Discussion How to disable Microsoft Pluton on AMD AM5 motherboards ?

[paullyh]

Hi everyone!

- Is it possible to disable Pluton in AM5 motherboards BIOS?
- If there is an option, what is it called? Which manufacturers enable on/off / or in which specific mobos?
- For TPM there is usually an option, maybe the same disables Pluton as well?

Thanks.

 

[hedwar2011]

Explanation of Microsoft Pluton can be found HERE.

1) Most manufacturers have left the adoption of Pluton as an "opt-in" for consumers so it may not be enabled in the first place. A quick google search will provide several resources where manufacturers are adopting this mind-set.

It might be best for you to do more research on Microsoft Pluton and exactly what it is and how it affects laptop motherboards specifically (it's why I included the explanation).

 

[Order 66]

why would you want to disable it? something along the lines of performance impacts if left enabled? I know there are other windows security features that impact performance as well.

 

[paullyh]

Explanation of Microsoft Pluton can be found HERE.

1) Most manufacturers have left the adoption of Pluton as an "opt-in" for consumers so it may not be enabled in the first place. A quick google search will provide several resources where manufacturers are adopting this mind-set.

It might be best for you to do more research on Microsoft Pluton and exactly what it is and how it affects laptop motherboards specifically (it's why I included the explanation).

@ hedwar2011
Thanks, I know what pluton is; it is like a piece of bios updatable by Windows Update, outside my control. It is a MS backdoor working under the OS, whatever the OS, whatever I do.

As far as i know, only a few OEMs have this option, Lenovo is one as stated by MS here (green tip): https://learn.microsoft.com/en-us/wi.../pluton-as-tpm
others don't show the option, so it seems activated without an opt-out, rather than an opt-in.
I asked to some people with Asus boards and we couldn't find any similar option.
I wonder if other (retail) board manufacturers have this option. I googled a lot and found nothing...

why would you want to disable it? something along the lines of performance impacts if left enabled? I know there are other windows security features that impact performance as well.

@ order66
It's not for performance, as told before I don't want a backdoor.
However it seems to check for updates at (every?) boot, so it could affect the boot time. And if something goes wrong during the update process (blackout, data corruption,etc.), the bios is corrupted and probably the motherboard is bricked. Imagine you are updating the firmware every now and then, and you don't know when...
(just for your info, my Win10 is stuck on an update error from months, i probably have to reinstall from scratch).

 

[hedwar2011]

@ hedwar2011
Ihanks, I know what pluton is; it is like a piece of bios updatable by Windows Update, outside my control. It is a MS backdoor working under the OS, whatever the OS, whatever I do.

As far as i know, only a few OEMs have this option, Lenovo is one as stated by MS here (green square): https://learn.microsoft.com/en-us/wi.../pluton-as-tpm
others don't show the option, so it seems activated without an opt-out, rather than an opt-in.
I asked to some people with Asus boards and we couldn't find any similar option.
I wonder if other (retail) board manufacturers have this option. I googled a lot and found nothing...

@ order66
It's not for performance, as told before I don't want a backdoor.
However it seems to check for updates at (every?) boot, so it could affect the boot time. And if something goes wrong during the update process (blackout, data corruption,etc.), the bios is corrupted and probably the motherboard is bricked. Imagine you are updating the firmware every now and then, and you don't know when...
(just for your info, my Win10 is stuck on an update error from months, i probably have to reinstall from scratch).

I can understand the apprehension of a backdoor at the below OS level but they won't be able to gain any information at that level anyway. It's outside the OS entirely. It goes along the same lines as TPM and I typically recommend to people that want to disable it for whatever reason that they are better off leaving it as is unless they have a direct requirement that needs it disabled (which isn't often).

 

[paullyh]

I can understand the apprehension of a backdoor at the below OS level but they won't be able to gain any information at that level anyway. It's outside the OS entirely. It goes along the same lines as TPM and I typically recommend to people that want to disable it for whatever reason that they are better off leaving it as is unless they have a direct requirement that needs it disabled (which isn't often).

@ hedwar2011
Your informations widely differ from mine:
read the last chapter (and related links): https://semiaccurate.com/2022/01/18/...afe-to-deploy/
It is inside the cpu, so it is at the highest level, well inside (any) OS. Pluton has also access to the keys (tpm), so rather than a backdoor we could call it a front-door. It can do whatever it (MS) wants, or if hacked (like tpm was)... and you cannot know, no antivirus will be aware of it, etc...
Why do you always try to minimize? Maybe do you work for MS or have any hidden agenda?

Beyond the scary risks in the link above, Windows update gives problems every month, i don't want to have my pc bricked. Here just a recent example of BSOD after Win.update: https://www.bleepingcomputer.com/new...-blue-screens/

What do you refer to with "direct requirement that needs it disabled (which isn't often)"?
I just want to know please which motherboards (brands) offer this option, because by now I couldn't find any option, neither opt-in nor opt-out, so i assume they are "in".

I'm going to build a new pc, the AM5 platform seems the best right now for longevity, but if I can't solve this hassle i must go with Intel (or AM4), which I don't want. Thank you.

 

[USAFRet]

Windows update gives problems every month,

Conversely, I've not seen that on any of my Win 10 or 11 systems in many years.
Yes, really.

 

[hedwar2011]

@ hedwar2011
Your informations widely differ from mine:
read the last chapter (and related links): https://semiaccurate.com/2022/01/18/...afe-to-deploy/
It is inside the cpu, so it is at the highest level, well inside (any) OS. Pluton has also access to the keys (tpm), so rather than a backdoor we could call it a front-door. It can do whatever it (MS) wants, or if hacked (like tpm was)... and you cannot know, no antivirus will be aware of it, etc...
Why do you always try to minimize? Maybe do you work for MS or have any hidden agenda?

