Solved Heads up: Before you update your BIOS

Apparently this is known, but it was news to me, so here goes:

Before you update the BIOS, if you use a pin to login to Windows (with a Microsoft account).

• Have your account password ready!
• Make sure you have access to the alternative email stored in your Microsoft account

You will need it. Because here is what happens: When you reboot the computer after the BIOS update, you won't be able to log in. Windows will tell you that your pin is invalid and you must set a new pin. In order to set a new pin, you will then need your account password and a code that will be sent to your alternate email (not the main outlook.com email address that belongs to your Microsoft account but the other email address that is stored in case you forget your password and have to reset it).

After that, there will be an ominous warning that resetting the pin will have consequences, like getting signed out of applications. Only then will you be able to log in. Presumably this is because updating the BIOS might reset the TPM which then invalidates the pin but I don't know the technical details of this.

Also, if this is related to the TPM, you might run into issues later even if you don't use a pin to login but again, I'm not an expert on this either.

Fair enough warning but my pc recently updated bios and I never needed to reset pin.

Me... I don't have an MS account associated with Windows, I don't use a pin, I don't use Outlook.
I use a regular password like back in the XP days.

No issues what-so-ever, flashing the BIOS.

Sometimes, new things... aren't well thought out. ^^

It depends on the computer brand and/or the bios maker
Some turns off the TPM during bios update. Windows Hello is then unable to gather the information.
In Settings - Accounts - Signin Options is a Setting "User must use Windows Hello..."
If this is enabled, and TPM off or (worse) cleared, Windows sign in is blocked.
In most cases I have seen the TPM is just turned off, enter the bios and turn it on again.
But the given Warning is not wrong. This points can be the couse to get locked out.
My advice, never turn on "User must use Windows Hello..."

Or... put a discreet chip on motherboards for MS's "security"... if MS continues to insist on tying everything to the motherboard.
A motherboard that very realistically, will need it's BIOS flashed, multiple times over it life.

Additionally, the alternative email comment depends on how you set up your MSA - my security codes go to my MSA email address.

I am far more likely to forget an alternative email address than my MSA account email. Besides my mobile phone is set up for gmail, so I do not get in to trap, I cannot logon if I have forgotten MSA account.

syntoh said:

It depends on the computer brand and/or the bios maker
Some turns off the TPM during bios update. Windows Hello is then unable to gather the information.
In Settings - Accounts - Signin Options is a Setting "User must use Windows Hello..."
If this is enabled, and TPM off or (worse) cleared, Windows sign in is blocked.
In most cases I have seen the TPM is just turned off, enter the bios and turn it on again.
But the given Warning is not wrong. This points can be the couse to get locked out.
My advice, never turn on "User must use Windows Hello..."

Click to expand...

It didn't turn off the TPM. I did load the default/optimized defaults after flashing the BIOS, as I always do and then change the settings back to what I need them to be. But this is a fairly new mainboard (Gigabyte Z690 Elite) and it is Win 11 compatible by default and it never turns off the TPM unless the user does it (which I did not do because I know that Win 11 has an issue with that).

Btw, isn't 'user must use Windows Hello' on by default now?

Plus this whole security idea is silly, the way they're trying to implement it.
It won't be long before someone comes up with a software tool to hack a BIOS chip (aka the firmware).
If you can flash the BIOS... you can flash a hack through all that security.

They already have a tool to do that for Nvidia's vid card firmware. It even has a nice GUI.

Ghot said:

Plus this whole security idea is silly, the way they're trying to implement it.
It won't be long before someone comes up with a software tool to hack a BIOS chip (aka the firmware).
If you can flash the BIOS... you can flash a hack through all that security.

They already have a tool to do that for Nvidia's vid card firmware. It even has a nice GUI.

Click to expand...

To be fair, the TPM concept seems fairly secure and work as intended overall. An attacker with physical access to the computer can always reset the TPM of course but not 'hack' into the TPM and read out the encryption keys stored in it.
For instance, if BitLocker is used and it is backed up by TPM, an attacker is pretty much screwed as far as I understand it, even if they manage steal the laptop and have physical access to it.

The warning, although valid, should include a caveat that the user should research the BIOS upgrade first to see what other people have encountered.
My motherboard is new, Windows 11 compatible, Asus ProArt B660, I use a PIN to login to Windows and run with an MS account.
I have updated the BIOS twice now, by USB flash drive (once for 13th Gen CPU compatibility and once for memory timing stability), on both updates were included revisions to Intel ME and firmware.

After each update I set optimised defaults as instructed by the BIOS procedure, both times I could log into Windows using my PIN with no issues. I then re entered the BIOS to set my preferences and settings, no issues at all.

