The frequency dropped even before TPM was deployed on most machines, and I guess most systems still don't have it enabled today. The reason for that is that there are simply more direct and profitable ways to get system access; see most applications of ransomware, for example.
> It's nice that you have no key material
You can use many different types of authenticators. If you use Windows Hello you need a TPM, and they try to hinder you from adding alternative means without the TPM being activated. But that is a different story and solely on Microsoft. No need to falsely or passive-aggressively suggest that a system would be insecure without these specific means.
> The frequency dropped even before TPM was deployed on most machines
I interpreted your sentence as two disjoint statements and thought you found UEFI/SB and TPMs all useless. But yes, it indeed started dropping before. TPMs don't deal with that topic unless we're speaking of Trusted Boot, which is a whole separate concept.
> [...] hinder you adding alternative means without TPM being activated. But that is a different story and solely on Microsoft.
No it's not solely on Microsoft. If there isn't a safe place to store keys, it makes sense to dissuade storing them. Fairly obvious, isn't it?
> You can use many different types of authenticators.
It's not a very realistic suggestion for most users and use-cases. Having a built-in module that does the job has a lot of upsides.
> No need to falsely or passive aggressively suggest that a system would be insecure without these specific means.
I didn't say such a system would be insecure; however, it can't safely store key material, so it would be less secure in a bunch of contexts.
> Having a built-in module that does the job has a lot of upsides.
And downsides, especially for corporate usage: you don't want your data protected by device keys if they aren't set by yourself or replicated elsewhere. But it is a security risk to deploy such keys on local machines in the first place in many circumstances.
> If there isn't a safe place to store keys, it makes sense to dissuade storing them. Fairly obvious, isn't it?
The behavior is that you can only add keys if you already activated TPM. This is an implementation detail of Windows Hello. Perhaps they changed it but I can think of some reasons why they forgot to add the option.
> it would be less secure in a bunch of contexts
No, I disagree. "Severely less secure" depends on the security model. Applications cannot usually randomly access any memory, but yes, the system would need to ensure that, and there can be attacks. If you assume your system is compromised on that level, your device encryption will be bypassed via the same channel. TPM comes with its own suite of security flaws in regard to device identification (bug or feature?). That is a relevant threat model compared to many memory attacks, regardless of the countless other fingerprinting problems we currently are subjected to. Plus the DRM issues around remote attestation and sealed storage.
> And downsides, especially for corporate usage you don't want your data protected by device keys if they aren't set by yourself or replicated elsewhere.
It's a solved problem in corporate environments.
> But it is a security risk to deploy such keys on local machines in the first place in many circumstances.
That's a massive stretch and no normal corporation agrees with that statement.
> No, I disagree.
Other people's threat models are not something you can disagree with.
> If you assume your system is compromised on that level your device encryption will be bypassed via the same channel.
Well not really, it's not a bypass. Continuous abuse of a compromised machine is significantly noisier than exfiltrating the keys needed and then abusing those. Plus you can't touch anything that would change TPM measurements, or you'll lock yourself out. It's much more cumbersome.
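The lock-out mechanism referred to above, as an added illustration that is not part of any comment in this thread: a software simulation of how a TPM extends a PCR with each boot component and how a secret sealed to that PCR value becomes unrecoverable once any measured component changes. The boot chain, the device key constant and the HMAC/XOR wrapping are constructed stand-ins for this example; a real TPM keeps its seed inside the chip and uses its own policy and encryption primitives.

```python
import hashlib
import hmac
import os

# Constructed sample boot chain; a real measured boot covers firmware,
# option ROMs, bootloader, kernel, configuration, etc.
BOOT_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]

# Stand-in for a TPM-resident key. In hardware this value never leaves the
# chip; here it is a constant only so the example runs offline.
DEVICE_KEY = b"\x01" * 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || SHA256(measurement)).
    Order-sensitive and one-way: you cannot reset a PCR to an earlier value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Start from the all-zero PCR and extend once per boot component."""
    pcr = bytes(32)
    for m in components:
        pcr = pcr_extend(pcr, m)
    return pcr


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a simple keystream (example only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(device_key: bytes, pcr_value: bytes, secret: bytes) -> dict:
    """Bind a secret to a PCR value: the wrapping key is derived from the
    device key AND the expected PCR, so a different PCR yields a different key."""
    nonce = os.urandom(16)
    kek = hmac.new(device_key, b"seal-policy|" + pcr_value, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, nonce, len(secret))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(device_key: bytes, pcr_value: bytes, blob: dict):
    """Recover the secret only if the current PCR matches the sealing policy.
    Returns None on any mismatch (policy failure or tampered blob)."""
    kek = hmac.new(device_key, b"seal-policy|" + pcr_value, hashlib.sha256).digest()
    expected = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, blob["nonce"], len(blob["ct"]))))


def demo() -> dict:
    """Seal a disk key to a known-good boot, then try to unseal after a
    modified kernel has been measured. The attacker who patches the kernel
    changes the PCR and locks themselves out of the sealed key."""
    disk_key = b"constructed-disk-encryption-key-32b"
    good_pcr = measure_boot(BOOT_CHAIN)
    blob = seal(DEVICE_KEY, good_pcr, disk_key)

    tampered_chain = BOOT_CHAIN[:-1] + [b"kernel-v1-patched-by-attacker"]
    bad_pcr = measure_boot(tampered_chain)

    return {
        "good_pcr_hex": good_pcr.hex(),
        "bad_pcr_hex": bad_pcr.hex(),
        "unseal_good": unseal(DEVICE_KEY, good_pcr, blob),
        "unseal_bad": unseal(DEVICE_KEY, bad_pcr, blob),
        "disk_key": disk_key,
    }


if __name__ == "__main__":
    r = demo()
    print("good PCR:", r["good_pcr_hex"])
    print("bad  PCR:", r["bad_pcr_hex"])
    print("unseal after good boot:", r["unseal_good"] == r["disk_key"])
    print("unseal after tampered boot:", r["unseal_bad"])
```

The point of the simulation is the asymmetry: the attacker can read and execute on the running machine, but anything that alters a measured component (firmware, bootloader, kernel) changes the PCR before the unseal runs, and the policy no longer matches. Exfiltrating the key while it is in use is therefore the quieter path, which is exactly why a key that never leaves the chip raises the cost.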