by Karunamon 3304 days ago
What do you mean linked to Microsoft? And if your TPM, the hardware device that stores keys, is pwned, the whole exercise is meaningless anyways
2 comments

The TPM is pwned, by default. It's closed, secret, and as the AMT issues showed, has a lot of software running in it with questionable security.

That's why the whole exercise is meaningless if you leave the keys on the device, and why you should put them on external hardware TPMs or key vaults. Even a YubiKey is better.

Now you just need a system that supports reading keys from such a device during boot.

You can use a YubiKey to store the BitLocker decryption key.
And? That still allows MS to decrypt the drive.
False. You are given a non-default option to upload a backup of your BitLocker key to OneDrive. By what evidence are you claiming Microsoft gets to decrypt the drive if this option isn't selected?
TPM and AMT are two entirely different technologies with entirely different classes of security concerns. The Intel management engine (which runs the AMT software) is effectively a separate CPU that runs full programs and has direct memory/hardware access, while the TPM is not.

The TPM is a PKI device, nothing more. It cannot take over your computer.

MS encrypts your stuff with your AND Microsoft's key. Look for this "feature" by a if you forget your password, and log into OneDrive.

Their encryption, by definition, is already backdoored to MS. Game over.

And that's nothing about the stupidity of the TPM itself.

>MS encrypts your stuff with your AND Microsoft's key. Look for this "feature" by a if you forget your password, and log into OneDrive.

This statement is misleading. When setting up BitLocker, you have the option of saving your recovery key to OneDrive. It's not mandatory or even the default choice.
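As an added defender's check that is not from any commenter in this thread, the PowerShell below lists which key protectors each BitLocker volume actually has, so you can see whether a recovery password (the only protector type that the OneDrive backup option escrows) exists at all, and whether the key is TPM-bound or held on removable media. It assumes the built-in BitLocker module (Windows 8 / Server 2012 or later) and an elevated prompt; the function name is my own.

```powershell
# Added example, not code from the thread. Summarises BitLocker key protectors
# per volume using the built-in BitLocker module (Get-BitLockerVolume).
# Run from an elevated PowerShell prompt.
function Get-BitLockerProtectorSummary {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, ExternalKey, RecoveryPassword, Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ', ')
            # Any Tpm* protector means the volume key is sealed to the platform TPM.
            TpmBound            = [bool]($types -match '^Tpm')
            # ExternalKey is a startup key kept on removable media (e.g. USB).
            HasExternalKey      = $types -contains 'ExternalKey'
            # RecoveryPassword is the 48-digit key that the setup wizard offers to
            # back up to OneDrive (or AD/Entra ID). Its presence here does NOT
            # tell you whether it was ever uploaded; that is not recorded locally.
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
        }
    }
}

Get-BitLockerProtectorSummary | Format-Table -AutoSize
```

If a volume shows no RecoveryPassword protector, there was nothing for the OneDrive backup option to upload in the first place.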