How Does Windows 11 TPM Protection Provide Security at Login?

Windows 11 offers enhanced account protection, passwordless sign-in, and hardware-based security. So what has changed in Windows 11 compared to Windows 10, how do these changes affect forensic extraction and analysis, and to what extent can TPM (Trusted Platform Module)-based protection be overcome? We will try to answer all of these questions, drawing on the article Elcomsoft prepared on the subject.

If you want to learn more about TPM before reading this article, you can also check out our article on what the TPM that Windows 11 brought into the spotlight is and what it does.

In the past, Windows users used to log on to their computers using a password. The local Windows account was the only way to authenticate in Windows 7 and earlier versions of Windows.

However, starting with Windows 8, Microsoft introduced a new method that allows users to sign in using their Microsoft account’s online credentials. Microsoft kept updating the operating system to the point where certain editions of Windows could no longer be installed with a local account and an online account became mandatory. Today, the credentials of any Microsoft account can be used to sign in to any computer running Windows 8, Windows 10 or Windows 11.

A first-time Microsoft account sign-in requires an active internet connection, because the account credentials are sent to Microsoft for authentication. The Microsoft account password is then cached on the local computer so that offline sign-ins work. This allows anyone with the disk to brute-force the password and gain access to the entire contents of the user’s Microsoft account, including pictures and documents stored in OneDrive, Skype conversations, browsing history, any passwords held by the Edge browser, and much more. A high-speed offline attack on the computer’s NTLM database can thus crack the password of an online account that holds sensitive personal information.

Of course, two-factor authentication can help avoid the worst-case scenario. However, a brute-forced password still exposes everything in the user’s Windows account, including any passwords stored in the Edge browser. Microsoft tried to work around this problem by introducing methods such as the PIN and Windows Hello authentication. However, the general lack of hardware to support these authentication methods rendered them relatively ineffective.

(Image: Microsoft Account sign-in screen.)

This was hardly acceptable, so Microsoft began working on an alternative sign-in method that would still use a Microsoft account but would reduce the security risk associated with cached credentials. On top of that, in September 2021, the company announced the passwordless authentication feature. Windows 11 now adds a new account type that does not require a password to sign in at all.

Microsoft sees passwordless sign-in as a more secure authentication option than passwords. Enabling passwordless authentication automatically rules out an unauthorized person gaining access to the local computer by knowing (or having brute-forced) the user’s existing local or cloud-based Microsoft account password.

Passwordless solutions such as Windows Hello, the Microsoft Authenticator app, SMS or email codes, and physical security keys provide a more secure and convenient sign-in method. While passwords can be guessed and stolen, only you can verify the fingerprint or give the right answer from your mobile phone at the right time.

There are currently three types of accounts available in Windows 11 for general (non-domain) users:

  1. [Default] Passwordless Microsoft Account: a password cannot be used to sign in. Users authenticate online via a PIN (TPM dependent), Windows Hello, or the Microsoft Authenticator app.
  2. Microsoft Account (password enabled): users can authenticate using a PIN (TPM), Windows Hello, or the Microsoft account password.
  3. Local Windows Account (password enabled): users can authenticate via password, PIN (TPM), or Windows Hello.

Windows 11 allows both password and passwordless logins. Passwordless mode is the new default when configuring a new Windows 11 system or adding a new account to an existing Windows 11 installation. User accounts that were migrated during the upgrade from Windows 10 to Windows 11 retain their existing authentication capabilities.

Windows 11 users can manually choose a password-based or passwordless sign-in, and the defaults are as follows:

  • New Windows 11 installations: Microsoft account and passwordless sign-in.
  • Migrating from Windows 10 to Windows 11: the password-based sign-in is migrated and the existing authentication method is reused.
  • New accounts created in Windows 11 after migrating from Windows 10: Microsoft account and passwordless sign-in.

Note also that users can easily switch between password and passwordless sign-in at any time by changing a single setting.

(Image: Windows 11 sign-in options.)

Users can also switch between password and passwordless sign-in by changing an entry in the Registry.
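The article does not name the Registry entry. As an added example (our own, not code from the original article or from Elcomsoft), the PowerShell below reads and, if asked, changes the value that the Settings toggle writes on current Windows 11 builds; the path and the meaning of the values (2 = passwordless, 0 = password sign-in allowed) are our assumption and should be confirmed on your own build before you rely on them. Run it from an elevated prompt.

```powershell
# Added example, not from the original article or from Elcomsoft.
# Assumption: the Settings toggle "only allow Windows Hello sign-in for Microsoft
# accounts" is backed by DevicePasswordLessBuildVersion (DWORD): 2 = passwordless on,
# 0 = password sign-in allowed. Verify on your build before relying on it.

$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'
$Name = 'DevicePasswordLessBuildVersion'

function Get-PasswordlessMode {
    # Returns a readable label for the current value, or NotConfigured if absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ($item.$Name) {
        2       { 'Passwordless' }
        0       { 'PasswordAllowed' }
        default { "Unknown($($item.$Name))" }
    }
}

function Set-PasswordlessMode {
    # Writes the value; requires administrative rights. Sign out for it to take effect.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Passwordless', 'PasswordAllowed')]
        [string]$Mode
    )
    $value = if ($Mode -eq 'Passwordless') { 2 } else { 0 }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $value -Type DWord
    Write-Host "Set $Name to $value ($Mode). Sign out and back in for the change to apply."
}

Write-Host "Current sign-in mode: $(Get-PasswordlessMode)"
# Example of switching back to allowing password sign-in:
# Set-PasswordlessMode -Mode PasswordAllowed
```

Keep in mind that turning passwordless mode off re-enables exactly the cached-credential exposure described above, so on a machine you administer the value worth checking for is 2.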

Interestingly, Windows 10 can and does use TPM (Trusted Platform Module)-based sign-in protection. If the computer has a TPM module, or TPM emulation that is provided and enabled in the UEFI BIOS, Windows 10 takes advantage of hardware protection for PIN-based authentication. However, that is not the whole story.

Windows 10 can use the features of TPM 2.0 if the module is installed on the system or emulated. The article “Why is a PIN Better than an Online Password?” in Microsoft’s Windows security documentation claims that PIN-based account protection is better than password-based authentication. It gives two reasons:

PIN Depends on Hardware: one of the key differences between an online password and a Hello PIN is that the PIN is tied to the specific hardware it was set up on. The PIN is useless to anyone who does not have that specific hardware.

PIN Supported by Hardware: the Windows Hello PIN is backed by the TPM (Trusted Platform Module) chip, a secure cryptographic processor designed to perform cryptographic operations. The chip includes multiple physical security mechanisms to resist tampering, and malware cannot interfere with the TPM’s security functions. Many modern devices have a TPM. Windows 10, on the other hand, has the flaw of not binding local passwords to the TPM. This is why Microsoft considers PINs more secure than local passwords.

Windows 10 runs on computers that have no TPM module at all. It also works just fine, without a single warning, on computers that have firmware-based TPM emulation but have it disabled in their UEFI BIOS. For example, the Gigabyte Z390 motherboard (9th generation Intel) supports the “Intel Platform Trust Technology” feature, but the default setting for this feature is “off”. To use it, you must manually enable the “Intel Platform Trust Technology (PTT)” setting in the “Miscellaneous” section of the “Settings” tab of the BIOS setup.

(Image: On the Gigabyte Z390 motherboard, the Intel Platform Trust Technology (PTT) feature can be enabled in the BIOS.)

Windows can still use PIN-based login even if the TPM is missing or disabled. Microsoft claims this is more secure than password-based authentication.

Without a TPM, or unless the TPM is explicitly enabled in the computer’s UEFI BIOS and exposed to the Windows operating system, the account PIN is not tied to the device as Microsoft’s article “Why is a PIN Better than an Online Password?” claims. Additionally, if the computer’s TPM, Intel Platform Trust Technology, or AMD fTPM (firmware Trusted Platform Module) is not enabled in the UEFI BIOS (and there are reasonable reasons to disable this module), the PIN is cached in the local user account database and can be recovered by a brute-force attack, much like a user password.
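Whether a PIN is hardware-bound therefore depends on whether Windows actually sees a working TPM. The following PowerShell report is an added example (ours, not code from the original article or from Elcomsoft) that uses the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class to show the TPM state and to spell out, in the article’s terms, what that state means for a PIN enrolled on the machine. The wording of the verdicts is our own; run it as Administrator.

```powershell
# Added example, not from the original article or from Elcomsoft.
# Reports whether Windows is exposed to a ready TPM (discrete, PTT or fTPM) and
# what that implies for Windows Hello PIN binding. Requires the built-in
# TrustedPlatformModule module; run from an elevated prompt.

function Get-TpmBindingReport {
    $tpm = Get-Tpm -ErrorAction Stop
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $report = [ordered]@{
        TpmPresent   = $tpm.TpmPresent     # false when no TPM/fTPM/PTT is exposed
        TpmReady     = $tpm.TpmReady       # provisioned and usable by Windows
        TpmEnabled   = $tpm.TpmEnabled
        TpmActivated = $tpm.TpmActivated
        Manufacturer = $tpm.ManufacturerIdTxt
        SpecVersion  = if ($wmi) { $wmi.SpecVersion } else { 'n/a' }   # e.g. "2.0, 0, 1.59"
    }

    # Verdict text is ours, following the article's test results.
    if (-not $tpm.TpmPresent) {
        $report.PinBinding = 'No TPM exposed to Windows: a PIN set here is cached on disk, not hardware-bound. Check whether fTPM/PTT is disabled in UEFI.'
    }
    elseif (-not ($tpm.TpmReady -and $tpm.TpmEnabled)) {
        $report.PinBinding = 'TPM present but not ready/enabled: treat the PIN as not hardware-bound until the TPM is provisioned.'
    }
    else {
        $report.PinBinding = 'TPM ready: a PIN enrolled on this machine is tied to this TPM and will not work after a disk move.'
    }

    [pscustomobject]$report
}

Get-TpmBindingReport | Format-List
```

The report describes the machine’s current state only. A PIN enrolled while the TPM was disabled does not become hardware-bound just because the TPM is enabled later; consistent with test 4 below, the safe assumption is to remove and re-enroll the PIN after enabling the TPM.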

Elcomsoft ran several tests to check how reliable PIN-based authentication really is, by moving a Windows installation between computers and attempting to sign in with the PIN. We share the results of these tests below.

Test 1: A Windows 10 installation with a PIN-enabled account was migrated from one TPM-less system to another TPM-less system (i7-4700S) by physically swapping the disk. Restarting the computer and entering the PIN on the new system resulted in a successful sign-in.

Test 2: A Windows 10 installation with a PIN-enabled account was migrated from one TPM-less system to another TPM-less system (i7-4700S) by cloning the disk. Not a single piece of hardware, nor the boot drive, remained from the original system. Restarting the computer and entering the PIN on the new system resulted in a successful sign-in.

Test 3: A Windows 10 installation with a PIN-enabled account was migrated from a TPM-less system to a TPM-enabled system (i7-9700K) by cloning the disk. Not a single piece of hardware, nor the boot drive, remained from the original system. Restarting the computer and entering the PIN on the new system resulted in a successful sign-in.

Test 4: A Windows 10 installation with a PIN-enabled account was migrated from a TPM-enabled system to another TPM-enabled system (i9-12900K) by cloning the disk. The new system failed to authenticate with the PIN and required a password-based sign-in; the PIN had to be removed and re-entered to re-enable PIN sign-in.

These tests show that if the source system has no TPM, the PIN is not hardware dependent. If a TPM is present and enabled on the source system, the PIN is indeed hardware dependent.

Most portable computers (Windows laptops, tablets, and 2-in-1s) with an 8th generation or newer Intel processor, or an AMD Zen or newer processor, are equipped with a firmware-based Trusted Platform Module, which most hardware manufacturers enable by default. This means that most portable computers can use the TPM for added protection.

A firmware-based Trusted Platform Module has been available on desktop computers since 8th generation Intel and AMD Zen, just as on laptops. However, it is disabled by default on most AMD motherboards and on Intel chipsets prior to 12th generation Alder Lake. Users with such motherboards must manually enable fTPM (AMD) or Intel Platform Trust Technology (PTT) in their computer’s UEFI BIOS to use the TPM feature.

Most desktop computers with 8th to 11th generation Intel processors are equipped with TPM emulation. Intel Platform Trust Technology (PTT) is disabled by default on many of these desktops. The latest AMD motherboards also feature fTPM technology, but this feature is also disabled by default.

Note: original equipment manufacturers (OEMs) have started enabling the firmware-based TPM in BIOS updates in line with the Windows 11 requirements.

Windows 10 users can also use the passwordless authentication feature, just like Windows 11 users. However, there it is a cloud-based, account-wide setting that removes the need for a password when signing in to the online Microsoft account.

To use passwordless authentication, Windows 10 users need to configure additional security settings online in their Microsoft account. To do so, while signed in to your Microsoft account, click your profile picture, choose “My Microsoft account” to open the account settings, and click “Additional Security Options” under the “Security” section. You will then see the page with the “Additional Security” section shown in the image below, where the “Passwordless Account” section lets you turn on passwordless sign-in.

(Image: Additional security settings in the Microsoft account.)

To learn more about the passwordless sign-in option, see the article “How to Use a Password with Your Microsoft Account” on Microsoft’s website.

According to “How Windows Uses the Trusted Platform Module (TPM)” in the Documentation section of Microsoft’s website, Windows can use the security coprocessor for a variety of tasks, from key protection to device encryption. However, judging by the tests Elcomsoft has performed, the practical use of TPM technology in Windows is not as widespread as Microsoft claims.

For example, Microsoft Edge passwords are protected with a key managed through DPAPI (Data Protection Application Programming Interface). If this key were protected by the TPM, an intruder analyzing the disk image would not be able to obtain the passwords stored in the web browser, even if the disk image was not encrypted. However, even in Windows 11 this DPAPI key is not TPM protected, and anyone who knows the user’s Windows account password can obtain all of that user’s passwords stored by Microsoft Edge.

Instead of moving all DPAPI keys into the TPM, Microsoft is trying to solve this problem by introducing a new Windows authentication option that does not use passwords. With TPM-protected passwordless authentication, neither passwords nor PIN codes are stored on the computer’s hard drive, hashed or not (a hash function maps variable-length data to fixed-length data). Instead, the keys are protected by the TPM module, or by its firmware emulation, which as far as we know is no less secure.

This has several important consequences. First and most obviously, if a computer running Windows 11 has passwordless sign-in enabled, an offline brute-force attack on the passwords and PINs of the linked accounts no longer applies.

It is technically possible to convert a passwordless account to a local Windows account and assign a known password to it. However, once this is done the DPAPI keys are lost, meaning that a great deal of protected information (including Edge passwords and NTFS-encrypted files) becomes permanently unusable after such a conversion. There is, however, a tool that overcomes this problem, and we will talk about it in the next section.

Both yes and no. Before fully answering this question, we need to clear up a common misconception: that the TPM requirement of Windows 11 exists for automatic BitLocker encryption of the system partition. In reality this is not the case at all.

Windows 11’s default encryption policies are a little different from what we saw in Windows 10 (and Windows 8.1 before that). While most portable devices such as laptops and 2-in-1s are automatically encrypted with BitLocker Device Encryption on any version of Windows, this is not the case for desktops, regardless of whether a TPM is present or whether Windows 11 was upgraded or freshly installed. Users of Windows 11 Pro, Enterprise and Education editions can manually encrypt the system partition, while users of Windows 11 Home do not have this option.

(Image: BitLocker can encrypt drives with the TPM.)

If BitLocker encryption is enabled on the Windows system partition, you will first need to unlock the BitLocker volume to reach the account database files you need. Since Windows 11 requires a TPM by default, we can assume that a TPM is present (in practice there is no difference between a dedicated TPM chip, an integrated one, or processor-based emulation) and that the encryption key is stored in the TPM. The TPM does not release the encryption key when you start the computer with a different operating system. Since no password protector is used for TPM-only system drive encryption, there is no password to attack.

The only way to unlock such a BitLocker volume is the “BitLocker Recovery Key”. On portable devices with BitLocker Device Encryption, Windows automatically generates a recovery key when encrypting the system partition. This recovery key is automatically uploaded to the Microsoft account of the first user who signs in to that computer with administrative privileges using Microsoft account credentials rather than a local Windows account. You can request this key from Microsoft, or download it from the page linked here after signing in to the Microsoft account of the user in question.

For desktop computers, the recovery key may still be found in the user’s Microsoft account. If it is not, you will need to locate that key elsewhere to access the affected volume. It is very unlikely that the user has one or more additional protectors (such as a password) enabled; you can check this with Elcomsoft System Recovery by extracting the encryption metadata from the affected volume.
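Which protectors a volume carries decides whether there is anything to attack at all, so it is worth checking before imaging. As an added example (ours, not code from the original article, from Elcomsoft or from Elcomsoft System Recovery), the PowerShell below uses the built-in BitLocker module to report the protector types on the system volume, whether it is TPM-only (no password protector), and whether a recovery password protector exists; the TpmOnly classification is our own reading of the protector list. Run it as Administrator on a machine you administer.

```powershell
# Added example, not from the original article or from Elcomsoft.
# Reports the BitLocker protectors on the system volume so you know whether the
# volume is TPM-only (nothing to brute-force) and whether a recovery password
# protector exists. Requires the built-in BitLocker module; run elevated.

function Get-SystemVolumeProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)   # usually 'C:'

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that require something from the user at boot (PIN, startup key,
    # or a plain password); their absence alongside a Tpm protector means TPM-only.
    $userAuthTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')
    $userAuth      = @($types | Where-Object { $_ -in $userAuthTypes })

    $recoveryIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus      # On / Off
        VolumeStatus        = $vol.VolumeStatus          # FullyEncrypted, FullyDecrypted, ...
        EncryptionMethod    = $vol.EncryptionMethod      # e.g. XtsAes128
        Protectors          = ($types -join ', ')
        TpmOnly             = (($types -contains 'Tpm') -and ($userAuth.Count -eq 0))
        HasRecoveryPassword = ($recoveryIds.Count -gt 0)
        RecoveryPasswordIds = $recoveryIds                # IDs only; the key itself is not printed
    }
}

Get-SystemVolumeProtectorReport | Format-List
```

When TpmOnly is true and HasRecoveryPassword is true, the recovery password is the only path to the data, exactly as the text above describes; the 48-digit value itself is available on the same KeyProtector objects for escrow, and on a Microsoft-account device it should already be in the account’s recovery key page. If ProtectionStatus is Off the volume is not protected even though it may show as encrypted, which is the state a desktop is typically in.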

Despite the controversy over the high system requirements of Windows 11, Microsoft did the right thing. Passwordless authentication combined with TPM protection is a huge benefit for securing Windows accounts.

However, the default encryption policies have not changed. BitLocker Device Encryption is still only available on portable devices. On desktop computers, BitLocker encryption is not enabled automatically. If BitLocker encryption is enabled on a system partition, you will still need the correct BitLocker Recovery Key to unlock and decrypt the volume, just as in Windows 10.
