URGENT WARNING: Microsoft is pure nazi-dom far beyond Hitler

Started by AribertDeckers, November 19, 2025, 05:53:33 PM

AribertDeckers

19.11.2025
URGENT WARNING: Microsoft is pure nazi-dom far beyond Hitler

Anyone still using something made by Microsoft can be called utterly clueless. The threat and the dangers by Microsoft are far beyond what their under-powered brains can handle.

Microsoft must be eliminated.


To make this video READABLE I had to take the transcript.

https://www.youtube.com/watch?v=t1eX_vvAlUc

[*quote*]
-----------------------
Your Windows 11 Computer's Hidden Spy: The Dark Truth About TPM Chips

Rob Braxman Tech
664K subscribers
461,156 views  Oct 29, 2025




If you're running Windows 11, your computer has a TPM Chip Version 2.0. This is one of the requirements to using Windows 11 and of course Windows 10 has been declared as "End-Of-Life". While you think that Windows 11 is an improvement, wait till you find out what this TPM chip is all about. It is such a giant invasion of privacy that I turned mine off.

----------------------------------
BraX3 Privacy Phone is on https://braxtech.net
-----------------------------------
Brax Virtual Phone, De-Googled Phones, BytzVPN, BraxMail, BraxRouters are available on https://brax.me
-----------------------------------
Merch Store
https://my-store-c37a50.creator-sprin...
-----------------------------------

I'm the Internet Privacy Guy. I'm a public interest technologist. I'm here to educate. You are losing your Internet privacy and Internet security every day if you don't fight for it. Your data is collected with endless permanent data mining. Learn about a TOR router, a VPN, antivirus, spyware, firewalls, IP address, wifi triangulation, data privacy regulation, backups and tech tools, and evading mass surveillance from NSA, CIA, FBI. Learn how to be anonymous on the Internet so you are not profiled. Learn to speak freely with pseudo anonymity. Learn more about the dangers of the internet and the dangers of social media, dangers of email.


I like alternative communication technology like Amateur Radio and data communications using Analog. I'm a licensed HAM operator.


Support this channel on Patreon! https://www.patreon.com/user?u=17858353

Contact Rob on the Brax.Me App (@robbraxman) for encrypted conversations (open source platform)

https://brax.me/home/rob Store for BytzVPN, BraxRouter, De-googled Privacy AOSP Phones, Linux phones, and merchandise

https://bytzvpn.com Premium VPN with Pi-Hole, Cloud-Based TOR Routing

https://whatthezuck.net Cybersecurity Reference

https://brax.me Privacy Focused Social Media - Open Source


Please follow me on
Odysee
https://odysee.com/$/invite/@RobBraxm...
Rumble
https://rumble.com/c/robbraxman
Transcript
If you're using Windows 11, your computer has a TPM chip, Trusted Platform Module version two. This thing is required now to run Windows 11 and is supposed to be a security feature. But I discovered something that made me turn mine off the same day. This is another one of these moments where cyber security is not privacy. Just remember this. Whoever sets the rules for cyber security, big tech in this case, may not have the same priorities as you do; their cyber security may equate to your loss of privacy. And today you will hear a pretty solid example of that. This security chip not only erases your privacy, but could become an instrument of control. I'm going to walk you through exactly what I found step by step with the technical details, and you will learn about the APIs involved in this TPM chip, which apparently is tied to the cloud. I will explain new terms connected to the TPM like PCRs, PCP, EK and UUIDs, plus the cloud calls this is connected to, everything. You will be surprised. Stay right there.

Let me start with what happened to me. I bought a brand new laptop, a Lenovo ThinkPad X1 Carbon Gen 13, the newest model. It came with Windows 11. First thing I did, like I always do, was dual boot with Ubuntu. I've done this for a dozen years, which takes me 20 minutes on older Windows for the Ubuntu install. But as always, it takes a long time to restore my data. After all this work, I turned off Secure Boot. Why? Because I'm a developer. I run custom kernels. I test various software. Secure Boot blocks unsigned bootloaders. And specifically with Secure Boot, you're tied only to operating systems that are signed using Microsoft's keys. To my surprise, without warning, the entire drive locked up. My Ubuntu partition inaccessible. Grub wiped. The only way to recover, I had to download a Lenovo recovery USB and start over. I lost not just Ubuntu, but all my data, since this recovery USB had to reformat the hard drive. Why did this happen? Because BitLocker is now on by default on Copilot Plus PCs and BitLocker's hardwired to the TPM.

Now, there's a reason that BitLocker is automatically enabled and that's because it's tied to Windows Recall, but we'll get back to that later.

The digital ID endorsement key. When the drive locked, the bootloader gave me a recovery option. Go to aka.ms BitLocker recovery and sign in with your Microsoft account. This was problematic right there because I actually, with great difficulty, managed to sign in with a local account. Now just to get this going, it's forcing me to identify myself. This was very suspicious, but I did it. And there it was in plain text: my device name, my 48-digit BitLocker recovery key, my TPM chip's endorsement key, which is a 2048-bit RSA public key.

Pay attention to that. The TPM endorsement key, that's the unique identifier of your machine. Now, it is tied to your Microsoft ID identity. As it turns out, this EK is burnt into the TPM at the factory. It never changes. It is the internal serial number of the chip. Once you use BitLocker, this EK becomes your digital passport. You can't change it. You can't delete it. It's now tied to your Microsoft account, Windows Hello, any cloud service that uses Microsoft APIs for using the TPM, which you'll learn about later, and some Microsoft Azure services. Right now, Microsoft is the main company using the EK at scale. They use it for BitLocker Recovery, cloud services, gaming anti-cheat systems, for example, Valorant and Fortnite. But here's the problem. They expose an open API.

Any application can call the TPM and reveal the endorsement key. And here's a command you can run on PowerShell, and run this yourself, as I'm not going to show you my endorsement key. This is not locked down like an iPhone. On a phone, only Apple, Google, and the carrier can read it. On your PC, any app with admin rights can pull your EK. And yes, gaming anti-cheat systems are already doing it.

Microsoft Cloud Cryptography, the PCP. Now we enter the rabbit hole. The Microsoft Platform Crypto Provider, PCP, is a version of a cryptography provider that routes all TPM operations through Microsoft's cloud. It's not just a driver, it's a cloud service. Just to explain this a bit more clearly, Microsoft provides an API for applications to interface with security functions of your TPM, but it is handled through the cloud, through Microsoft, which means Microsoft knows every security interaction, including every interaction with Windows Hello, booting with BitLocker, or interacting with any application that uses these Microsoft security features like gaming apps. When you generate a key like this on PowerShell, that key is sealed to the TPM and registered in Microsoft cloud servers. The PCP exposes APIs like these. Every call goes through Microsoft's attestation infrastructure.

That means Microsoft knows every TPM key you create. Microsoft knows every device that uses this crypto service. Microsoft can build a database of every Windows 11 machine. Microsoft knows when you are using these keys, and yes, they are doing it.

Platform Configuration Registers, PCRs. This was my second disaster. I swap SSDs all the time. I have several NVMe drives, several preset dual boot drives, some for backup, and some for testing. As a normal thing, I pulled my existing SSD drive out and put in a new one so I can do this video testing on a machine that didn't have my normal data. This one was dual boot Windows 11 with Ubuntu 24.04. Then when I booted the drive, Grub was gone. Once again, I could only go to Windows and the Linux setup was gone. What's happening here is something new and it's called the Platform Configuration Register, PCR. There's now a mechanism to watch your hardware and record this configuration on the TPM, and this can be queried remotely and locally by the bootloader. The TPM measures your hardware on every boot and stores it in these PCRs. This registry area is another part of the TPM. So in every boot, the bootloader can query for particular characteristics based on the PCR selected. And here's a list of the different PCR categories, meaning it can give you a response on any of these measures. PCR1 is the killer. It includes CPU microcode, motherboard firmware, NVMe drive UUIDs, partition GUIDs. When I swapped the SSD, the drive UUID changed. The TPM saw the mismatch when it queried the PCR using the PCR1 measure. And this apparently sent the signal to the Windows 11 bootloader, which then proceeded to wipe out Grub. And yes, the UUID is stored in PCR1. You can see it yourself by trying this on PowerShell. Look at PCR1. It's different on every machine. If you change one component on your device, PCR1 changes. If you are using BitLocker, it locks. I wasn't even using BitLocker, and it still signaled Windows to take over the boot sequence. This is not a bug. This is by design. Very devious.

Remote attestation. The final boss. Now we get to the scariest part. Using Microsoft's Platform Crypto Provider, PCP, service, any application can remotely query your TPM and get a signed PCR quote. And here's how it works. An app calls Get TPM Attestation Quote. The TPM signs all PCRs with the attestation identity key. That quote is sent to a Microsoft cloud service called the Azure Attestation Service. Then Microsoft returns: this device is running Windows 11 24H2. This device has Secure Boot enabled. This device has no Linux bootloader. This is not theoretical. Microsoft Azure Attestation is live. Windows Device Health Attestation uses it and any app can use it. For example, a bank app wants to know if you're running Linux. It calls attestation, sees PCR4 equals Grub signature, then it denies login. By the way, Google does this on Android with the newly announced Play Integrity API. It is an attestation service. So basically, today some bank apps will not run in Europe because some of these banks require Google attestation to work. And this is a progression from the Google SafetyNet, which before just required the app to be signed. Now it checks the OS, and a de-Googled OS will be rejected by this API. They will require the production OS for their apps to work. Microsoft is building the same capability for PCs.

Can Microsoft see everything? Yes. Every time you use BitLocker, enroll in Windows Hello, use a TPM protected certificate, run a Copilot PC feature, your EK endorsement key and PCRs are sent to Microsoft. They don't need to hack you. And remember that in order for certain apps to work, those apps that need Microsoft attestation services will require that you be logged in with your Microsoft ID, or attestation doesn't work. So, you can't just log in with a local account, since all the attestation processes need to be signed and verified through the Microsoft PCP. You're sending them the data. Microsoft is now in the middle of everything.

Windows Copilot, the AI that never forgets. You can't talk TPM without Copilot. Windows Recall takes screenshots every 3 seconds. Stores the analysis of them in encrypted SQLite databases at this address. Guess what encrypts it? The TPM. Guess why they need the TPM and BitLocker to encrypt it. So now your behavior is logged. Your identity is tied to the TPM. Your configuration is attested. And Microsoft says we shouldn't worry about this. It's all local. But here's the thing. There is no technical barrier to sending an instruction to the AI companion to examine your Recall database and report findings to HQ. This can be done without any data leaving your computer. Apple already proved it with NeuralHash. Apple scans your photos. Then it computes what it perceives as a hash, which is basically turning the observations into some secret digital identifier. Then it is compared to other hashes pre-compiled by Apple that it identified as CSAM, and if a match is found it is sent to Apple. They suspended this project but they already did the proof of concept that this was doable. This was already a demonstration of communications between the AI and HQ. All they did was to turn off parts of it. The portion that's doing the scanning of photos, that's the mediaanalysisd I keep talking about, it's still running today. Microsoft can do the same. And Windows Recall is much more capable. And actually, they can do it easier because during Apple's time, there was no LLM. But today, they can just ask this: Hey Copilot, summarize this user's last week. They visited privacy forums, searched "disable TPM", opened Tor. Zero technical difficulty.

The kill chain. Let's put it together. Identity. You now have an inescapable identity with the Microsoft key and the permanent TPM endorsement key. Configuration. Now through PCRs, applications can require very specific configurations of your system, all verified by the TPM with attestation. This can now force you to use those required configurations. Behavior. Now they can observe what you're doing with Microsoft Recall and Copilot. Control. The next step is to lock you out via policy if they want to shut you down. This is debanking 2.0. In case you forgot, let me remind you. In the UK, Nigel Farage was debanked for politics. In Canada, truckers were frozen out of their bank accounts. In China, if you have low social scores, you have no access to WeChat, which is their primary payment method. Now this new sophisticated infrastructure exists in the West.

How to fight back? You don't have to play this game. The only way to beat this is if the market says no, and we the consumers need to decide that we don't want what they are pushing. Here are important takeaways.

Number one, don't use Windows 11 as your main OS. Stay on Windows 10. Run Windows 11 in a VM or confine your use of this to a minimum. Use Linux for everything else.

Number two, disable or reset the TPM, but with a caveat. Let me be very clear here because this is important. The endorsement key, EK, cannot be changed. It is burnt into the TPM at the factory. It is permanent. There is no API, no BIOS setting, no Clear TPM command that will ever change it. But here's what you can do. Option A, disable the TPM in BIOS (recommended). And these are the steps I had to take on my Lenovo ThinkPad. I rebooted, then clicked on F1, and then went to Security in the BIOS, Trusted Computing, set the TPM state to Disabled, and then I saved and exited. BitLocker will suspend itself. Some apps, maybe TurboTax, may refuse to run. This depends on which apps start using the attestation service. Option B, reset the TPM ownership, but only if you never log in again to Microsoft. Run this in elevated PowerShell: Clear-Tpm. What happens? TPM ownership is removed. All the AIKs, they're called attestation identity keys, are deleted. All BitLocker protectors tied to the old TPM are invalidated. You are prompted to retake ownership. BitLocker re-encrypts with a new protector.

But if you don't use BitLocker, much of this won't matter. So, make sure you don't use BitLocker. But, and this is huge, if you sign back in with the same Microsoft account, Microsoft will read your EK and relink everything, because the EK is factory burned. Microsoft already has it in their database. They match it on login. It's like burning your passport and then walking into the same embassy with your old photo. Same chip, same identity, same tracking. The only way to break the chain permanently is reset the TPM using Clear TPM. Create a local account. Never sign in with Microsoft. Suspend BitLocker or don't use it. Use a different machine for Microsoft services. And yes, you can verify this yourself. After Clear TPM, sign in with your Microsoft account. Go to aka.ms BitLocker Recovery. Your old recovery key is back. Your EK is relinked. However, if you don't go to Microsoft again on this device and the keys are gone, it will simulate a new user, like a new user got your computer. It's not too different from selling a phone and the IMEI now belongs to someone else.

Number three, never use embedded AI. So, no Copilot, no Apple Intelligence, no Google Gemini. Use Linux on PCs and de-Googled OSes on a phone. Remember that embedded AI is controlled by someone else. It is okay to run AI like local AI you installed yourself, like at least you're the only one giving it instructions.

Number four, boycott attestation apps. If a bank is using attestation, switch. If government services use attestation, demand alternatives. Social platforms, leave.

Final thought. This isn't coming. It's here. Every new PC ships with TPM 2.0 required. BitLocker on by default. Copilot watching. You are not the user. You are the product. Disable your TPM. Switch to Linux. Reject the AI companion, because tomorrow your PC might decide you're not allowed to log in.

Folks, thank you for watching my videos. As many of you know, this channel does not have sponsors and we primarily sustain ourselves by just creating products and services that we use to defend our privacy posture. I'd like to invite you to visit our community site, Brax.me, which has a growing group of privacy enthusiasts. There are people from various walks of life and beliefs converging together in the mutual support of privacy issues. We have a store there with products ranging from the Brax virtual phone service, BraxMail, BytzVPN, de-Googled phones and other services like flashing an OS. All these are tools used by the privacy aware and you can even talk to the actual users of the products directly. Join us. We'd love to have you there. And you don't even have to identify yourself to be part of the community. The very successful BraX phone is available for pre-order on the second batch. The first batch has been sold out. Information about that is on braxtech.net. Thanks also to those who donate to us on Patreon, Locals, and YouTube memberships. You are all appreciated. See you next time.
-----------------------
[*/quote*]
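Added by the editor, not part of the forum post or of Rob Braxman's video: a PowerShell script for the situation the transcript describes (turning off Secure Boot or swapping a disk on a BitLocker-protected Windows 11 machine). It reads the TPM, endorsement-key hash, Secure Boot and BitLocker state that the transcript talks about, and then suspends BitLocker for exactly one reboot before the firmware change, which is the standard way to keep a changed boot measurement from dropping the machine into recovery. The cmdlets are Windows' own (TrustedPlatformModule, SecureBoot and BitLocker modules, elevated session required); the output wording is the editor's. It prints a hash of the EK rather than the key itself.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's code, not from the video): inventory TPM / Secure Boot /
# BitLocker state, then suspend BitLocker for one reboot before a firmware change.

# 1. TPM presence, readiness and ownership (TrustedPlatformModule module)
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  owned: $($tpm.TpmOwned)"

# 2. Endorsement key: show only the SHA-256 hash of the EK public key, enough to
#    tell two machines apart without echoing the key itself into the console
$ek = Get-TpmEndorsementKeyInfo -Hash "Sha256"
"EK present: $($ek.IsPresent)  EK public key hash: $($ek.PublicKeyHash)"

# 3. Secure Boot state; the default BitLocker TPM protector is sealed to PCR7,
#    whose value changes when Secure Boot is turned off, so note it before changing it
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: not a UEFI system or not supported here" }

# 4. BitLocker state per volume, with the protector types in use
Get-BitLockerVolume | ForEach-Object {
    $types = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    "$($_.MountPoint) protection=$($_.ProtectionStatus) protectors=[$types]"
}

# 5. Before changing Secure Boot, TPM state or disks: suspend BitLocker on the OS
#    volume for one reboot. The volume stays encrypted; the clear key is exposed only
#    until that reboot, after which protection resumes and re-seals to the new PCRs
#    instead of demanding the 48-digit recovery password.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -eq 'On') {
    # Keep the recovery password offline before any firmware change
    $rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if ($rp) { "Recovery password (store offline, then clear this console): $($rp.RecoveryPassword)" }
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
    "BitLocker suspended on $($env:SystemDrive) for one reboot; change firmware settings now"
} else {
    "BitLocker protection is not On for $($env:SystemDrive); nothing to suspend"
}
```

Run it from an elevated PowerShell before entering the firmware setup. Suspending for a single reboot is deliberate: `-RebootCount 0` would leave the volume unprotected until someone remembers to call `Resume-BitLocker`, while `1` restores protection automatically on the next boot with the new measurements in place.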