Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature.
MSI accidentally disabled Secure Boot on hundreds of its motherboards. Secure Boot is a security feature that helps protect against malicious software by ensuring that only software with a valid signa...
I have known about this one for several weeks but did not have the time to deal with it and work out the settings. This thread has been very useful and I have implemented the changes and my machine still boots OK. I had to set the Secure Boot Mode setting to Custom (was Standard) before I could make the adjustments.
Intel Ethernet 1226-V 2.5GHz @ 1GHz
Intel Wi-Fi 6E AX210
ASUS router RT-AX86U with Wi-Fi 6
Logitech BRIO webcam
Macrium Reflect 8.1 paid for backups etc.
Operating System
Win 11 Pro 22H2
Computer type
Laptop
Manufacturer/Model
MSI SUMMIT E16 FLIP EVO A11MT-013AU
CPU
Intel i7-1195G7
Memory
16 GB
Graphics card(s)
Iris Xe graphics
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
16" 120Hz Pen Touch panel
Screen Resolution
2560 x 1600 (16 x 10)
Hard Drives
Samsung NVMe 980 Pro 1TB
PSU
Delta Electronics ADP-65SD B, HP 1HE08AA
Mouse
Logitech M350 Pebble Mouse BT + wireless
Keyboard
Full Keyboard
Internet Speed
50 x 20 megabits / second fibre
Browser
Firefox
Antivirus
Microsoft
Other Info
Killer Wi-Fi 6E 1675x (210NGW)
MSI Pen
Web Cam with Windows Hello Face
Fingerprint Reader
ASUS router RT-AX86U with Wi-Fi 6
Macrium Reflect 8 paid for backups etc.
The Option ROM setting, technically, should also be Deny Execute.
At least it is on all the other motherboards I have with Secure Boot.
I think it is user's choice.
There is a BIOS update coming with adjusted defaults for these settings. We will see what MSI does for these settings then, although after their last effort who knows what we will get.
I just did the most recent BIOS update for PRO Z790-A WiFi (A03) this last weekend. I reset defaults when I installed it, and when I went back in to do my settings those Secure Boot items were still Enabled and I had to change to Deny Execute.
The BIOS update for my machine (V1.50) has arrived and was installed a few days back. It worked with no problems. My machine still booted.
The Secure Boot settings were
STANDARD, which auto-loads the keys from the BIOS, or
CUSTOM, which allows some flexibility.
When CUSTOM is set there is a choice of MAXIMUM, which does a FULL secure boot validation, or HARDWARE/OS COMPATIBILITY, which validates what is compliant and ignores that which is not.
I just set my machine to CUSTOM / MAXIMUM and it still booted. Has anyone else updated to the new BIOS?
I recently updated to the most current UEFI/BIOS for my Pro Z790-A Wifi DDR5 board.
However, I always reset BIOS defaults when I do this so it is not relevant.
There was no change in the default security settings with the new upgrade.
The developers of the BlackLotus UEFI bootkit have improved the malware with Secure Boot bypass capabilities that allow it to infect even fully patched Windows 11 systems.
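The per-source execution policy discussed in the thread above (Removable Media, Fixed Media, Option ROM), modelled as an added example that is not firmware or MSI code and not part of any post. It shows why a source left on a permissive value runs unsigned images even though Secure Boot is switched on. Assumptions: the permissive value is labelled "Always Execute" (the thread names only "Deny Execute"), and the sample settings are constructed.

```python
# Added illustration: a simplified model of the per-source image execution
# policy, not vendor firmware code. Sample settings below are constructed.
from enum import Enum


class Policy(Enum):
    ALWAYS_EXECUTE = "always execute"  # assumed label for the permissive value
    DENY_EXECUTE = "deny execute"      # value the thread says to select


SOURCES = ("Removable Media", "Fixed Media", "Option ROM")


def parse_policy(label):
    """Map a setup-screen label to a Policy; unknown or missing labels give None."""
    try:
        return Policy(label.strip().lower())
    except (AttributeError, ValueError):
        return None


def image_runs(policy, signature_ok):
    """Would firmware launch an image from a source that has this policy?"""
    if policy is Policy.ALWAYS_EXECUTE:
        return True          # verification result is ignored
    return signature_ok      # Deny Execute: only verified images run


def audit(settings):
    """Return the sources from which an unsigned image would still be launched.

    A source whose setting is missing or unrecognised is flagged as well,
    because its behaviour cannot be assumed safe.
    """
    findings = []
    for source in SOURCES:
        policy = parse_policy(settings.get(source))
        if policy is None or image_runs(policy, signature_ok=False):
            findings.append(source)
    return findings


# Constructed samples: permissive everywhere, Option ROM left open, hardened.
PERMISSIVE = {s: "Always Execute" for s in SOURCES}
PARTIAL = {"Removable Media": "Deny Execute", "Fixed Media": "Deny Execute",
           "Option ROM": "Always Execute"}
HARDENED = {s: "Deny Execute" for s in SOURCES}

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("partial", PARTIAL),
                      ("hardened", HARDENED)):
        print(name, "-> unsigned images run from:", audit(cfg) or "nowhere")
```

The `PARTIAL` case corresponds to the Option ROM point raised in the thread: with the two media sources on Deny Execute, an unsigned option ROM is still launched until that source is changed too.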