[kuschku]

The TPM is pwned, by default. It's closed, secret, and as the AMT issuws showed, has a lot of software running in it with questionable security.

That's why the whole excercise is meaningless if you leave the keys on the device, and why you should put them on external hardware TPMs or key vaults. Even a YubiKey is better.

Now you just need a system that supports reading keys from such a device during boot.

[izacus]

You can use YubiKey to store BitLocker decryption key.

[kuschku]

And? That still allows MS to decrypt the drive.

[Karunamon]

False. You are given a non-default option to upload a backup of your Bitlocker key to Onedrive. By what evidence are you claiming Microsoft gets to decrypt the drive if this option isn't selected?

[Karunamon]

TPM and AMT are two entirely different technologies with entirely different classes of security concerns. The Intel management engine (which runs the AMT software) is effectively a separate CPU that runs full programs and has direct memory/hardware access, while the TPM is not.

The TPM is a PKI device, nothing more. It cannot take over your computer.