First and foremost, I most certainly DO NOT work for MS nor do I have a hidden agenda....not sure where you got that from. I'm a normal user just like you helping others. @USAFRet has seen me come and go here for a long time now giving when time allows. Can you point out how I tried to minimize?

Beyond the scary risks in the link above, Windows update gives problems every month, i don't want to have my pc bricked. Here just a recent example of BSOD after Win.update: https://www.bleepingcomputer.com/new...-blue-screens/

Windows updates aren't usually the source of BSODs, its typically something else either installed or configured on the said PC that doesn't play with the changes made. Yes, there have been some over the years but no software vendor is perfect ESPECIALLY not MS.

What do you refer to with "direct requirement that needs it disabled (which isn't often)"?

Often it is custom built boards that never see public usage or for government use like in military installations. I supported a group a few years back that had DELL PCs and all had custom BIOS settings that didn't include TPM as they were in a secure location to begin with.

I just want to know please which motherboards (brands) offer this option, because by now I couldn't find any option, neither opt-in nor opt-out, so i assume they are "in".

I'm going to build a new pc, the AM5 platform seems the best right now for longevity, but if I can't solve this hassle i must go with Intel (or AM4), which I don't want. Thank you.

I honestly don't know of any unless you are able to acquire a custom built BIOS rom and use that.

 

[paullyh]

@ USAFret
Lucky boy

@ hedwar2011
I don't want a quarrel with you about what pluton is or is not. My points are in the link i posted above (this on the same, altough inside qualcomm's devices: https://www.semiaccurate.com/2021/12/01/qualcomm-8cx-gen-3-too-dangerous-to-deploy/). Let's move on.

It is true that some oems offer their pcs/notebooks with pluton turned off by default (and an opt-in option), Dell and Lenovo for sure:
https://www.pcworld.com/article/621...ignoring-microsofts-pluton-security-tech.html

and Amd said that this option would have been available for everyone, including end users:
https://www.techradar.com/news/micr...will-not-lock-devices-to-windows-11-as-feared

so it should be also in DIY motherboards, but I can't find out which one have it.
So I'm asking to anyone who has an AM5 - ryzen 7000 platform to look in the BIOS an tell if you can find any "suspect" name.
They should be under cpu or security page/chip..., and sound like "MSFT" (from link above, green tip) or "HSP" or "PSP" or other i don't know...
https://noise.getoto.net/2022/03/23/amds-pluton-implementation-seems-to-be-controllable/

Or that promise has been denied for retail/diy pcs?

 

[hedwar2011]

@ hedwar2011
I don't want a quarrel with you about what pluton is or is not. My points are in the link i posted above (this on the same, altough inside qualcomm's devices: https://www.semiaccurate.com/2021/12/01/qualcomm-8cx-gen-3-too-dangerous-to-deploy/). Let's move on.

Wasn't quarrelling about pluton or anything. I was replying to your statement about me always trying to minimize things and working for MS. Each individual is allowed his/her/their own opinion and it's what I provided. Take it for what it is or don't, it really doesn't matter to me.

It is true that some oems offer their pcs/notebooks with pluton turned off by default (and an opt-in option), Dell and Lenovo for sure:
https://www.pcworld.com/article/621...ignoring-microsofts-pluton-security-tech.html

and Amd said that this option would have been available for everyone, including end users:
https://www.techradar.com/news/micr...will-not-lock-devices-to-windows-11-as-feared

so it should be also in DIY motherboards, but I can't find out which one have it.
So I'm asking to anyone who has an AM5 - ryzen 7000 platform to look in the BIOS an tell if you can find any "suspect" name.
They should be under cpu or security page/chip..., and sound like "MSFT" (from link above, green tip) or "HSP" or "PSP" or other i don't know...
https://noise.getoto.net/2022/03/23/amds-pluton-implementation-seems-to-be-controllable/

Or that promise has been denied for retail/diy pcs?

Just because it's been talked about by OEM distributors, etc. doesn't necessarily mean it's going to hit the DIY markets in the same light so it is ENTIRELY possible that no DIY boards have the option yet. There have been countless times that something has been released to OEMs, tested, burned out, and never got implemented in the DIY realm.

Most DIY boards still have TPM chip protection and Pluton is simply going to enhance that and not replace it since it's part of the CPU itself.

But like you said yourself. Moving on...

 

[paullyh]

Just because it's been talked about by OEM distributors, etc. doesn't necessarily mean it's going to hit the DIY markets in the same light so it is ENTIRELY possible that no DIY boards have the option yet. There have been countless times that something has been released to OEMs, tested, burned out, and never got implemented in the DIY realm.

Yes, but AMD clearly said: "AMD respects user choice and, as is typical with many other security technologies, we provide the ability for a user to enable or disable Pluton based on their preferences in our reference BIOS"

Lenovo, for one, will ship Microsoft Pluton as an opt-in

Folks can enable or disable it, install Linux as normal. Just sayin'

www.theregister.com

So retail mobo vendors are not respecting AMD references!?!

As far as you know, is it easily feasible to customize a bios changing just those few values, or bioses need some digital signature to be loaded into the mobo?

 

[hedwar2011]

I've, personally, never had a need for a custom BIOS firmware or setup so I would have no idea.

 

[paullyh]

I found the Pluton disable option at least on an Asrock mobo, under "SOC miscellaneous" menu. I'm happy now

.
If anyone with other brands can verify I would be grateful, thanks.

Happy New 2024!

 

[paullyh]

Hi everyone!
Apparently also on Gigabyte motherboards this critical option is available.
Anyone is willing to share his experience on Pluton settings?