TPM2 and Why it might Matter to You

Scannerman · Jul 12, 2023

Some folks are bypassing the Windows requirements for Windows 11 and making it work on unsupported platforms. Although I fully understand why this is a popular venture, I think it should also be considered before engaging in this procedure regardless of how the tweaking is done. I have elected to share this link and post some of the information here, while crediting the source. Perhaps this will help some to better understand TPM2 and perhaps it will help some to make more informed decisions about it.
What Is a TPM?

At its most basic, the TPM is a tiny chip on your computer’s motherboard, sometimes separate from the main CPU and memory. The chip is akin to the keypad you use to disable your home security alarm every time you walk in the door, or the authenticator app you use on your phone to log in to your bank account. In this scenario, turning on your computer is analogous to opening the front door of your home or entering your username and password into the login page. If you don’t key in a code within a short period of time, alarms will sound or you won’t be able to access your money.

Likewise, after you press the power button on a newer PC that uses full-disk encryption and a TPM, the tiny chip will supply a unique code called a cryptographic key. If everything is normal, the drive encryption is unlocked and your computer starts up. If there’s a problem with the key—perhaps a hacker stole your laptop and tried to tamper with the encrypted drive inside—your PC won’t boot up.
Source: What Is a TPM, and Why Do I Need One for Windows 11?

jimbo45 · Jul 12, 2023

@Scannerman

TPM is essentially "Dinosaur technology" -- it's at least 8 years old and in tech terms that's equivalent to a geological era. There's much better ways of implementing security both by hardware and software, Why on earth Ms is going up that path I haven't a clue. If it's "Bypassable" and it clearly easily is then it's hardly by definition a secure security device is it ??. VM's can also use "Emulated" TPM's which themselves question the whole relibility of the wretched things.

Cheers
jimbo

cereberus · Jul 12, 2023

Scannerman said:
Some folks are bypassing the Windows requirements for Windows 11 and making it work on unsupported platforms. Although I fully understand why this is a popular venture, I think it should also be considered before engaging in this procedure regardless of how the tweaking is done. I have elected to share this link and post some of the information here, while crediting the source. Perhaps this will help some to better understand TPM2 and perhaps it will help some to make more informed decisions about it.
What Is a TPM?

At its most basic, the TPM is a tiny chip on your computer’s motherboard, sometimes separate from the main CPU and memory. The chip is akin to the keypad you use to disable your home security alarm every time you walk in the door, or the authenticator app you use on your phone to log in to your bank account. In this scenario, turning on your computer is analogous to opening the front door of your home or entering your username and password into the login page. If you don’t key in a code within a short period of time, alarms will sound or you won’t be able to access your money.

Likewise, after you press the power button on a newer PC that uses full-disk encryption and a TPM, the tiny chip will supply a unique code called a cryptographic key. If everything is normal, the drive encryption is unlocked and your computer starts up. If there’s a problem with the key—perhaps a hacker stole your laptop and tried to tamper with the encrypted drive inside—your PC won’t boot up.
Source: What Is a TPM, and Why Do I Need One for Windows 11?

This oversimplifies things. You have to understand interaction of TPM with bitlocker.

Firstly, any stolen pc with or without a TPM is as secure as the Windows password used.

However, there are ways of getting around password, so a bios password adds security too.

A pc with bitlocker can made more secure by adding a botlocker which prevents the pc booting until PIN is entered.

With the above in place, it is very difficult for a user to hack the pc.

Without a TPM, user has to enter a password or use a usb key to access bitlocked drives.

If drive is bitlocked, tpm makes it easier to start pc but in a sense reduces security compared with a pc without a TPM but this can be countered by a bitlocker boot PIN.

A TPM adds little security other than if a bitlocked drive is stolen (not pc), thief would need the recovery key.

whether PC has a TPM or not.

The often bandied statement that a TPM adds security is really an overstatement. It only really adds convenience for user to boot without entering passwords.

The only security it really adds if a bitlocked drive is stolen, it cannot be accessed without the recovery key.

The same also applies though to an extent to a bitlocked drive without a TPM but if access password is weak, hacker could get access.

In the end, for best security:

1) Bitlocker PIN (strong access password if no TPM).
2) Strong Windows password (or other Windows Hello methods)
3) Strong bios password

If this is not enough, user will need to invest in 3rd party security tools e.g. token generators.

