Windows 11 – Security with TPM and Pluton

Author:

Tim Russell

Modern Workspace

Jun 07, 2024

Trusted Platform Module (TPM), what is it for, and is there more? 

The TPM history started back in 2009 with version 1.2, and was the work of the Trusted Computing Group, an industry consortium.

The goal was to secure devices and components at the silicon level, and this led to the development of crypto-processors, cryptographic keys and hardware-based security. In 2014 the Trusted Computing Group announced the TPM 2.0 library specification, and this is the version we see being implemented now by most OEMs. TPM 2.0 became an ISO standard in 2019.

What it does is quite clever: it includes a hardware random number generator, a cryptographic key generator and remote attestation (an unforgeable, hash-based proof of the platform's state), and it encrypts data using a unique RSA key. It is, without doubt, the most important security device inside a modern computer, and it's understandable why Microsoft built Windows 11 around its capabilities. The TPM is provisioned inside devices in one of three ways.

1 - TPM Discrete 

  • A discrete TPM chip is a separate component housed in its own semiconductor package. 
  • It provides dedicated hardware for security functions. 
  • Discrete TPMs are commonly found on motherboards or expansion cards. 
  • These chips enhance security by performing cryptographic operations and securely storing keys. 
  • A separate module in its own physical package. 

2 - TPM Integrated 

  • The integrated TPM solution involves dedicated hardware integrated into one or more semiconductor packages. 
  • While physically integrated alongside other components, it remains logically separate. 
  • Integrated TPMs are often part of the system-on-chip (SoC) design. 
  • They offer similar security features as discrete TPMs but are more tightly integrated with the overall system. 
  • A piece of hardware incorporated into the CPU package. 

3 - Firmware TPM  

  • The firmware-based TPM runs within the firmware of a general-purpose computation unit (such as the CPU).
  • It operates in a Trusted Execution mode.
  • Firmware TPMs provide security features similar to those of physical TPMs, but without a separate hardware chip.
  • They are especially useful in virtualised environments where physical TPMs may not be available.
  • Simply put, a virtualisation of the hardware TPM capability.

So that’s TPM, but what’s Pluton? 

Microsoft’s advanced TPM capability is known as Pluton. Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) while delivering additional security features beyond what is possible with the TPM 2.0 specification, which, to be honest, are pretty good to start off with.  

It establishes the silicon root of trust (a term meaning that the trust anchor is integrated directly into a hardware-level component rather than added on top of it) and supports enhanced security features in Windows 11, including BitLocker, Windows Hello, and Windows Defender System Guard. Pluton is integrated directly within the CPU and ensures that sensitive information, like encryption keys, remains secure even if an attacker gains physical access to the device.

Additionally, Pluton's firmware updates are delivered via Windows Update, simplifying the process for users. Unlike the traditional Trusted Platform Module (TPM), which resides in a separate chip, Pluton is designed to be part of the CPU die. This integration ensures that Pluton operates in a walled garden, isolated from other system components. It securely stores cryptographic keys and other secrets, making it significantly more challenging for attackers to compromise. You can find support for Pluton in Intel, AMD and Qualcomm chipsets being built into a wide range of OEM devices.

Considerations 

If you are looking to refresh your device estate to support a Windows 11 migration, or for refresh reasons generally, it would be wise to consider both TPM and Pluton. TPM 2.0 is a prerequisite for Windows 11, but I would consider it to be a minimum requirement. Within the TPM implementation you can also consider the level of TPM integration, as highlighted above, and finally you have Pluton. This is optional; however, being newer, it is also more secure and likely to be a requirement for future functionality and capability, especially security-related ones, and it provides a simplified firmware update capability by being integrated directly into Windows Update.
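An added example (not code from the article, CDW or Microsoft): a PowerShell inventory check for the considerations above, to run on each device in an estate before a Windows 11 refresh. It assumes the built-in TrustedPlatformModule module (Get-Tpm) and the Win32_Tpm WMI class; treating a manufacturer ID of "MSFT" as a hint that the TPM is Pluton is an assumption to confirm against the OEM's documentation.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether a device meets the Windows 11 TPM 2.0 requirement,
# how the TPM is provisioned (by manufacturer), and whether it looks like Pluton.

function Get-TpmReadiness {
    # Get-Tpm comes from the built-in TrustedPlatformModule module.
    $tpm = Get-Tpm

    # Win32_Tpm exposes the spec level, e.g. "2.0, 0, 1.59"; the first field is what matters.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Assumption: a Pluton TPM reports the manufacturer ID "MSFT" (Microsoft).
    # ManufacturerIdTxt can carry trailing padding, so match on the prefix.
    $manufacturer = $tpm.ManufacturerIdTxt
    $plutonHint   = ($manufacturer -like 'MSFT*')

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmEnabled          = $tpm.TpmEnabled
        SpecVersion         = $specVersion
        Manufacturer        = $manufacturer
        ManufacturerVersion = $tpm.ManufacturerVersion
        LikelyPluton        = $plutonHint
        # Windows 11 needs a present, ready TPM at spec level 2.0.
        MeetsWin11TpmReq    = ($tpm.TpmPresent -and $tpm.TpmReady -and $specVersion -eq '2.0')
    }
}

Get-TpmReadiness | Format-List
```

Pipe the object to Export-Csv instead of Format-List to collect results across the estate; a device with TpmPresent true but TpmReady false usually needs the TPM enabled or cleared in firmware before it will pass.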

Summary  

Pluton is a new technology that enhances the security and simplicity of TPM 2.0, which is required for Windows 11. It's integrated into the CPU and protects sensitive data from physical attacks, while also providing seamless firmware updates through Windows Update. Pluton is supported by major chip manufacturers and device vendors, and offers a future-proof solution for Windows security.

If you are planning to upgrade to Windows 11 or refresh your device fleet, you should consider choosing devices that have Pluton enabled. This will ensure that you benefit from the latest security features and capabilities that Windows 11 has to offer, and that your devices will be ready for any upcoming enhancements or requirements. Pluton is not only a minimum requirement, but a competitive advantage for Windows devices. To learn more about devices enabled with both TPM 2.0 and Pluton please reach out to us today. 
