Windows 11 Question (TPM? -> External TPM Module = Not Mandatory)

ruzicka4613

Member
PRIVATE FIRST CLASS
Joined
Jul 5, 2020
Messages
34
Thank you. I will double-check all that.

One question though....I think I read somewhere that when using a firmware TPM, the security codes reside on in the CPU rather than on a physical TPM. If I then at some point upgrade my CPU, replacing it, all the codes are then lost. If so, would that mean that I would be unable to access my hard drive?
 

RemusM

Well-known member
LIEUTENANT COLONEL
Joined
Nov 16, 2006
Messages
2,881
I think I read somewhere that when using a firmware TPM, the security codes reside on in the CPU rather than on a physical TPM.
Not true.
In both cases (TPM module or firmware) the encryption keys cannot be stored inside of the CPU.
Because if you turn the power off ... :biggrin:
The encryption keys are always stored on the encrypted drive.
 
Last edited:

laurence1211

Well-known member
PRIVATE E-2
Joined
Jun 28, 2020
Messages
1,993
Thank you. I will double-check all that.

One question though....I think I read somewhere that when using a firmware TPM, the security codes reside on in the CPU rather than on a physical TPM. If I then at some point upgrade my CPU, replacing it, all the codes are then lost. If so, would that mean that I would be unable to access my hard drive?
I would like to point out that if you do this, you will lose access to your hard drive, unless you take careful steps before hand. You can not just change any hardware part without planning, when you use secure boot and bitlocker.
 

ruzicka4613

Member
PRIVATE FIRST CLASS
Joined
Jul 5, 2020
Messages
34
I would like to point out that if you do this, you will lose access to your hard drive, unless you take careful steps before hand. You can not just change any hardware part without planning, when you use secure boot and bitlocker.
What "careful steps" do you recommend?
 

Alan J T

🙈 🙉🐝 🤬😈
Global Moderator
Joined
Sep 11, 2020
Messages
10,635
What "careful steps" do you recommend?
You will need to log in to you MS account on a second device to retrieve the key to activate you computer I think you may also need two factor authorization or to use the Authenticator on your mobile phone. It is a pane it the ass as just plugin you external USB SSD in to a different USB port that has Bit-locker enabled can can trigger the lock out.
So before charging any thing go to MS account and find you Account access keys

I am a big fan of two factor log in due to attempts from other countries to attempt log in to my account
To check your use this link Review account activity

Looking at this you can see why I advise all to use two factor login. I live in Australia and do not use a VPM
1625810284166.png
 
Last edited:

laurence1211

Well-known member
PRIVATE E-2
Joined
Jun 28, 2020
Messages
1,993
What "careful steps" do you recommend?
Well this depends on what exactly you are looking to do. But the general sequence is turn off bitlocker, then turn off secure boot. Update the hardware and or bios. Then you will need to turn on secure boot, maybe making sure default keys are loaded, then turn bitlocker back on when in the system. There will need to be reboots for the steps, dont try and do everything in one go. Whether you need to unencrypt your drive first or just turn off bitlocker for a reboot depends on what you are doing. You dont have to use bitlocker* at all, personally i dont. If you do, make sure you have an account setup with Microsoft so you can recover like @Alan J T says. Also secure boot violation my occur where MS account backup might not help you, as the system could be locked before you even get to that point. Furthermore FYI AFAIK the keys are stored inside the CPU**, when you use a fTPM, which is why i wouldnt use that method.
* For Win 11 it's looking like bitlocker is on by default, not sure if it can be turned off completely or not.
** AMD fTPM is located inside the CPU while intel fTPM is actually inside the chipset on the motherboard.
 
Last edited:

RemusM

Well-known member
LIEUTENANT COLONEL
Joined
Nov 16, 2006
Messages
2,881
** AMD fTPM is located inside the CPU while intel fTPM is actually inside the chipset on the motherboard.
You are talking about the recovery key.
Again: the encryption keys are always stored on the encrypted drive.
You can backup the encryption keys before the hardware change and you don't need the recovery key in this case.
 