Frankly, a TPM adds very little, that the insistance by MS that you need one for Windows 11 is just complete nonsense.

jimbo45 · Jul 12, 2023

cereberus said:
This oversimplifies things. You have to understand interaction of TPM with bitlocker.

Firstly, any stolen pc with or without a TPM is as secure as the Windows password used.

However, there are ways of getting around password, so a bios password adds security too.

A pc with bitlocker can made more secure by adding a botlocker which prevents the pc booting until PIN is entered.

With the above in place, it is very difficult for a user to hack the pc.

Without a TPM, user has to enter a password or use a usb key to access bitlocked drives.

If drive is bitlocked, tpm makes it easier to start pc but in a sense reduces security compared with a pc without a TPM but this can be countered by a bitlocker boot PIN.

A TPM adds little security other than if a bitlocked drive is stolen (not pc), thief would need the recovery key.

whether PC has a TPM or not.

The often bandied statement that a TPM adds security is really an overstatement. It only really adds convenience for user to boot without entering passwords.

The only security it really adds if a bitlocked drive is stolen, it cannot be accessed without the recovery key.

The same also applies though to an extent to a bitlocked drive without a TPM but if access password is weak, hacker could get access.

In the end, for best security:

1) Bitlocker PIN (strong access password if no TPM).
2) Strong Windows password (or other Windows Hello methods)
3) Strong bios password

If this is not enough, user will need to invest in 3rd party security tools e.g. token generators.

Frankly, a TPM adds very little, that the insistance by MS that you need one for Windows 11 is just complete nonsense.

I think for some modern high end PC's a thief would just remove the internal HDD / SSD / NVME - possibly re-initialise the internal ROMs and re-flog the PC. The cost of new ssd's is trivial. TPM might stop "casual burglaries" but real pros wouldn't have a problem in making a high end PC operational again.

I do worry about laptops at seemingly total chaos at the security in Airports -- Rome, Barcelona and Gatwick Airports always seem totally mired in Chaos -- as well as the Eurostar terminal at St.Pancras railway station for outbound trips. Seems an opportune thief could easily walk away with a laptop -- I believe Rome airport is particularly prone to this type of incident with Barcelona a close second. Gatwick is also pretty nightmarish especially if you have to use that shed like "South Terminal".

Cheers
jimbo

Fabler2 · Jul 12, 2023

Discussed at length here,

TPM 2.0 is a must - they said, it will improve Windows Security - they said...

It's quite ironic to say the least: all this modern features being implemented as a new standard for improved security - while latter on - the same features turn-up to be a the ones which make it vulnerable. As was the case with Intel SGX (Software Guard Extensions) - or maybe it would be more...

www.elevenforum.com

hsehestedt · Jul 12, 2023

jimbo45 said:
I think for some modern high end PC's a thief would just remove the internal HDD / SSD / NVME - possibly re-initialise the internal ROMs and re-flog the PC. The cost of new ssd's is trivial. TPM might stop "casual burglaries" but real pros wouldn't have a problem in making a high end PC operational again.

That's missing the whole point. I could care less if my laptop is stolen, at least when compared with the data on it. If my laptop is solen, it would be super easy for someone to erase the drive and reuse the laptop. I don't care. What I care about is that my data is secure.

jimbo45 · Jul 12, 2023

hsehestedt said:
That's missing the whole point. I could care less if my laptop is stolen, at least when compared with the data on it. If my laptop is solen, it would be super easy for someone to erase the drive and reuse the laptop. I don't care. What I care about is that my data is secure.

Well you must be wealthier than most if you don't care if a 2,000 USD or more laptop gets stolen !!!. In any case if data is that important then don't store it permanently on a laptop but keep it on an external device and store in the cloud while using it. Remove from cloud after you've finished doing whatever you want with that data.

Most decent cloud services such as AZURE, AWS (Amazon), Microsoft One-Drive etc have really robust security -- Azure's security has passed the USA's military requirements whilst the domestic orientated One-Drive has security based on Azure so good as well. Amazon's AWS also robust security although more expensive than Microsoft's offerings.

I do a bit of e-commerce -- while I'm working I temporarily store data on the cloud - do the invoicing / answer queries etc then the data gets mailed to customer and removed from the cloud and local laptop back to the hosting server.

