Researcher Claims Windows 11 Secure Boot Is Broken On Hundreds Of MSI Motherboards

Among the requirements for installing Windows 11 are two security features: Trusted Platform Module (TPM) version 2.0 and Secure Boot. As we’ve documented before, it’s possible to sidestep these requirements and force a Windows 11 install or upgrade anyway. Microsoft even published a registry hack to give users this option. That said, if you do go through with this install without TPM 2.0 or Secure Boot enabled, both the installation menu and operating system protest at various points along the way, as Microsoft really wants these security features to be present and active.

Manufacturers of computer hardware also work to comply with Microsoft’s new security standards by including and enabling TPM 2.0 and Secure Boot by default. However, according to new findings by a security researcher, the default Secure Boot settings on MSI motherboards are effectively tricking Windows 11 and potentially giving users a false sense of security.

MSI BIOS showing Secure Boot as enabled with custom settings (source: Dawid Potocki)

Secure Boot functions to protect computers from threats by checking the signatures of all software that attempts to launch on system startup, then booting the system only if these signatures confirm that the software is trusted by the Original Equipment Manufacturer (OEM). This feature is intended to prevent particularly vicious and resilient malware from launching during system boot.

Those with MSI motherboards may have noticed that Secure Boot is listed as enabled by default, both in the BIOS and in Windows. However, as Dawid Potocki recently discovered, these indicators aren’t sufficient to verify that Secure Boot is functioning properly. As you can see in the image above, while Secure Boot is marked as “Enabled” in the BIOS, Secure Boot Mode is set to “Custom,” activating a group of sub-menus with further Secure Boot settings.

Custom settings that nullify Secure Boot’s intended behavior (source: Dawid Potocki)

One of these sub-menus, labeled “Image Execution Policy,” contains rules that determine under what circumstances Secure Boot will allow software to launch at system boot. In order for Secure Boot to function as intended, these rules should be set to “Deny Execute,” which will prevent software from launching when there is a security violation.

However, according to Dawid Potocki’s research, the default configuration for a wide range of MSI motherboards has all of these rules set to “Always Execute.” This option effectively bypasses Secure Boot, as the system will launch any software at boot regardless of whether it bears a signature that Secure Boot recognizes as safe. Thus, many MSI motherboards seem to appease the Windows 11 security requirement by marking Secure Boot as “Enabled,” while operating according to rules with the same effect as if Secure Boot were disabled.
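To make concrete what Windows can and cannot tell you here, the following PowerShell script (an added example, not from the article or from Potocki’s write-up) gathers every Secure Boot indicator the operating system has access to: the `Confirm-SecureBootUEFI` cmdlet, the raw `SecureBoot` and `SetupMode` UEFI variables, the sizes of the `db`/`dbx` signature databases, and the registry value Windows caches from the firmware. All of these come from the built-in `SecureBoot` module and are real cmdlets and paths; the `Get-SecureBootReport` function name is the example’s own. The point the script makes in its final comment is the one the article makes: every one of these values is a claim the firmware publishes about itself. The “Image Execution Policy” is a vendor setup option with no standard UEFI variable behind it, so a board left on “Always Execute” still reports `SecureBoot = 1`, and only an audit of the BIOS menus reveals the difference.

```powershell
#Requires -RunAsAdministrator
# Added example: report every Secure Boot indicator visible from Windows.
# Run from an elevated PowerShell on a UEFI-booted Windows 10/11 machine.

function Get-SecureBootReport {
    $report = [ordered]@{}

    # Confirm-SecureBootUEFI returns $true/$false, and throws on a legacy BIOS/CSM boot.
    try {
        $report.OsReportsEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.OsReportsEnabled = "Not available (legacy BIOS or non-UEFI boot): $($_.Exception.Message)"
    }

    # The two standard UEFI variables the OS consults. Each is one byte: 1 = set.
    # SecureBoot=1 means the firmware *says* it is enforcing; SetupMode=1 means the
    # platform key is not enrolled and signature checks are not performed.
    foreach ($name in 'SecureBoot', 'SetupMode') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $name).Bytes
            $report[$name] = [int]$bytes[0]
        } catch {
            $report[$name] = 'unreadable'
        }
    }

    # Size of the allowed (db) and forbidden (dbx) signature databases. An empty db is a
    # red flag, but a populated one still proves nothing about whether it is consulted.
    foreach ($name in 'db', 'dbx') {
        try {
            $report["$($name)Bytes"] = (Get-SecureBootUEFI -Name $name).Bytes.Length
        } catch {
            $report["$($name)Bytes"] = 'unreadable'
        }
    }

    # Windows caches the firmware's claim here; the Windows 11 installer and
    # System Information read this rather than testing enforcement.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $report.RegistryUEFISecureBootEnabled =
        (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).UEFISecureBootEnabled

    [pscustomobject]$report
}

$r = Get-SecureBootReport
$r | Format-List

# Everything above is self-reported by the firmware. A board whose Image Execution Policy
# is set to "Always Execute" still publishes SecureBoot=1, so a "green" result is a claim
# to be verified in the BIOS, not proof that unsigned boot images would be refused.
if ($r.SecureBoot -eq 1 -and $r.SetupMode -eq 0) {
    Write-Host 'Firmware reports Secure Boot enabled in User Mode.'
    Write-Host 'Verify enforcement in the BIOS: Secure Boot Mode, and Image Execution Policy = Deny Execute.'
} else {
    Write-Host 'Firmware does not report Secure Boot as enforcing; check BIOS settings.'
}
```

Run it once before and once after changing the BIOS rules described below: the output will be identical in both cases, which is exactly the problem. The only OS-side signal that enforcement is real would be a refusal to boot an unsigned image, something no query of these variables can substitute for.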

This default configuration is a boon to threat actors, enabling them to implant persistent malware on compromised systems without needing to bypass Secure Boot with an exploit. Unfortunately, it doesn’t seem that MSI is willing to acknowledge this problem, as Potocki’s attempts to contact the company have so far been ignored. That said, users can patch up this security hole themselves by entering the BIOS and changing the “Always Execute” rules to “Deny Execute.” Since the full list of affected MSI motherboards is hundreds of lines long, we won’t copy it here. We encourage those with MSI motherboards to check the list on GitHub for their model numbers or enter the BIOS and audit the Secure Boot settings themselves.