Windows 11 Question (TPM? -> External TPM Module = Not Mandatory)

[ruzicka4613]

Thank you. I will double-check all that.

One question though....I think I read somewhere that when using a firmware TPM, the security codes reside on in the CPU rather than on a physical TPM. If I then at some point upgrade my CPU, replacing it, all the codes are then lost. If so, would that mean that I would be unable to access my hard drive?

 

[RemusM]

I think I read somewhere that when using a firmware TPM, the security codes reside on in the CPU rather than on a physical TPM.

Not true.
In both cases (TPM module or firmware) the encryption keys cannot be stored inside of the CPU.
Because if you turn the power off ...
The encryption keys are always stored on the encrypted drive.

 

[ruzicka4613]

Thanks for all the help!

 

[laurence1211]

Thank you. I will double-check all that.

One question though....I think I read somewhere that when using a firmware TPM, the security codes reside on in the CPU rather than on a physical TPM. If I then at some point upgrade my CPU, replacing it, all the codes are then lost. If so, would that mean that I would be unable to access my hard drive?

I would like to point out that if you do this, you will lose access to your hard drive, unless you take careful steps before hand. You can not just change any hardware part without planning, when you use secure boot and bitlocker.

 

[ruzicka4613]

I would like to point out that if you do this, you will lose access to your hard drive, unless you take careful steps before hand. You can not just change any hardware part without planning, when you use secure boot and bitlocker.

What "careful steps" do you recommend?

 

[Alan J T]

What "careful steps" do you recommend?

You will need to log in to you MS account on a second device to retrieve the key to activate you computer I think you may also need two factor authorization or to use the Authenticator on your mobile phone. It is a pane it the [***CENSORED***] as just plugin you external USB SSD in to a different USB port that has Bit-locker enabled can can trigger the lock out.
So before charging any thing go to MS account and find you Account access keys

I am a big fan of two factor log in due to attempts from other countries to attempt log in to my account
To check your use this link Review account activity

Looking at this you can see why I advise all to use two factor login. I live in Australia and do not use a VPM

 

[laurence1211]

What "careful steps" do you recommend?

Well this depends on what exactly you are looking to do. But the general sequence is turn off bitlocker, then turn off secure boot. Update the hardware and or bios. Then you will need to turn on secure boot, maybe making sure default keys are loaded, then turn bitlocker back on when in the system. There will need to be reboots for the steps, dont try and do everything in one go. Whether you need to unencrypt your drive first or just turn off bitlocker for a reboot depends on what you are doing. You dont have to use bitlocker* at all, personally i dont. If you do, make sure you have an account setup with Microsoft so you can recover like @Alan J T says. Also secure boot violation my occur where MS account backup might not help you, as the system could be locked before you even get to that point. Furthermore FYI AFAIK the keys are stored inside the CPU**, when you use a fTPM, which is why i wouldnt use that method.
* For Win 11 it's looking like bitlocker is on by default, not sure if it can be turned off completely or not.
** AMD fTPM is located inside the CPU while intel fTPM is actually inside the chipset on the motherboard.

 

[RemusM]

** AMD fTPM is located inside the CPU while intel fTPM is actually inside the chipset on the motherboard.

You are talking about the recovery key.
Again: the encryption keys are always stored on the encrypted drive.
You can backup the encryption keys before the hardware change and you don't need the recovery key in this case.

 

[RemusM]

To make it clear, if you want to upgrade/change the motherboard, CPU, etc:
- you will need the current recovery key to suspend BitLocker
- if suspended, you can shut down and replace the component you want
- after restart you will log in as administrator and enable again BitLocker
But this time it won't ask for the recovery key!
And even more: it will update all the existing encryption keys based on the current hardware.

 

[ruzicka4613]

Thanks all

 

[Alan J T]

Well dang lets toss some fuel on the fire
Win 11 Installed
On this build

MSI MAG B550M MORTAR WIFI AM4 Micro-ATX Motherboard
AMD Ryzen 9 3900X 12 Core Socket AM4 3.8GHz CPU Processor
G.Skill Ripjaws V 32GB (4x 16GB) DDR4 3200MHz Memory
Radeon RX 5700 Has been flashed with the Radeon 5700 XT Bios
OS Drive PCIE 3x4 Patriot P300 1TB M.2
Game Drive Pioneer 2TB NVMe PCIe M.2 2280 Gen 3x4
Game Drive WD Blue 3D NAND 1TB PC SSD - SATA
Enermax REVOLUTION D.F Series 850W 80+ Gold Fully Modular Power Supply


and I get this

All setting in BIOS are correct

 

[dvair]

Its a known bug in the Insider build.

 

[Alan J T]

Its a known bug in the Insider build.

Have been looking in to it looks like it is not recognising the Virtualisation-based security for some reason.
And since it is a option in the BIOS I all ways had disabled I not know all that much about what it is for or how it works, UEFI and Secure Boot was all I ever had turned on in the BIOS security wise up till now.

 

[dvair]

I get the same standard hardware security box on my Insider build, but when I boot back into 10 on the same machine with the same BIOS settings the item you highlighted in System Info shows as enabled. Just a bug right now, should be fixed in the future.

 

[Acenewton156d02de]

Not sure why people panic. Win10 will keep getting support and updates until 2025..

May I ask where you got this info? tbh, i'm just afraid because Windows is known for forcing us to upgrade and I don't want to be forced into an update I can't do.

 

[Acenewton156d02de]

Is there a list of all of the motherboards which have the bios TPM option? I have an MSI Z370 SLI PLUS (MS-7B46).

This would be awesome. I have a X570 Pro Carbon Wifi.

 

[citay]

May I ask where you got this info? tbh, i'm just afraid because Windows is known for forcing us to upgrade and I don't want to be forced into an update I can't do.

Windows 10 Home and Pro - Microsoft Lifecycle

Windows 10 Home and Pro follows the Modern Lifecycle Policy.

docs.microsoft.com

Retirement Date Windows 10 Home and Pro 10/14/2025

This would be awesome. I have a X570 Pro Carbon Wifi.

All mainboards from the last few years support it. A recent BIOS is advised for best function (they found some bugs in the TPM code a while back). A list of sorts is here:

How to Enable TPM on MSI Motherboards Featuring TPM 2.0

Microsoft recently announced Windows 11 and one of its system requirements is TPM 2.0. Thus, many people are now asking questions like “does my PC support TPM 2.0?” or “is a discrete TPM 2.0 module mandatory for installing Windows 11?”

www.msi.com

 

[steven_gilshenan]

Your system looks to be too old to be supported.

I don't like that answer. I have an older X79 system that runs really nice. It has a header for a TPM so therefore, you would think, they made the chip/board to plug to that header that works with the chipset.

I have had a read of the manual and it says to refer to the TPM security platform manual for more information. I don't think that was supplied on purchase. Information is really scarce. Of course, I want to keep up with Windows 11.

 

[laurence1211]

I don't like that answer. I have an older X79 system that runs really nice. It has a header for a TPM so therefore, you would think, they made the chip/board to plug to that header that works with the chipset.

I have had a read of the manual and it says to refer to the TPM security platform manual for more information. I don't think that was supplied on purchase. Information is really scarce. Of course, I want to keep up with Windows 11.

Microsoft are setting the min spec and they have so far said no to a lot of computers out there. X79 will not be supported.

 

[Encryptme]

I have a MEG Z590 ACE and I was unsure whether to enable fTPM or PTT for Windows 11? (I have secure boot enabled)