Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge
Find out how HCI cuts down virtualization costs and complexity

Microsoft Pluton Security Processor: New enhancements

  • March 12, 2025
  • 13 min read
Brandon Lee
Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com
Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com

Microsoft continues to refine the Pluton security processor with new updates aimed at strengthening system protection. Curious about the latest improvements? 

Microsoft has recently provided updated information on the Microsoft Pluton Security Processor. There are many advancements that have been noted with Pluton. With Microsoft’s new processor they have shown they are committed to making it secure by design. There are new features to note, including a Rust-based firmware, expanded cryptographic capabilities, and also an interesting “Pluton Key Storage Provider (KSP)”. Let’s see what each of these developments and capabilities bring to the table and how it fits into Microsoft’s overall view of Pluton moving forward.

Pluton and the original design

Microsoft had many things in mind when developing Pluton. It was originally built to provide a flexible security processor that was also updateable. It was to be a hardware-isolated security device that helps to protect things like credentials, sensitive data (encryption keys, auth tokens, etc). However, it was to take things further.

Traditional TPM solutions are generally devices that can be physically removed from a server, workstation, etc and tampered with. With Pluton, this security device is actually embedded within the CPU. This means that even if the attacker gains physical access to devices, it would be much harder to physically remove the device since it is embedded in the proc.

Microsoft Pluton security processor architecture

Microsoft Pluton security processor architecture

With the architecture of the Pluton processor, Microsoft is helping to make sure that Pluton will be a core security component. By its embedded nature, it will provide a more resilient security platform for protecting Windows systems.

Key Features and Recent Enhancements

Let’s take a look at the key features and recent enhancements with Microsoft Pluton.

1. The move to rust for the security platform

Arguably, one of the most important improvements that Microsoft has introduced recently is the shift to Rust for firmware for the Pluton (via Tock OS). This is a significant shift for the security processor. The transition to Rust helps to reduce the security attack surface and protect against memory issues. Rust is known for memory safety and provides a layer of protection against things like buffer overflows, use-after-free errors and other common vulnerabilities that attacker can take advantage of.

Tock OS provides a lightweight and modular design for security-focused applications. It helps to make sure that Pluton firmware is maintainable and extensible. With a microkernel approach, Pluton helps to support a variety of security functionalities while keep the overhead low and making sure performance is what it needs to be.

2. Better hardware security and isolation features

Pluton is a dedicated microcontroller that is embedded as a system-on-chip (SoC) design. This helps to make sure you have complete isolation from the CPU cores. It helps to reduce the risk of side-channel attacks and unauthorized access.

Note the following hardware security features include

  • Independent ROM and SRAM provides a separate isolation environment for security tasks
  • Random Number Generator (RNG) helps with secure cryptographic operations
  • It supports hardware-accelerated encryption which supports SHA-2 hashing, AES encryption, RSA, ECC, etc
  • Secure communication channels, which prevent unauthorized tampering with sensitive data stored within Pluton

This separation of security processing from the main CPU allows a significant improvement in separation of security processing which helps to reduce the attack surface. This works in parallel with existing Windows security features like UEFI Secure Boot, System Guard and memory integrity protection.

3. Collaboration with Intel, AMD, and Qualcomm

Microsoft has worked with chip vendors and integrated Pluton’s new Rust security core in AMD Ryzen AI, Intel Core Ultra, and Snapdragon X processors that are found in Copilot+ PCs.

  • AMD Ryzen AI 300 Series: AMD’s latest Ryzen AI processors now provide deeper hardware-based security protections with Pluton
  • Intel Core Ultra (Series 2): With Intel Partner Security Engine (IPSE) it allows for hardware-based isolation of Pluton from CPU operations
  • Snapdragon X Series: This uses Qualcomm Secure Processing Unit (SPU) and implements Pluton as a ultra-secure security enclave

Microsoft is doing a good job of standardizing Pluton across major processor architectures. This will mean security protections are consistent for Windows systems regardless of the chip Windows is running on top of. It will also mean that PC manufacturers will be able to implement additional enhancements customized to their hardware.

Pluton Key Storage Provider (KSP)

One of the more exciting developments with Pluton, is the Pluton Key Storage Provider (KSP). This will extend what Pluton can do beyond just TPM configurations. In its first iteration, Pluton was primarily tied to TPM 2.0 operations. The new KSP allows applications to interact with Pluton’s secure storage capabilities. This leads to many benefits to take note of, including:

  • Persistent keys stored securely – With the Pluton KSP, cryptographic keys can be stored permanently and remain available across system updates, firmware upgrades, and when the device is restarted
  • Enhanced developer experience: There are no specialized hardware configurations needed for Windows applications to access and use the KSP as secure storage for sensitive data
  • Cloud security integration: Pluton KSP is going to be integrated with Microsoft Entra (formerly Azure AD) and Microsoft Intune. This will have many advantaged, including allowing enterprises to enhance endpoint protection, authentication, and compliance.

This means that even if Pluton is not configured as the device’s TPM, its security capabilities can still be utilized for key storage, identity verification, and encryption.

New Pluton is good for security

With the updates to the Pluton security processor, Microsoft is helping with longstanding issues that have plagued TPM devices for a while now and extending its functionality to go beyond just simple TPM features. How do the features help with general security moving forward?

  1. Helps protect memory safety: With the Rust-based firmware, it helps to make sure that Pluton is built on a secure foundation. This will help to vulnerabilities caused by unsafe memory access.
  2. Helps with physical attacks as well as remote attacks: Since Microsoft has embedded Pluton within the CPU, this helps to isolate it from the main system memory or physical tampering. It will make it much more difficult to have someone remove or tamper with the TPM device since it is part of the CPU physically.
  3. Longer security lifespan: Pluton will protect against new threats through the lifespan of a device.
  4. Integration with enterprise security solutions: The new KSP will make it easier for IT admins to enforce certain types of authentication and cryptographic policies. All of these features will help with making sure compliance with modern security standards is met.
  5. Consistent security across devices: Pluton will be effective and available across AMD, Intel, or Snapdragon platforms. This will help to standardize the security model no matter which platform a user is on and will bring consistent security across the board.

Wrapping up

The Microsoft Pluton security processor evolution shows Microsoft is committed to proactive and consistent security measures that line up with the threats facing organizations today. With the new Rust-based firmware, embedded nature of the chip, and the new Pluton Key Storage Provider (KSP), it will help to provide more security features and capabilities moving forward. Overall, this will mean better endpoint security protection and a reduced attack surfaces. It will also mean a streamlined experience for security key management.

Related articles
What is Microsoft Pluton Security Processor?
Windows 11 Security Features in 2024
Tags
Hey! Found Brandon’s article helpful? Looking to deploy a new, easy-to-manage, and cost-effective hyperconverged infrastructure?
Alex Bykovskyi
Alex Bykovskyi StarWind Virtual HCI Appliance Product Manager
Well, we can help you with this one! Building a new hyperconverged environment is a breeze with StarWind Virtual HCI Appliance (VHCA). It’s a complete hyperconverged infrastructure solution that combines hypervisor (vSphere, Hyper-V, Proxmox, or our custom version of KVM), software-defined storage (StarWind VSAN), and streamlined management tools. Interested in diving deeper into VHCA’s capabilities and features? Book your StarWind Virtual HCI Appliance demo today!