by wolvoleo 36 days ago
> Not what happened here (I reserve my judgment wrt the promised TPM+PIN exploit).

Yes this is the one I'm referring to.

I have noticed it myself, it has happened to me that my system rebooted to install updates and it did not pass through the blue TPM pin entry screen at that point. That was a big red flag for me. A normal reboot always does that, even a 'hot' reboot.


BitLocker can be suspended, and will be unprotected until the next reboot. Then it will resume (and presumably re-lock to the current state).

A good or corporate BIOS/etc. updater will do this to avoid requiring a recovery at the next boot.

> Bitlocker can be suspended

But the files on the disk must still be decrypted somehow. The key must be stored somewhere.

According to this: https://windowsforum.com/threads/pause-bitlocker-before-bios...

> BitLocker is now suspended, which means the drive remains encrypted, but Windows temporarily stores the unlock information so firmware changes won’t immediately trigger recovery.

> A normal reboot always [forces the TPM pin entry screen], even a 'hot' reboot.

In TPM-only mode, I only see the screen—which asks for a recovery key that serves as an alternative to the TPM-borne secret, not for whatever you are calling the “TPM PIN” here—whenever I update the firmware or the bootloader (the latter from the other side of the dual-boot setup). Otherwise it boots straight to the login screen, which meshes with the measured-boot-only theory of operation I’ve described above. There’s nothing nefarious in this part, even if I think it exposes an unwisely large attack surface (e.g. the USB stack). I suspect you simply reboot so rarely that you’re never hitting the happy path.

No, I have the explicit PIN turned on. That means it requires a PIN entry on each boot. It's not the recovery screen, though it looks similar. It's also not a password that's then hashed. It unlocks the TPM with a short PIN; the number of attempts is limited by the TPM itself so that it doesn't get brute-forced.

This is not a standard option, I think it can only be set through a group policy.
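An added example, not posted by anyone in this thread, tying together the two points above (a suspended volume stays encrypted but unprotected until reboot; TPM-only vs. TPM+PIN protectors set via policy): a PowerShell check that reports the OS volume's current posture. It assumes an elevated session on Windows with the built-in BitLocker module, and the function name is my own.

```powershell
# Added example: report whether the OS volume is currently "suspended"
# (still encrypted on disk, but unlock material kept in the clear until the
# next reboot) and which startup protector is configured (TPM-only vs TPM+PIN).
# Assumes an elevated PowerShell session with the BitLocker module present.
function Get-BitLockerStartupPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # ProtectionStatus 'Off' on a FullyEncrypted volume is exactly what
    # Suspend-BitLocker leaves behind; it persists until the reboot count expires.
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.ProtectionStatus -eq 'Off')

    # TpmPin / TpmPinStartupKey are the pre-boot PIN protectors discussed above;
    # a bare 'Tpm' protector is the TPM-only (measured-boot) mode.
    $pinProtector = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })

    # Policy values behind "Require additional authentication at startup".
    # UseTPMPIN: 1 = require, 2 = allow, 0 = do not allow; $null = not configured.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Suspended        = $suspended
        ProtectorTypes   = ($types -join ', ')
        TpmOnly          = ('Tpm' -in $types) -and ($pinProtector.Count -eq 0)
        TpmPinConfigured = ($pinProtector.Count -gt 0)
        PolicyUseTPMPIN  = $fve.UseTPMPIN
        HasRecoveryPass  = ('RecoveryPassword' -in $types)
    }
}

# Usage: run before and after a firmware/BIOS updater to confirm protection came back.
$posture = Get-BitLockerStartupPosture
$posture | Format-List
if ($posture.Suspended) {
    Write-Warning ("BitLocker is suspended on {0}; run Resume-BitLocker -MountPoint {0} " +
                   "once the update is complete.") -f $posture.MountPoint
}
```

A volume that shows `Suspended = True` after the updater has finished is the state the thread describes as a red flag: the data is encrypted, but the next boot will not ask for the PIN.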