Windows 11 TPM Protection, Passwordless Sign-In and What You Can Do About Them

March 28th, 2022 by Oleg Afonin
Category: «Tips & Tricks»

Windows 11 introduces increased account protection, passwordless sign-in and hardware-based security. What has been changed compared to Windows 10, how these changes affect forensic extraction and analysis, and to what extent can one overcome the TPM-based protection? Read along to find out!

Windows 11 “passwordless” accounts

Traditionally, Windows users signed in to their computers with a password. A local (or managed, which is another story) Windows account was the only way to authenticate in Windows 7 and earlier versions.

Starting with Windows 8, Microsoft introduced a new way to sign in using the online credentials of the user’s Microsoft Account. Microsoft continued pushing these online accounts in subsequent Windows updates, up to the point that certain Windows editions can no longer be installed with a local account. The Microsoft Account credentials can be used to sign in to Windows on any computer that runs Windows 8, 10, or 11.

The first Microsoft Account sign-in requires an active Internet connection, as the account credentials are sent to Microsoft for authentication. The hashed Microsoft Account password is then cached on the local computer to facilitate offline sign-ins. This in turn enables an attacker to brute-force the hashed password and gain access to the entire content of the user’s Microsoft Account, complete with the pictures and documents they store in OneDrive, Skype conversations, browsing history, all passwords kept by the Edge browser and a lot more (Breaking into Microsoft Account: It’s No Google, But Getting Close). Just think about it for a moment: a high-speed offline attack on the computer’s NTLM database can break the password to an online account containing sensitive personal information.

Granted, two-factor authentication may help prevent the worst, but brute-forcing the password still gives access to everything in the user’s Windows account, including the Edge stored passwords. Microsoft attempted to address the issue by introducing PIN and Windows Hello authentication, but the common lack of hardware to back these authentication methods made them comparatively ineffective (more on that below).

The situation was hardly acceptable, and Microsoft started work on an alternative sign-in method that would still make use of a Microsoft Account but mitigate the security risk associated with cached credentials. In September 2021 Microsoft announced the passwordless future of authentication. Windows 11 brings passwordless sign-on to every user, adding a new type of account that does not require, does not store, and does not use a password to sign in.

Microsoft considers passwordless sign-in a more secure authentication option than passwords. Enabling passwordless authentication removes the possibility of an unauthorized party accessing the local computer by knowing (or brute-forcing) the user’s existing local or cloud-based Microsoft Account password.

“Passwordless solutions such as Windows Hello, the Microsoft Authenticator app, SMS or Email codes, and physical security keys provide a more secure and convenient sign-in method.

While passwords can be guessed, stolen, or phished, only you can provide fingerprint authentication, or provide the right response on your mobile at the right time.”

(Source: How to go passwordless with your Microsoft Account)

For general (non-domain) users there are currently three types of accounts available in Windows 11.

  1. [default] Passwordless Microsoft Account. A password cannot be used to sign in; users authenticate via PIN (TPM), Windows Hello or Microsoft Authenticator app (online).
  2. Microsoft Account (password-enabled). Users can authenticate via PIN (TPM), Windows Hello or their Microsoft Account password.
  3. Local Windows account (password-enabled). Users can authenticate via password, PIN (TPM) or Windows Hello.

Which accounts use passwordless sign-in in Windows 11?

Windows 11 allows both password-based and passwordless sign-in. The passwordless mode is the new default when configuring a new Windows 11 system or adding a new account to an existing Windows 11 installation. User accounts that were migrated during the upgrade from Windows 10 retain their existing authentication properties.

While Windows 11 users can manually choose password-based or passwordless sign-in, the default settings are:

  • New Windows 11 installations: Microsoft Account, passwordless sign-in.
  • Windows 10 migration: password-based sign-in carried over; reuses existing authentication method.
  • New accounts created in Windows 11 after Windows 10 migration: Microsoft Account, passwordless sign-in.

Please note that users can switch between password-based and passwordless sign-in at any time by flipping a setting:

Additionally, users can modify a Registry entry to achieve the same effect:

Windows 10 can use TPM, too

Interestingly, Windows 10 can and does use TPM-based sign-in protection. If the computer has a TPM module or TPM emulation provisioned and enabled in the computer’s UEFI BIOS, Windows 10 utilizes the hardware protection for PIN-based authentication. This, however, does not tell the whole story.

Windows 10 can utilize the features of TPM 2.0 if the module is installed or emulated in the system. In Why a PIN is better than an online password (Windows) – Windows security, Microsoft claims that PIN-based account protection is “better” than password-based authentication because…

PIN is tied to the device

One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware.

PIN is backed by hardware

The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords.

The information in this section is not entirely correct and is misleading. Windows 10 can and does run on computers without a TPM module installed. Moreover, it runs just fine, without a single warning, on computers that do have the firmware-based TPM emulation feature but have it disabled in their UEFI BIOS. As an example, this 9th generation Gigabyte Z390 board does support Intel Platform Trust Technology, but the default setting for it is “off”. I had to actively look for it under the “Miscellaneous” tab and manually enable the “Intel Platform Trust Technology (PTT)” setting. On a scale of 1 to 10, how likely is an average user to do that on a perfectly working Windows 10 system?

With TPM missing or disabled, Windows can still use PIN-based sign-in, and Microsoft still claims this is more secure than password-based authentication.

Without a TPM or with TPM not explicitly enabled in the computer’s UEFI BIOS and provisioned in Windows, the account PIN code is not “tied to the device” as Microsoft claims in the overly broad statement in Why a PIN is better than an online password (Windows) – Windows security | Microsoft Docs. Additionally, if the computer’s TPM, Intel Platform Trust Technology or AMD fTPM (firmware trusted platform module) is not enabled in the computer’s UEFI BIOS (and there are legitimate reasons to keep that module disabled), the PIN code will be cached in the local credentials database and can be brute-forced in pretty much the same way as the user’s password.

Without a TPM, PIN-based Windows authentication is insecure

We ran several tests to verify the security of PIN-based authentication by moving a Windows installation between computers and attempting to sign in with a PIN.

Test 1: A Windows 10 installation with PIN-enabled account moved from one TPM-less system to another TPM-less system (i7-4700S) via physical disk swap. Booting the computer and entering PIN on the new system resulted in successful sign-on.

Test 2: A Windows 10 installation with PIN-enabled account moved from one TPM-less system to another TPM-less system (i7-4700S) via disk clone. No single piece of hardware (not even the boot drive) was left from the original system. Booting the computer and entering PIN on the new system resulted in successful sign-on.

Test 3: A Windows 10 installation with PIN-enabled account moved from the TPM-less system to a system with TPM enabled (i7-9700K) via disk clone. No single piece of hardware (not even the boot drive) was left from the original system. Booting the computer and entering PIN on the new system resulted in successful sign-on.

Test 4: A Windows 10 installation with PIN-enabled account moved from the TPM-enabled system to another system with TPM enabled (i9-12900K) via disk clone. PIN authentication on the new system failed; password-based sign-in was required; PIN code had to be removed and reentered to re-enable PIN sign-in.

These tests allowed us to conclude that the PIN code is not tied to hardware if the source system lacks TPM. If the source system does have TPM enabled and provisioned, the PIN code is then, indeed, tied to hardware.

Do I have a TPM?

Most portable computers (Windows laptops, tablets and 2-in-1 devices) with an 8th generation Intel processor or newer, or an AMD Zen or newer, are equipped with a firmware-based trusted platform module, which is enabled by default by most manufacturers. This means that most portable computers can use the TPM for additional protection.

For desktop computers, the firmware-based trusted platform module has also been available since 8th-generation Intel and AMD Zen. However, it is disabled by default on most AMD boards and on Intel chipsets before the 12th generation (Alder Lake). To use the TPM, users must manually enable fTPM (AMD) or Intel Platform Trust Technology (PTT) in their computers’ UEFI BIOS.

Most desktop computers with Intel 8th through 11th generation CPUs are equipped with TPM emulation; many have Platform Trust Technology (PTT) disabled by default. Most recent AMD boards also have the fTPM technology but have it disabled by default.
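The checks discussed above (is a TPM present and provisioned, and is the passwordless toggle set) can be run from an elevated PowerShell prompt. This is an added example, not code from the article or from Elcomsoft; it assumes the built-in TrustedPlatformModule module and the DevicePasswordLessBuildVersion registry value that backs the Sign-in options toggle.

```powershell
# Added example: audit whether a Windows Hello PIN on this machine can be
# hardware-bound (TPM present and ready) and whether passwordless sign-in is
# switched on. Run elevated; Get-Tpm needs administrative rights.

function Get-PinProtectionStatus {
    [CmdletBinding()]
    param()

    # TPM state as seen by Windows (TrustedPlatformModule module).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Spec version (e.g. "2.0, 0, 1.38") from the WMI TPM provider.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Registry value behind Settings > Accounts > Sign-in options >
    # "For improved security, only allow Windows Hello sign-in for Microsoft
    # accounts on this device": 2 = passwordless on, 0 = off.
    $pwlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device'
    $pwl = (Get-ItemProperty -Path $pwlKey -Name DevicePasswordLessBuildVersion `
                -ErrorAction SilentlyContinue).DevicePasswordLessBuildVersion

    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)
    $specVer    = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'n/a' }

    # Mirrors the article's finding: without a present and provisioned TPM the
    # PIN is only a locally cached secret and is not bound to the device.
    $verdict = if ($tpmPresent -and $tpmReady) {
        'PIN can be hardware-bound (TPM present and ready)'
    } elseif ($tpmPresent) {
        'TPM present but not ready: provision it (tpm.msc / Initialize-Tpm) before relying on the PIN'
    } else {
        'No TPM visible to Windows: PIN is not tied to the device; enable fTPM/PTT in UEFI'
    }

    [pscustomobject]@{
        TpmPresent          = $tpmPresent
        TpmReady            = $tpmReady
        TpmSpecVersion      = $specVer
        PasswordlessSetting = if ($null -eq $pwl) { 'not set' }
                              elseif ($pwl -eq 2) { 'enabled' }
                              else { "disabled ($pwl)" }
        Verdict             = $verdict
    }
}

Get-PinProtectionStatus | Format-List
```

A machine that reports TpmPresent=False or TpmReady=False is in the state the article's tests 1 to 3 describe: the PIN will follow a cloned disk to another computer.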

Note: OEMs started enabling firmware-based TPM by default in BIOS updates ahead of Windows 11. Example:

Can Windows 10 use passwordless sign-in?

Windows 10 users can indeed make use of passwordless authentication. However, this would become a cloud-based, account-wide setting, removing the user’s ability to use a password when signing-in to their Microsoft Account online.

To use passwordless authentication, users are advised to edit the Advanced Security settings of their Microsoft Account online (How to go passwordless with your Microsoft Account):

How TPM affects Windows authentication

According to Microsoft documentation (How Windows uses the TPM – Windows security | Microsoft Docs), Windows may utilize the security coprocessor for a variety of tasks ranging from key protection to device encryption. According to our tests, real-life use of the TPM in Windows is not as widespread as the documentation claims. For example, Microsoft Edge passwords are protected with a key managed via DPAPI (Data Protection API). If that key were protected by the TPM, an intruder would be unable to extract browser passwords by analyzing the disk image, even if that disk image was unencrypted. However, even in Windows 11 that DPAPI key is not TPM-protected, and one can extract the user’s passwords kept by Microsoft Edge by unlocking the vault with the user’s Windows account password.

Instead of moving all DPAPI keys into the TPM, Microsoft attempts to solve this problem by introducing a new type of Windows authentication that does not use a password. With TPM-protected passwordless authentication, neither passwords nor PIN codes are stored on the computer’s hard drive, hashed or not. Instead, the keys are protected by the TPM module (or its firmware emulation, which, as far as we know, is no less secure).

This results in several important consequences.

First, the obvious: if passwordless sign-in is enabled on a Windows 11 PC, offline brute-force becomes unavailable for passwords and PINs for affected accounts.

It is technically possible to convert a passwordless account into a local Windows account and assign a known password to that account. However, once this is done, the DPAPI keys are lost, which means that a lot of protected information (including Edge passwords and NTFS-encrypted files) will be rendered permanently unavailable after such conversion. Nevertheless, “we have a tool for that”, and in a moment I will demonstrate how to do the conversion.

More information: How to Enable or Disable Password-less Sign-in for Microsoft Accounts in Windows 11?

Will it work on BitLocker volumes?

Yes and no. Before answering this question, I’d like to clear a common misconception that the Windows 11 TPM requirement is based on the premise of automatic BitLocker encryption of the system partition. This is not the case. Windows 11 default encryption policies differ very little from what we’ve seen in Windows 10 (and Windows 8.1 before it). While most portable devices such as laptops and 2-in-1 devices are automatically encrypted with BitLocker Device Encryption on all Windows editions, this is not the case for desktops regardless of the TPM or whether Windows 11 was an upgrade or a new install. Users of Windows 11 Pro, Enterprise, and Education editions can manually encrypt the system partition, while Home edition users will not have this option.

If BitLocker encryption is enabled on the Windows system partition, you will need to unlock the BitLocker volume first to access the required account database files. Since Windows 11 does require TPM by default, I will assume that the TPM module is installed (there is no practical difference between dedicated and integrated TPM devices or CPU emulation), and the encryption key is stored in the TPM. When you boot the computer into a different system (which, in this case, is Elcomsoft System Recovery), the TPM will not release the encryption key (here’s why: Understanding BitLocker TPM Protection). You won’t be able to attack the password because the ‘password’ protector (what’s that? Unlocking BitLocker: Can You Break That Password?) is not used for TPM-based system drive encryption.

The only option to unlock such BitLocker volumes is by using the BitLocker Recovery Key. For portable devices with BitLocker Device Encryption, Windows creates a recovery key automatically when encrypting the system partition; the recovery key is automatically (and silently) uploaded into the Microsoft Account of the first user who signs in on that computer with administrative privileges and uses their Microsoft Account credentials (as opposed to a local Windows account). You may be able to request that key from Microsoft or download it by signing in to the user’s Microsoft Account and visiting the following link: https://account.microsoft.com/devices/recoverykey

For desktops, the recovery key may still be found in the user’s Microsoft Account. If it is not, you’ll need to find that key to mount the affected volume. There is a very small chance that the user enabled one or more additional protectors (such as ‘password’); you can check that by using Elcomsoft System Recovery to extract encryption metadata from the affected volume.
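On a live system you administer, the protector question above (TPM-only, or an additional password or recovery password protector) can be answered with the built-in BitLocker PowerShell module before any key is ever needed. This is an added example, not the article's or Elcomsoft's code; it assumes Get-BitLockerVolume is available and runs elevated.

```powershell
# Added example: list the BitLocker protectors on every volume and flag system
# volumes that rely only on a TPM-family protector, since the TPM will not
# release the volume key to another OS or another machine.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword, Password.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $usesTpm     = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $hasRecovery = $types -contains 'RecoveryPassword'
        $hasPassword = $types -contains 'Password'

        $note = if ("$($vol.ProtectionStatus)" -ne 'On') {
            'not protected'
        } elseif ($usesTpm -and -not $hasRecovery) {
            'TPM-only: add and escrow a RecoveryPassword protector or risk lock-out on hardware change'
        } elseif ($hasPassword) {
            'Password protector present: that password is the weakest link'
        } else {
            'ok: recovery password protector present; confirm it is backed up'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = "$($vol.VolumeType)"
            ProtectionStatus = "$($vol.ProtectionStatus)"
            Protectors       = ($types -join ', ')
            Note             = $note
        }
    }
}

# Remediation for a TPM-only system volume (shown in comments, not executed):
#   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
#   BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '{id}'
#   (or Backup-BitLockerKeyProtector to escrow the key in AD DS)

Get-BitLockerProtectorAudit | Format-Table -AutoSize
```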

Once you have the BitLocker Recovery Key, mount the encrypted volume in Elcomsoft System Recovery to proceed:

Note: the disk will be mounted as a new drive letter.

After the system disk is successfully mounted, you will be able to access the list of Windows accounts.

How to unlock Windows 11 passwordless accounts

A passwordless Windows 11 account can be converted into a local password-protected account with Elcomsoft System Recovery. To launch the tool, boot the computer being investigated from a dedicated USB media with Elcomsoft System Recovery 8.20 or newer. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

Once you boot the computer into Elcomsoft System Recovery, you will need to accept the license agreement and make the choice between read-only forensically sound processing and regular mode. To deal with account conversions, you must opt out of the forensically sound mode as it mounts the disk(s) read-only, while resetting Windows account passwords requires full read-write access to system files.

To convert a passwordless Windows account with Microsoft Account authentication into a local Windows account, follow these steps.

Select the user account to convert.

Type a new account password (optionally assign administrative privileges).

Make sure to back up the SAM database before conversion.

The tool automatically detects the “passwordless” option and prompts to remove it.

Elcomsoft System Recovery will display one final warning, then proceed with account conversion.

Note: after converting the account and assigning a known password, you will be able to boot the computer and sign in to the user’s account. However, you will not gain access to NTFS-encrypted files (if any) or to any DPAPI-protected items, including but not limited to Edge stored passwords.

Conclusion

Despite the controversy surrounding Windows 11’s elevated system requirements, Microsoft did the right thing. The use of passwordless authentication combined with TPM protection does a lot to secure Windows accounts. At the same time, we have not seen a change to default encryption policies. BitLocker Device Encryption is still a thing on portable devices only; on desktops, BitLocker encryption is not enforced and not automatically enabled. If it is enabled on a system partition, you will still require the correct BitLocker Recovery Key to unlock and decrypt the volume, same as in Windows 10.


REFERENCES:

Elcomsoft System Recovery

Reset passwords to local Windows accounts and Microsoft Accounts and perform a wide range of administrative tasks. Assign administrative privileges to any user account, reset expired passwords or export password hashes for offline recovery, and create forensic disk images. Elcomsoft System Recovery is ready to boot thanks to the licensed Windows PE environment, allowing administrators to access locked computers.

Elcomsoft System Recovery official web page & downloads »