Use of TPM for automatic booting

The existing automatic booting feature creates a copy of the system's encryption key as a plain-text file in the Pre-Boot File System. With the TPM autoboot feature, Drive Encryption uses the TPM to encrypt (seal) this file instead of leaving it in plain text.

The file can only be decrypted on the system that encrypted it, and only if the boot path is unmodified from when it was encrypted. This ensures that only the specific TPM can decrypt the file and, like Secure Boot, that malware has not changed the boot path. The combination of TPM encryption and boot path measurements allows the user to securely bypass Pre-Boot Authentication (PBA) through to Windows logon, where user authentication occurs.

Note: Any software update that changes the boot path, such as a Microsoft update to the UEFI bootloader, will cause Pre-Boot Authentication to be displayed, because the boot path measurements no longer match those recorded at sealing time and the disk encryption key cannot be unsealed.
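The behaviour described above (key file sealed to the boot-path measurements, unsealable only by the same TPM and only while the measurements match) can be modelled in a few lines. The following is an added toy model, not Drive Encryption's code and not a real TPM interface; the component names and the hypothetical `ToyTPM` class are assumptions constructed for illustration.

```python
"""Toy model of sealing a disk key to boot-path measurements (constructed example)."""
import hashlib
import hmac
import os


def pcr_extend(pcr, measurement):
    """TPM-style PCR extend: new_pcr = H(old_pcr || H(component)). Order matters."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_path(components):
    """Fold every boot component (firmware, bootloader, PBA ...) into one PCR value."""
    pcr = bytes(32)  # PCRs start at all zeros at power-on
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Holds a per-chip secret that never leaves the 'TPM' (hypothetical class)."""

    def __init__(self):
        self._seed = os.urandom(32)  # stands in for the TPM's unique storage root key

    def _wrap_key(self, policy_digest):
        # The wrapping key depends on both the chip secret and the expected PCR value.
        return hmac.new(self._seed, b"seal" + policy_digest, hashlib.sha256).digest()

    def seal(self, secret, pcr):
        """Encrypt and authenticate a <=32-byte secret under the given PCR value."""
        assert len(secret) <= 32
        wrap_key = self._wrap_key(pcr)
        nonce = os.urandom(16)
        stream = hashlib.sha256(wrap_key + nonce).digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(wrap_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unseal(self, blob, pcr):
        """Return the secret, or None if this TPM or the boot path does not match."""
        wrap_key = self._wrap_key(pcr)
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(wrap_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong chip or changed measurements: fall back to PBA
        stream = hashlib.sha256(wrap_key + nonce).digest()
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


def autoboot_demo():
    """Seal once, then try the three cases the note above describes."""
    firmware, bootloader, pba = b"uefi-fw-v1", b"bootmgfw-2023", b"pba-v5"
    disk_key, tpm = os.urandom(32), ToyTPM()
    sealed = tpm.seal(disk_key, measure_boot_path([firmware, bootloader, pba]))
    same_path = tpm.unseal(sealed, measure_boot_path([firmware, bootloader, pba]))
    updated = tpm.unseal(sealed, measure_boot_path([firmware, b"bootmgfw-2024", pba]))
    other_chip = ToyTPM().unseal(sealed, measure_boot_path([firmware, bootloader, pba]))
    return same_path == disk_key, updated is None, other_chip is None
```

`autoboot_demo()` returns `(True, True, True)`: the key unseals on the unchanged system, while a bootloader update or a different chip yields `None`, which is the point at which PBA must be shown instead.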