Most MSI motherboards allow code to run in a strangely insecure secure boot mode.


It has been reported that the Secure Boot feature on as many as 300 MSI motherboards does not behave as the feature is intended to. Specifically, even with Secure Boot enabled, the motherboard will still load unsigned or untrusted firmware images and operating systems.

Open source security researcher Dawid Potocki (via El Reg) first discovered the problem while trying to set up Secure Boot on his MSI PRO Z790-A WIFI. Potocki says, "Unfortunately, I found that my firmware would accept any OS image I gave it, whether it was reliable or not."

That prompted him to check other MSI motherboards, and he discovered that nearly 300 models had the same problem, including all AMD B650 and X670 models and all Intel Z790 and B760 models. Yikes.

Secure Boot is a UEFI feature designed to ensure that only software signed with keys the firmware trusts (the manufacturer's and Microsoft's) is loaded when the PC boots. It also matters to gamers: an increasing number of PC games require Secure Boot to be enabled, and titles such as "FIFA 23" and "Valorant" already do.

MSI responded to Potocki's findings with a detailed description of the current configuration of MSI boards and the changes planned for a future BIOS update:

"MSI has been working with Microsoft to ensure that, prior to the launch of Windows 11, we have implemented a secure boot mechanism on our motherboard products in accordance with the design guidance defined by Microsoft and AMI, providing a user-friendly environment that allows you to flexibly build your PC system with thousands (or more) of components, including built-in optional ROMs with OS images. In order to provide and achieve higher compatibility configurations, we have set Secure Boot to "Enabled" ahead of time and "Always Run" as the default setting. For security-conscious users, the "Image Execution Policy" can be manually set to "Deny Execution" or other settings to meet their security needs.

"In response to reports of security concerns with the preset BIOS settings, MSI will be rolling out new BIOS files for motherboards with "Execution Denied" as the default setting for a higher level of security. MSI will also retain a fully functional secure boot mechanism in the BIOS for end users to modify as needed."

In other words, the Secure Boot machinery on MSI boards works, but MSI ships it with an Image Execution Policy that allows all code to run by default, even when Secure Boot reports itself as enabled. Only when the BIOS is explicitly set to deny execution of unverified images does Secure Boot do what it is supposed to do. It is an odd arrangement: the firmware reports Secure Boot as "enabled" while the policy behind it is not actually enforcing anything.
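The practical consequence is that the usual "is Secure Boot on?" checks, which read the UEFI SecureBoot variable, tell you only what the firmware reports, not whether it will reject an unsigned image. The following script is an added illustration, not code from the article or from MSI: it parses the efivarfs variable format (a 4-byte little-endian attribute word followed by the variable data, as exposed under /sys/firmware/efi/efivars on Linux) for the SecureBoot and SetupMode variables and returns a report whose verdict states that caveat explicitly. The sample blobs at the bottom are constructed, and the file-reading helper is only used when the script is run on a real machine.

```python
"""Read and interpret the UEFI SecureBoot / SetupMode variables (Linux efivarfs).

Added example. On a board whose Image Execution Policy is "Always Execute",
SecureBoot still reads as 1; only a functional test (offering the firmware an
unsigned image, as the researcher in the article did) shows whether it enforces.
"""
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; efivarfs names files
# as "<VariableName>-<GUID>".
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar(blob: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data).

    efivarfs prepends a 4-byte little-endian attribute word (BS/RT/NV flags)
    to the raw variable contents.
    """
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short to hold the attribute word")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def boolean_var(blob: Optional[bytes]) -> Optional[bool]:
    """Interpret a one-byte UEFI boolean variable; None if the variable is absent."""
    if blob is None:
        return None
    _, data = parse_efivar(blob)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_report(secureboot_blob: Optional[bytes],
                       setupmode_blob: Optional[bytes]) -> Dict[str, object]:
    """Summarise what the firmware *reports*; it cannot see the execution policy."""
    sb = boolean_var(secureboot_blob)
    setup = boolean_var(setupmode_blob)
    report: Dict[str, object] = {"secure_boot_reported": sb, "setup_mode": setup}
    if sb is None:
        report["verdict"] = "no SecureBoot variable: legacy/CSM boot or no UEFI runtime services"
    elif setup:
        report["verdict"] = "firmware in Setup Mode: keys not enrolled, no enforcement"
    elif sb:
        report["verdict"] = ("SecureBoot reported enabled; this does NOT prove enforcement, "
                             "the image execution policy may still be Always Execute")
    else:
        report["verdict"] = "SecureBoot reported disabled"
    return report


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global-GUID variable from efivarfs; None if absent or unreadable."""
    path = EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
    try:
        return path.read_bytes()
    except (FileNotFoundError, PermissionError, OSError):
        return None


# Constructed sample blobs (attributes BS|RT = 0x06, then the one data byte).
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUPMODE_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    # Offline demonstration on the constructed blobs, then the live machine.
    print(secure_boot_report(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_OFF))
    print(secure_boot_report(read_efivar("SecureBoot"), read_efivar("SetupMode")))
```

The verdict string for the "enabled" case is deliberately hedged: on the boards described above it is exactly the state you would see, and the only way to confirm enforcement is to observe the firmware refusing an unsigned image, or to check that the BIOS Image Execution Policy is set to deny rather than always execute.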

But at least there is a BIOS option to restore real enforcement. Also, the issue does not seem to prevent games that require Secure Boot from running.