I have almost nothing on any laptop which would be of the slightest interest to anybody else --even if they could translate it (although google translate is improving by leaps and bounds --A.I there is definitely a huge improvement over even a couple of years ago).

Cheers
jimbo

Scannerman · Jul 13, 2023

jimbo45 said:
@Scannerman

TPM is essentially "Dinosaur technology" -- it's at least 8 years old and in tech terms that's equivalent to a geological era. There's much better ways of implementing security both by hardware and software, Why on earth Ms is going up that path I haven't a clue. If it's "Bypassable" and it clearly easily is then it's hardly by definition a secure security device is it ??. VM's can also use "Emulated" TPM's which themselves question the whole relibility of the wretched things.

Cheers
jimbo

100% Agree. TPM is in fact well over a decade old now. It just used to be an optional feature and was known to be unreliable even then. The reason MS is taking this path to make it compulsory should be obvious: $ Microsoft is part of the TCG (Trusted Computing Group) and they have a ton of moolah invested in keeping it going, not unlike Big Pharma when they know they're selling bad stuff but the profits are good so they keep on selling. In the rare event that they lose a few court battles they'll take the collateral damage and keep on selling. Making TPM compulsory for Microsoft operating systems will also provide incentive for people with older computers to make the move to newer hardware. Everyone in the Consortium wins. No matter how anyone slices or dices it this is planned obsoletion at its finest.

Trusted Platform Module - Wikipedia

en.wikipedia.org

TechnoMage2021 · Jul 13, 2023

All this 'yada, yada, yada' just makes me tickled silly that my PC's don't have TPM or anything like that.
Like a sore tooth, if I had it, I'd probably try to remove it.

And, if I were traveling, I'd certainly NOT be taking a $2000 laptop with me. I'd be taking a Dumpster Find, that cost me nothing, but that I had refurbished for under $100.
I actually have several of those, that run Windows xx just fine, and also use WiFi and access the internet just fine.
And, they all run Open Office or Libre Office, just fine. As well as Firefox, O.E.Classic and Super Anti Spyware.

As for critical data, that can be copied to a tiny little flash card, like a SIM Card, and hidden on one's person.

"Beam me up Scotty! There's no intelligent life down here!"

Scannerman · Jul 13, 2023

TechnoMage2021 said:
All this 'yada, yada, yada' just makes me tickled silly that my PC's don't have TPM or anything like that.
Like a sore tooth, if I had it, I'd probably try to remove it.

And, if I were traveling, I'd certainly NOT be taking a $2000 laptop with me. I'd be taking a Dumpster Find, that cost me nothing, but that I had refurbished for under $100.
I actually have several of those, that run Windows xx just fine, and also use WiFi and access the internet just fine.
And, they all run Open Office or Libre Office, just fine. As well as Firefox, O.E.Classic and Super Anti Spyware.

As for critical data, that can be copied to a tiny little flash card, like a SIM Card, and hidden on one's person.

"Beam me up Scotty! There's no intelligent life down here!"
View attachment 64688

I'm sure there are situations where a $2000 laptop is a needful thing. Fortunately, I can honestly say I've not found myself in one of those predicaments. The most that I've ever paid for a laptop is around 800 Canadian clams and frankly, that was too much already because despite it being on sale and having a good reputation, I really have no use for a touch screen. I do however enjoy the i7 processing power and the NVMe responsiveness. I fail to see how TPM2 in the thing would save it from being brute forced into granting access if someone were to steal it. I fail to see how any PC that was stolen with the TPM device still in it would protect that PC. Perhaps someone here might better explain that to me. As it currently stands I regard TPM to be a waste of time, energy, and resources.

Data can certainly be more valuable than the device that carries it, but when the device is stolen both the data and the device are gone. One might well argue that One Drive will allow one to access that data but this only holds true to an extent. It assumes many things. I love the allusion to TPM being like a sore tooth. What an exquisite comparison! For that matter, critical data could be kept on a USB stick. I marvel that they can have so much capacity these days.

This forum is rich with intelligent people who, I daresay, offer more practical help than a good many of the "certified" Microsnot folk on the official pages I have frequented. I am grateful for the help I've received here and I feel honoured to be part of this fine community.