Microsoft Pluton
What is Microsoft Pluton?
Microsoft PlutonA Microsoft-designed security processor integrated into the CPU die that implements a firmware TPM 2.0, key isolation, and identity attestation for Windows 11.
Microsoft Pluton is a security subsystem co-developed with AMD, Intel, and Qualcomm and integrated directly into the SoC, rather than on a separate TPM chip on the motherboard. It originated in Xbox One and Azure Sphere and ships on Windows 11 systems based on AMD Ryzen 6000+, Qualcomm Snapdragon 8cx Gen 3, and Intel Core Ultra. Pluton implements a firmware TPM 2.0 measured-boot root of trust, hardware key isolation behind a Secure HCI bus, anti-rollback storage, and System Guard runtime attestation. It receives signed firmware updates through Windows Update, which is intended to close the gap of out-of-date discrete TPM firmware, though it has also raised concerns about vendor neutrality and self-hosted firmware.
● Examples
- 01
Pluton-equipped AMD Ryzen 6000 laptops use Pluton as their TPM 2.0 root of trust.
- 02
Windows Hello credentials are bound to keys generated inside Pluton.
● Frequently asked questions
What is Microsoft Pluton?
A Microsoft-designed security processor integrated into the CPU die that implements a firmware TPM 2.0, key isolation, and identity attestation for Windows 11. It belongs to the Cryptography category of cybersecurity.
What does Microsoft Pluton mean?
A Microsoft-designed security processor integrated into the CPU die that implements a firmware TPM 2.0, key isolation, and identity attestation for Windows 11.
How does Microsoft Pluton work?
Microsoft Pluton is a security subsystem co-developed with AMD, Intel, and Qualcomm and integrated directly into the SoC, rather than on a separate TPM chip on the motherboard. It originated in Xbox One and Azure Sphere and ships on Windows 11 systems based on AMD Ryzen 6000+, Qualcomm Snapdragon 8cx Gen 3, and Intel Core Ultra. Pluton implements a firmware TPM 2.0 measured-boot root of trust, hardware key isolation behind a Secure HCI bus, anti-rollback storage, and System Guard runtime attestation. It receives signed firmware updates through Windows Update, which is intended to close the gap of out-of-date discrete TPM firmware, though it has also raised concerns about vendor neutrality and self-hosted firmware.
How do you defend against Microsoft Pluton?
Defences for Microsoft Pluton typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Microsoft Pluton?
Common alternative names include: Pluton, Microsoft Pluton security processor.
● Related terms
- cryptography№ 981
Secure Boot
UEFI feature that verifies the cryptographic signature of every boot component, refusing to launch a bootloader, kernel, or driver not signed by a trusted authority.
- cryptography№ 460
Hardware Attestation
A cryptographic protocol by which a device proves its identity and software measurements to a remote verifier using a key rooted in tamper-resistant hardware.
- cryptography№ 060
ARM TrustZone
A hardware security extension on ARM CPUs that partitions the SoC into a Secure World and a Normal World, providing a TEE for keys, DRM, and biometric data.
- cloud-security№ 1177
Trusted Execution Environment (TEE)
A secure, isolated execution context within a processor where code and data are protected in confidentiality and integrity, even from the host OS and hypervisor.