by briHass 868 days ago
No big deal here. This attack looks like it's using a crusty old TPM 1.2 laptop, so encrypted parameters to the TPM aren't supported. Even with Win11 and TPM2.0 (required for Win11), encrypted parameters to the TPM would just slow down an attacker.

You need to use pre-boot auth, like a PIN. Obviously, the TPM needs to have some kind of authentication to release the key, not just the default mode where Windows just needs to request it. This is all outlined in MS documentation: https://learn.microsoft.com/en-us/windows/security/operating...


TPM without PIN is the default configuration, so I'd consider it to be a big deal.
The age-old battle of security vs. convenience. Most Linux distros don't force you into pre-boot, PIN TPM encryption either.

It is controllable through group policy, so orgs that care can force users into it.
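The policy-enforced TPM+PIN setup this comment refers to, as an added PowerShell example that is not from the thread or from Microsoft: it audits which key protectors each BitLocker volume carries (flagging OS volumes that release the key on TPM measurements alone), reads the policy values that the "Require additional authentication at startup" group policy writes under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, and shows how to replace a TPM-only protector with TPM+PIN. The cmdlets, registry path and value names are the ones the BitLocker module and policy use; the assumption that `Add-BitLockerKeyProtector -TpmAndPinProtector` supersedes the existing TPM protector is mine, so the script also removes any leftover plain `Tpm` protector afterwards.

```powershell
# Added example (not from the thread). Needs the BitLocker module (Windows Pro/Enterprise)
# and an elevated session; run the audit first, change protectors only after testing.
#Requires -RunAsAdministrator

# Values written by Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerStartupPolicy {
    # Summarises the pre-boot auth policy, or returns $null when no policy is set.
    if (-not (Test-Path $fvePolicy)) { return $null }
    $p = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $p.UseAdvancedStartup   # 1 = policy enabled
        UseTPM             = $p.UseTPM               # 0 = do not allow TPM-only, 1 = require, 2 = allow
        UseTPMPIN          = $p.UseTPMPIN            # 0 = do not allow, 1 = require PIN, 2 = allow
        # "PIN is mandatory" means: policy on, TPM+PIN required, plain TPM unlock disallowed.
        PinRequired        = ($p.UseAdvancedStartup -eq 1 -and $p.UseTPMPIN -eq 1 -and $p.UseTPM -eq 0)
    }
}

function Get-BitLockerProtectorAudit {
    # One row per volume; TpmOnly is $true for an OS volume that has a TPM protector
    # but no TPM+PIN (or TPM+PIN+startup key) protector, i.e. the default the thread discusses.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Protectors = ($types -join ', ')
            TpmOnly    = ($vol.VolumeType -eq 'OperatingSystem' -and
                          $types -contains 'Tpm' -and
                          -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey'))
        }
    }
}

function Set-TpmPinProtector {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Refuse to touch a volume with no recovery password: if the PIN is mistyped at
    # the pre-boot prompt, the recovery password is the only way back in.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No RecoveryPassword protector on $MountPoint; back up a recovery key first."
    }
    # Fails if group policy disallows a PIN (UseTPMPIN = 0), so check the policy first.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # Only one TPM-based protector may remain; drop any plain Tpm protector still present.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Get-BitLockerProtectorAudit | Where-Object MountPoint -eq $MountPoint
}

# Usage: audit first, then opt in to a PIN on the OS volume.
Get-BitLockerStartupPolicy
Get-BitLockerProtectorAudit | Format-Table -AutoSize
# Set-TpmPinProtector -Pin (Read-Host -AsSecureString 'New startup PIN')
```

`TpmOnly = $true` in the audit output is the configuration the thread calls "no big deal" versus "a big deal": the volume key is released to whatever boots with the expected measurements, with nothing the user knows standing in front of it. The commented-out last line is the per-machine equivalent of what the group policy enforces fleet-wide.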

I agree. It seems Microsoft wants to get the accolades of solving a hard key exchange problem without actually solving that hard key exchange problem. We see this a LOT in companies that "make it easy" to do cryptography.

Interesting...

A PIN auth step eliminates the convenience value proposition of a TPM.

Selling passwordless authentication as a solution requiring a PIN just isn't recognizing that the PIN is now the password.

You're forgetting the other convenience value of the TPM in Windows, which is that it allows you to use a PIN/bio instead of your (hopefully) long and complex account password.

I think that's a bit of an overstatement. You already enter a password to sign in (or not, if you use biometrics). This is just another password that you enter once at boot. Doesn't seem all that bad of a tradeoff for data security.

With an ISO install, only 1.2 is required for Win11. TPM2 is only required to get the update offer from 10.
You can also set a registry key to ignore TPM/CPU requirements with the regular upgrade tools.