by yakaccount4 531 days ago
Deploying some sort of TPM remote attestation for DRM requires every component from every vendor to play nice, so I don't think you'll ever see that rolled out for Windows.

I would guess that the actual push for TPM is to have 'better' BitLocker, and Passkey support.

In practice the default BitLocker+TPM configuration isn't that great (no user entropy/pin, dTPM is basically worthless).

I have no actual understanding of how TPM is involved for Windows Hello/WebAuthn/Passkey or whatever, but at a glance biometrics without a TEE seems like a very weak link.


I figured it’s more about ensuring the kernel and boot loading and OS are 100% unmodified by attackers/malware.

If that helps with BitLocker or passkeys or whatever, that's great. But I assume at its base it's a pure integrity play.

I would think that would also let you know the public key stuff used to communicate with hardware authentication like a fingerprint reader is secure too, but I don’t know how that stuff works well enough to know if that’s true.

TPM can measure the Secure Boot state for later reporting (attestation), but when it comes to DRM that's not a terribly interesting bit of information: knowing the firmware and kernel are valid, when the configuration of the OS and installed applications is really the important part.

As far as I know there’s no real scalable way for that to work in the Windows ecosystem.
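To make the point in the comment above concrete, here is an added stand-alone model of measured boot and a TPM quote; it is not code from the thread or from any TPM stack. PCR extend (`new = H(old || H(measurement))`) is real TPM semantics, but the PCR layout (firmware in PCR0, Secure Boot policy in PCR7, boot manager and kernel in PCR4), the boot chain blobs, the nonces and the HMAC-based "attestation key" are constructed for the example; a real TPM signs quotes with an asymmetric attestation key. The demo shows what attestation does and does not tell a verifier: a patched kernel or a reordered chain changes the PCRs, a replayed quote fails the nonce check, and a machine with the same boot chain but a completely different set of installed applications produces identical PCRs, because nothing after the kernel was measured.

```python
"""Simulated measured boot + TPM quote verification (teaching model, not a TPM library)."""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || H(measurement)).
    Extend is one-way and order-dependent, so a PCR value commits to the
    entire sequence of measurements, not just the last one."""
    return sha256(pcr + sha256(measurement))


def measured_boot(machine: dict) -> dict:
    """Feed the (pcr_index, component_bytes) boot chain through the PCRs.
    Only machine['boot_chain'] is measured; machine['installed_apps'] never
    touches a PCR, which is exactly the gap the comment describes."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(8)}  # all PCRs are zero at power-on
    for idx, blob in machine["boot_chain"]:
        pcrs[idx] = pcr_extend(pcrs[idx], blob)
    return pcrs


def pcr_digest(pcrs: dict) -> bytes:
    return sha256(b"".join(pcrs[i] for i in sorted(pcrs)))


def quote(pcrs: dict, nonce: bytes, ak_secret: bytes) -> tuple:
    """Attestation quote over the PCR bank plus a verifier-supplied nonce.
    Assumption: HMAC with a shared secret stands in for the TPM's AK signature."""
    attested = pcr_digest(pcrs) + nonce
    return attested, hmac.new(ak_secret, attested, "sha256").digest()


def verify_quote(attested: bytes, signature: bytes, golden_pcrs: dict,
                 nonce: bytes, ak_secret: bytes) -> bool:
    """Verifier side: signature, freshness (nonce), then golden-value comparison."""
    expected_sig = hmac.new(ak_secret, attested, "sha256").digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False
    if attested[PCR_SIZE:] != nonce:
        return False  # stale or replayed quote
    return hmac.compare_digest(attested[:PCR_SIZE], pcr_digest(golden_pcrs))


# Constructed sample data (not real firmware or key material).
AK_SECRET = b"constructed-attestation-key-secret"
GOOD_CHAIN = [
    (0, b"UEFI firmware v1.0 (constructed)"),
    (7, b"SecureBoot=on, db=vendor-keys (constructed)"),
    (4, b"boot manager image (constructed)"),
    (4, b"kernel image (constructed)"),
]
REFERENCE = {"boot_chain": GOOD_CHAIN, "installed_apps": ["office"]}


def run_demo() -> dict:
    golden = measured_boot(REFERENCE)
    nonce = sha256(b"verifier nonce 1")[:16]
    results = {}

    # 1. Clean boot: quote matches golden values.
    results["clean_boot"] = verify_quote(*quote(golden, nonce, AK_SECRET), golden, nonce, AK_SECRET)

    # 2. Patched kernel: PCR4 diverges, verification fails.
    patched = {"boot_chain": GOOD_CHAIN[:3] + [(4, b"kernel image (patched)")], "installed_apps": []}
    results["tampered_kernel"] = verify_quote(*quote(measured_boot(patched), nonce, AK_SECRET),
                                              golden, nonce, AK_SECRET)

    # 3. Same components measured in a different order: different PCR4.
    reordered = {"boot_chain": GOOD_CHAIN[:2] + [GOOD_CHAIN[3], GOOD_CHAIN[2]], "installed_apps": []}
    results["reordered_chain"] = verify_quote(*quote(measured_boot(reordered), nonce, AK_SECRET),
                                              golden, nonce, AK_SECRET)

    # 4. Replay: a valid old quote presented against a fresh nonce is rejected.
    old_attested, old_sig = quote(golden, nonce, AK_SECRET)
    fresh_nonce = sha256(b"verifier nonce 2")[:16]
    results["replayed_quote"] = verify_quote(old_attested, old_sig, golden, fresh_nonce, AK_SECRET)

    # 5. Same boot chain, entirely different (unmeasured) applications: indistinguishable.
    other = {"boot_chain": GOOD_CHAIN, "installed_apps": ["screen-recorder", "debugger"]}
    results["same_boot_other_apps"] = verify_quote(*quote(measured_boot(other), nonce, AK_SECRET),
                                                   golden, nonce, AK_SECRET)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:22s} verified={ok}")
```

Case 5 is the one that matters for the DRM argument: the verifier learns the firmware, Secure Boot policy and kernel are the expected ones, and nothing else. Closing that gap would require measuring (and keeping golden values for) the whole userland, which is the scalability problem the comment points at.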

That makes sense to me. It just doesn’t seem that useful for DRM, seems like kind of a reach.

Especially in modern systems where the graphics card could do all of it and so the host PC never has access to the decrypted data or keys in the first place.