RemusM

Well-known member
LIEUTENANT COLONEL
Joined
Nov 16, 2006
Messages
2,881
To make it clear, if you want to upgrade/change the motherboard, CPU, etc:
- you will need the current recovery key to suspend BitLocker
- if suspended, you can shut down and replace the component you want
- after restart you will log in as administrator and enable again BitLocker
But this time it won't ask for the recovery key!
And even more: it will update all the existing encryption keys based on the current hardware.
 

Alan J T

🙈 🙉🐝 🤬😈
Global Moderator
Joined
Sep 11, 2020
Messages
10,635
Well dang lets toss some fuel on the fire
Win 11 Installed
On this build

MSI MAG B550M MORTAR WIFI AM4 Micro-ATX Motherboard
AMD Ryzen 9 3900X 12 Core Socket AM4 3.8GHz CPU Processor
G.Skill Ripjaws V 32GB (4x 16GB) DDR4 3200MHz Memory
Radeon RX 5700 Has been flashed with the Radeon 5700 XT Bios
OS Drive PCIE 3x4 Patriot P300 1TB M.2
Game Drive Pioneer 2TB NVMe PCIe M.2 2280 Gen 3x4
Game Drive WD Blue 3D NAND 1TB PC SSD - SATA
Enermax REVOLUTION D.F Series 850W 80+ Gold Fully Modular Power Supply


and I get this

All setting in BIOS are correct
Win confused .jpg

win confused 2.jpg

bang.gif
 
Last edited:

Alan J T

🙈 🙉🐝 🤬😈
Global Moderator
Joined
Sep 11, 2020
Messages
10,635
Its a known bug in the Insider build.
Have been looking in to it looks like it is not recognising the Virtualisation-based security for some reason.
And since it is a option in the BIOS I all ways had disabled I not know all that much about what it is for or how it works, UEFI and Secure Boot was all I ever had turned on in the BIOS security wise up till now.
1626319566525.png
 

dvair

Active member
SECOND LIEUTENANT
Joined
Nov 4, 2009
Messages
643
I get the same standard hardware security box on my Insider build, but when I boot back into 10 on the same machine with the same BIOS settings the item you highlighted in System Info shows as enabled. Just a bug right now, should be fixed in the future.
 

Acenewton156d02de

New member
Joined
Jul 14, 2021
Messages
2
Not sure why people panic. Win10 will keep getting support and updates until 2025..
May I ask where you got this info? tbh, i'm just afraid because Windows is known for forcing us to upgrade and I don't want to be forced into an update I can't do.
 

citay

Pro
SERGEANT
Joined
Oct 12, 2016
Messages
9,782
May I ask where you got this info? tbh, i'm just afraid because Windows is known for forcing us to upgrade and I don't want to be forced into an update I can't do.
Retirement Date Windows 10 Home and Pro 10/14/2025

This would be awesome. I have a X570 Pro Carbon Wifi.
All mainboards from the last few years support it. A recent BIOS is advised for best function (they found some bugs in the TPM code a while back). A list of sorts is here:
 

steven_gilshenan

New member
PRIVATE E-2
Joined
Jun 21, 2020
Messages
4
Your system looks to be too old to be supported.
I don't like that answer. I have an older X79 system that runs really nice. It has a header for a TPM so therefore, you would think, they made the chip/board to plug to that header that works with the chipset.

I have had a read of the manual and it says to refer to the TPM security platform manual for more information. I don't think that was supplied on purchase. Information is really scarce. Of course, I want to keep up with Windows 11.
 

laurence1211

Well-known member
PRIVATE E-2
Joined
Jun 28, 2020
Messages
1,993
I don't like that answer. I have an older X79 system that runs really nice. It has a header for a TPM so therefore, you would think, they made the chip/board to plug to that header that works with the chipset.

I have had a read of the manual and it says to refer to the TPM security platform manual for more information. I don't think that was supplied on purchase. Information is really scarce. Of course, I want to keep up with Windows 11.
Microsoft are setting the min spec and they have so far said no to a lot of computers out there. X79 will not be supported.
 
Top