About Evatech

Evatech Computers is a 100% Australian owned & operated custom PC provider, specialising in gaming, workstation, and home office PCs tailored and built to order to suit clients' exact needs and budgets.

Solution to MSI's Secure Boot Settings

Published 20th Jan 2023 - 4 minute read

Or should we say, insecure settings? Recently the news broke that over 290 MSI motherboards, on both AMD & Intel systems, have incorrect Secure Boot settings. Thankfully, there's a relatively easy fix that you can perform yourself in the comfort of your own home/office, and it is detailed on this page for your convenience!

What is the problem?

Secure Boot is a security feature built into modern motherboards' firmware which controls what software is allowed to execute during the boot process. When functioning as intended, the motherboard will stop unsigned (untrusted) software from executing, and allow signed (trusted) software to proceed.

The issue is that somewhere along the line, on many of the motherboards MSI makes, either by default or via a BIOS update, the settings were altered to allow any software to execute during boot, rendering the Secure Boot feature effectively pointless.

How can I fix it - or ensure that it's already correct?

It's relatively easy to change the settings back to a safe state, essentially turning Secure Boot (as it was intended at least) back on.

  1. With your PC shut down, power it on as normal and continually press the Delete key on your keyboard until you get into the system's BIOS.
  2. Navigate to the Security menu, then select the Secure Boot option.
  3. Change the Secure Boot Mode option to Custom.
  4. Select Image Execution Policy.
  5. Change Fixed Media & Removable Media to Deny Execute.
    Optionally, you can also set Option ROM to Deny Execute.
  6. Press the F10 key, or manually navigate to the Save & Exit screen, ensuring you allow the changes to be saved before leaving BIOS.
  7. The PC will restart/turn off momentarily and then start as normal in most instances by itself, and will go through to your operating system (Windows).
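
Once Windows is back up, a quick check that Secure Boot is still switched on after the change (an added example, not part of the original article; the function name Get-SecureBootSummary is made up for illustration, while Confirm-SecureBootUEFI and Get-SecureBootUEFI are standard Windows cmdlets). Run it from an elevated PowerShell window:

```powershell
# Added example: summarise what the firmware reports to Windows about Secure Boot.
function Get-SecureBootSummary {
    $result = [ordered]@{
        SecureBootEnabled = $null   # $true / $false, or $null if it could not be read
        SetupMode         = $null   # $true means the firmware is in Setup Mode
        Note              = ''
    }
    try {
        # Returns $true when the firmware reports Secure Boot as enabled.
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        # SetupMode is a one-byte UEFI variable: 1 = Setup Mode, 0 = User Mode.
        $setup = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        $result.SetupMode = ($setup.Bytes[0] -eq 1)
    }
    catch [System.PlatformNotSupportedException] {
        $result.Note = 'Legacy BIOS/CSM boot: Secure Boot is not available in this mode.'
    }
    catch [System.UnauthorizedAccessException] {
        $result.Note = 'Access denied: re-run from an elevated (Administrator) PowerShell.'
    }
    catch {
        $result.Note = "Could not read Secure Boot state: $($_.Exception.Message)"
    }

    if ($result.SecureBootEnabled -eq $false) {
        $result.Note = 'Secure Boot is OFF: re-enable it in the BIOS Security menu.'
    }
    elseif ($result.SetupMode -eq $true) {
        $result.Note = 'Firmware is in Setup Mode: Secure Boot keys are not enrolled.'
    }
    elseif ($result.SecureBootEnabled -eq $true) {
        # The Image Execution Policy is a BIOS setup option and is not visible here.
        $result.Note = 'Secure Boot is on. Confirm Deny Execute (steps 4-5) in the BIOS.'
    }
    [pscustomobject]$result
}

Get-SecureBootSummary | Format-List
```

These cmdlets only report whether Secure Boot is enabled; they do not show the Image Execution Policy, so the BIOS screen from steps 4 and 5 remains the place to confirm the Deny Execute settings.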

Will the issue fix itself?

Unfortunately, the answer to this is no: for the time being, the problem can't be fixed without the intentional intervention described just above. In the future we would imagine MSI would issue BIOS updates that alter the settings for the better, either solely to address this issue or alongside the other changes/improvements that BIOS updates normally aim to deliver. However, we don't know whether all the motherboards will be issued an update or, if they are, when that might be. At the time of writing MSI is yet to issue any BIOS updates that address this issue.

You can find a full list of the impacted motherboards/BIOS versions on this page. As it stands it's every X670 (including X670E), B650 (including B650E), Z790, and B760, which encompasses many of our latest customers who purchased some of the latest hardware, but there are many other impacted chipsets which only affect some models, or some of the BIOS revisions within certain models. In short, it's worth checking if your settings are correct.

Can't I just wait for a BIOS update?

Of course you can! However, MSI is yet to announce if they'll be issuing updates to the over 290 impacted motherboard models. Typically, updates are issued to increase functionality or support for new CPUs.

As always though, be cautious when updating your system's BIOS. If the system loses power during a BIOS update, it can leave the motherboard in a non-functioning state which cannot be rectified. For this reason, even if there was a BIOS update that addresses the problem for you, we'd still recommend altering the settings manually as above.

Do I need to do anything at all?

Well, no... It's been this way for the last 12+ months in some instances and we're yet to learn of any issues stemming from this. But now that this information is public it can be taken advantage of by bad actors. There have been many other known security exploits that we're certain not everyone rushes out to fix, or is even aware of, without ever being impacted by them. But just because not everyone needs to worry, it doesn't mean that nobody needs to worry.
