In this video, Rob Braxman discusses the privacy implications of the TPM (Trusted Platform Module) chip in Windows 11 computers, arguing that it poses a significant threat to user privacy and control. Rob Braxman shares his experience of data loss and explains how the TPM, BitLocker, and Microsoft’s cloud services work together to create a system where Microsoft has extensive access to user data and system configurations.
Key Points:
- TPM Chip & Windows 11 Requirement: Windows 11 requires a TPM chip (version 2.0), which Rob Braxman argues is not just a security feature but also a privacy risk.
- BitLocker Enabled by Default: BitLocker, a drive encryption feature, is now automatically enabled on new Windows 11 PCs and is tied to the TPM.
- Endorsement Key (EK): The TPM has a unique, factory-burned-in endorsement key (EK) that acts as a digital passport for the machine. This EK is tied to the user’s Microsoft account and cannot be changed or deleted.
- Microsoft Platform Crypto Provider (PCP): The PCP routes all TPM operations through Microsoft’s cloud, giving Microsoft access to all security interactions, including Windows Hello, BitLocker, and other application interactions.
- Platform Configuration Registers (PCRs): PCRs record hardware configurations, and changes (like swapping SSDs) can trigger Windows to lock the drive or alter the boot sequence.
- Remote Attestation: Applications can remotely query the TPM and get a signed PCR quote, allowing them to verify the device’s configuration and potentially deny access based on the results. Microsoft’s Azure attestation service is already live.
- Windows Copilot & Recall: Windows Recall takes screenshots every few seconds, storing them in an encrypted database, with the TPM used for encryption. This raises concerns about potential data collection and analysis by Microsoft.
- Kill Chain: Rob Braxman outlines a “kill chain” where Microsoft can identify, configure, observe, and ultimately lock users out of their systems based on their identity, configuration, behavior, and policies.
Fighting Back:
- Don’t use Windows 11 as your main OS: Stick with Windows 10 or use Linux.
- Disable or reset the TPM: Disable in BIOS or reset using Clear-TPM in PowerShell (but only if you never log in again to Microsoft).
- Never use embedded AI: Avoid Copilot, Apple Intelligence, and Google Gemini.
- Boycott attestation apps: Switch banks or services if they use attestation.
Highlighted Information:
- “Cyber security is not privacy.” Rob Braxman emphasizes that security measures implemented by tech companies may not align with user privacy interests.
- The EK (Endorsement Key) is permanent and unchangeable, acting as a permanent identifier for your machine.
- Microsoft can build a database of every Windows 11 machine and track user activity through the TPM and cloud services.
- Rob Braxman draws parallels to debanking and social credit systems, suggesting that this infrastructure could be used to control user access to services based on their system configuration or behavior.
- “You are not the user. You are the product.” Rob Braxman concludes by urging viewers to take action to protect their privacy and control over their devices.





Leave a Reply