Why the biggest laptop vendors are ignoring Microsoft’s Pluton security tech

Two of the biggest laptop vendors have chosen to pass over Microsoft’s blossoming vision for PC chip security, Pluton. But the reason why may be less complex than it appears: Both companies are apparently sticking with an established relationship with Intel’s vPro technology, instead.

The Register reported this week that both Dell and Lenovo planned to skip Microsoft’s Pluton technology in its commercial PCs, which Microsoft introduced two years ago as a better way of integrating security directly into the CPU. The technology originally received somewhat tepid endorsements from both Qualcomm and Intel, and a more enthusiastic response from AMD — which had helped develop the technology to secure the Xbox game console.

Now, Dell told El Reg that “Pluton does not align with Dell’s approach to hardware security and our most secure commercial PC requirements” and that it won’t include the Pluton technology in most of its commercial PCs. Lenovo, too, said that it would ship Intel ThinkPads without Pluton, and that laptops with AMD Ryzen (and Pluton-enabled) chips inside them would be turned off by default.

(Editor’s Note: Dell provided PCWorld with a statement after publication. It reads:

“Pluton architecture depends on support within the SoC – versus a separate “chip” – and is a different approach to hardware security capabilities. At this time, Pluton does not align with our hardware security approach in our commercial PCs. You’ll see new Dell commercial laptops with 12^thGen Intel Core processors coming soon – these will continue to include Trusted Platform Module/TPMs (TCG certified and FIPS 140-2 level 2 validated) to protect the device. But with all new technologies, we will continue to evaluate Pluton to see how it compares against existing TPM implementations in the future.

And when it comes to endpoint security, our holistic security approach includes both software-based, “above the OS” protections and hardware-based, “below the OS” capabilities to protect against traditional/emerging attacks and threats at the deepest levels of a device,” the statement added.“These investments over the last decade allow us to provide the industry’s most secure commercial devices to businesses. “)

Lenovo also provided PCWorld with a statement, saying that customers asked for Pluton to be turned off. “Pluton is disabled by default on 2022 Lenovo ThinkPad laptops using AMD Ryzen PRO 6000 Series processors because that’s what Lenovo customers have asked for, the choice to enable or not,” a company representative said via email. “If they wish to use Pluton, we can do that for them at factory, or let the customer do it as they deploy.“

That sounds alarming, but the reality of the situation might be simpler: The majority of the world’s commercial laptops ship with Intel’s Core chips inside, specifically with its vPro security enabled.

According to Bob O’Donnell, the president of Technalysis Research, Intel’s vPro technology can’t currently work with the Microsoft Pluton security core. “You can’t do both,” O’Donnell said. “My guess is at the end of the day, Lenovo and Dell have invested a fair amount of time, money and effort into supporting vPro. So, as a result [Pluton] becomes a bit of an unnecessary thing.”

What’s Microsoft Pluton, again?

Pluton is, and was, Microsoft’s ongoing effort to secure the PC. Microsoft announced Pluton in 2020, the year before the company began laying down the law on Windows 11’s security requirement: Windows 11 PCs need a Trusted Platform Module, or TPM, whether discrete or integrated. Most processors for commercial and consumer PCs alike integrate a TPM function inside the processor, even if it doesn’t always go so well. Pluton is Microsoft’s approach — a secondary logic block that integrates security functions into the processor as well. Its selling point is that Microsoft used it to help secure the Xbox, which hasn’t suffered from any notable high-profile hacks. More importantly, it’s secure enough to allow firmware updates via Microsoft’s standard Windows Update channels.

But to be fair, worrying about Pluton may be jumping the gun. AMD originally said that even if it implemented Pluton, which it has, it wouldn’t replace AMD’s own TPM implementation — just sit alongside it. And Intel said that it would partner with Microsoft to add the Pluton technology to future platforms, “in the next few years.” More significantly, Intel never acknowledged Pluton as a feature in its recent Alder Lake platforms, including those for its most recent vPro systems. Even with its sliver of PC sales, Qualcomm may turn out to be Pluton’s biggest backer, as the company said in December that it plans to enable Pluton inside of its upcoming Snapdragon 8cx Gen 3 processor.

So with minimal chip support, what can PC makers do?

Lenovo’s decision is the most interesting, since the Pluton technology was included within the Ryzen-powered Lenovo ThinkPad Z13 and Z16, which were announced at CES 2022. Leaving the technology turned off for the entirety of 2022, as The Register reported, would put the burden of securing those PCs on AMD. Lenovo representatives didn’t immediately respond to a request for comment.

So what does this mean for Pluton? For Microsoft, its customers’ lukewarm response to Pluton is a bit of an embarrassment. But it’s not like commercial PCs powered by either AMD or Intel will be unsecured going forward, which is really what matters.

This story was updated at 1:53 PM on March 14 with a statement from Lenovo.