I doubt that loading optimised defaults would reset the TPM, the same way it shouldn't clear an admin BIOS password or any other password used in the BIOS settings, these should be user managed in seperate settings.
It is possible however that the BIOS update cleared the TPM keys, which it should not do, Gigabyte should be made aware, and maybe a reddit thread needs to be started for that.

The TPM keys can be read by a malicious software that has previously 'hacked' the firmware, but they would still need decrypting to be of any use, although it would also, theoretically, be possible to lock a user out of their system by modifying said keys, if the system is already compromised.
MS is working on it's own security on a chip system to be included on motherboards as part of the Windows security ecosystem.

I disabled by discrete TPM and had to reset my PIN.
Wasn't a problem, I just used my password and got the code via an email on my phone. The TPM is remaining off for now

I used to have a latop and that would occasionally not except my pin number. When this happened, I was always given the option of using my password. I did fix the probem by resetting the TPM in the BIOS. I also just went through something like this on my old computer. I was trying to upgrade the OS from my main user account, and it kept failing. I decided to try my other user account that I setup just to have another account with Admin permission. I couldn't remember the pin number or password I had used to set it. I think I was given three tries each. After I reached the total numbers of log-in attempts, I got a screen with my three security questions. I'll never complain about having to setup three security questions when doing a clean install again.

Ben Hastings said:

Apparently this is known, but it was news to me, so here goes:

Before you update the BIOS, if you use a pin to login to Windows (with a Microsoft account).

• Have your account password ready!
• Make sure you have access to the alternative email stored in your Microsoft account

You will need it. Because here is what happens: When you reboot the computer after the BIOS update, you won't be able to log in. Windows will tell you that your pin is invalid and you must set a new pin. In order to set a new pin, you will then need your account password and a code that will be sent to your alternate email (not the main outlook.com email address that belongs to your Microsoft account but the other email address that is stored in case you forget your password and have to reset it).

After that, there will be an ominous warning that resetting the pin will have consequences, like getting signed out of applications. Only then will you be able to log in. Presumably this is because updating the BIOS might reset the TPM which then invalidates the pin but I don't know the technical details of this.

Also, if this is related to the TPM, you might run into issues later even if you don't use a pin to login but again, I'm not an expert on this either.

Click to expand...

Yes, this is standard and now appears to be by design. No you won't run into TPM issues. My experience: Windows Hello pin issue?

I think the valid point of this OP's warning is not that updating bios will cause a problem,but that it can. The regulars here already know my opinions against using any kind of Windows Hello as well as bitlocker. I refuse to use either. Early on a bios update caused me problems with TPM as well. After going back to nothing but a password, I've updated bios at least 5 times without any problem. I believe in security, but TPM or bitlocker is not for me.

Ben Hastings said:

To be fair, the TPM concept seems fairly secure and work as intended overall. An attacker with physical access to the computer can always reset the TPM of course but not 'hack' into the TPM and read out the encryption keys stored in it.
For instance, if BitLocker is used and it is backed up by TPM, an attacker is pretty much screwed as far as I understand it, even if they manage steal the laptop and have physical access to it.

Click to expand...

If they steal the entire laptop, then why wouldn't they be able to simply hack into Windows as an administrator and turn bitlocker off?

Yup makes sense to be honest, Wouldn't expect anything less, Standard practice nowadays to remember you're email address and a password.

ShamrockRig said:

Yup makes sense to be honest, Wouldn't expect anything less, Standard practice nowadays to remember you're email address and a password.

Click to expand...

Just keep them written on a piece of tape on the back side of the keyboard.

NavyLCDR said:

If they steal the entire laptop, then why wouldn't they be able to simply hack into Windows as an administrator and turn bitlocker off?

Click to expand...

Because Windows won't boot without the BitLocker pin/password. Also, if they use a thumb drive to boot from (or remove the disk and put it in another computer), they still wouldn't be able to see the contents of the hard drive because it is encrypted.

edit: I should add: BitLocker can also run in 'TPM only' mode. In such a case, it is more complicated. No pin is needed to boot. If the attacker has the computer, they can boot Windows as usual, but they cannot login (because they don't have the Windows password). They'd need to 'hack the admin account' first. But that usually involves booting from a thumb drive first. But they can't do an offline password reset because the encrypted volume does not unlock when a different OS from a thumb drive is booted up.

glasskuter said:

I think the valid point of this OP's warning is not that updating bios will cause a problem,but that it can.

Click to expand...

I will update the first post accordingly. I will also mark it as solved as there doesn't seem to be a 'solution' to this. It just seems to be like this by design. It is also not well understood why it happens to some but not to others.
edit: It seems like I can't edit the first post anymore.

NavyLCDR said:

Just keep them written on a piece of tape on the back side of the keyboard.

Click to expand...

Unless its a wireless travel keyboard hahaha, Mine isn't so that'd be fine but my memory is decent enough that i can remember all of mine and they're variations, If it aint one..it'll be another.