While testing the ESET Full Disk Encryption product we found that we can successfully move the drives to a new desktop (different TPM, CPU, mobo, etc.) and we're able to successfully boot into Windows. I read in this forum post that the ESET Encryption Boot files are stored in the EFI System Partition (ESP). Why?
This completely defeats the purpose of encrypting the drives with a TPM. In our configuration we don't have the login password set, as the computers live in a facility. If there's a smash-and-grab and someone takes the drives, they'd be able to boot into them to try and recover data. They'll have a running OS with a network stack which can likely be exploited. I confirmed we can't read the data while the drives are docked, or by booting into another OS to read them.
Why are the keys not stored in the TPM? I would expect that moving the drives to new hardware would render them inoperable.
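The behaviour the poster expected (a key that a TPM will only release when the boot measurements match the machine it was sealed on) can be illustrated with a small model. The following is an added example, not ESET's implementation and not a real TPM: the chip secret, the PCR-extend arithmetic, the sample boot components and the policy format are all simplified stand-ins. It shows why a key sealed to PCRs cannot be recovered after the drive is moved to another motherboard, or after a file measured into a PCR (such as a bootloader on the ESP) is altered, whereas a key that is simply stored on the ESP unlocks wherever the drive is plugged in.

```python
"""Toy model of TPM-style sealing of a disk-encryption key to PCR state.

Constructed illustration only. Not ESET's code and not a real TPM interface:
the root secret, PCR extend and policy digest are simplified analogues.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Sequence


def _sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def measure_boot(components: Dict[int, Sequence[bytes]]) -> Dict[int, bytes]:
    """Simulate PCR extend: PCR = SHA256(PCR || SHA256(component)), from zeros.

    `components` maps a PCR index to the ordered list of things measured into
    it during boot (firmware, Secure Boot state, bootloader image, ...).
    """
    pcrs: Dict[int, bytes] = {}
    for idx, items in components.items():
        value = bytes(32)
        for item in items:
            value = _sha256(value, _sha256(item))
        pcrs[idx] = value
    return pcrs


def pcr_policy_digest(pcrs: Dict[int, bytes], selection: Sequence[int]) -> bytes:
    """Digest over the selected PCRs; the sealed object is bound to this value."""
    return _sha256(*(bytes([i]) + pcrs[i] for i in sorted(selection)))


class SimulatedTPM:
    """Holds a per-chip secret that never leaves the 'chip' (stand-in for a
    storage root key). A different chip has a different secret."""

    def __init__(self, seed: Optional[bytes] = None):
        self._root_secret = seed if seed is not None else secrets.token_bytes(32)

    def _wrap_key(self, policy: bytes) -> bytes:
        # Wrapping key depends on both the chip secret and the PCR policy.
        return hmac.new(self._root_secret, b"seal" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcrs: Dict[int, bytes], selection: Sequence[int]) -> dict:
        assert len(secret) == 32, "model seals a 32-byte volume key"
        policy = pcr_policy_digest(pcrs, selection)
        pad = self._wrap_key(policy)
        blob = bytes(a ^ b for a, b in zip(secret, pad))
        tag = hmac.new(pad, blob, hashlib.sha256).digest()
        # Everything in this dict may sit on disk (e.g. on the ESP); it is
        # useless without the right chip AND the right PCR values.
        return {"selection": tuple(selection), "policy": policy, "blob": blob, "tag": tag}

    def unseal(self, sealed: dict, current_pcrs: Dict[int, bytes]) -> Optional[bytes]:
        policy = pcr_policy_digest(current_pcrs, sealed["selection"])
        if not hmac.compare_digest(policy, sealed["policy"]):
            return None  # PCRs differ: policy check fails, TPM refuses to release
        pad = self._wrap_key(policy)
        expected_tag = hmac.new(pad, sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, sealed["tag"]):
            return None  # different chip: wrong root secret, blob cannot be unwrapped
        return bytes(a ^ b for a, b in zip(sealed["blob"], pad))


# Constructed sample boot chains (hypothetical component names, not real measurements).
ORIGINAL_BOOT = {
    0: [b"OEM firmware 1.2", b"board config A"],
    4: [b"esetboot.efi (original)"],
    7: [b"SecureBoot=on", b"db: vendor cert"],
}
NEW_HOST_BOOT = {
    0: [b"OEM firmware 3.0", b"board config B"],
    4: [b"esetboot.efi (original)"],
    7: [b"SecureBoot=on", b"db: vendor cert"],
}
SELECTION = (0, 4, 7)
VOLUME_KEY = b"\x42" * 32  # constructed sample key


def run_scenarios() -> Dict[str, Optional[bytes]]:
    original_tpm = SimulatedTPM(seed=b"\x11" * 32)
    sealed = original_tpm.seal(VOLUME_KEY, measure_boot(ORIGINAL_BOOT), SELECTION)

    new_tpm = SimulatedTPM(seed=b"\x22" * 32)
    tampered_boot = {**ORIGINAL_BOOT, 4: [b"esetboot.efi (modified)"]}
    return {
        # Same machine, same boot chain: key released.
        "same_machine": original_tpm.unseal(sealed, measure_boot(ORIGINAL_BOOT)),
        # Drive moved to another desktop: other firmware measurements and other chip.
        "moved_to_new_host": new_tpm.unseal(sealed, measure_boot(NEW_HOST_BOOT)),
        # Same machine, but the measured bootloader on the ESP was altered.
        "tampered_bootloader": original_tpm.unseal(sealed, measure_boot(tampered_boot)),
        # Other chip fed identical PCR values: policy matches, unwrap still fails.
        "cloned_pcrs_other_tpm": new_tpm.unseal(sealed, measure_boot(ORIGINAL_BOOT)),
    }


if __name__ == "__main__":
    for name, key in run_scenarios().items():
        print(f"{name:24s} -> {'key released' if key else 'refused'}")
```

The contrast with the situation in the post: if the key (or a key wrapped only by something else that travels with the drive) lives in the ESP without being sealed to the TPM, the `unseal` step above is never involved, and any host that can execute the boot files can unlock the volume. Sealing to PCRs is what ties the key to the original platform; a pre-boot password or a second factor is what protects against an attacker who boots the original machine itself.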