Merge pull request #7126 from vinaypamnani-msft/vp-sv2-pluton

Add Microsoft Pluton for SV2 docs
2025-05-28 13:17:23 +00:00 · 2022-09-20 11:19:54 -04:00 · 2022-09-20 11:19:54 -04:00 · b6ccb09ab8
commit b6ccb09ab8
parent a69218085a b9776c6209
5 changed files with 142 additions and 34 deletions
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@ -5,13 +5,19 @@
  href: zero-trust-windows-device-health.md
  expanded: true
 - name: Hardware security
-  items: 
+  items:
    - name: Overview
      href: hardware.md
+    - name: Microsoft Pluton security processor
+      items:
+        - name: Microsoft Pluton overview
+          href: information-protection/pluton/microsoft-pluton-security-processor.md
+        - name: Microsoft Pluton as TPM
+          href: information-protection/pluton/pluton-as-tpm.md
    - name: Trusted Platform Module
      href: information-protection/tpm/trusted-platform-module-top-node.md
-      items: 
-        - name: Trusted Platform Module Overview
+      items:
+        - name: Trusted Platform Module overview
          href: information-protection/tpm/trusted-platform-module-overview.md
        - name: TPM fundamentals
          href: information-protection/tpm/tpm-fundamentals.md
@ -32,16 +38,16 @@
    - name: System Guard Secure Launch and SMM protection
      href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
    - name: Enable virtualization-based protection of code integrity
-      href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md    
+      href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
    - name: Kernel DMA Protection
      href: information-protection/kernel-dma-protection-for-thunderbolt.md
    - name: Windows secured-core devices
      href: /windows-hardware/design/device-experiences/oem-highly-secure
 - name: Operating system security
-  items: 
+  items:
   - name: Overview
     href: operating-system.md
-   - name: System security   
+   - name: System security
     items:
     - name: Secure the Windows boot process
       href: information-protection/secure-the-windows-10-boot-process.md
@ -70,19 +76,19 @@
       href: threat-protection/security-policy-settings/security-policy-settings.md
     - name: Security auditing
       href: threat-protection/auditing/security-auditing-overview.md
-   - name: Encryption and data protection 
+   - name: Encryption and data protection
     href: encryption-data-protection.md
     items:
     - name: Encrypted Hard Drive
       href: information-protection/encrypted-hard-drive.md
-     - name: BitLocker 
+     - name: BitLocker
       href: information-protection/bitlocker/bitlocker-overview.md
-       items: 
+       items:
        - name: Overview of BitLocker Device Encryption in Windows
          href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
        - name: BitLocker frequently asked questions (FAQ)
          href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
-          items: 
+          items:
            - name: Overview and requirements
              href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
            - name: Upgrading
@ -128,7 +134,7 @@
        - name: Protecting cluster shared volumes and storage area networks with BitLocker
          href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
        - name: Troubleshoot BitLocker
-          items: 
+          items:
            - name: Troubleshoot BitLocker
              href: information-protection/bitlocker/troubleshoot-bitlocker.md
            - name: "BitLocker cannot encrypt a drive: known issues"
@ -142,7 +148,7 @@
            - name: "BitLocker configuration: known issues"
              href: information-protection/bitlocker/ts-bitlocker-config-issues.md
            - name: Troubleshoot BitLocker and TPM issues
-              items: 
+              items:
                - name: "BitLocker cannot encrypt a drive: known TPM issues"
                  href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
                - name: "BitLocker and TPM: other known issues"
@ -158,12 +164,12 @@
       - name: Configure Personal Data Encryption (PDE) in Intune
         href: information-protection/personal-data-encryption/configure-pde-in-intune.md    
     - name: Configure S/MIME for Windows
-       href: identity-protection/configure-s-mime.md    
+       href: identity-protection/configure-s-mime.md
   - name: Network security
     items:
     - name: VPN technical guide
       href: identity-protection/vpn/vpn-guide.md
-       items: 
+       items:
        - name: VPN connection types
          href: identity-protection/vpn/vpn-connection-type.md
        - name: VPN routing decisions
@ -190,13 +196,13 @@
       href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
   - name: Windows security baselines
     href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
-     items: 
+     items:
      - name: Security Compliance Toolkit
        href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
      - name: Get support
-        href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md     
