Yes, changing UEFI settings, especially security ones like disabling Device Guard, will change TPM measurements.

You just have to enter your recovery key, that's it.

You can’t be storing irreplaceable keys in the TPM chip, they fail all the time. Either you don’t really need the files on the disk or you need backup keys. And note, you can’t even turn on Bitlocker without being forced to save those backup keys.

Does bitlocker give a copy of your keys to you while encrypting your drive? Asking because I'm not a Windows user.

It does not allow you to turn on until you store the keys on an external disk or print them.

In all practical meanings, yes.

Oh. That's good to know. Thanks.

I don't see any evidence for this claim. My ThinkPad came with Windows and I can turn "secure boot" and the TPM off and on at will. No problems.

From the blog:

> If you want security here you're paying attention to the values measured into the TPM, and thanks to Microsoft's own specification for measurements made into PCR 7, switching from booting Windows to booting something signed with the 3rd party signing key will change the measurements and invalidate any sealed secrets.

This is a new "feature" of Pluton Coprocessor.

It is not a new feature, has been done for at least a decade now. It's intentional however that tampering seals the keys permanently.

At worst you'll have to enter a Bitlocker recovery key...

Yeah but this is pretty bad in itself (really long number) when you're traveling. And needing the recovery key so often will lead to people writing it down and keeping it with the laptop so they're not locked out next time. Which invalidates the whole point of FDE.

The last time I had this the key didn't even work, my work rotates it regularly so something must have been out of sync.. Every Linux update seemed to break bitlocker this way so I stopped dualbooting.

Regular users would probably get their key from their Microsoft account.

But yeah, it takes effort to have a working recovery option if your configuration isn't painfully average.

But this has nothing to do with being able to boot Windows. The license key isn't in there. The TPM is used by apps to store secure data, which you wouldn't necessarily expect to even survive a reboot.

First, this is a feature of TPM (PCR 7 checks), even before Pluton existed. This literally existed in 2008 (and FSF was so scared of it because in theory it can be used for DRM, which is a valid opinion). You're spewing misinformation.

Also, for some people, they will trade-off the possibility of data loss as long as the data can be reliably destroyed if the data falls into the wrong hands. Maybe not for you, but it's there for enterprise.

Wow! So, no more dual-booting?

Well, it depends on if your dual boot changes any of the measurements Bitlocker uses.

You don't have to use TPM-backed BL if you don't want to.