Does CPU-based TPM survive a BIOS reset?

Soldato
Joined
1 Apr 2014
Posts
15,479
Location
Aberdeen
Intel call it PTT and AMD call it FTPM. But suppose you have a TPM-secured OS on your PC and you update or reset your BIOS. Does your OS still boot? Does everything still work?
 
Soldato
Joined
6 Feb 2019
Posts
10,798
Good question, someone with W11 should test it. Enabled tpm, install w11 then disable tpm and see if it boots?

Atm it seems all bios default to tpm off so that's what will happen you update bios and tpm turns off, I assume at some point future bios will default to tpm on
 
Soldato
Joined
1 Feb 2006
Posts
2,574
Hi, I enabled fTPM in BIOS and updated my Win10 Pro VM to Win11 Pro. I just disabled fTPM in the BIOS and Win11 still boots. I don't think the OS needs it, I think it's more about DRM than security.
 
Soldato
Joined
18 Oct 2002
Posts
11,918
Location
Sandwich, Kent
I would imagine it would only have any effect if you'd enabled BitLocker. Would be interesting to see what happens if you did a BIOS reset with BitLocker enabled on the boot drive. I'm guessing you'd need to do a reinstall at that point.
 
Soldato
Joined
1 Feb 2006
Posts
2,574
I would imagine it would only have any effect if you'd enabled BitLocker. Would be interesting to see what happens if you did a BIOS reset with BitLocker enabled on the boot drive. I'm guessing you'd need to do a reinstall at that point.
The BIOS says, if bitlocker is on and you disable TPM windows will not boot or encrypted data will be lost. If using bitlocker use a dTPM, that way updating/resetting the BIOS does not mess with it.
 
Associate
Joined
1 Mar 2004
Posts
1,822
Location
Kent, UK.
I’ve not tried it, but assuming Bitlocker is enabled, if the TPM was disabled or lost the key would Bitlocker not revert to requiring a recovery code to gain access to the drive, after which if you enabled the TPM you could reinitialise?
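
The recovery-key fallback and the "reinitialise afterwards" step described in the posts above, as an added PowerShell example that is not from this thread: it checks TPM state, makes sure the OS volume has a recovery password protector backed up off the encrypted disk, and suspends BitLocker for one reboot so a BIOS update or reset does not drop the machine into recovery. Assumes an elevated session on Windows 10/11 Pro with the BitLocker and TrustedPlatformModule modules; `$BackupDir` is an assumed path.

```powershell
# Added example, not from the forum thread. Pre-firmware-update checklist for a
# BitLocker-protected OS volume. Assumes an elevated PowerShell session.
$MountPoint = "C:"
$BackupDir  = "D:\bitlocker-backup"   # assumed: a location NOT on the encrypted drive

# 1. Is the TPM present and ready? Firmware TPMs (Intel PTT / AMD fTPM) report here
#    the same way a discrete TPM does; after disabling it in BIOS TpmPresent is False.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# 2. List the volume's key protectors. Besides the Tpm protector we want a
#    RecoveryPassword protector, otherwise a changed TPM state locks the drive.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Protection: $($vol.ProtectionStatus)  Volume: $($vol.VolumeStatus)"
$vol.KeyProtector | ForEach-Object { "  $($_.KeyProtectorType)  $($_.KeyProtectorId)" }

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
if (-not $recovery) {
    # No recovery password yet: add one now, before touching the BIOS.
    $recovery = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
                Where-Object KeyProtectorType -eq "RecoveryPassword"
}

# 3. Save the 48-digit recovery password(s) somewhere off the encrypted disk
#    (removable media, a printout, or the Microsoft account the thread mentions).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$recovery | ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" } |
    Set-Content -Path (Join-Path $BackupDir "recovery-$env:COMPUTERNAME.txt")

# 4. Suspend protection for exactly one reboot. Data stays encrypted, but the
#    volume key is no longer sealed to the current TPM measurements, so a BIOS
#    update or CMOS reset does not trigger recovery. Protection resumes after
#    the next boot and the Tpm protector is re-sealed to the new state.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1

# After the firmware change, confirm protection is back on; if it reads Off, run:
#   Resume-BitLocker -MountPoint C:
Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus
```

If the TPM was cleared or swapped rather than merely reset, the old Tpm protector no longer matches; after the recovery password unlocks the volume, `Remove-BitLockerKeyProtector` on the stale protector followed by `Add-BitLockerKeyProtector -TpmProtector` re-seals the key to the new TPM.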
 
Soldato
Joined
6 Feb 2019
Posts
10,798
I don't use bitlocker, but that's a pretty big caveat for those who do. I can foresee some people complaining about lost data in the future
 
Associate
Joined
1 Mar 2004
Posts
1,822
Location
Kent, UK.
I suppose that depends on if Bitlocker is enabled by default, or if it requires the user to enable it. At least on Windows 10 Bitlocker isn't enabled if you use a local account, it's only enabled by default if you use a cloud account and in that event the recovery key is stored in your cloud account. Although I'm not sure your average user would know to look there or where to look...and that assumes they even know their hard drive is encrypted.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker
 
Associate
Joined
4 Jun 2020
Posts
2,401
Everything about bitlocker just makes me wonder why anyone would ever use it.

Motherboard failure = all data lost. What a wonderful security feature!

Locked to the current motherboard too, and can't ever change it.
 
Soldato
Joined
22 Jun 2006
Posts
5,252
AIUI Windows 11 disables TPM anyway if it detects that it's in a VM.

So it's not saved in the UEFI. Shame.

I don't know what this means, but my Asus motherboard says in the manual that it is stored in the ME and only says that a ROM replacement would invalidate the key, not a BIOS update or CMOS reset.
 
Man of Honour
Joined
13 Oct 2006
Posts
83,124
Everything about bitlocker just makes me wonder why anyone would ever use it.

Motherboard failure = all data lost. What a wonderful security feature!

Locked to the current motherboard too, and can't ever change it.

Only reason in that respect is for people who handle confidential information, etc. Windows 11 security wise seems to be a lot of high ideals disconnected from the real world. Unfortunately I think people are going to increasingly find though that tweaks to work around requirements in Windows 11 won't be very useful in the longer run as they might allow the OS to install and boot but some features including required ones might not function and/or not function correctly in the longer run without the requirements.

MS need a good slap around the head TBH even the security of any existing TPM implementation is weakened if not exploitable these days. (That isn't to say they should abandon all and every TPM functionality).
 
Associate
Joined
4 Jun 2020
Posts
2,401
Excellent.

Just to clarify that the bios warning on my Asus board also says it only bricks encrypted drive if you replace the bios chip, so just updating the bios or clearing the CMOS shouldn't affect that.

New bios chip or new motherboard locks out any bitlocked drives.
 
Associate
Joined
6 Jun 2016
Posts
1,372
Everything about bitlocker just makes me wonder why anyone would ever use it.
Motherboard failure = all data lost. What a wonderful security feature!
Locked to the current motherboard too, and can't ever change it.

That’s not how it works, you can just use the bitlocker recovery key to access the drive in another machine. It saves the recovery key to your MS account, text file etc when you encrypt the drive.
 
Associate
Joined
15 Mar 2018
Posts
62
Location
Scotland
Everything about bitlocker just makes me wonder why anyone would ever use it.

Motherboard failure = all data lost. What a wonderful security feature!

Locked to the current motherboard too, and can't ever change it.

All my work computers and laptops use bitlocker for drive encryption and although it can be a pain, it does prevent protected data being accessed if a device is lost or stolen
 
Soldato
Joined
18 Oct 2002
Posts
11,918
Location
Sandwich, Kent
I didn't mean for work computers, though I see the use there.

Why is it being forced onto non work / home PCs?
The capability of the hardware is, but using Bitlocker isn't being forced on home users.

Realistically it's probably because Macs have it, so they're making sure it's on PCs as well.
 