Topic: How Windows uses the Trusted Platform Module

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
How Windows uses the Trusted Platform Module
« on: November 06, 2021, 07:48:07 AM »

Stumbled onto this:
https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm

One thing of interest which basically confirms my original theory of why they wanted TPM:

Device Encryption

Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.

For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.


However unless I'm missing something, that does rather suggest law enforcement could demand the key from your Microsoft Account.

It's also curious that this does not specifically mention Windows 11, so was this unique to OEM devices on Windows 10, and how does it work when upgrading to 11 on a device that did not have TPM enabled during the original install?
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Bowdon

Re: How Windows uses the Trusted Platform Module
« Reply #1 on: November 09, 2021, 11:56:33 AM »

I'm not sure if this question is answered in your post. I was struggling to take in the information.

What happens if your motherboard faults or you upgrade it? Would you still be able to access the hard drive, or would it be locked by encryption?

I know it said that the code is logged in your account. Does that mean Windows itself won't be locked on an encrypted drive to allow you to login to release the code?

I'm very skeptical about this focus some folks have with encryption at home user level. What happens if some oddball gets caught with illegal files, can he now lock the encryption on the drive and refuse to hand over his account details?
BT Full Fibre 500 - Smart Hub 2
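The Microsoft passage quoted in the first post, and the question above about a failed or replaced motherboard, both come down to which key protector can release the volume master key (VMK) under which conditions. The following is an added example, not Microsoft's code and not taken from the linked article: a toy Python model of a TPM-sealed protector bound either to the signing-authority measurement (PCR 7, which is what the passage describes for Device Encryption) or to code hashes (PCR 0 and 4), next to a recovery-password protector that does not depend on the TPM at all. The PCR numbers, the event contents, the per-TPM secret standing in for the chip's internal key, and the single SHA-256 standing in for the real recovery-key stretching are assumptions made for illustration; the 48-digit recovery-password layout (eight six-digit groups, each divisible by 11 and below 720896) is the format BitLocker itself uses.

```python
# Added example; not Microsoft's code. The VMK, the PCR contents, the TPM's internal
# key (modelled as a per-chip secret) and the recovery-password key stretching
# (replaced by one SHA-256) are simplifications chosen for illustration.
import hashlib
import hmac
import secrets


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: PCR' = SHA-256(PCR || SHA-256(event)). PCRs can only be extended,
    never set, so the final value commits to every event and to their order."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(firmware: bytes, bootmgr: bytes, signer: bytes, secure_boot_db: bytes) -> dict:
    """Simplified boot measurements: PCR 0 and 4 hold hashes of the code itself,
    PCR 7 holds the Secure Boot policy plus the certificate that authorised the
    boot manager, not the boot manager's own hash."""
    zero = bytes(32)
    return {
        0: pcr_extend(zero, firmware),
        4: pcr_extend(zero, bootmgr),
        7: pcr_extend(pcr_extend(zero, secure_boot_db), signer),
    }


def policy_digest(pcrs: dict, selection: tuple) -> bytes:
    """Digest over the selected PCRs; a sealed key is released only when it matches."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


class TpmProtector:
    """'TPM-only' protector: the VMK sealed to a PCR policy on one particular TPM."""

    def __init__(self, vmk: bytes, pcrs: dict, selection: tuple, tpm_secret: bytes):
        self.selection = selection
        self.expected = policy_digest(pcrs, selection)
        self.owner = hashlib.sha256(tpm_secret).digest()
        # Wrapping key mixes the chip secret with the expected PCR state, so the blob is
        # useless on another TPM or under a different boot state.
        wrap = hmac.new(tpm_secret, self.expected, hashlib.sha256).digest()
        self.blob = bytes(a ^ b for a, b in zip(vmk, wrap))

    def unseal(self, pcrs: dict, tpm_secret: bytes):
        if hashlib.sha256(tpm_secret).digest() != self.owner:
            return None  # sealed by a different TPM, e.g. the old motherboard's
        if policy_digest(pcrs, self.selection) != self.expected:
            return None  # measurements changed: Windows falls back to the recovery prompt
        wrap = hmac.new(tpm_secret, self.expected, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(self.blob, wrap))


def recovery_password(key: bytes) -> str:
    """Encode a 128-bit recovery key as BitLocker's 48 digits: eight six-digit groups,
    each a 16-bit word times 11 (hence divisible by 11 and below 720896)."""
    if len(key) != 16:
        raise ValueError("recovery key must be 16 bytes")
    words = [int.from_bytes(key[i:i + 2], "little") for i in range(0, 16, 2)]
    return "-".join(f"{w * 11:06d}" for w in words)


def recovery_key_from_password(pw: str) -> bytes:
    """Parse a 48-digit recovery password; the divisible-by-11 rule catches most typos."""
    groups = pw.replace(" ", "").split("-")
    if len(groups) != 8:
        raise ValueError("expected 8 groups of 6 digits")
    out = bytearray()
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            raise ValueError(f"group {g!r} is not six digits")
        v = int(g)
        if v % 11 != 0 or v >= 720896:
            raise ValueError(f"group {g!r} fails the divisible-by-11 check")
        out += (v // 11).to_bytes(2, "little")
    return bytes(out)


class RecoveryProtector:
    """Recovery-password protector: independent of the TPM and of boot measurements."""

    def __init__(self, vmk: bytes, key: bytes):
        wrap = hashlib.sha256(b"recovery" + key).digest()  # stand-in for real key stretching
        self.blob = bytes(a ^ b for a, b in zip(vmk, wrap))

    def unlock(self, pw: str) -> bytes:
        wrap = hashlib.sha256(b"recovery" + recovery_key_from_password(pw)).digest()
        return bytes(a ^ b for a, b in zip(self.blob, wrap))


def scenarios() -> dict:
    """Which protector still yields the VMK after typical changes (all inputs constructed)."""
    vmk, tpm_a, tpm_b = (secrets.token_bytes(32) for _ in range(3))
    signer, oem1_db = b"Microsoft Windows Production PCA 2011", b"OEM1 PK/KEK + Microsoft db"
    base = measure_boot(b"OEM1 UEFI 1.0", b"bootmgfw.efi v1", signer, oem1_db)
    by_authority = TpmProtector(vmk, base, (7,), tpm_a)  # Device Encryption style profile
    by_hashes = TpmProtector(vmk, base, (0, 4), tpm_a)   # code-hash profile
    rk = secrets.token_bytes(16)
    recovery, pw = RecoveryProtector(vmk, rk), recovery_password(rk)
    updated = measure_boot(b"OEM1 UEFI 1.0", b"bootmgfw.efi v2", signer, oem1_db)
    foreign = measure_boot(b"OEM1 UEFI 1.0", b"other-os.efi", b"some other CA", oem1_db)
    new_board = measure_boot(b"OEM2 UEFI 3.1", b"bootmgfw.efi v2", signer, b"OEM2 PK/KEK + Microsoft db")
    return {
        "signed boot manager update, PCR 7 policy": by_authority.unseal(updated, tpm_a) == vmk,
        "signed boot manager update, PCR 0+4 policy": by_hashes.unseal(updated, tpm_a) == vmk,
        "loader signed by another CA, PCR 7 policy": by_authority.unseal(foreign, tpm_a) == vmk,
        "motherboard replaced, PCR 7 policy": by_authority.unseal(new_board, tpm_b) == vmk,
        "motherboard replaced, recovery password": recovery.unlock(pw) == vmk,
    }
```

Calling scenarios() shows the property the quoted passage is getting at: a signed boot-manager update leaves the PCR 7 policy satisfied but breaks a hash-based one (so the user is not prompted for the recovery key after every Windows Update), a loader signed by a different authority fails the PCR 7 policy, and after a board swap the sealed blob is tied to a TPM that no longer exists, so only the recovery password still works, which is why Windows backs it up to the Microsoft account.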

Alex Atkin UK

Re: How Windows uses the Trusted Platform Module
« Reply #2 on: November 09, 2021, 12:41:27 PM »

To me it's about if I need to RMA my SSD/HDD or they are stolen. I want to be reasonably sure my data is unreadable.

parkdale

Re: How Windows uses the Trusted Platform Module
« Reply #3 on: November 09, 2021, 06:52:20 PM »

I did read that if you've used drive encryption, it won't stop you getting a ransomware attack... then you have double encryption of your data  :'(

https://news.ycombinator.com/item?id=27655219
Vodafone FTTC ECI cab 40/10Mb connection / Fritz!box7590

Weaver

Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: How Windows uses the Trusted Platform Module
« Reply #4 on: November 09, 2021, 07:52:23 PM »

I also used bitlocker on my laptops and on customers’. Same as Alex, it’s about machines being stolen.

Unfortunately I probably now can’t get into a ten year old Lenovo top-end laptop because I’ve probably forgotten the admin password.

@parkdale - Indeed that’s absolutely true, bitlocker won’t protect you; it’s totally irrelevant. Ransomware will need to be run by an admin to encrypt the whole drive, otherwise it will just encrypt the files the current user has access to, which will typically be a lot so disastrous. It doesn’t matter in the slightest whether or not you have bitlocker turned on as it’s just a normal application modifying files through normal o/s API routines that ordinary users have access to.

Mind you, if you tried to boot ransomware from another removable drive then I’d have to think about that. I suspect bitlocker would protect you, but the ransomware could just burn your file system perhaps, not sure, would have to think about that.

IMPORTANT: If using bitlocker, you should make sure the BIOS settings are such that you can’t boot from any removable drive, and the BIOS UI has a strong password so evildoers can’t get in and modify the settings. But then anyone should always do that! And make sure to record the password on another machine somewhere where you won’t forget its location.

Alex Atkin UK

Re: How Windows uses the Trusted Platform Module
« Reply #5 on: November 09, 2021, 08:41:23 PM »

IMPORTANT: If using bitlocker, you should make sure the BIOS settings are such that you can’t boot from any removable drive, and the BIOS UI has a strong password so evildoers can’t get in and modify the settings. But then anyone should always do that! And make sure to record the password on another machine somewhere where you won’t forget its location.

How so?  As surely booting into another OS can't get at the files, they're encrypted?

I don't actually use Bitlocker personally as I'm on Linux, so I use LUKS, although currently it's still backed up to an unencrypted drive on my NAS as the idea of encrypting my data is not something I've been thinking about much until recently, so I wanted to check for any issues before potentially rolling it out wider.  Plus it makes more sense for say my laptop, which is far more likely to get stolen than my NAS.

I'm still wary of the potential for not being able to recover from a failing drive because I can't unlock the encrypted partition, vs traditional filesystems where you often CAN recover at least some of the data.  Although that may be moot now with SSDs that often fail suddenly, completely and without warning.  Plus of course I DO keep backups.

Weaver

Re: How Windows uses the Trusted Platform Module
« Reply #6 on: November 09, 2021, 09:09:42 PM »

No, the point about booting other code is that it could destroy your main volume. But then an evildoer could use a tool called a hammer anyway.

Alex Atkin UK

Re: How Windows uses the Trusted Platform Module
« Reply #7 on: November 10, 2021, 03:18:24 AM »

No, the point about booting other code is that it could destroy your main volume. But then an evildoer could use a tool called a hammer anyway.

That's what puzzled me, as once someone has physical access, all bets are off there anyway.  My biggest worry in that case is, like you said, physical damage or someone using a USB killer for the LOLs.

Weaver

Re: How Windows uses the Trusted Platform Module
« Reply #8 on: November 10, 2021, 06:55:40 AM »

The other point about setting a BIOS password is that if you don’t, then an evildoer can, and can lock you out of your own machine. Some machines have a BIOS reset link on the board to reset the password and put everything back to factory defaults presumably. Or something.

Anyway, I’ve never left a BIOS UI unprotected by a password.

Alex Atkin UK

Re: How Windows uses the Trusted Platform Module
« Reply #9 on: November 10, 2021, 08:17:03 AM »

That's a good point actually as I hear modern BIOS actually store the password in the chip so it CAN'T be easily reset.

Weaver

Re: How Windows uses the Trusted Platform Module
« Reply #10 on: November 10, 2021, 11:27:27 PM »

I was being thick though; I forgot about my original primary, and routinely considered, reason, that of setting the BIOS password so no-one else can do it before you do.