Most MSI motherboards will allow any code to run in a bizarrely insecure Secure Boot mode

MSI PRO Z790-A WIFI
(Image credit: MSI)
Audio player loading…

The Secure Boot feature on as many as 300 MSI motherboards reportedly doesn't work as you might expect—or as the feature is intended. Specifically, the motherboards will allow unvalidated firmware and operating systems to load when Secure Boot is enabled.

Open source security researcher Dawid Potocki (via El Reg (opens in new tab)) first discovered the problem when attempting to set up Secure Boot on an MSI PRO Z790-A WIFI. "Unfortunately I found my firmware was accepting every OS image I gave it, no matter if it was trusted or not," says Potocki.

That prompted him into checking other MSI motherboards and he found nearly 300 models had the same issue (opens in new tab), including every AMD B650 and X670 and all Z790 and B760 Intel models. Yikes.

Secure Boot is technology designed to ensure that PCs only load software at boot that is trusted by the original manufacturer. More to the point, requiring Secure Boot to be enabled is increasingly a thing for PC games. FIFA 23 and Valorant are among titles that already require Secure Boot to be enabled.

MSI has responded to Potocki's findings with a full explanation of the current configuration on MSI boards (opens in new tab), plus some changes planned for a future BIOS update:

"MSI implemented the Secure Boot mechanism in our motherboard products by following the design guidance defined by Microsoft and AMI before the launch of Windows 11. We pre-emptively set Secure Boot as Enabled and "Always Execute" as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations. For users who are highly concerned about security, they can still set "Image Execution Policy" as "Deny Execute" or other options manually to meet their security needs.

"In response to the report of security concerns with the preset bios settings, MSI will be rolling out new BIOS files for our motherboards with "Deny Execute" as the default setting for higher security levels. MSI will also keep a fully functional Secure Boot mechanism in the BIOS for end-users so that they can modify it according to their needs."

All of which means that Secure Boot does work correctly on MSI boards, but MSI has set it to allow all code to execute by default, even when Secure Boot is enabled. Only if you specifically tell the BIOS to deny execution will Secure Boot do the job for which it is intended. Having Secure Boot reporting as 'enabled' but not actually doing its job seems to be an odd way of going about things, that's for sure.

But at least you have the option of ensuring full security should you wish. And it does not appear that the problem will prevent any games from running.

Image (opens in new tab)


Best CPU for gaming: Top chips from Intel and AMD
Best gaming motherboard: The right boards
Best graphics card: Your perfect pixel-pusher awaits Best SSD for gaming: Get into the game first

Jeremy Laird
Hardware writer

Jeremy has been writing about technology and PCs since the 90nm Netburst era (Google it!) and enjoys nothing more than a serious dissertation on the finer points of monitor input lag and overshoot followed by a forensic examination of advanced lithography. Or maybe he just likes machines that go “ping!” He also has a thing for tennis and cars.