Computer Software > Windows 11
How Windows uses the Trusted Platform Module
Alex Atkin UK:
Stumbled onto this:
https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm
One thing of interest which basically confirms my original theory of why they wanted TPM:
Device Encryption
Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
However unless I'm missing something, that does rather suggest law enforcement could demand the key from your Microsoft Account.
Its also curious that this does not specifically mention Windows 11, so was this unique to OEM devices on Windows 10 and how does it work when upgrading to 11 on a device that did not have TPM enabled during the original install?
Bowdon:
I'm not sure if this question is answered in your post. I was struggling to take in the information.
What happens if your motherboard faults or you upgrade it. Would you still be able to access the hard drive, or would it be locked by encryption?
I know it said that the code is logged in your account. Does that mean Windows itself won't be locked on an encrypted drive to allow you to login to release the code?
I'm very skeptical about this focus some folks have with encryption at home user level. What happens if some odd ball gets caught with illegal files, can he now lock the encryption on the drive and refuse to hand over his account details?
Alex Atkin UK:
To me its about if I need to RMA my SSD/HDD or they are stolen. I want to be reasonably sure my data is unreadable.
parkdale:
I did read that if you've used drive encryption won't stop you getting a ransomware attack.. then you have double encryption of your data :'(
https://news.ycombinator.com/item?id=27655219
Weaver:
I also used bitlocker on my laptops and on customers’. Same as Alex, it’s about machines being stolen.
Unfortunately I probably now can’t get into a ten year old Lenovo top-end laptop because I’ve probably forgotten the admin password.
@parkdale - Indeed that’s absolutely true, bitlocker won’t protect you; it’s totally irrelevant. Ransomware will need to be run by an admin to encrypt the whole drive, otherwise it will just encrypt the files the current user has access to, which will typically be a lot so disastrous. It doesn’t matter in the slightest whether or not you have bitlocker turned on as it’s just a normal application modifying files through normal o/s API routines that ordinary users have access to.
Mind you, if you tried to boot ransomware from another removable drive then I’d have to think about that. I suspect bitlocker would protect you, but the ransomware could just burn your file system perhaps, not sure, would have to think about that.
IMPORTANT: If using bitlocker, you should make sure the BIOS settings are such that you can’t boot from any removable drive, and the BIOS UI has a strong password so evildoers can’t get in and modify the settings. But then anyone should always do that! And make sure to record the password on another machine somewhere where you won’t forget it’s location.
Navigation
[0] Message Index
[#] Next page
Go to full version