deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update microsoft-pluton-security-processor.md

Browse Source 
Update based on leadership\reported feedback to add value prop and scenario example. Also updates availability information
This commit is contained in:
Nazmus Sakib 2024-07-12 14:26:09 -07:00 committed by GitHub
parent 7e683fb0ca
commit ac8c7ed300
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
View File

@ -9,7 +9,7 @@ ms.date: 07/10/2024
Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
Microsoft Pluton is currently available on devices with AMD Ryzen® 6000, 7000, 8000, Ryzen AI and Qualcomm Snapdragon® 8cx Gen 3 and Snapdragon X series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2 and above.
## What is Microsoft Pluton?
@ -19,6 +19,24 @@ Microsoft Pluton is designed to provide the functionality of the Trusted Platfor
Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/).
## How can Pluton help customers?
Pluton is built with the goal of providing customers with better end-to-end security experiences. It does so by doing three things:
1) **Zero-trust security and reliability**: customer security scenarios often span devices and cloud services. Windows PCs and services like Microsoft Entra and Intune need to work harmoniously together to provide frictionless security. Pluton is designed, built and maintained in close collaboration with teams across Microsoft to ensure that customers get both high security and reliability
2) **Innovation**: the Pluton platform and the functionality it provides is informed by customer feedback and Microsofts threat intelligence. As one example, 2024 Pluton platforms in AMD and Intel systems will start to use a Rust-based firmware foundation given the importance of memory safety.
3) **Continuous improvement**: the Pluton platform supports loading new firmware delivered through operating system updates. This functionality is supported alongside the typical mechanism of UEFI capsule updates that updates the Pluton firmware that is resident on the systems SPI flash and loaded during early system boot. The additional support for dynamically loading valid new Pluton firmware through operating system updates facilitates continuous improvements both for bug fixes and new features.
### A practical example: zero-trust security with device-based conditional access policies
An increasingly important zero-trust workflow is conditional access gating access to resources like Sharepoint documents based on verifying whether requests are coming from a valid, healthy source. Microsoft Intune for example supports may different workflows for conditional access including [device-based conditional access](https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune) which allows organizations to set policies that ensure that managed devices are healthy and compliant before granting access to the organizations apps and services.
To ensure that Intune gets an accurate picture about the devices health as part of enforcing these policies, ideally it has tamper-resistant logs on the state of the relevant security capabilities. This is where hardware security is critical as any malicious software running on the device could attempt to provide false signals to the service. One of the core benefits of a hardware security technology like the TPM, is that it has a tamper-resistant log of the state of the system. Services can cryptographically validate that logs and the associated system state reported by the TPM truly come from the TPM.
For the end-to-end scenario to be truly successful at scale the hardware-based security is not enough though. Since access to enterprise assets is being gated based on security settings that are being reported by the TPM logs, it is critical that these logs are available reliably. Zero-trust security essentially requires high reliability.
With Pluton, when it is configured as the TPM for the system, customers using conditional access get the benefits of Plutons security architecture and implementation with the reliability that comes from the tight integration and collaboration between Pluton and other Microsoft components and services.
## Microsoft Pluton security architecture overview
![Diagram showing the Microsoft Pluton security processor architecture](../images/pluton/pluton-security-architecture.png)