SecureBoot

https://arstechnica.com/information-technology/2023/01/300-models-of-msi-motherboards-have-secure-boot-turned-off-is-yours-affected/

In my MSI Bios

Advanced -> Windows OS Conmfiguration

I see Secure Boot Enabled

Secure Boot Mode Standard

If this means run unsigned code then this is beyond stupid.

The only way I can drill into any other options is to set Custom.

I have a MSI Mini-ITX B450I Gaming Plus AC. Flashed latest BIOS E7A40AMS.AG0.

Image Execution Policy is disabled so there is no way to even tell what it's going to do when set Secure Boot Mode is set to the Default of Standard. Why would anyone enable secure boot to check for rootkit and then just load the rootkit. How is this a "Secure Boot"? On the flip side manually setting this crap is terrifying. Why would always deny even be an option for any user? Who would want to intentionally make it impossible to even get back into bios? Option ROM? Are you kidding me? What is that supposed to be set to? Depends on video card? This whole thing is a dumpster fire.

Image Execution Policy

Fixed Media -> Deny Execute

Don't plan on booting from removable media so always execute is fine with me.

Also doubt anyone is going to hack my video card/add in card firmware so always execute is Ok with me there as well.

Windows Boot Loader I would think would be a prime target to infect so I do feel better changing the Fixed Media default to Deny Execute.