Posted on 11/03/2025 6:15:04 PM PST by E. Pluribus Unum
If you're running Windows 11, your computer has a TPM Chip Version 2.0. This is one of the requirements for using Windows 11 and of course Windows 10 has been declared as "End-Of-Life". While you think that Windows 11 is an improvement, wait till you find out what this TPM chip is all about. It is such a giant invasion of privacy that I turned mine off.
If you're using Windows 11, your computer has a TPM chip, Trusted Platform Module Version 2. This thing is required now to run Windows 11 and is supposed to be a security feature. But I discovered something that made me turn mine off the same day. This is another one of these moments where cybersecurity is not privacy.
Just remember this. Whoever sets the rules for cybersecurity, big tech in this case, may not have the same priorities as you do. Their cybersecurity may equate to your loss of privacy.
And today, you will hear a pretty solid example of that. This security chip not only erases your privacy, but could become an instrument of control. I'm going to walk you through exactly what I found step by step with the technical details, and you will learn about the APIs involved in this TPM chip, which apparently is tied to the cloud.
I will explain new terms connected to the TPM, like PCRs, PCP, EK, and UUIDs, plus the cloud calls it's connected to. Everything. You will be surprised.
Stay right there. Let me start with what happened to me. I bought a brand new laptop, a Lenovo ThinkPad X1 Carbon Gen 13, the newest model.
It came with Windows 11. First thing I did, like I always do, was dual boot with Ubuntu. I've done this for a dozen years.
Takes me 20 minutes on older Windows for the Ubuntu install. But as always, it takes a long time to restore my data. After all this work, I turned off Secure Boot.
Why? Because I'm a developer. I run custom kernels, I test various software, Secure Boot blocks unsigned bootloaders, and specifically with Secure Boot, you're tied only to operating systems that are signed using Microsoft's keys. To my surprise, without warning, the entire drive locked up.
My Ubuntu partition, inaccessible. Grub. Wiped.
The only way to recover, I had to download a Lenovo Recovery USB and start over. I lost not just Ubuntu, but all my data since this Recovery USB had to reformat the hard drive. Why did this happen? Because BitLocker's now on by default on Copilot+ PCs, and BitLocker's hardwired to the TPM.
Now, there's a reason that BitLocker's automatically enabled, and that's because it's tied to Windows Recall, but we'll get back to that later.
The digital ID. Endorsement key.
When the drive locked, the bootloader gave me a recovery option. Go to aka.ms bitlocker recovery and sign in with your Microsoft account. This was problematic right there because I actually, with great difficulty, managed to sign in with a local account.
Now, just to get this going, it's forcing me to identify myself. This was very suspicious, but I did it, and there it was in plain text. My device name, my 48-digit BitLocker recovery key, my TPM chip's endorsement key, which is a 2048-bit RSA public key.
Pay attention to that. The TPM endorsement key, that's a unique identifier of your machine. Now, it is tied to your Microsoft ID identity.
As it turns out, this EK is burnt into the TPM at the factory. It never changes. It's the internal serial number of the chip.
Once you use BitLocker, this EK becomes your digital passport. You can't change it. You can't delete it.
It's now tied to your Microsoft account, Windows Hello, any cloud service that uses Microsoft APIs for using the TPM, which you'll learn about later, and some Microsoft Azure services. Right now, Microsoft is the main company using the EK at scale. They use it for BitLocker recovery, cloud services, gaming anti-cheat systems, for example, Valorant and Fortnite.
Here's the problem. They expose an open API. Any application can call the TPM and reveal the endorsement key.
And here's a command you can run on PowerShell. And run this yourself as I'm not going to show you my endorsement key. This is not locked down like an iPhone IMEI.
On a phone, only Apple, Google, and the carrier can read it. On your PC, any app with admin rights can pull your EK. And yes, gaming anti-cheat systems are already doing it.
Microsoft Cloud Cryptography, the PCP.
Now we enter the rabbit hole. The Microsoft Platform Crypto Provider, PCP, is a version of a cryptography provider that routes all TPM operations through Microsoft's cloud.
It's not just a driver. It's a cloud service. Just to explain this a bit more clearly, Microsoft provides an API for applications to interface with security functions of your TPM.
But it is handled through the cloud, through Microsoft. Which means Microsoft knows every security interaction, including every interaction with Windows Hello, booting with BitLocker, or interacting with any application that uses these Microsoft security features, like gaming apps. When you generate a key like this on PowerShell, that key is sealed to the TPM and registered in Microsoft Cloud servers.
The PCP exposes APIs like this. Every call goes through Microsoft's attestation infrastructure. That means Microsoft knows every TPM key you create.
Microsoft knows every device that uses this crypto service. Microsoft can build a database of every Windows 11 machine. Microsoft knows when you are using these keys.
And yes, they are doing it.
Platform Configuration Registers, PCRs.
This was my second disaster.
I swap SSDs all the time. I have several NVMe drives, several preset dual boot drives, some for backup and some for testing. As a normal thing, I pulled my existing SSD drive out and put in a new one so I can do this video, testing a machine that didn't have my normal data.
This one was dual boot Windows 11 with Ubuntu 24.04. Then when I booted the drive, Grub was gone. Once again, I could only go to Windows, and the Linux setup was gone. What's happening here is something new, and it's called the Platform Configuration Register, PCR.
There's now a mechanism to watch your hardware and record this configuration on the TPM. And this can be queried remotely and locally by the bootloader. The TPM measures your hardware on every boot and stores it in these PCRs.
This registry area is another part of the TPM. So in every boot, the bootloader can query for particular characteristics based on the PCR selected. And here's a list of the different PCR categories, meaning it can give you a response on any of these measures.
PCR 1 is the killer. It includes CPU microcode, motherboard firmware, NVMe drive UUIDs, partition GUIDs. When I swap the SSD, the drive UUID changed.
The TPM saw the mismatch when it queried the PCR using PCR 1 measure. And this apparently sent a signal to the Windows 11 bootloader, which then proceeded to wipe out Grub. And yes, the UUID is stored in PCR 1. You can see it yourself by trying this on PowerShell.
Look at PCR 1. It's different on every machine. If you change one component on your device, PCR 1 changes. If you are using BitLocker, it locks.
I wasn't even using BitLocker. And it still signaled Windows to take over the boot sequence. This is not a bug.
This is by design. Very devious.
Remote attestation, the final boss.
Now we get to the scariest part. Using Microsoft's platform crypto provider, PCP Service, any application can remotely query your TPM and get a signed PCR quote. And here's how it works.
An app calls GetTPMAttestationQuote. TPM signs all PCRs with the attestation identity key. That quote is sent to Microsoft Cloud Service called the Azure Attestation Service.
Then Microsoft returns, this device is running Windows 11 24H2. This device has Secure Boot enabled. This device has no Linux bootloader.
This is not theoretical. Microsoft Azure Attestation is live. Windows Device Health Attestation uses it.
And any app can use it. For example, a bank app wants to know if you're running Linux. It calls attestation.
Sees PCR 4 equals grub signature. Then it denies login. By the way, Google does this on Android with the newly announced Play Integrity API.
It is an attestation service. So basically, today, some bank apps will not run in Europe because some of these banks require Google attestation to work. And this is a progression from the Google SafetyNet, which before just required the app to be signed.
Now it checks the OS and the Google OS will be rejected by this API. They will require the production OS for their apps to work. Microsoft is building the same capability for PCs.
Can Microsoft see everything? Yes. Every time you use BitLocker, enroll in Windows Hello, use a TPM-protected certificate, run a Copilot PC feature, your EK, endorsement key, and PCRs are sent to Microsoft. They don't need to hack you.
And remember that in order for certain apps to work, those apps that need Microsoft attestation services will require that you be logged in with your Microsoft ID or attestation doesn't work. So you can't just log in with a local account since all the attestation processes need to be signed and verified through the Microsoft PCP. You're sending them the data.
Microsoft is now in the middle of everything.
Windows Copilot, the AI that never forgets.
You can't talk TPM without Copilot.
Windows Recall takes screenshots every three seconds, stores the analysis of them in encrypted SQLite databases at this address. Guess what encrypts it? The TPM. Guess why they need the TPM and BitLocker to encrypt it.
So now your behavior is logged. Your identity is tied to the TPM. Your configuration is attested.
And Microsoft says we shouldn't worry about this. It's all local. But here's the thing.
There is no technical barrier to sending an instruction to the AI companion to examine your Recall database and report findings to HQ. This can be done without any data leaving your computer. Apple already proved it with NeuralHash.
Apple scans your photos. Then it computes what it perceives as a hash, which is basically turning the observations into some secret digital identifier. Then it is compared to other hashes pre-compiled by Apple that it identified as CSAM.
And if a match is found, it is sent to Apple. They suspended this project. But they already did the proof of concept that this was doable.
This was already a demonstration of communications between the AI and HQ. All they did was to turn off parts of it. The portion that's doing the scanning of photos, that's the mediaanalysisd I keep talking about, it's still running today.
Microsoft can do the same. And Windows Recall is much more capable. And actually they can do it easier because during Apple's time there was no LLM.
But today they can just ask this. Hey Copilot, summarize this user's last week. They visited privacy forums, searched, disabled TPM, opened Tor.
Zero technical difficulty.
The Kill Chain.
Let's put it together.
Identity. You now have an inescapable identity with the Microsoft key and the permanent TPM endorsement key.
Configuration. Now through PCRs, applications can require very specific configurations of your system and all verified by the TPM with attestation. This can now force you to use those required configurations.
Behavior. Now they can observe what you're doing with Microsoft Recall and Copilot.
Control. The next step is to lock you out via policy if they want to shut you down.
This is debanking 2.0. In case you forgot, let me remind you. In the UK, Nigel Farage was debanked for politics. In Canada, truckers were frozen out of their bank accounts.
In China, if you have low social scores, you have no access to WeChat, which is their primary payment method. Now this new sophisticated infrastructure exists in the West.
How to fight back.
You don't have to play this game. The only way to beat this is if the market says no and we, the consumers, need to decide that we don't want what they are pushing. Here are important takeaways.
Number one, don't use Windows 11 as your main OS. Stay on Windows 10. Run Windows 11 in a VM or confine your use of this to a minimum.
Use Linux for everything else. Number two, disable or reset the TPM. But with a caveat.
Let me be very clear here because this is important. The endorsement key, EK, cannot be changed. It is burnt into the TPM at the factory.
It is permanent. There is no API, no BIOS setting, no clear TPM command that will ever change it. But here's what you can do.
Option A, disable the TPM in BIOS. Recommended. And these are the steps I had to take on my Lenovo ThinkPad.
I rebooted, then clicked on F1, and then went to security in the BIOS, trusted computing, set the TPM state to disabled, and then I saved and exited. BitLocker will suspend itself. Some apps, maybe TurboTax, may refuse to run.
This depends on which apps start using the attestation service. Option B, reset the TPM ownership, but only if you never log in again to Microsoft. Run this in elevated PowerShell.
Clear TPM. What happens? TPM ownership is removed. All the AIKs, they're called attestation identity keys, are deleted.
All BitLocker protectors tied to the old TPM are invalidated. You are prompted to retake ownership. BitLocker re-encrypts with a new protector.
But if you don't use BitLocker, much of this won't matter. So make sure you don't use BitLocker. But, and this is huge, if you sign back in with the same Microsoft account, Microsoft will read your EK and relink everything.
Because the EK is factory burned. Microsoft already has it in their database. They match it on login.
It's like burning your passport and then walking into the same embassy with your old photo. Same chip, same identity, same tracking. The only way to break the chain permanently is reset TPM using clear TPM.
Create a local account. Never sign in with Microsoft. Suspend BitLocker or don't use it.
Use a different machine for Microsoft services. And yes, you can verify this yourself. After clear TPM, sign in with your Microsoft account.
Go to aka.ms. BitLocker recovery. Your old recovery key is back. Your EK is relinked.
Game over. However, if you don't go to Microsoft again on this device and the keys are gone, it will simulate a new user, like a new user got your computer. It's not too different from selling a phone and the IMEI now belongs to someone else.
Number three, never use embedded AI. So no Copilot, no Apple Intelligence, no Google Gemini. Use Linux on PCs and de-googled OS's on a phone.
Remember that embedded AI is controlled by someone else. It is okay to run AI like local AI you install yourself, like Ollama. At least you're the only one giving it instructions.
Number four, boycott attestation apps. If a bank is using attestation, switch. If government services use attestation, demand alternatives.
Social platforms, leave.
Final thought.
This isn't coming.
It's here. Every new PC ships with TPM 2.0 required. BitLocker on by default.
Copilot watching. You are not the user. You are the product.
Disable your TPM. Switch to Linux. Reject the AI companion.
Because tomorrow, your PC might decide you're not allowed to log in. Folks, thank you for watching my videos. As many of you know, this channel does not have sponsors and we primarily sustain ourselves by just creating products and services that we use to defend our privacy posture.
I'd like to invite you to visit our community site, BraxMe, which has a growing group of privacy enthusiasts. They're people from various walks of life and beliefs converged together in the mutual support of privacy issues. We have a store there with products ranging from the Brax virtual phone service, BraxMail, BytesVPN, the Google phones and other services like flashing an OS.
All these are tools used by the privacy aware and you can even talk to the actual users of the products directly. Join us. We'd love to have you there and you don't even have to identify yourself to be part of the community.
The very successful Brax 3 phone is available for pre-order on a second batch. The first batch has been sold out. Information about that is on Braxtech.net. Thanks also to those who donate to us on Patreon, Locals and YouTube memberships.
You are all appreciated. See you next time.
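Before following the disable or clear steps the video describes, a practitioner would first want to see which protections on their own machine are actually bound to the TPM. The following PowerShell audit is an added example, not code from the video or from Microsoft; it uses only the built-in TrustedPlatformModule, SecureBoot and BitLocker cmdlets plus certutil, must run elevated, reports a hash of the endorsement key rather than the key itself, and flags any TPM-bound volume with no recovery password, since the transcript notes that clearing the TPM invalidates TPM-tied BitLocker protectors.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the video): inventory what on this machine is bound to the TPM
# before disabling or clearing it. Read-only; nothing here changes TPM or BitLocker state.

function Get-TpmBindingReport {
    $report = [ordered]@{}

    # 1. TPM presence and state (TrustedPlatformModule module, ships with Windows).
    $tpm = Get-Tpm
    $report.TpmPresent   = $tpm.TpmPresent
    $report.TpmEnabled   = $tpm.TpmEnabled
    $report.TpmOwned     = $tpm.TpmOwned
    $report.Manufacturer = $tpm.ManufacturerIdTxt

    # 2. Endorsement key: record only a SHA-256 hash of the EK public key, never the key.
    try {
        $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
        $report.EkPresent     = $ek.IsPresent
        $report.EkHashSha256  = $ek.PublicKeyHash
        $report.EkCertCount   = @($ek.ManufacturerCertificates).Count
    } catch {
        $report.EkPresent = "unavailable ($($_.Exception.Message))"
    }

    # 3. Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try { $report.SecureBoot = Confirm-SecureBootUEFI }
    catch { $report.SecureBoot = 'n/a (not UEFI)' }

    # 4. BitLocker volumes: which ones have a TPM protector and whether a recovery
    #    password exists that would survive a TPM clear.
    $report.Volumes = foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            Mount               = $v.MountPoint
            Status              = $v.VolumeStatus
            Protection          = $v.ProtectionStatus
            TpmBound            = [bool]($v.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
            HasRecoveryPassword = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }

    # 5. Keys held by the Platform Crypto Provider (Windows Hello, TPM-backed certificates).
    #    certutil prints the key container names; errors are suppressed if the KSP is empty.
    $report.PcpKeys = certutil -csp "Microsoft Platform Crypto Provider" -key 2>$null

    [pscustomobject]$report
}

$r = Get-TpmBindingReport
$r | Format-List TpmPresent, TpmEnabled, TpmOwned, Manufacturer, EkPresent, EkHashSha256, EkCertCount, SecureBoot
$r.Volumes | Format-Table -AutoSize
$r.PcpKeys

# A volume unlocked only by the TPM becomes inaccessible once the TPM is cleared or disabled.
$atRisk = $r.Volumes | Where-Object { $_.TpmBound -and -not $_.HasRecoveryPassword }
foreach ($v in $atRisk) {
    Write-Warning "$($v.Mount) is TPM-bound with no recovery password; back one up before touching the TPM."
}
```

Run it once before and once after any TPM change to confirm which protectors disappeared.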
 Not so crazy to use Linux anymore, is it?
Excellent post.
I’m sold on the first sentence. Can't you just say how to turn the effing thing off in one small paragraph? Good grief!
W7 MAX here.
Some VMs with XP.
Otherwise Linux Mint, though I think I like 21 better than 22.
Bkmrk
TPMs are perfect for IoT devices, but I don’t see the appeal for one’s personal computer.
Regardless of platform & OS, full disk encryption for commercial reasons when necessary, but not for personal reasons including laptops. Instead for personal bank data etc., use spot/file encryption.
This is good info, thanks for posting. I’ll have to watch the video, bookmarked it. I have avoided windows 11 so far. This will be just in case. It all seems way too above my head and hope the how to turn it off is an easily shown process.
Unless things have changed drastically, the federal government runs Windows on a lot of their computers, particularly those used for administrative purposes, which is most of them.
I doubt they will accept spyware on their computer systems.
More spy crap from Microsoft...............
Thanks for posting.
Microsoft Windows is now just a surveillance tool. Linux is now dirt simple to get into. Modern distributions practically walk you by the hand for a clean install. And that comes from someone whose first install was Slackware on 3.5 in. floppies downloaded over a dialup modem over the course of days.
How about a 5 bullet summary instead of 20 paragraphs?
It's a word-for-word transcript of the video.
I have no idea how to condense it to five bullet points.
 I dare you to do it.
BFL
Whole disk encryption using the TPM keys. If you decide to donate the disk to a charity, they will not be able to read your data. They will be able to wipe the disk contents and replace with their own.
I read the above, and for good measure watched the video too. I’ve watched other videos by Braxman, also.
My comprehension in these matters runs about 45-50%. That’s where you read, but come away understanding pretty much nothing of any practical use.
The upside of that is, I am able to ask very simple questions.
Here’s one. Say I buy a Win11 (or a Mac) and I have no internet connection, no ISP, nada. The new computer is just for playing with Blender, CAD, and music software that needs no subscription. Do I have anything to worry about?
Yes/no — what say ye?