by mrsaint 1438 days ago
"By default" means it's just a switch in the BIOS to fix this issue? If yes, not a big deal, is it?

For now. And BIOS can be updated.
But does the option in question enable third party certificates, or disable UEFI entirely?
There's a separate option for each.
It may come with many secrets baked into the security processor already, like your Windows license, or you may have used your computer for some time, and stored some secrets with keys stored in the processor.

You'll lose these secrets and keys, forever. They may be private keys, decryption tokens and more.

You may not be able to regenerate them and get everything back.

Edit: Windows (license) keys are not in the TPM apparently, my bad, sorry. Keeping the above text for context correctness.

You've posted this claim repeatedly but I don't think it's true. The Windows keys are not in the TPM.
According to this: https://superuser.com/a/1398914/38072

BitLocker uses TPM to store HDD encryption keys.

I suppose you need it to resize the partition without deleting your encrypted Windows data, at least.

Thanks for the info!

I said "may" because I haven't used Windows on my systems for the last 20 years. If they're not doing that, it's great, honestly.

I don't claim to be 100% correct, and kindly pointing out that I'm wrong is enough to update my wrinkly muscle.

Nope, Windows keys are not in the TPM. Only BitLocker uses it in any common scenario, and that you can disable before changing UEFI settings (or enter a recovery key); you can also use BL without a TPM.
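The "suspend BitLocker before touching UEFI settings" step the thread lands on, written out as an added example (not posted by any commenter in this thread): it reports the TPM state, lists which key protectors guard the OS volume, ensures a recovery password exists and is printed so it can be stored offline, and then suspends BitLocker for exactly one reboot so a Secure Boot or TPM setting change in firmware does not trigger a recovery prompt. It assumes an elevated PowerShell session on Windows 10/11, the built-in TrustedPlatformModule and BitLocker modules, and that the OS volume is `C:` (an assumption; adjust `$MountPoint`).

```powershell
# Added example: pre-flight check before changing UEFI/Secure Boot/TPM settings
# on a BitLocker-protected machine. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$MountPoint = "C:"   # assumed OS volume; change if your system drive differs

# 1. TPM state: the commenters note BitLocker (not the Windows license) is what
#    actually depends on the TPM, so confirm whether one is present and ready.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}  ready: {1}  enabled: {2}" -f `
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled)

# 2. BitLocker state for the OS volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("Volume {0}: status={1} protection={2}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "Volume is not encrypted; nothing to suspend."
    return
}

# 3. Which protectors exist? A TPM-bound protector is the one that breaks when
#    firmware measurements change; a RecoveryPassword protector is the way back in.
$vol.KeyProtector | ForEach-Object {
    Write-Host ("  protector {0} type={1}" -f $_.KeyProtectorId, $_.KeyProtectorType)
}

$tpmBound = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
}
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# 4. Make sure a recovery password exists before doing anything to the firmware,
#    and show it so it can be written down / stored off the machine.
if (-not $recovery) {
    Write-Host "No recovery password protector found; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}
foreach ($r in $recovery) {
    Write-Host ("Recovery password ({0}): {1}" -f $r.KeyProtectorId, $r.RecoveryPassword)
}

# 5. Suspend protection for one reboot only. The data stays encrypted; the volume
#    master key is simply left in the clear until the next boot completes, after
#    which BitLocker re-seals to the TPM's new measurements automatically.
if ($tpmBound -and $vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Host "BitLocker suspended for 1 reboot. Change UEFI settings now, then reboot."
} elseif (-not $tpmBound) {
    Write-Host "No TPM-bound protector; UEFI changes will not trigger recovery."
} else {
    Write-Host "Protection already suspended."
}
```

`Suspend-BitLocker -RebootCount 1` is deliberately used instead of `Disable-BitLocker`: suspension keeps the volume encrypted and resumes protection on its own after one boot, whereas disabling decrypts the whole disk. Note that with protection suspended the disk is readable by anyone with physical access until that reboot completes, so do the firmware change immediately after running this.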