+        href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
   - name: Virus & threat protection
-     items: 
+     items:
      - name: Overview
        href: threat-protection/index.md
      - name: Microsoft Defender Antivirus
@ -214,7 +220,7 @@
      - name: Microsoft Defender for Endpoint
        href: /microsoft-365/security/defender-endpoint
   - name: More Windows security
-     items: 
+     items:
      - name: Override Process Mitigation Options to help enforce app-related security policies
        href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
      - name: Use Windows Event Forwarding to help with intrusion detection
@ -223,13 +229,13 @@
        href: threat-protection/block-untrusted-fonts-in-enterprise.md
      - name: Windows Information Protection (WIP)
        href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
-        items: 
+        items:
         - name: Create a WIP policy using Microsoft Intune
           href: information-protection/windows-information-protection/overview-create-wip-policy.md
-           items: 
+           items:
            - name: Create a WIP policy in Microsoft Intune
              href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
-              items: 
+              items:
                - name: Deploy your WIP policy in Microsoft Intune
                  href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
                - name: Associate and deploy a VPN policy for WIP in Microsoft Intune
@ -240,7 +246,7 @@
              href: information-protection/windows-information-protection/wip-app-enterprise-context.md
         - name: Create a WIP policy using Microsoft Endpoint Configuration Manager
           href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
-           items: 
+           items:
            - name: Create and deploy a WIP policy in Configuration Manager
              href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
            - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
@ -257,7 +263,7 @@
           href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
         - name: General guidance and best practices for WIP
           href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
-           items: 
+           items:
            - name: Enlightened apps for use with WIP
              href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
            - name: Unenlightened and enlightened app behavior while using WIP
@ -282,7 +288,7 @@
     href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
   - name: Windows Sandbox
     href: threat-protection/windows-sandbox/windows-sandbox-overview.md
-     items: 
+     items:
        - name: Windows Sandbox architecture
          href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
        - name: Windows Sandbox configuration
@ -295,7 +301,7 @@
   - name: Configure S/MIME for Windows
     href: identity-protection\configure-s-mime.md
   - name: Windows Credential Theft Mitigation Guide Abstract
-     href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md 
+     href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
 - name: User security and secured identity
  items:
    - name: Overview
@ -308,7 +314,7 @@
      href: identity-protection/enterprise-certificate-pinning.md
    - name: Protect derived domain credentials with Credential Guard
      href: identity-protection/credential-guard/credential-guard.md
-      items: 
+      items:
        - name: How Credential Guard works
          href: identity-protection/credential-guard/credential-guard-how-it-works.md
        - name: Credential Guard Requirements
@ -333,12 +339,12 @@
      href: identity-protection/password-support-policy.md
    - name: Access Control Overview
      href: identity-protection/access-control/access-control.md
-      items: 
+      items:
        - name: Local Accounts
          href: identity-protection/access-control/local-accounts.md
        - name: User Account Control
          href: identity-protection/user-account-control/user-account-control-overview.md
-          items: 
+          items:
            - name: How User Account Control works
              href: identity-protection/user-account-control/how-user-account-control-works.md
            - name: User Account Control security policy settings
@ -347,10 +353,10 @@
              href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
    - name: Smart Cards
      href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
-      items: 
+      items:
        - name: How Smart Card Sign-in Works in Windows
          href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
-          items: 
+          items:
            - name: Smart Card Architecture
              href: identity-protection/smart-cards/smart-card-architecture.md
            - name: Certificate Requirements and Enumeration
@ -365,7 +371,7 @@
              href: identity-protection/smart-cards/smart-card-removal-policy-service.md
        - name: Smart Card Tools and Settings
