GreatXML — No Patch: BitLocker Bypass via WinRE Survives Incident Response

GreatXML BitLocker bypass technique

Your BitLocker-encrypted Windows devices may not be as protected as your NIS2 compliance report says.

This week a researcher published GreatXML — a technique that achieves a SYSTEM-level shell with full access to a BitLocker-encrypted volume using nothing more than two XML files placed on the recovery partition.

No patch exists. Microsoft is still assessing impact.

Here is how it works. Any Windows machine where Microsoft Defender’s offline scan has been run at least once is affected. An attacker with temporary administrator access places two XML files on the WinRE recovery partition. From that point forward, rebooting into the Windows Recovery Environment triggers a shell with unrestricted access to all data on the encrypted drive.

The uncomfortable part: these files survive credential rotation and standard incident response procedures. If an attacker gains admin access, plants the files quietly, and then loses that access — the backdoor remains active. Your incident response playbook does not remove it.

This is the third BitLocker bypass technique disclosed in 19 days. Where this bites: NIS2 Article 21(2)(h) and ISO 27001 A.8.24 both require demonstrable encryption at rest. With three bypass techniques active in three weeks, TPM-only BitLocker cannot be documented as an effective control for physically accessible devices.

Three things to check: Enable TPM+PIN on all devices with physical access risk. Audit whether any Windows devices have had a Defender Offline Scan run. Document this control gap before your next NIS2 review cycle.
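A starting point for the first and third items, as an added example that is not part of the original post: a PowerShell audit that lists each BitLocker volume's protector types, flags operating-system volumes protected by TPM alone, and reports whether WinRE is enabled and where its recovery partition lives. It assumes Windows with the BitLocker PowerShell module and an elevated shell; the function names are hypothetical.

```powershell
# Added example (not from the original post): audit each fixed volume's BitLocker
# protectors and flag volumes that rely on the TPM alone, the configuration the
# post says cannot be documented as an effective control.
# Assumes Windows with the BitLocker module, run from an elevated PowerShell.
function Get-BitLockerControlGap {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TpmPin and TpmPinStartupKey require user input before boot;
        # a bare Tpm protector unlocks the volume unattended.
        $hasPin      = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly     = ($types -contains 'Tpm') -and (-not $hasPin)
        $hasRecovery = $types -contains 'RecoveryPassword'

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ',')
            TpmOnly             = $tpmOnly
            HasRecoveryPassword = $hasRecovery
            # Record the gap for the NIS2 / ISO 27001 review when the OS volume is TPM-only.
            ControlGap          = ($vol.VolumeType -eq 'OperatingSystem') -and $tpmOnly
        }
    }
}

# WinRE status as reported by reagentc.exe /info. An enabled WinRE with a
# reachable recovery partition is the surface the post describes, so record it.
function Get-WinReStatus {
    $info = (& reagentc.exe /info 2>&1) | Out-String
    [pscustomobject]@{
        Enabled  = [bool]($info -match 'Windows RE status:\s+Enabled')
        Location = ([regex]::Match($info, 'Windows RE location:\s+(\S+)')).Groups[1].Value
    }
}

Get-BitLockerControlGap | Format-Table -AutoSize
Get-WinReStatus
```

Run it on each in-scope device and keep the output with the review evidence; any row with ControlGap set to True is a device where the post's TPM+PIN recommendation has not yet been applied.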

For those who want a deeper dive into this topic: