The first Microsoft Pluton-powered PCs will become available later this year with Windows 11: during CES 2022, Lenovo and AMD announced a new ThinkPad Z series of laptops powered by AMD’s Ryzen 6000 Series processors, which integrate the Microsoft Pluton security processor.
Microsoft Pluton is a security processor, first pioneered in Xbox and Azure Sphere, designed to store sensitive data securely within the Pluton hardware itself, which is integrated into the die of a device’s CPU, Microsoft said in a blog post.
In the same post, the company rattled off several alarming cybersecurity statistics, including:
- A 150% increase in ransomware attacks over the last year
- Nearly 580 password attacks every second
- A 667% increase in phishing attacks since March 2020
“While cloud-delivered protections and significant advancements in the Windows OS have made things more difficult for attackers, they continue to evolve as well – targeting the seams that exist between hardware and software and sensitive information like encryption keys and credentials within a device’s firmware,” Microsoft said in the blog. “Security decision makers have taken note. The Microsoft Security Signals 2021 survey found that 80% believe that modern hardware, and not just software, is needed to protect against emerging threats.”
According to Microsoft, Pluton is designed to make it harder for attackers to access data like encryption keys even if they have physical possession of a device.
The new Lenovo device, Microsoft says, is among the first to use the Pluton processor, and features these capabilities:
- Security updates from the chip to the cloud. The Pluton firmware will be updateable through Windows Update along with standard industry controls.
- Physical attack resistance. Microsoft cited its Security Signals survey, which suggested security decision makers were more concerned about the risk of device theft due to hybrid work.
- Trusted, proven security built alongside Microsoft’s partners, based on approaches and technologies used in Xbox and Azure Sphere.
The company says Pluton can be configured in three ways: as the Trusted Platform Module (TPM); as a security processor for non-TPM scenarios such as platform resiliency; or turned off, if the OEM chooses to ship it that way.
“That means for devices like the Lenovo ThinkPad Z13 and Z16, when Pluton is configured as the TPM 2.0 for a Windows 11 system, Pluton helps protect Windows Hello credentials by keeping them further isolated from attackers,” the company says. “Device encryption can use Pluton when it is configured as the TPM to securely protect encryption keys from physical attacks and help keep data safe from prying eyes. The flexibility of Pluton and the innovation supported by Microsoft’s ecosystem partners allow the hardware security capabilities supported by Pluton to be used for scenarios beyond the TPM.”
Microsoft says Windows will use Pluton to integrate securely with other hardware security components on the system, giving end users, and eventually IT admins, greater visibility into the state of the platform. IT will also be able to use the technology for platform resiliency signals that feed zero-trust conditional access workflows.
“In the future these signals will also be reported to cloud services like Intune, through the Microsoft Azure Attestation service, so that they can be used by IT administrators to take a step further in the zero-trust security paradigm of verifying as much as possible before authorizing access to any privileged resources.”