Even if you are using Transparent Operation Mode, it still will not work, as BitLocker will not decrypt the drive and will lock itself into recovery mode if you make changes to the boot order or any other BIOS / UEFI settings.
It uses secure boot and it’s pretty darn decent at detecting any form of tampering.
TPM 2.0 isn’t particularly resilient against physical key extraction attacks, but believe it or not, Microsoft did threat model this…
This happened to me once. Sadly I had wiped the flash drive containing the recovery key months before the lockout without realizing it. Chide me if you must, but I certainly learned my lesson.
I tried a few non-hardware exploits, even CVE-2022-41099 about WinRE but to no avail.
I’m not a security pro, but I assume once it is in recovery mode lockout you’re pretty much out of luck. From what I can tell most other exploits require it to be unlocked in the first place. Even the hardware hacks seem to require a drive being in a non-lockdown state in order to sniff things during boot.
That NVMe drive is just a keepsake now. I plan to frame it and put it on my wall as a memento.
This is why I use the key backup to OneDrive option.
My threat model is a lost or stolen device or RMA/repair.
If someone wants my data so badly that they’ll be able to get into my OneDrive account, which is protected with a passkey or a 32-char password + MFA, and also have physical access to my devices, let them have it.
Anyone who is that determined and capable can always resort to rubber hose cryptography and I want none of that in my life.