          href: identity-protection/smart-cards/smart-card-tools-and-settings.md
-          items: 
+          items:
            - name: Smart Cards Debugging Information
              href: identity-protection/smart-cards/smart-card-debugging-information.md
            - name: Smart Card Group Policy and Registry Settings
@ -374,10 +380,10 @@
              href: identity-protection/smart-cards/smart-card-events.md
        - name: Virtual Smart Cards
          href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
-          items: 
+          items:
            - name: Understanding and Evaluating Virtual Smart Cards
              href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
-              items: 
+              items:
                - name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
                  href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
                - name: Use Virtual Smart Cards
@ -399,7 +405,7 @@
   - name: Azure Virtual Desktop
     href: /azure/virtual-desktop/
 - name: Security foundations
-  items: 
+  items:
    - name: Overview
      href: security-foundations.md
    - name: Microsoft Security Development Lifecycle
--- a/windows/security/information-protection/images/pluton/pluton-firmware-load.png
+++ b/windows/security/information-protection/images/pluton/pluton-firmware-load.png
--- a/windows/security/information-protection/images/pluton/pluton-security-architecture.png
+++ b/windows/security/information-protection/images/pluton/pluton-security-architecture.png
--- a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
+++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
@ -0,0 +1,52 @@
+---
+title: Microsoft Pluton security processor
+description: Learn more about Microsoft Pluton security processor
+ms.reviewer:
+ms.prod: m365-security
+author: vinaypamnani-msft
+ms.author: vinpa
+manager: aaroncz
+ms.localizationpriority: medium
+ms.collection:
+  - M365-security-compliance
+ms.topic: conceptual
+ms.date: 09/15/2022
+appliesto:
+- ✅ <b>Windows 11, version 22H2</b>
+---
+
+# Microsoft Pluton security processor
+
+Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
+
+Microsoft Pluton is currently available on devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
+
+## What is Microsoft Pluton?
+
+Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC.
+
+Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).
+
+Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/).
+
+## Microsoft Pluton security architecture overview
+
+![Diagram showing the Microsoft Pluton security processor architecture](../images/pluton/pluton-security-architecture.png)
+
+Pluton Security subsystem consists of the following layers:
+
+| | Description |
+|--|--|
+| **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. |
+| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) |
+| **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. |
+
+## Firmware load flow
+
+When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process:
+
+![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png)
+
+## Related topics
+
+[Microsoft Pluton as TPM](pluton-as-tpm.md)
--- a/windows/security/information-protection/pluton/pluton-as-tpm.md
+++ b/windows/security/information-protection/pluton/pluton-as-tpm.md
@ -0,0 +1,50 @@
+---
+title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
+description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
+ms.reviewer:
+ms.prod: m365-security
+author: vinaypamnani-msft
+ms.author: vinpa
+manager: aaroncz
+ms.localizationpriority: medium
+ms.collection:
+  - M365-security-compliance
+ms.topic: conceptual
+ms.date: 09/15/2022
+appliesto:
+- ✅ <b>Windows 11, version 22H2</b>
+---
+
+# Microsoft Pluton as Trusted Platform Module
+
+Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard.
+
+As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material.
+
+Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates.
+
+To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features).
+
+## Microsoft Pluton as a security processor alongside discrete TPM
+
+Microsoft Pluton can be used as a TPM, or in conjunction with a TPM. Although Pluton builds security directly into the CPU, device manufacturers may choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM.
+
+Pluton is integrated within the SoC subsystem, and provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. We encourage users owning devices that are Pluton capable, to enable Microsoft Pluton as the default TPM.
+
+## Enable Microsoft Pluton as TPM
+
+Devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device.
+
+UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM.
+
+> [!WARNING]
+> If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive.
+>
+> Windows Hello must be re-configured after switching the TPM. Setup alternate login methods before changing the TPM configuration to prevent any login issues.
+
+> [!TIP]
+> On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit.
+
+## Related topics
+
+[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)