Turns out Secure Boot is broken on hundreds of MSI motherboards

Motherboard manufacturer MSI may have accidentally disabled some secure boot features on more than 290 motherboards. This misconfiguration allows any operating system image to work, whether the signature is incorrect or missing. It is stated that the revealed problem also affects the current motherboard versions and does not distinguish between Intel or AMD.

One of the most important security features that Microsoft mandated as a system requirement for Windows 11 was Secure Boot. The idea behind Secure Boot is to prevent malware from installing when a system boots. This is done only by verifying trusted (signed) drivers and Windows boot files. But the Secure Boot settings on MSI’s motherboards seem to have been set incorrectly for over a year.

Secure Boot issue on MSI motherboards

Polish security researcher Dawid Potocki discovered the problem on an MSI Pro Z790-A WiFi. Potocki found that MSI changed the Secure Boot default settings as part of the January 18, 2022 firmware update (version 7C02v3C), with all options under “Display Execution Policy” in the Secure Boot settings set to “Always Execute”. This means that the motherboard will accept and boot any OS image, reliable or not.

As you can see from the image above, although Secure Boot is enabled, the ‘Image Execution Policy’ setting is set to ‘Always Execute’ so that the system is booted even if there are security breaches.

More than 290 MSI motherboard models have problems

After doing more research, Potocki discovered that the roots of the problem could be traced back to the third quarter of 2021. This means MSI motherboards have been vulnerable to vulnerabilities and spyware for over a year.

According to the information Potocki has revealed, the number of MSI motherboard models with insecure settings is more than 290. To see the full list, you can visit here.

If you are using an MSI motherboard in this list, go to BIOS settings and check if “Display Execution Policy” is set to a safe option. If the ‘Always Execute’ option is enabled, we recommend that you manually change it and keep your motherboard’s BIOS version up to date.