinRE where recovery functionality is not operationally required, require administrative authorization with ephemeral one-time access before enabling or invoking recovery environments, enable BitLocker with TPM + PIN or TPM + Startup Key for additional authentication during recovery and pre-boot scenarios, enable restrictions of pluggable media with EFI System Partitions (ESP) and restrict modifications to sensitive UEFI NVRAM items such as BootNext and BootOrder, deploy EDR solutions or endpoint restrictions that support pre-boot security with remote attestation and measured boot technologies to detect or block unauthorized boot modifications, and implement physical security controls including device locks, secure storage, tamper-evident protections, and chain-of-custody procedures for high-value systems.
Organizations with high security requirements for their devices should not rely solely on UEFI/BIOS passwords to protect systems where WinRE, or such recovery environments, are accessible to untrusted users, and the advisory states that additional controls should be implemented to protect against physical-access and privileged-user attacks. The recommendations should be evaluated based on organizational recovery requirements and operational constraints, and some recommendations were adapted from an Eclypsium research blog.