[SOLVED] Couple of TPM questions.

H4X0R46

Honorable
Sep 25, 2016
141
2
10,685
Hey guys, I haven't been here on the forums in some time, but got questions and this community is my go to! So I've got a windows 10 desktop right now and I'm going to "clean" my drive with diskpart and install a fresh Windows 11 install.

So my questions:
1) Does my motherboard have a hardware tpm chip? (ASRock x570 Pro 4)

2) If it doesn't and I'm gonna use fTPM with my Ryzen processor, will a bios update lock me out of my C drive? Would cleaning my C drive with diskpart and reinstalling windows 11 in the future lock me out of my C drive?

3) Does disabling a tpm chip while in windows 11 open my drive up without destroying my data?

Thanks guys! 😁
 

Ralston18

Titan
Moderator
Full disclosure - not a direct answer.

However I am compelled to ask is there a pressing reason to go to Windows 11?

If not, just stay with Windows 10.

Microsoft has software that will test your system's ability to support Windows 11/TPM. Run that software to find out what Microsoft "sees and says".

As for your specific questions, I will defer to the more specialized members using Windows 11 and working with the details of TPM.
 
1) Does my motherboard have a hardware tpm chip? (ASRock x570 Pro 4)
No, but it has a header for one.

2) If it doesn't and I'm gonna use fTPM with my Ryzen processor, will a bios update lock me out of my C drive? Would cleaning my C drive with diskpart and reinstalling windows 11 in the future lock me out of my C drive?
No. BIOS doesn't lock you out of anything if you enable TPM except if you need to update BIOS because enabling TPM requires being in a certain security mode, but updating BIOS requires you to not be in that mode. The closest maybe you're concerned about is if you do OS based full-disk encryption, as that uses TPM. But that's just because the data contents are encrypted.

3) Does disabling a tpm chip while in windows 11 open my drive up without destroying my data?
You can't disable TPM while in Windows.
 
Solution

H4X0R46

No, but it has a header for one.


No. BIOS doesn't lock you out of anything if you enable TPM except if you need to update BIOS because enabling TPM requires being in a certain security mode, but updating BIOS requires you to not be in that mode. The closest maybe you're concerned about is if you do OS based full-disk encryption, as that uses TPM. But that's just because the data contents are encrypted.


You can't disable TPM while in Windows.

Alrighty! For my question you answered up there, the 2nd one, I'm understanding that if I update my bios, my C drive may not be accessible after and may need to be formatted? I read something somewhere that updating a bios while using fTPM changes a security key or something?

And if I were to reinstall windows 11 later or downgrade to Windows 10, wiping my C drive with diskpart and installing either operating system should just work as expected?

Thanks again, I have NEVER bothered with TPM until now, I've never needed it lol
 

H4X0R46

Full disclosure - not a direct answer.

However I am compelled to ask is there a pressing reason to go to Windows 11?

If not, just stay with Windows 10.

Microsoft has software that will test your system's ability to support Windows 11/TPM. Run that software to find out what Microsoft "sees and says".

As for your specific questions, I will defer to the more specialized members using Windows 11 and working with the details of TPM.
As for a reason? I'll be honest. It just looks nicer, I like how they rearranged the OS, new clean system sounds, etc. I played around with it in VMWare and really loved the aesthetic. As for a REAL technical reason? I wish I could say I had one haha
 
Alrighty! For my question you answered up there, the 2nd one, I'm understanding that if I update my bios, my C drive may not be accessible after and may need to be formatted? I read something somewhere that updating a bios while using fTPM changes a security key or something?
According to https://media.defense.gov/2020/Sep/...FI-Secure-Boot-Customization-UOO168873-20.PDF and https://support.microsoft.com/en-us...e-device-01973e22-1b57-f0db-6f33-03f62127831e , yes, updating UEFI may revoke the keys used to decrypt the storage. However:
  • Bitlocker (the storage encryption system Windows uses) can be set up with recovery keys
  • If firmware updates are done through Windows Updates, Windows can apply them without the user needing to do anything.
  • Otherwise Bitlocker can be suspended so you can update the firmware.
I would also argue though:
  • 9 times out of 10, motherboard firmware updates aren't needed. Unless it's to fix a serious bug or it provides hardware compatibility, there's no real reason to update the firmware.
  • You should have a backup plan anyway for data you cannot have wiped.
And if I were to reinstall windows 11 later or downgrade to Windows 10, wiping my C drive with diskpart and installing either operating system should just work as expected?
Yes.
 
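A pre-flight check for the situation discussed in this post and in the accepted answer above (is a TPM present and is it the Ryzen fTPM, is the OS drive Bitlocker-protected, is a recovery password saved off the drive, and suspending Bitlocker for one reboot before flashing the firmware). This is an added PowerShell example, not code from the thread or from Microsoft; it assumes an elevated prompt on Windows 10/11 Pro with the built-in TrustedPlatformModule and BitLocker modules, the OS volume on C:, and a removable drive mounted as D: for the recovery-password copy (the D: path is an assumption, change it).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): pre-flight check before a UEFI/BIOS update on a
# Bitlocker-protected Windows 10/11 system using a discrete TPM or the AMD fTPM.

# 1) Is a TPM visible to Windows, and is it firmware-based or a discrete module?
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning "No TPM is visible to Windows. Enable fTPM in UEFI setup or fit a module in the TPM header."
    return
}
# ManufacturerIdTxt typically reads 'AMD ' for the Ryzen fTPM; a discrete module reports its vendor.
"TPM present: {0}, ready: {1}, manufacturer: '{2}'" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.ManufacturerIdTxt
Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm |
    Select-Object SpecVersion, ManufacturerVersion

# 2) Is C: Bitlocker-protected, and does it have a numerical recovery password?
$vol = Get-BitLockerVolume -MountPoint "C:"
"C: protection: {0}, encrypted: {1}%" -f $vol.ProtectionStatus, $vol.EncryptionPercentage

if ($vol.ProtectionStatus -ne 'On') {
    "C: is not Bitlocker-protected; a firmware update cannot lock you out of it."
    return
}

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # Add a 48-digit recovery password so a TPM measurement change after the update is survivable.
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint "C:"
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Save the recovery password somewhere that is NOT the protected drive (assumed: USB stick on D:).
$recovery | ForEach-Object { "Recovery ID {0}: {1}" -f $_.KeyProtectorId, $_.RecoveryPassword } |
    Tee-Object -FilePath "D:\bitlocker-recovery-C.txt"

# 3) Suspend Bitlocker for exactly one reboot, then flash the firmware from UEFI setup.
# While suspended the volume key is stored unprotected on disk, so keep the window short;
# protection resumes on its own after the reboot count is reached.
Suspend-BitLocker -MountPoint "C:" -RebootCount 1 | Out-Null
"C: protection after suspend: {0}" -f (Get-BitLockerVolume -MountPoint "C:").ProtectionStatus

# After the update has booted back into Windows, confirm protection is 'On' again, or force it:
#   Resume-BitLocker -MountPoint "C:"
```

The point of the check is that the recovery password is the way back in if the TPM refuses to release the key after the firmware changes, and suspending before the update avoids needing it at all. Saving the password to a file on the same drive defeats the purpose, which is why the script writes it to a separate volume.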

H4X0R46

According to https://media.defense.gov/2020/Sep/...FI-Secure-Boot-Customization-UOO168873-20.PDF and https://support.microsoft.com/en-us...e-device-01973e22-1b57-f0db-6f33-03f62127831e , yes, updating UEFI may revoke the keys used to decrypt the storage. However:
  • Bitlocker (the storage encryption system Windows uses) can be set up with recovery keys
  • If firmware updates are done through Windows Updates, Windows can apply them without the user needing to do anything.
  • Otherwise Bitlocker can be suspended so you can update the firmware.
I would also argue though:
  • 9 times out of 10, motherboard firmware updates aren't needed. Unless it's to fix a serious bug or it provides hardware compatibility, there's no real reason to update the firmware.
  • You should have a backup plan anyway for data you cannot have wiped.
Yes.
Alright thanks for the extensive help on this topic, I really appreciate you! So that brings this question. So bitlocker and TPM encryption is basically one and the same? I know windows has always had bitlocker as an option, but by this logic, I'm understanding that it's bitlocker that utilizes a TPM chip and encrypts?

Second part of what you said, I'm thinking if I kept recovery keys for bitlocker or suspended it, THAT would get me back in if I got locked out? Sorry for all the questions, curious mind and genuinely intrigued.
 
Alright thanks for the extensive help on this topic, I really appreciate you! So that brings this question. So bitlocker and TPM encryption is basically one and the same? I know windows has always had bitlocker as an option, but by this logic, I'm understanding that it's bitlocker that utilizes a TPM chip and encrypts?
Yes, Bitlocker can use TPM features to perform its function.

Second part of what you said, I'm thinking if I kept recovery keys for bitlocker or suspended it, THAT would get me back in if I got locked out? Sorry for all the questions, curious mind and genuinely intrigued.
Read through https://docs.microsoft.com/en-us/tr...nd-bitlocker-protection-non-microsoft-updates
 

Colif

Win 11 Master
Moderator
I think if your PC can run windows 11 now, there is no reason to stay on windows 10.
Sure, the changes aren't massive but upgrading to it is the same as running a windows 10 version update.
Okay, you might need to turn on fTPM in BIOS, but most boards now being sold have that enabled, and it doesn't take much to set up.

It's only after using a VM of Windows 10 a few days ago that I noticed the differences again.