by indigo945 531 days ago
The point is that the TPM PIN prevents the attack if the system is powered off when the attacker obtains it.

If the TPM doesn't have a PIN, this attack works even if the attacker obtains the system when it's powered off. They can start the computer, proceed to the Windows logon screen (that they can't get past and that hence prevents them from exfiltrating data from the running system), then just reset the computer and perform this attack to obtain the encryption key. This obviously doesn't work if the PIN prevents Windows from ever even starting.

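The distinction drawn above, TPM-only unlock versus TPM+PIN, is visible in each volume's key protectors. The following PowerShell audit is an added example, not code from the thread; it assumes a Windows host with the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and an elevated session. It flags volumes whose only TPM-based protector is the plain Tpm type, i.e. those where the key is released to the OS automatically at boot, and shows the remediation as commented-out steps.

```powershell
# Added example (not from the thread): audit BitLocker key protectors.
# Assumes the built-in BitLocker PowerShell module and an elevated session.
# Mount points and protector lists are read from the live system.

function Get-BitLockerPinAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TPM-only unlock: the TPM releases the volume key without any user input,
        # so the OS boots to the logon screen unattended. A TpmPin or
        # TpmPinStartupKey protector requires pre-boot authentication instead.
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
            HasRecoveryPass  = ($types -contains 'RecoveryPassword')
        }
    }
}

# Report every volume, then call out the ones that boot without a PIN.
$audit = Get-BitLockerPinAudit
$audit | Format-Table -AutoSize
$atRisk = $audit | Where-Object { $_.ProtectionStatus -eq 'On' -and $_.TpmOnly }

if ($atRisk) {
    Write-Warning ('TPM-only protectors (no pre-boot PIN) on: ' + ($atRisk.MountPoint -join ', '))
}

# Optional remediation for the OS volume, left commented out so the audit is read-only.
# Order matters: keep a recovery password, remove the TPM-only protector (BitLocker
# allows one TPM-based protector per volume), then add TPM+PIN. The policy
# "Require additional authentication at startup" must permit a PIN, and the user
# will be prompted for it at every boot afterwards.
#
# if (-not ($audit | Where-Object { $_.MountPoint -eq 'C:' }).HasRecoveryPass) {
#     Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
# }
# $tpmId = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#          Where-Object KeyProtectorType -eq 'Tpm' |
#          Select-Object -ExpandProperty KeyProtectorId
# if ($tpmId) { Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpmId }
# $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Run the audit as-is on a fleet to find volumes that still rely on TPM-only unlock; the Protectors column also shows whether a recovery password exists, which the remediation needs before the TPM-only protector can be removed.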

I know this is beside the point, but still kinda relevant:

Even on Win11 it's still possible to do the old utilman (or other suitable module) replacement hack from Windows repair (trigger by interrupting boot); from there you can change account passwords at will.

You can't change something on an encrypted volume without knowing the encryption key.
I think Windows repair prompts for an admin login and the BitLocker key before allowing you to proceed. Assuming the Windows install is intact enough to read the security SAM.
> the old utilman (or other suitable module) replacement hack from Windows repair (trigger by interrupting boot),

Can you elaborate on this?