What is Microsoft Pluton?
Pluton is a security processor developed by Microsoft. It was originally developed as part of the Xbox One console to implement hardware-based OS security. One of the main reasons was to protect the Xbox console, or rather to make it more difficult to hack and to run pirated games on it. Later it was also used in Azure Sphere, a security solution for IoT devices.
Microsoft has since developed Pluton further, and it has evolved into a security solution within the CPU. So no separate security chip, like the TPM chips, is required.
The main idea behind this is still to better protect the PC from hackers and safeguard data and connectivity. With today’s higher levels of PC use for working from home, security is more important than ever. In most work scenarios, data is stored in the cloud or the corporate network. But access to the network is configured and stored in the PC itself. So better security seems like a good idea.
Typical Windows security features that use the TPM today (and can use Pluton in the future) are Windows Hello and BitLocker.
In actuality, there are already similar implementations in the market today. Apple has added the T2 security chip to its M1 chips.
Why security in the CPU?
Well, mainly because the main protection in modern PCs is realized by encryption, and for a lot of that encryption external hardware, like TPM chips, is used. Although these chips are very secure by themselves, there is a possibility that their data can be accessed. They need to communicate with the CPU, and that communication is a weakness, since it can be hacked and used to get access to the encryption keys.
As is evident from the above, this does require the hacker to have access to the physical system. So it all depends on the type of device used and the location(s) the device is stored at.
But this is why Microsoft plans to incorporate the security into the CPU itself, using Pluton.
How is Pluton implemented?
Although it is Microsoft’s design, Pluton is implemented in the CPU. So Microsoft has teamed up with CPU manufacturers to build the security processor into the CPU. Partners like Intel, AMD, and Qualcomm will implement the security processor in their products. AMD is actually the first to include the Pluton security processor in their Ryzen 6000 processors. Lenovo is including these chips in their new ThinkPad Z13 and Z16 models. Qualcomm has announced it plans to support Pluton in the new Snapdragon 8cx Gen 3 processor.
In its initial implementation, the Pluton security solution is basically the same as the TPM 2.0 solution. Encryption keys are stored in the hardware device. But with the Pluton option, the hardware is now part of the CPU.
The main reason to configure Pluton identical to the TPM solution at first is to allow for a smooth transition from TPM compatible solutions. Windows Hello and BitLocker can use the same API and easily use the Pluton-based security.
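Because Pluton is exposed through the same TPM 2.0 interface, the usual Windows TPM tooling shows what the operating system sees and whether BitLocker depends on it. The following is an added example, not from the original article or from Microsoft; it assumes an elevated PowerShell session on a Windows edition that includes the BitLocker module, and it reports the vendor code the device returns without mapping that code to a particular product.

```powershell
# Added example: inventory the TPM 2.0 interface Windows sees, whichever
# hardware (discrete chip, firmware TPM, or in-CPU processor) backs it.
# Assumption: run from an elevated PowerShell session.

$tpm = Get-Tpm   # TrustedPlatformModule module, ships with Windows

if (-not $tpm.TpmPresent) {
    Write-Warning 'No TPM is exposed to Windows (absent, or disabled in firmware setup).'
    return
}

# Win32_Tpm carries the specification version the device reports.
$wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm

[pscustomobject]@{
    Present         = $tpm.TpmPresent
    Ready           = $tpm.TpmReady
    ManufacturerId  = $tpm.ManufacturerIdTxt    # vendor code reported by the device
    FirmwareVersion = $tpm.ManufacturerVersion
    SpecVersion     = $wmi.SpecVersion          # a value starting with "2.0" means TPM 2.0
} | Format-List | Out-Host

# BitLocker reaches the key store through the same interface: list each volume
# and whether any of its key protectors is a TPM-based type.
Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        Volume       = $_.MountPoint
        Protection   = $_.ProtectionStatus
        TpmProtected = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        Protectors   = $types -join ', '
    }
} | Format-Table -AutoSize | Out-Host
```

A volume that shows protection on but `TpmProtected` false is unlocked by a password or key file only, so its key does not depend on the hardware key store at all.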
The solution architecture from Microsoft illustrates the design:
In the future, more features and types of usage are envisioned for Pluton. For one, updates to the Pluton firmware will be included in the Microsoft Windows Update process.
And, as Microsoft states it:
“Windows will use Pluton to securely integrate with other hardware security components on the system to provide greater visibility into the state of the platform to the Windows end user and eventually to IT administrators, who will have new platform resiliency signals that can be used for zero-trust conditional access workflows.”
This means that together with cloud reporting, security will be more easily manageable for organizations. This mode is referred to as platform resilience.
Pluton Concerns?
With increased cyberterrorism, an increase in ransomware attacks, and more and more use of our devices, improved security is something we should all welcome!
So are there any concerns with the solution?
Well, it all depends on how you like to use your computer, as well as how future plans are realized.
For now, all CPU manufacturers seem to implement the ability to disable the Pluton security processor on their products. Most OEMs will probably opt to configure Pluton in the TPM mode, to support Windows 11 security features, or disable it.
For people that like to use their computer with an operating system other than Windows, the concern is: can they? Will running Linux, or any other OS you like, on these new computers with the Pluton solution be possible? And will it be in the future, if firmware updates are released? Will these firmware updates be optional?
Another concern for some people will be what data is sent to Microsoft. This has already been a point of concern with Windows 10, and will only be reinforced with the Pluton implementation.
Final thoughts on Pluton
In general, I think we can see increased security as a good thing. So the Pluton security processor is a welcome addition to the protection against malicious people.
It does seem to me that as a home user I currently get the same benefits from Pluton as I do from a TPM chip on the motherboard. And how secure do things need to be? User access, yes, almost everybody would use that. But data encryption? Do you actually use any encrypted drives? BitLocker?
The benefits seem to be mainly for organizations that manage and protect multiple Windows devices. Better security and easier management of corporate devices seem like big potential cost savings.
A lot will depend on the adoption of the industry and the further development of Pluton.