How to Secure Windows 10 and Windows 11 PCs: BitLocker, TPM, and Passwordless Login

Securing Your Windows: Protecting Windows 10 and Especially Windows 11 PCs

Protecting a Windows computer is not just easy; it is very easy: a few clicks and your system drive is encrypted with BitLocker. Sometimes, though, breaking into such a computer is even easier: if someone knows your Microsoft account password, they can unlock the system despite the encryption. Windows 11 takes another step in the ongoing trade-off between security and convenience: it relies on hardware-backed credentials, which under the right conditions leaves an attacker with no password hash to crack at all.

So, how much more secure is Windows 11 compared to Windows 10, and why? Can you secure Windows 10 using built-in tools, without resorting to VeraCrypt or similar utilities? And why is TPM so important for Windows 11?

Why Does Windows 11 Require TPM?

When I started digging into how and why TPM modules are used in Windows 11, I almost got a headache. Microsoft’s documentation is extensive but not always accurate; some statements (which we’ll discuss below) give a false sense of security. Remember the debates about Windows 11’s system requirements? I’m now convinced that the decision to require TPM wasn’t just marketing—it was a demand from the development team: “Either computers without TPM are out, or we’re out!”

Enabling BitLocker

Encrypting your system drive is the first, necessary, but not always sufficient step to securing your system. The security of your encrypted data can depend on something as subtle as how you log into your system.

Let’s assume your computer has a TPM 2.0 module (or its equivalent, like Intel Platform Trust Technology or AMD firmware TPM) installed and enabled in the UEFI BIOS. I’ll discuss what to do if you don’t have TPM later, but for now, let’s focus on modern systems.

Is TPM Banned?

There’s a lot of misinformation online about the legality of TPM. Rumors say that some authorities ban TPM modules because they can be used for encryption without backdoors. Without getting into legal details, here are the key points:

  • Importing hardware TPM modules into some countries requires notifying the authorities; that obligation falls on the importer, not on the end user.
  • Private individuals using TPM inside the country are not breaking any laws.
  • TPM emulation is legal and present in all Intel Core processors from the 8th generation and all AMD Zen and newer CPUs. Using these features in legally imported hardware is not a violation.

To enable system disk encryption, Windows 10 and 11 users (except Home edition) just need to open the BitLocker Drive Encryption applet in the Control Panel. Turn encryption on and choose its scope: on a new or freshly installed SSD, encrypting used space only is enough, but on a drive that has already held data, pick full-drive encryption, because TRIM does not guarantee that every freed block has actually been erased, and whatever survives in free space stays readable. Save or print your recovery key somewhere other than the drive you are encrypting. Encryption runs in the background; after a while your data is encrypted and the drive looks like this:

Encrypted drive screenshot

Why Do You Need the BitLocker Recovery Key?

Without going deep into BitLocker’s encryption mechanics (read more here), the recovery key is a 48-digit numerical password that lets you unlock the drive if the TPM refuses to release the volume key to the system for any reason.

When might the TPM hold the key back? This can happen after a firmware or BIOS update, a hardware change (such as a new graphics card), a Windows update, or an update to a driver or boot component that is measured during startup. The key is sealed to specific PCR values (by default PCR 7 and 11 on UEFI systems with Secure Boot, a wider set including PCR 0, 2 and 4 otherwise). If the values measured at this boot differ from the ones the key was sealed to, the TPM will not unseal it, and you are prompted for the recovery key at boot.

Recovery key prompt screenshot

Unless you add another protector (a TPM+PIN or a startup key), TPM-only BitLocker has no other unlock path, so the recovery key is the only way back into your data.

Why doesn’t this happen every time Windows Update installs an update? Because the update process knows about this BitLocker behaviour and suspends protection for the duration of the update. You can do the same manually with the Suspend protection command.

Suspend protection screenshot

After this, you can safely update your BIOS, change your graphics card, or update device firmware. On the next reboot Windows re-measures the boot chain, seals the key to the new PCR values, and protection resumes automatically. One caveat: while protection is suspended, the volume key is stored on the disk in the clear, so suspend only for the reboots you need (manage-bde -protectors -disable C: -RebootCount 1, or the Suspend-BitLocker cmdlet with the same parameter) rather than indefinitely.

Risks of Using BitLocker with TPM

BitLocker encryption is robust; the default 128-bit XTS-AES key is sometimes questioned because of quantum computing (Grover’s algorithm would halve the effective key length), a concern that is theoretical today. If you want the extra margin, set 256-bit encryption in Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Choose drive encryption method and cipher strength) before encrypting the disk. The setting does not re-encrypt volumes that are already encrypted; those you would have to decrypt and encrypt again.

Enabling 256-bit encryption screenshot

Check your settings with manage-bde -status:

Volume C: [NVME]
[OS Volume]
Size: 930.40 GB
BitLocker Version: 2.0c
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 256
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
    TPM
    Numerical Password
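The same procedure as a script, an example added to this article rather than code from Microsoft or from the original: it checks for a ready TPM, adds the recovery password first, encrypts with XTS-AES-256 (used space only unless told otherwise), saves the key off the encrypted drive, and reports the result with Get-BitLockerVolume, the PowerShell equivalent of manage-bde -status. It also includes the maintenance helper for the Suspend protection step discussed earlier. The mount point C: and the backup path E:\BitLocker-Recovery are assumptions; run it from an elevated PowerShell on Windows 10/11 Pro, Enterprise or Education.

```powershell
# Added example (not from the original article). Enables BitLocker on the OS volume
# with a TPM protector plus a recovery password, XTS-AES-256, and verifies the result.
# Assumptions: OS volume is C:; $KeyBackupPath points OFF the encrypted drive
# (USB stick or network share). Requires an elevated PowerShell.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint    = 'C:',
    [string]$KeyBackupPath = 'E:\BitLocker-Recovery',   # assumption: removable drive
    [switch]$EncryptEntireDrive                          # use on a drive that already held data
)

# 1. Refuse to continue without a present and ready TPM; without it BitLocker would
#    have to fall back to a password or startup-key protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)). Enable PTT/fTPM in UEFI first."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($vol.VolumeStatus); this script only handles a decrypted volume."
}

# 2. Add the recovery password (the 'Numerical Password' protector in manage-bde) BEFORE
#    turning encryption on, so there is always a non-TPM way back into the volume.
$rp       = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

New-Item -ItemType Directory -Path $KeyBackupPath -Force | Out-Null
$keyFile = Join-Path $KeyBackupPath ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $recovery.KeyProtectorId.Trim('{}'))
@"
BitLocker recovery key for $env:COMPUTERNAME, volume $MountPoint
Key protector ID:  $($recovery.KeyProtectorId)
Recovery password: $($recovery.RecoveryPassword)
"@ | Set-Content -Path $keyFile -Encoding ASCII
"Recovery password saved to $keyFile (keep it off this PC)."

# 3. Encrypt. -EncryptionMethod overrides the XTS-AES-128 default only when no Group
#    Policy cipher is configured; a configured policy takes precedence.
$enableArgs = @{
    MountPoint       = $MountPoint
    EncryptionMethod = 'XtsAes256'
    TpmProtector     = $true
    SkipHardwareTest = $true     # skips the reboot self-test; drop this on unfamiliar hardware
}
if (-not $EncryptEntireDrive) { $enableArgs.UsedSpaceOnly = $true }
Enable-BitLocker @enableArgs | Out-Null

# 4. Report. Once the conversion reaches 100%, compare with the manage-bde output above:
#    EncryptionMethod XtsAes256, ProtectionStatus On, protectors Tpm + RecoveryPassword.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod,
                  ProtectionStatus, LockStatus,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', ' } } |
    Format-List

# 5. Maintenance helper for the Suspend protection step: before a BIOS update or a
#    hardware swap, suspend for exactly the reboots you need. While suspended, the
#    volume key is stored on disk in the clear, so RebootCount 0 (indefinite) is refused.
function Suspend-BitLockerForMaintenance {
    param([string]$Volume = 'C:', [int]$Reboots = 1)
    if ($Reboots -lt 1) { throw 'Refusing to suspend indefinitely; use a RebootCount of 1 or more.' }
    Suspend-BitLocker -MountPoint $Volume -RebootCount $Reboots | Out-Null
    (Get-BitLockerVolume -MountPoint $Volume).ProtectionStatus   # Off until the reboots are used up
}
```

Run the script once to encrypt; call Suspend-BitLockerForMaintenance -Reboots 1 immediately before a firmware update, and protection resumes on its own after the reboot, with the key re-sealed to the new measurements.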

Another BitLocker risk: if the trusted boot chain is intact, the TPM releases the volume key and Windows mounts the encrypted disk during boot, before anyone has authenticated. By the time Windows asks for your password (or Windows Hello), the disk is already unlocked and the encryption key sits in RAM in plain, unprotected form (unlike macOS systems with the T2 chip). An attacker cannot log in without your password or biometrics, but the key can be extracted from RAM, for example with a DMA attack over Thunderbolt or PCIe, or with a cold-boot attack. These methods are highly technical and rarely used outside of major investigations, and Kernel DMA Protection on recent hardware blocks the DMA route. The cleanest fix is to require a pre-boot PIN (the TPM+PIN protector): the TPM then does not unseal the key until the PIN is entered, so nothing is in RAM while the machine sits at the PIN prompt.
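Switching the system volume from the TPM-only protector to TPM+PIN, as an added example (not code from the original article or from Microsoft): it allows the protector in local BitLocker policy, confirms a recovery password exists, replaces the TPM protector, and verifies the change. The policy value names and meanings are the ones Group Policy writes under the FVE key; the mount point C: is an assumption. Run from an elevated PowerShell.

```powershell
# Added example (not from the original article). Replaces the TPM-only protector on the
# OS volume with TPM+PIN so the volume key is not unsealed until the PIN is typed pre-boot.
# Assumptions: OS volume is C:, a recovery password protector already exists and is backed up.
#Requires -RunAsAdministrator
param([string]$MountPoint = 'C:')

# 1. Add-BitLockerKeyProtector rejects TPM+PIN unless policy allows it. These are the values
#    the 'Require additional authentication at startup' policy writes (2 = Allow, 1 = Require,
#    0 = Do not allow), per Microsoft's BitLocker Group Policy reference.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
@{
    UseAdvancedStartup = 1   # enable the policy
    EnableBDEWithNoTPM = 0   # never allow BitLocker without a TPM
    UseTPM             = 2   # allow TPM-only (kept so a rollback is possible)
    UseTPMPIN          = 2   # allow TPM+PIN
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}.GetEnumerator() | ForEach-Object {
    Set-ItemProperty -Path $fve -Name $_.Key -Value $_.Value -Type DWord
}

# 2. Collect the PIN as a SecureString; never hard-code it in a script.
$pin = Read-Host -AsSecureString 'Enter the pre-boot BitLocker PIN (6+ digits)'

# 3. Safety check: removing the TPM protector must never leave the volume with no way in.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
    throw 'Add and back up a recovery password before changing the TPM protector.'
}

# 4. A volume carries only one TPM-based protector, so remove the TPM-only one, then add TPM+PIN.
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
}
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Verify: the list should now show TpmPin (not Tpm) alongside RecoveryPassword.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize
```

After the next reboot the machine stops at the PIN prompt before Windows loads; a wrong-PIN lockout is handled by the TPM's own anti-hammering, and the recovery password remains the fallback.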

Note: Windows Hello can work with fingerprint readers and infrared cameras. Most modern laptops have these, but you can also add them to a desktop.

Finally, there’s a serious weakness in discrete TPM modules, specifically in the bus between the module and the system: in TPM-only mode the volume key crosses the unencrypted LPC or SPI bus in the clear at every boot, where it can be captured with a logic analyzer. Read more in our article “TPM’s Nightmare: Hacking TPM Modules and BitLocker Encryption”.

This affects discrete TPMs: modules plugged into a motherboard header are the easiest targets, but soldered discrete chips use the same bus. Intel PTT and AMD fTPM run inside the CPU package, so there is no external bus to tap, which makes them more secure than separate modules in this respect. A TPM+PIN protector also defeats bus sniffing by an attacker who does not know the PIN, because the key never leaves the TPM without it.

All these risks are real, but their impact is small in practice: with system disk encryption on, the page and hibernation files are encrypted along with everything else, extracting the key from the TPM itself is not feasible, and interception is ruled out with a firmware TPM. If you use a local account with a strong, unique password that is not used or stored anywhere else, brute force is not realistic either: to attack the NT hash offline you would first need the SAM and SYSTEM hives, which sit on the encrypted volume.

However, there’s a different vulnerability related to Microsoft Account logins, which have existed since Windows 8.

The Problem with Microsoft Accounts

Windows 10 supports several account types, but let’s focus on two: local accounts and Microsoft accounts. Local accounts are only as secure as your password. But if you use a Microsoft account, things get more interesting.

Note: For portable devices with BitLocker Device Encryption, Windows automatically creates a recovery key when encrypting the system partition. This key is also automatically uploaded to the Microsoft account of the first administrator who signs in with Microsoft credentials. Anyone who logs into your Microsoft account can access this key at https://account.microsoft.com/devices/recoverykey.

Microsoft accounts are used for logging into Windows, as well as accessing Hotmail, Skype, OneDrive, Office 365, and other Microsoft services. Over time, Microsoft has made it harder to install Windows without a Microsoft account, especially in Home editions.

The first login to a Microsoft account requires an internet connection. The account data is verified on Microsoft’s servers, and then a password hash is cached locally, allowing offline logins. The downside: if the system disk isn’t encrypted, the hash can be extracted and the original password recovered via a fast offline attack.

This means an attacker can recover your Microsoft account password, which can then be used to access not just your PC, but also your online Microsoft services, including email, Skype chats, OneDrive files, and more. Microsoft accounts also store BitLocker recovery keys, which can be used to unlock encrypted disks. Password attacks on Windows are extremely fast, so even complex passwords can be cracked quickly if encryption is not enabled. I wrote about this vulnerability in “Microsoft Account: Convenience or Security Hole?”.

Two-factor authentication can protect your online account, but if someone extracts your Microsoft account password from your phone or another unencrypted device, they can unlock your TPM-protected, BitLocker-encrypted PC as well.

Microsoft introduced additional authentication methods—most notably, PIN login (more on this below). However, even enabling PIN login doesn’t solve two problems: the ability to recover the original Microsoft account password via a fast offline attack (if the system disk isn’t encrypted), and the ability to unlock an encrypted disk with the Microsoft account password if it’s known or extracted from another device.

In summary, the problems with Microsoft account logins in Windows are:

  • If an attacker gets access to any device storing your Microsoft account password, they can log into your Windows 10 PC—even if it has TPM and BitLocker encryption.
  • If any Windows 10 PC with your Microsoft account doesn’t have an encrypted system disk, the online account password can be recovered very quickly via offline attack.

Microsoft addressed these issues in Windows 11 by introducing a new type of Microsoft account that doesn’t require a password for login.

What Changed in Windows 11?

In Windows 11, Microsoft is finally moving away from the old model (dating back to Windows 8) of using your online account password for system login. How can you prevent someone from logging in with your Microsoft account password, which could be stolen or extracted from your phone? By simply not allowing password login! But Microsoft’s solution is more nuanced.

Windows 11 introduces a new type of Microsoft account that doesn’t require your online password for system login. Instead, you use a PIN or Windows Hello biometrics (like an IR camera or fingerprint reader). I’ll explain where the PIN is stored and why this method is more secure below; for now, here are the available login options in Windows 11 for regular (non-domain) users:

  • Passwordless Microsoft Account (default): You cannot enter your Microsoft account password to log in; you use a PIN (protected by TPM), Windows Hello, or Microsoft Authenticator app (online).
  • Microsoft Account with Password: The password hash is stored locally and not protected by TPM. You can log in with a PIN (TPM) or Windows Hello. This is how it worked in Windows 10 and remains after upgrading to Windows 11.
  • Local Windows Account (password login): You can log in with a local password (hash stored locally, not protected by TPM), PIN (TPM), or Windows Hello.

When Is Passwordless Login Used in Windows 11?

Windows 11 supports both password and passwordless login. Passwordless login is used by default for new Microsoft accounts created during Windows 11 installation or when creating a new account on a PC upgraded from Windows 10. Existing Windows 10 accounts that used passwords remain unchanged after upgrading. To switch such an account over, turn on “For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device” under Settings > Accounts > Sign-in options; the toggle becomes available only once a PIN or Windows Hello has been set up.

Passwordless login option screenshot

You can also enable this via the Windows Registry: the toggle writes the DWORD value DevicePasswordLessBuildVersion under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device (2 = on, 0 = off).

Passwordless login via Registry screenshot
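An added example (not from the original article) that reads or sets that registry switch and lists which accounts on the PC are Microsoft accounts rather than local ones, since only the former are exposed to a stolen online password. The value name and its meaning are the ones the Sign-in options toggle writes; nothing else is assumed. Run from an elevated PowerShell.

```powershell
# Added example (not from the original article). Shows, enables or disables the
# 'Windows Hello sign-in only for Microsoft accounts' switch and lists account types.
# DevicePasswordLessBuildVersion: 2 = on (password credential provider hidden), 0 = off.
#Requires -RunAsAdministrator
param([ValidateSet('Show', 'Enable', 'Disable')] [string]$Action = 'Show')

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'
$name = 'DevicePasswordLessBuildVersion'

function Get-PasswordlessState {
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    switch ($v) {
        2       { 'On  (PIN / Windows Hello only; Microsoft account password not accepted at sign-in)' }
        0       { 'Off (Microsoft account password accepted at sign-in)' }
        default { "Not set (value=$v); behaves as Off" }
    }
}

switch ($Action) {
    # Only enable after a PIN or Windows Hello exists on the account; Settings greys the
    # toggle out otherwise, and the registry path gives you no such guard.
    'Enable'  { New-Item -Path $key -Force | Out-Null; Set-ItemProperty -Path $key -Name $name -Value 2 -Type DWord }
    'Disable' { New-Item -Path $key -Force | Out-Null; Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord }
}
"Windows Hello-only sign-in: $(Get-PasswordlessState)"

# Which accounts would a stolen Microsoft account password unlock? PrincipalSource
# distinguishes MicrosoftAccount from Local (and AzureAD / ActiveDirectory).
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, PrincipalSource, PasswordRequired, LastLogon |
    Format-Table -AutoSize
```

Run it with -Action Show first; on a PC upgraded from Windows 10 with a password-based Microsoft account you should see the value unset, which is exactly the state in which the online password still opens the PC.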

In summary:

  • Installing Windows 11 on a new PC: Microsoft Account, passwordless login is used.
  • Upgrading from Windows 10: The same login method as in the original Windows 10 is used.
  • New accounts created in Windows 11 (any installation method): Microsoft Account, passwordless login is used.

What About BitLocker in Windows 11?

The BitLocker mechanism and encryption policies in Windows 11 haven’t changed significantly compared to Windows 10. After Windows 11’s announcement, some reviewers expected Microsoft to encrypt the system partition by default, as smartphones do. That didn’t happen. By default (via BitLocker Device Encryption), only portable devices with TPM (laptops, tablets and 2-in-1s) are encrypted, just as in Windows 8 and 10. On desktop PCs, encryption is not enabled by default; to turn BitLocker on yourself, you need Windows 11 Pro, Enterprise, or Education. Home edition still has no BitLocker management tools; on qualifying hardware it gets only the automatic Device Encryption.

Is PIN Login Really More Secure?

Now, let’s talk about PINs—the “new” authentication method Microsoft recommends instead of the “outdated and insecure” password. Why is password login suddenly considered “outdated and insecure”? Here’s what Microsoft says:

PIN is tied to the device: Unlike an online password, a Hello PIN is tied to a specific device. It can’t be used elsewhere. If someone steals your password online, they can log in from anywhere, but if they steal your PIN, they also need your physical device!

PIN is hardware-backed: The Hello PIN is protected by the Trusted Platform Module (TPM), a secure cryptographic processor. TPM has several physical security mechanisms to prevent tampering, and malware can’t bypass TPM security. Many modern devices have TPM. Windows 10, on the other hand, doesn’t tie local passwords to TPM. That’s why PINs are considered more secure than local passwords.

If you take this literally, it sounds like PINs are a panacea, always stored in TPM and unbreakable. That’s not true. Windows 10 works on PCs with or without TPM, and users aren’t always told whether TPM is present. Even on PCs with firmware TPM emulation, it’s often disabled by default—you have to enable it in UEFI BIOS (look for Intel Platform Trust Technology or similar). How many users will do this, and how many will leave it off or never know it exists?

Intel Platform Trust Technology (PTT) screenshot

If TPM is missing or disabled, Windows 11 simply won’t install. But Windows 10 will still offer PIN login, and Microsoft will still claim it’s more secure than a password. This isn’t true. The password hash is still stored on disk, and the PIN on a non-TPM computer can be brute-forced easily (even six-digit PINs can be cracked in seconds).

Without TPM, PIN Login in Windows Is Not Secure

Things are different if you have a physical or emulated TPM 2.0 module enabled. Here’s what we found in our lab:

  • Scenario 1: Windows 10 (PIN login) without TPM is moved to another PC without TPM (physical disk transfer). Result: PIN login works on the new PC.
  • Scenario 2: Windows 10 (PIN login) without TPM is cloned to another PC without TPM (hardware is completely different). Result: PIN login works on the new PC.
  • Scenario 3: Windows 10 (PIN login) without TPM is cloned to a PC with TPM enabled (hardware is completely different). Result: PIN login works on the new PC.
  • Scenario 4: Windows 10 (PIN login) with TPM enabled is cloned to another PC with TPM enabled (hardware is different). Result: PIN login does not work; password is required; to use PIN, you must remove the old PIN and set up a new one.

Only the fourth scenario matches Microsoft’s security model.
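The scenarios above show that a Windows Hello PIN is only bound to the machine when an enabled TPM 2.0 is present. The following check, an added example that is not part of the original article, reports the TPM state through the TrustedPlatformModule cmdlets and the Win32_Tpm WMI class and says whether a PIN set up on this machine would be hardware-backed. It changes nothing; run it from an elevated PowerShell (Get-Tpm requires it).

```powershell
# Added example (not from the original article). Reports whether this PC has an enabled,
# ready TPM of the 2.0 family, i.e. whether a Windows Hello PIN here is TPM-backed.
#Requires -RunAsAdministrator
function Test-PinIsHardwareBacked {
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue

    # SpecVersion reads like "2.0, 0, 1.59"; the first field is the TPM family (1.2 or 2.0).
    $family = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $ready  = [bool]($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmActivated -and $tpm.TpmReady)

    $verdict = if ($ready -and $family -eq '2.0') {
        'PIN will be TPM-backed (meets the Windows 11 requirement)'
    } elseif ($ready) {
        "TPM $family is present and ready, but Windows 11 requires 2.0"
    } else {
        'No usable TPM: a Hello PIN on this PC is software-only and can be brute-forced offline'
    }

    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $ready
        SpecFamily   = $family
        # Firmware TPMs report the CPU vendor (INTC for Intel PTT, AMD for fTPM);
        # a discrete module reports its own maker, e.g. IFX, NTC or STM.
        Manufacturer = $tpm.ManufacturerIdTxt
        Firmware     = $tpm.ManufacturerVersion
        Verdict      = $verdict
    }
}

Test-PinIsHardwareBacked | Format-List
```

If the verdict reports no usable TPM on a machine you believe has one, the usual cause is the firmware TPM being disabled in UEFI (Intel Platform Trust Technology or AMD fTPM), which is exactly the situation in which Windows 10 still offers PIN login without the protection Microsoft describes.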

Can You Use Passwordless Login in Windows 10?

You can—but should you? In September 2021, Microsoft announced its vision for a passwordless future. Windows 10 users could change their Microsoft account settings to disable password login. This removed the local password hash from the PC. However, you could no longer log into your Microsoft account via browser with a password; you needed access to a trusted phone number or a previously authorized device with the Microsoft Authenticator app. Since the app is only available for iOS and Android (not Windows PCs), the practicality of this feature is questionable. Read more here. The feature didn’t gain much traction due to unclear benefits and significant inconvenience.

Passwordless account screenshot
