Is BitLocker useful in the case of stolen laptop?

It's generally useful. If you have automatic unlock, some systems might allow a determined attacker to bypass it, but it would take significantly more skill than just booting up a USB stick. However, you should have a BitLocker PIN to actually lock it down.

the hash of the password is also on the hard drive,

Yes, but they cannot read it, because the hard drive is encrypted.

BitLocker on new laptops uses the TPM chip to implement automatic unlock. One key is stored in the TPM such that it can be read back only if the system is booting in exactly the same way – same firmware settings, same PCI hardware, same boot device, same digitally-signed BOOTMGR.

(This means that your login password is not used for unlocking the disk; at the time you're staring at the login screen, the disk is already unlocked, so that the OS could be loaded from it. Everything on the system partition, including the OS itself – except for BOOTMGR – is encrypted.)

If you try to boot from a USB stick (or make any other changes, e.g. disable Secure Boot signature verification) the system disk will not automatically unlock anymore, even if it's still the same laptop; the only way to access it is by knowing the recovery key.

So the thief cannot obtain your Windows password hash (which would indeed be fairly easy to bruteforce) and they're limited to poking at the actual Windows login screen, or performing some sort of hardware attack (e.g. "cold boot" & reading the BitLocker key out of RAM).

Note: If the laptop has a discrete TPM chip (as opposed to fTPM), they can fairly easily intercept the actual signals between the TPM and the CPU and find out the BitLocker key this way. I believe BitLocker's "TPM + PIN" mode guards against this, because the PIN is required by the TPM to reveal the key (and the TPM itself has a lockout mechanism).


Finally, BitLocker won't prevent the laptop from being wiped or reused. The TPM is by design always possible to clear and reinitialize by anyone who can access the firmware settings screen. (Unless the manufacturer also stores the firmware password in the TPM, like HP does... but apparently it doesn't stop people from unlocking laptops by replacing the whole chip.)
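The PCR sealing the answer above describes (a key that the TPM releases only when the boot chain measures the same way, plus the "TPM + PIN" mode with a lockout) can be sketched as a small simulation. This is an added educational example, not code from the answer's author, from Microsoft, or from any TPM implementation: the `ToyTPM` class, the PCR selection, the `hmac`-based PIN check and every sample value (the `VMK` bytes, the boot-component strings) are constructed here; a real TPM enforces this with `TPM2_PolicyPCR`/`TPM2_Unseal` and a dictionary-attack lockout, which this toy only imitates.

```python
"""Toy model of TPM-sealed BitLocker unlock (added example, all values constructed)."""
import hashlib
import hmac
from typing import Dict, Optional

PCR_INIT = bytes(32)  # SHA-256 PCR bank: every register starts as all zeros at power-on


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR = H(PCR || H(measurement)). One-way, and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(firmware_settings: str, boot_device: str, bootmgr_signer: str) -> Dict[int, bytes]:
    """Simulate measured boot: each component is extended into a PCR as it runs.
    The register numbers are illustrative, not the exact Windows PCR profile."""
    pcr = {1: PCR_INIT, 4: PCR_INIT, 7: PCR_INIT}
    pcr[1] = extend(pcr[1], firmware_settings.encode())  # firmware configuration
    pcr[4] = extend(pcr[4], boot_device.encode())        # boot device / boot loader path
    pcr[7] = extend(pcr[7], bootmgr_signer.encode())     # Secure Boot signer of BOOTMGR
    return pcr


def policy_digest(pcr: Dict[int, bytes]) -> bytes:
    """Composite over the selected PCRs, standing in for the TPM's PCR policy digest."""
    return hashlib.sha256(b"".join(pcr[i] for i in sorted(pcr))).digest()


class ToyTPM:
    """Releases a sealed secret only if the live PCR policy matches the one sealed against.
    With a PIN, the secret is also withheld until the PIN matches; failures count
    toward a lockout (constructed limit; real TPMs use their own lockout parameters)."""

    MAX_PIN_FAILURES = 5

    def __init__(self) -> None:
        self._objects: Dict[int, tuple] = {}
        self._pin_failures = 0

    def _pin_tag(self, pin: str) -> bytes:
        # Constructed stand-in for the TPM-internal authValue check; never leaves the chip.
        return hmac.new(b"constructed-tpm-internal-secret", pin.encode(), "sha256").digest()

    def seal(self, secret: bytes, pcr: Dict[int, bytes], pin: Optional[str] = None) -> int:
        handle = len(self._objects) + 1
        tag = None if pin is None else self._pin_tag(pin)
        self._objects[handle] = (policy_digest(pcr), tag, secret)
        return handle

    def unseal(self, handle: int, pcr: Dict[int, bytes], pin: Optional[str] = None) -> Optional[bytes]:
        policy, tag, secret = self._objects[handle]
        if not hmac.compare_digest(policy, policy_digest(pcr)):
            return None  # boot chain differs from the one sealed against: no key
        if tag is not None:
            if self._pin_failures >= self.MAX_PIN_FAILURES:
                return None  # locked out: even the correct PIN is refused
            if pin is None or not hmac.compare_digest(self._pin_tag(pin), tag):
                self._pin_failures += 1
                return None
            self._pin_failures = 0
        return secret


# Constructed placeholder for BitLocker's volume master key; not a real key.
VMK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def demo() -> Dict[str, object]:
    """Walk through the scenarios from the answer and report which ones yield the key."""
    good = measure_boot("secure_boot=on", "internal-nvme", "bootmgr-signed-by-trusted-CA")
    tpm = ToyTPM()
    h = tpm.seal(VMK, good)
    results: Dict[str, object] = {}
    results["same_boot"] = tpm.unseal(h, good) == VMK
    usb = measure_boot("secure_boot=on", "usb-stick", "bootmgr-signed-by-trusted-CA")
    results["usb_boot"] = tpm.unseal(h, usb)            # None: PCR4 changed
    nosb = measure_boot("secure_boot=off", "internal-nvme", "bootmgr-signed-by-trusted-CA")
    results["secure_boot_off"] = tpm.unseal(h, nosb)    # None: PCR1 changed

    # TPM + PIN mode: same boot chain, but the PIN is also needed, with lockout.
    tpm_pin = ToyTPM()
    h2 = tpm_pin.seal(VMK, good, pin="123456")
    results["pin_correct"] = tpm_pin.unseal(h2, good, pin="123456") == VMK
    results["pin_missing"] = tpm_pin.unseal(h2, good)   # None, and counts as a failure
    for _ in range(ToyTPM.MAX_PIN_FAILURES):
        tpm_pin.unseal(h2, good, pin="000000")
    results["pin_after_lockout"] = tpm_pin.unseal(h2, good, pin="123456")  # None: locked out
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {'key released' if outcome is True else 'no key'}")
```

The point the simulation makes is the one the answer states: the Windows password is never an input to disk unlock, the measured boot chain is, so a different boot device or a changed firmware setting changes the policy digest and the toy TPM returns nothing, leaving only the recovery key. Adding a PIN is what makes the TPM itself refuse to release the key to anyone who has the hardware but not the PIN.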


This is the design scenario of the TPM chip.

An attack against the security of BitLocker backed by the TPM (which it is if it auto-boots) must inherently be an attack against the system bus or RAM.

On desktops, TPM has fallen because of adding PCI devices (wait what? TPM hashing checks ...; well no not really), but you can't reasonably add PCI devices to laptops. There is the cold RAM attack that should work against laptops, but that's really about it.

The attack against TPM on desktop costs a couple hundred dollars when we looked six months ago; the attack against TPM on laptops was beyond our reach and a fair estimate is probably a couple tens of thousands.