by tallanvor 2661 days ago
The Bitlocker + TPM without PIN model is primarily aimed at preventing the contents of a drive from being accessed from a different system - you can send your old drive to the recycler without worrying about someone hooking it up to a different computer to scan for financial information or passwords.

For businesses that need to protect internal or customer data, the correct answer is requiring a PIN on boot, as this prevents the TPM from sending the key without receiving the PIN.

And it really shouldn't be surprising that if a computer doesn't require any user interaction before decrypting a drive that retrieving the encryption key is going to be relatively trivial if you're willing to put in some time and money.


I suppose in retrospect it shouldn't be surprising. I just thought it would be a lot harder than this. I imagined that the communication between the TPM chip and the CPU would be encrypted somehow; I should have verified that.

Does the TPM have a mechanism to lock out if the PIN is entered incorrectly? That sounds like a good move to me.

Yes. By default you get 3 or 5 chances and then you have to use the recovery key. In corporate environments the recovery key is often stored in AD or another location by default so it's retrievable by IT (whether because the user entered the wrong PIN or because they quit/were fired and you still need to be able to get data off the computer).
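The thread's recommendation for business machines is TPM plus a startup PIN, with the recovery password escrowed so IT can still get at the data. The script below is an added example, not code from the thread or from Microsoft: it audits every BitLocker volume on the local machine with the built-in BitLocker module, flags operating-system volumes that rely on the TPM alone (no PIN at boot), and shows a dry-run remediation that escrows the recovery password to AD DS before swapping the bare TPM protector for a TPM+PIN protector. The function name `Get-BitLockerPinPosture` is my own; the cmdlets, protector type names and `-WhatIf` switches are the module's. Run it from an elevated PowerShell session.

```powershell
# Added example, not part of the thread: audit BitLocker protectors and flag
# OS volumes that unlock from the TPM alone, i.e. with no PIN required at boot.
# Assumes the built-in BitLocker module (Windows 8 / Server 2012 and later)
# and an elevated session.
Import-Module BitLocker

function Get-BitLockerPinPosture {
    # One summary object per volume, derived from the protector types present.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin
            HasPin           = $hasPin
            HasRecoveryPwd   = $types -contains 'RecoveryPassword'
        }
    }
}

$posture = Get-BitLockerPinPosture
$posture | Format-Table -AutoSize

# Remediation for OS volumes found to be TPM-only. Order matters: make sure a
# recovery password exists and is escrowed to AD DS first, so the volume is
# never left with only the protector we are about to remove. -WhatIf keeps
# every change a dry run; remove it to apply.
foreach ($v in $posture | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly }) {
    $mp = $v.MountPoint

    if (-not $v.HasRecoveryPwd) {
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector -WhatIf
    }
    # Escrow every recovery password protector to the computer object in AD DS
    # (the "stored in AD" behaviour mentioned in the thread).
    (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $_.KeyProtectorId -WhatIf }

    # TPM-based protectors are exclusive, so drop the bare TPM protector before
    # adding TPM+PIN. The PIN is read interactively as a SecureString.
    $tpmId = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        Select-Object -ExpandProperty KeyProtectorId
    Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $tpmId -WhatIf

    $pin = Read-Host -AsSecureString "Startup PIN for $mp"
    Add-BitLockerKeyProtector -MountPoint $mp -TpmAndPinProtector -Pin $pin -WhatIf
}
```

After the change, `Get-BitLockerVolume` should list a `TpmPin` protector and a `RecoveryPassword` protector for the OS volume and no plain `Tpm` entry; the TPM's own lockout after a handful of wrong PINs, which the last comment describes, is enforced by the TPM hardware and is not something this script configures.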