
Does CPU-based TPM survive a BIOS reset?

Intel call it PTT and AMD call it FTPM. But suppose you have a TPM-secured OS on your PC and you update or reset your BIOS. Does your OS still boot? Does everything still work?
 
Good question, someone with W11 should test it. Enabled tpm, install w11 then disable tpm and see if it boots?

Atm it seems all BIOSes default to TPM off, so that's what will happen: you update the BIOS and TPM turns off. I assume at some point future BIOSes will default to TPM on.
 
Hi, I enabled fTPM in BIOS and updated my Win10 Pro VM to Win11 Pro. I just disabled fTPM in the BIOS and Win11 still boots. I don't think the OS needs it; I think it's more about DRM than security.
 
I would imagine it would only have any effect if you'd enabled BitLocker. Would be interesting to see what happens if you did a BIOS reset with BitLocker enabled on the boot drive. I'm guessing you'd need to do a reinstall at that point.
 
I would imagine it would only have any effect if you'd enabled BitLocker. Would be interesting to see what happens if you did a BIOS reset with BitLocker enabled on the boot drive. I'm guessing you'd need to do a reinstall at that point.
The BIOS says, if BitLocker is on and you disable TPM, Windows will not boot or encrypted data will be lost. If using BitLocker use a dTPM; that way updating/resetting the BIOS does not mess with it.
 
I’ve not tried it, but assuming Bitlocker is enabled, if the TPM was disabled or lost the key would Bitlocker not revert to requiring a recovery code to gain access to the drive, after which if you enabled the TPM you could reinitialise?
 
I don't use BitLocker, but that's a pretty big caveat for those who do. I can foresee some people complaining about lost data in the future.
 
I suppose that depends on whether BitLocker is enabled by default, or if it requires the user to enable it. At least on Windows 10, BitLocker isn't enabled if you use a local account; it's only enabled by default if you use a cloud account, and in that event the recovery key is stored in your cloud account. Although I'm not sure your average user would know to look there, or where to look... and that assumes they even know their hard drive is encrypted.

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker
 
Everything about bitlocker just makes me wonder why anyone would ever use it.

Motherboard failure = all data lost. What a wonderful security feature!

Locked to the current motherboard too, and can't ever change it.
 
AIUI Windows 11 disables TPM anyway if it detects that it's in a VM.
So it's not saved in the UEFI. Shame.

I don't know what this means, but my Asus motherboard says in the manual that it is stored in the ME and only says that a ROM replacement would invalidate the key, not a BIOS update or CMOS reset.
 
Everything about bitlocker just makes me wonder why anyone would ever use it.

Motherboard failure = all data lost. What a wonderful security feature!

Locked to the current motherboard too, and can't ever change it.

Only reason in that respect is for people who handle confidential information, etc. Windows 11, security-wise, seems to be a lot of high ideals disconnected from the real world. Unfortunately, I think people are increasingly going to find that tweaks to work around requirements in Windows 11 won't be very useful in the longer run: they might allow the OS to install and boot, but some features, including required ones, might not function, or not function correctly, without the requirements.

MS need a good slap around the head, TBH; even the security of any existing TPM implementation is weakened, if not exploitable, these days. (That isn't to say they should abandon all and every TPM functionality.)
 
Everything about bitlocker just makes me wonder why anyone would ever use it.
Motherboard failure = all data lost. What a wonderful security feature!
Locked to the current motherboard too, and can't ever change it.

That's not how it works; you can just use the BitLocker recovery key to access the drive in another machine. It saves the recovery key to your MS account, a text file, etc. when you encrypt the drive.
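The two posts above describe the fallback that actually applies when a firmware update or CMOS reset changes what the TPM measures: BitLocker drops to its recovery password rather than losing the data. The PowerShell below is an added pre-flight check for that situation, written for this thread and not taken from any poster or from Microsoft documentation; it assumes the OS volume is C:, an elevated prompt, and the built-in TrustedPlatformModule and BitLocker cmdlets on Windows 10/11 Pro or better.

```powershell
# Added example (not from any poster in this thread): confirm TPM and BitLocker state,
# make sure a recovery password exists and is recorded off-box, then suspend protection
# for one reboot so a BIOS update or reset does not force a recovery prompt at boot.
# Assumptions: OS volume is C:, run as Administrator, Windows 10/11 Pro or better.
$mount = "C:"

# 1. Is a TPM (discrete, Intel PTT or AMD fTPM) present and ready for Windows to use?
$tpm = Get-Tpm
"TPM present: {0}  ready: {1}  enabled: {2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled

# 2. How is the OS volume currently protected?
$vol = Get-BitLockerVolume -MountPoint $mount
"Volume status: {0}  protection: {1}" -f $vol.VolumeStatus, $vol.ProtectionStatus
$vol.KeyProtector | ForEach-Object { "  protector: {0} ({1})" -f $_.KeyProtectorType, $_.KeyProtectorId }

# 3. A TPM-only volume with no recovery password is the case the thread worries about:
#    a firmware change alters the PCR values the key is sealed against and there is
#    nothing to fall back on. Add a recovery password if one is missing.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $mount
}
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
# Show the 48-digit recovery password so it can be stored somewhere other than this
# machine (MS account / Entra ID backup, password manager, printout) before touching firmware.
"Recovery password ({0}): {1}" -f $rp.KeyProtectorId, $rp.RecoveryPassword

# 4. Suspend protection for exactly one reboot. The volume stays encrypted; the key is
#    simply left unsealed for that boot, so the new firmware measurements do not trigger
#    recovery. BitLocker resumes automatically and re-seals the key to the new PCR values.
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $mount -RebootCount 1 | Out-Null
    "Protection suspended for one reboot; apply the BIOS update or reset now."
}
```

If the firmware change actually disables the TPM (as several posters observed after a BIOS update), the suspended state still ends after one reboot and the volume falls back to the recovery password printed in step 3, so record it before rebooting.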
 
Everything about bitlocker just makes me wonder why anyone would ever use it.

Motherboard failure = all data lost. What a wonderful security feature!

Locked to the current motherboard too, and can't ever change it.

All my work computers and laptops use BitLocker for drive encryption, and although it can be a pain, it does prevent protected data being accessed if a device is lost or stolen.
 