windows-itpro-docs
Add more documentation around TPM state used to seal Windows Hello keys
Currently, all of the documentation around Windows Hello and use of the platform's TPM simply states that it "uses it." This is less than ideal, as it doesn't give consumers of the Hello APIs a clear understanding of the security guarantees applied to the key material stored in the TPM, so they are unable to evaluate the possible threat model of using it.
This is in contrast to the documentation around BitLocker, which clearly states the PCRs that it binds to by default.
I believe it would be very helpful to document these more specific details so that those evaluating using Windows Hello for key storage can get a clear image of what kind of platform threats are protected against or not, instead of hoping for the best.
The 1Password team would love to have these updated and/or clarified, so we could use such information to improve our Windows Hello support in 1Password 8.
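For the BitLocker side of the comparison drawn above, the PCR binding of each TPM-based key protector is visible from `manage-bde -protectors -get`. The following PowerShell is an added example, not code from the issue, the docs repository or Microsoft: it parses that command's output into objects so the PCR Validation Profile can be checked programmatically. It assumes the output layout shown in the constructed sample (protector type on its own line ending in a colon, then `ID:`, then `PCR Validation Profile:` followed by the comma-separated PCR list and, for Secure Boot-based profiles, the "(Uses Secure Boot for integrity validation)" line); the drive letter and the sample GUIDs are placeholders. The live path needs an elevated prompt.

```powershell
# Added example: extract the PCR validation profile of BitLocker's TPM-based
# protectors from "manage-bde -protectors -get" output. Not part of the issue
# or of any Microsoft documentation; the output layout it parses is an assumption
# based on the constructed sample below.

function Get-BitLockerPcrProfile {
    param(
        # Volume to query when no captured output is supplied (assumed: C:)
        [string]$MountPoint = 'C:',
        # Optional captured output lines, for offline parsing or testing
        [string[]]$ManageBdeOutput
    )

    if (-not $ManageBdeOutput) {
        # Requires an elevated prompt on the live system
        $ManageBdeOutput = & manage-bde.exe -protectors -get $MountPoint 2>&1
    }

    $tpmTypes = '^(TPM|TPM And PIN|TPM And Startup Key|TPM And PIN And Startup Key):$'
    $results  = @()
    $current  = $null     # TPM-based protector currently being parsed
    $inProfile = $false   # true while inside its "PCR Validation Profile:" block

    foreach ($line in $ManageBdeOutput) {
        $t = "$line".Trim()

        if ($t -match $tpmTypes) {
            # Start of a TPM-based protector block
            $current = [pscustomobject]@{
                Protector       = $matches[1]
                Id              = $null
                Pcrs            = @()
                SecureBootBased = $false
            }
            $results  += $current
            $inProfile = $false
        }
        elseif ($current -and $t -match '^ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.Id = $matches[1]
        }
        elseif ($current -and $t -match '^PCR Validation Profile:') {
            $inProfile = $true
        }
        elseif ($current -and $inProfile -and $t -match '^\d+(\s*,\s*\d+)*$') {
            # The PCR index list, e.g. "7, 11" or "0, 2, 4, 11"
            $current.Pcrs = @($t -split '\s*,\s*' | ForEach-Object { [int]$_ })
        }
        elseif ($current -and $inProfile -and $t -match 'Secure Boot') {
            # "(Uses Secure Boot for integrity validation)" closes the profile block
            $current.SecureBootBased = $true
            $inProfile = $false
        }
        elseif ($t -match '^[A-Za-z ]+:$') {
            # Any other label line (Numerical Password:, Password:, ...) ends the block
            $current   = $null
            $inProfile = $false
        }
    }

    return $results
}

# Constructed sample output (placeholder GUIDs), not captured from a real machine.
$sample = @'
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [OS]
All Key Protectors

    Numerical Password:
      ID: {11111111-2222-3333-4444-555555555555}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000

    TPM:
      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
'@ -split "`r?`n"

# Offline: parse the constructed sample
Get-BitLockerPcrProfile -ManageBdeOutput $sample | Format-Table -AutoSize

# Live (elevated): Get-BitLockerPcrProfile -MountPoint 'C:' | Format-Table -AutoSize
```

A profile of PCR 7 and 11 means the TPM key protector is sealed to the Secure Boot policy state rather than to individual firmware and boot-code measurements (PCR 0, 2, 4), which is exactly the kind of statement the issue asks to have written down for the Windows Hello container keys. Treat the returned `Pcrs` list, not the presence of "TPM" alone, as the answer to "what platform state does this key depend on".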
Closing the issue. After talking to the feature PMs, there are no immediate plans to add this level of detail to the documentation. It will be considered in the future.