(Credit: Microsoft)
As part of its "AI Tour," Microsoft last week announced new generations of its Surface Pro and Surface Laptop For Business family based on Intel Core Ultra 200V (Lunar Lake) processors. But what stood out to me were the security improvements, most notably a significant upgrade to its Pluton capabilities that should make things like BitLocker and Windows Hello more resistant to attacks, specifically those involving memory safety.
The new laptops include both 13.8- and 15-inch versions of the Surface Laptop (the 7th generation of this machine). The machines are available in different configurations of the Core Ultra 200V, with an anti-reflective display and support for Wi-Fi 7.
Microsoft says the machine can get up to 22 hours of battery life running video, and three times the battery life in Teams with the new processor and support for Teams running on the neural processing unit (NPU), a big step forward. And, of course, it promises better performance, particularly in graphics, with the new processors.
Later in the year, the company will be adding a 5G model, something that Nancie Gaskill, General Manager of Surface for Business, tells me global customers have been asking for.
For the 11th Generation Surface Pro, a tablet that works with a detachable keyboard, in addition to the new processor, there's now an optional OLED display, and it comes with built-in NFC support for things like the YubiKey 5C.
I liked the Flex keyboard, which uses Bluetooth so that the keyboard can be pushed away from the display, particularly a version with much larger letters and brighter backlighting. In addition, the company has a number of adaptive accessories for those who have trouble using a traditional mouse.
Microsoft continues to sell last year's version based on Intel's Meteor Lake processors, and Snapdragon versions of the Surface line.
For manageability, Microsoft has a Surface Management Portal, now integrated into its Intune Admin Center, with Copilot functionality and the ability to combine company-specific information (such as the number of Surface machines, their versions, and their operating systems) with information from the web. I was a bit disappointed to learn that Microsoft is not supporting Intel's vPro (or AMD's Ryzen Pro) features for remote management in its business lineup. Gaskill says Microsoft is committed to solutions that work across the entire ecosystem instead.
Pluton Changes Enhance Security
As nice as the new Surfaces look, I was more interested in the changes Microsoft is making to its Pluton security system, as that will become part of pretty much all Windows PCs going forward with support from AMD, Qualcomm, and most recently Intel.
Pluton was announced several years ago and is a combination of hardware, software, and firmware, says David Weston, VP of OS Security for Microsoft. This is designed as a secure area for storing and processing things like passwords and security keys, and is meant as a successor to the Trusted Platform Module (TPM) that most PCs have had for many years.
Pluton is implemented differently in the three families of general CPUs it supports. Weston says Microsoft worked with AMD to codesign the Pluton originally as part of the Xbox, and then it became part of the AMD Ryzen CPU family around 2019 and continuing through current Ryzen chips. For Qualcomm, he said, Microsoft adapted its software to work with the Qualcomm security processor, and this is implemented in all the Snapdragon-based Copilot+ PCs.
Most recently, Intel and Microsoft announced that they had worked to incorporate Pluton into Intel's Operating System Security engine in the Core Ultra 200V (Lunar Lake) processors. But while the specific implementations are different, the functionality is the same on all of these.
A bigger change has come to the Pluton software. It now has a new operating system based on Tock OS, which is itself built on RUST. This should reduce the attack surface and vulnerabilities, Weston says, since Rust inherently mitigates against memory safety issues, which account for something like 75% of all the security updates.
The idea is that Pluton can become the key storage provider (KSP) – something that stores and processes keys for things like Windows Hello, BitLocker, or Entra ID – eventually on all Windows 11 PCs. It can be used in designs side-by-side with a traditional discrete TPM, or Pluton can emulate a TPM. Weston says having it integrated in the CPU package itself reduces the attack surface and makes it more difficult for physical attacks. The new design is also meant to be more extensible, allowing developers of tools such as password managers or identity management solutions to use Pluton in a more flexible way than they did through a TPM.
Weston says Pluton will receive updates through Windows Update, just like any other piece of Windows software to keep it up to date and more reliable.
During the AI tour, Microsoft EVP for Cloud and AI Scott Guthrie mostly recapped announcements from the recent Ignite conference. During the show, Microsoft executives reiterated Copilot+ features that now work on machines based on the latest AMD Ryzen AI 300 ("Strix Point") and Intel Core 200V processors, and talked up forthcoming features, including Recall, improved Windows Search, and Click to Do. One new thing I heard is that a future version of Outlook will use the NPU in Copilot+ PCs to enable things like local summarization.