Author Topic: Windows 11  (Read 5221 times)

October 24, 2021, 09:50 AM
Reply #50
  • Global Moderator
  • *****
  • Posts: 915
  • Gender: Male
What W11 wants TPM is to enable Disk Encryption, handle password generation/random numbers using discrete TPM used in Business class desktops/laptops. I do have TPM, Secure boot but CPU is 6700 which is unsupported.

In your case it's just the CPU. TPM and secure boot have been out for quite a while now.

I'm not too clear about the part regarding password generation. Does this mean every password we use must be generated by the TPM in the motherboard? If in order the enter the BIOS (or UEFI), will we now be forced to use a password to get in, and, will TPM generate it?

Sadly we still don't have an answer to my primary question. Say you have secure boot enabled but your OS won't boot and you must boot from Sergei Strelec's ISO to restore a Macrium Reflect image. If we are prevented from doing that, then how do we rescue our system?
We can switch Secure to custom mode and add our USB boot media and it works even with Secure boot enabled since it whitelists our device.
Password generation is similar to how mobile or ARM64 does same concept which resides outside the control of OS and most attempts to read/write the data from those chips/regions are blocked. So not connected to BIOS password generation.

October 24, 2021, 09:20 PM
Reply #51
  • Global Moderator
  • *****
  • Posts: 2384
  • Gender: Male
We can switch Secure to custom mode and add our USB boot media and it works even with Secure boot enabled since it whitelists our device.

So to do this you'd have to boot into the BIOS and then insert the flashdrive?

Also, does secure boot authorize the device itself or the OS that's on it? Say the flashdrive you authorized had Strelec's PE on it. If I reformatted that same device and installed Parted Magic, would it boot?

Password generation is similar to how mobile or ARM64 does same concept which resides outside the control of OS and most attempts to read/write the data from those chips/regions are blocked. So not connected to BIOS password generation.

Are you saying this is the password that gets you into the BIOS and not related to anything done on the OS? Also, when secure boot and TPM are enabled, are you forced to use a password to get into the BIOS? If you lose the password must you open the case and remove the coin battery or something similar?

October 26, 2021, 01:47 PM
Reply #52
  • Global Moderator
  • *****
  • Posts: 915
  • Gender: Male
We can switch Secure to custom mode and add our USB boot media and it works even with Secure boot enabled since it whitelists our device.

So to do this you'd have to boot into the BIOS and then insert the flashdrive?

Also, does secure boot authorize the device itself or the OS that's on it? Say the flashdrive you authorized had Strelec's PE on it. If I reformatted that same device and installed Parted Magic, would it boot?

Password generation is similar to how mobile or ARM64 does same concept which resides outside the control of OS and most attempts to read/write the data from those chips/regions are blocked. So not connected to BIOS password generation.

Are you saying this is the password that gets you into the BIOS and not related to anything done on the OS? Also, when secure boot and TPM are enabled, are you forced to use a password to get into the BIOS? If you lose the password must you open the case and remove the coin battery or something similar?
I use Ventoy nowadays so while you reformat the drive you may need to whitelist it again!
With newer TPMs even removing coin-cell won't erase the data since it will be stored on EEPROM. If the TPM can store password securely if vendors have implemented it; otherwise the BIOS and OS might use the hardware acceleration to generate a password which cryptographically secure.

October 26, 2021, 10:24 PM
Reply #53
  • Global Moderator
  • *****
  • Posts: 2384
  • Gender: Male
I use Ventoy nowadays so while you reformat the drive you may need to whitelist it again!

I was looking at their site but I'm not too clear what Ventoy does. Is this another Rufus or different?

With newer TPMs even removing coin-cell won't erase the data since it will be stored on EEPROM. If the TPM can store password securely if vendors have implemented it; otherwise the BIOS and OS might use the hardware acceleration to generate a password which cryptographically secure.

What happens if you lose your password or simply sell your board?