Skip to main content
Windows 11
January 4, 2022

CES 2022: Chip to cloud security: Pluton-powered Windows 11 PCs are coming

As we enter this new year, security remains a top concern as businesses continue to evolve and define their digital transformation strategies and what hybrid work means for their organizations and their employees. Over the last year, we’ve seen a 121% increase in ransomware attacks. Every second there are 921 password attacks, and since March 2020 the industry has seen a 667% increase in phishing attacks. While cloud-delivered protections and significant advancements in the Windows OS have made things more difficult for attackers, they continue to evolve as well – targeting the seams that exist between hardware and software and sensitive information like encryption keys and credentials within a device’s firmware. Security decision makers have taken note. The Microsoft Security Signals 2021 survey found that 80% believe that modern hardware, and not just software, is needed to protect against emerging threats.

These modern, sophisticated threats, combined with today’s distributed workforce, require solutions that are designed to protect each layer of computing from the chip to the cloud. To deliver that for our customers, we’ve made several important strides with the release of secured-core PCs, Windows 11 and the Microsoft Pluton security processor. The Microsoft Pluton is a security processor, pioneered in Xbox and Azure Sphere, designed to store sensitive data, like encryption keys, securely within the Pluton hardware, which is integrated into the die of a device’s CPU and is therefore more difficult for attackers to access, even if they have physical possession of a device. This design helps ensure that emerging attack techniques cannot access key material.

Today, we are thrilled to see Lenovo and AMD introduce one of the first Microsoft Pluton powered PCs. The new Lenovo device powered by AMD Ryzen 6000 Series processors introduces a valuable new hardware security capability for Windows customers, including:

  • Security updates from the chip to the cloud
    • The Pluton security processor’s firmware will be updateable through Windows Update along with standard industry controls. This tightly integrated hardware and software helps protect against security vulnerabilities by adding additional visibility and control, and provides a platform for innovation that allows customers to benefit from new features in future releases of Windows that leverage the Pluton hardware and, with this design, are adaptable to changes in the threat landscape.
  • Physical attack resistance
    • Even if the attacker has complete physical possession of the PC, the AMD Security Processor and Pluton are designed to co-exist on AMD client silicon to ensure constant communication, which helps to eliminate an attack vector that physical attackers could exploit.
  • Trusted, proven security built alongside our partners built on approaches and technologies used in Xbox and Azure Sphere.

Improving security for all Windows users with innovation built on partnerships

Pluton’s flexible, secure platform helps to improve security across a range of scenarios that benefit everyday consumers, small businesses and large commercial enterprises. Supporting the needs of our customers is always a top priority, which is why Pluton can be configured in three ways: as the Trusted Platform Module; as a security processor used for non-TPM scenarios like platform resiliency; or OEMs can choose to ship with Pluton turned off. That means for devices like the Lenovo ThinkPad Z13 and Z16, when Pluton is configured as the TPM 2.0 for a Windows 11 system, Pluton helps protect Windows Hello credentials by keeping them further isolated from attackers. Device encryption can use Pluton when it is configured as the TPM to securely protect encryption keys from physical attacks and help keep data safe from prying eyes. The flexibility of Pluton and the innovation supported by Microsoft’s ecosystem partners allow the hardware security capabilities supported by Pluton to be used for scenarios beyond the TPM.

The first example of such a scenario was developed in close partnership with multiple OEMs. Windows will use Pluton to securely integrate with other hardware security components on the system to provide greater visibility into the state of the platform to the Windows end user and eventually to IT administrators, who will have new platform resiliency signals that can be used for zero-trust conditional access workflows.

Windows OEMs work closely with commercial customers to help ensure that their device security needs are met. Given that OEMs help build a device from the case to the motherboard and connected peripherals, they are uniquely positioned to provide customers insight into what the expected state is across these various components.

In the future these signals will also be reported to cloud services like Intune, through the Microsoft Azure Attestation service, so that they can be used by IT administrators to take a step further in the zero-trust security paradigm of verifying as much as possible before authorizing access to any privileged resources.

To learn more about Lenovo’s device, visit their website.

The start of the Pluton journey with the Windows ecosystem

Our OEM partners are leveraging platforms from silicon partners to begin offering customers Windows systems with Pluton enabled. This is the start of a journey with the Windows ecosystem to bring the Pluton benefits of cloud-delivered, up-to-date protection, physical attack resilience and established security features to more Windows systems over time. Look for updates from Microsoft and our partners in the future around expanded hardware availability of Pluton.

Editor’s note – May 24, 2022 – The introduction and physical attack resistance paragraphs above were updated.