Lenovo has launched the first Windows 11 PCs with Microsoft Pluton, debuting with AMD’s new Ryzen 6000 Series Mobile secure processors. AMD and Lenovo revealed Tuesday that the secure processor for PCs will arrive this spring with two new ThinkPads.

The three companies are showcasing Microsoft Pluton at the annual Consumer Electronics Show (CES), which begins on Wednesday. Microsoft Pluton is an embedded security subsystem introduced in 2018 for Azure Sphere for IoT-based devices. Azure Sphere processors include Microsoft Pluton, which provides multiple layers of defense-in-depth security in hardware.

While Pluton in Azure Sphere is a Linux-based subsystem, it is also used to secure Microsoft’s Xbox gaming platform. In November 2020, Microsoft announced partnerships with AMD, Intel and Qualcomm to bring the Pluton security processor to Windows PCs. During its CES media briefing, AMD introduced the Ryzen 6000 Series Mobile processors for PCs, which will include Microsoft Pluton.

Lenovo’s Lisa Su

“Our co-development work with Microsoft eliminates entire attack vectors on notebooks, better protecting critical data like system credentials, user identities, encryption keys and personal information,” said Lisa Su, AMD’s president and CEO. “The Microsoft Pluton processor, combined with our other security features, delivers the most innovative security in a PC processor.”

Building on TPM

The Pluton processor extends Microsoft’s existing hardware-based security processor for Windows PCs, Trusted Platform Module (TPM), which enables BitLocker, System Guard and Windows Hello. Although TPM performs critical security functions in Windows PCs, sophisticated attackers have found new gaps, exposed by hybrid work environments.

Attackers are now “targeting the seams that exist between hardware and software and sensitive information like encryption keys and credentials within a device’s firmware,” according to Tuesday’s Pluton announcement posted by Microsoft’s director of enterprise and OS security David Weston.

Microsoft’s David Weston

Weston noted that 80% of security decision makers believe more modern hardware is necessary to thwart emerging threats, citing Microsoft’s Security Signals 2021 survey. Microsoft has also tracked a 150% increase in ransomware attacks since March 2020 and a 667% rise in phishing incidents.

Protecting the CPU to TPM Bus Interface

One way that sophisticated hackers have compromised TPM is by targeting the bus interface connecting the CPU and TPM. Pluton protects against theft of credentials, identities and encryption keys, because an attacker cannot remove it from Pluton even if they installed malware or have physical access to the PC.

“This is accomplished by storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helping to ensure that emerging attack techniques, like speculative execution, cannot access key material,” Weston noted. “Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself, providing an unprecedented level of security for Windows customers.”

Microsoft has enabled partners to configure Pluton in three ways: as a Trusted Platform Module (TPM), a security processor utilized for scenarios that don’t need TPM, or for OEMs to deliver with Pluton not running. The Ryzen 6000 Series Mobile processor with Microsoft Pluton will also include AMD’s Secure Processor and AMD Memory Guard.

Lenovo, which is launching the ThinkPad Z13 and Z16 laptops at CES, will include AMD’s Ryzen 6000 Series Mobile processor. The ThinkPads will also include Lenovo’s ThinkShield security. The ThinkPad Z13 will  ship in May, with a starting price of $1,550. The ThinkPad Z16 will ship around the same time and will have a starting price of $2,100.