In brief — July 6, 2026 · ASUS has begun rolling out beta AGESA BIOS updates for AM5 motherboards that restore SME/SEV memory encryption on Ryzen 9000 CPUs, moving ahead of AMD's own July timeline. Owners of X670E and B650 boards can flash the beta now; the fix closes a security regression that had been quietly disabled since the Ryzen 9000 launch.
What happened
ASUS shipped a beta AGESA BIOS this week that re-enables AMD's SME and SEV memory-encryption features on AM5 boards paired with Ryzen 9000 desktop CPUs. Both features rely on the AMD Secure Processor to encrypt memory contents at rest in DRAM and had been shipped in a disabled state on early Ryzen 9000 BIOS branches, following an errata found during launch validation. AMD's public plan had targeted a July rollout of the fix through motherboard partners. ASUS is now first out of the gate with a beta that closes the gap on the two most popular consumer chipsets, X670E and B650, well ahead of AMD's timeline. Tom's Hardware reported the rollout after ASUS support forums began surfacing the beta ROM.
The affected features are the ones that keep on-chip memory encryption transparent to the OS — the sort of thing enterprise buyers care about for hypervisor isolation and Windows Defender Credential Guard, and that a growing slice of home users care about because Windows 11 24H2 leans on them for parts of its security posture. For Ryzen 5000 owners (AM4 socket) nothing has changed on the memory-encryption axis, so the practical takeaway is simple: if you're on AM5 and you care about the security posture, flash the beta; if you're on AM4 you were never affected.
Why it matters
Memory encryption is one of those features that lives in the deep tail of hardware datasheets and matters mostly when it's off. When SME is enabled, the DRAM contents that hold OS keys, crypto material, and process memory are protected against a physical attacker who pulls the stick out of the socket ("cold-boot" and DIMM-swap attacks). When SEV is enabled, VMs on the same host can't peek at each other's memory through hypervisor bugs. Neither of these is a routine consumer concern — but Windows and Linux both increasingly assume these features are present when they enable higher-tier isolation modes.
The upshot for Ryzen 9000 owners has been that some of Windows 11's virtualization-based security (VBS) modes have been either subtly slower or subtly less isolated than they would be on a comparable Intel Meteor Lake system. That gap closes with ASUS's beta. It also matters for anyone who runs local AI or crypto workloads — SME's overhead is under 5% in typical workloads, but it eliminates a class of low-level side-channel risks that anyone shipping a home lab into a shared office should care about.
Where our featured Ryzen 5000 CPUs stand today
Ryzen 5000 owners on AM4 (which covers our featured Ryzen 7 5800X, Ryzen 7 5700X, and the retired Ryzen 5 5600G) are unaffected by this specific rollout. Ryzen 5000's memory-encryption support has been in place since launch on socket AM4 boards with recent AGESA firmware, and the feature is already exposed on Windows 11's VBS stack. If you've been sitting on AM4 waiting for a security-posture reason to upgrade to Ryzen 9000, the honest answer is that the gap you'd close today is Zen 5's IPC gain, not memory encryption — Ryzen 5000's crypto path already does what most people need.
For anyone weighing a fresh build in July 2026: the ASUS beta closes the one platform-parity gap that could have pushed AM4 back into the frame at Ryzen 9000's expense, so the AM5 recommendation gets a bit stronger. If you're specifically building a budget rig around a used Ryzen 7 5800X or Ryzen 7 5700X, the AM4 socket remains a perfectly reasonable landing spot — the encryption feature has been there for a couple of years, and the CPUs are broadly available on the used market at a fraction of Ryzen 9000 pricing.
What to do if you own an ASUS AM5 board
Grab the beta from your board's support page under the "BIOS Beta" tab. Flash from EZ Flash (do not use Windows tooling for a beta AGESA — a lot of pain in this community starts with a beta flash mid-Windows-update). Once the flash completes, check for the SME toggle under "Advanced → CPU Configuration → SVM Mode / Memory Encryption." On boards with the beta the toggle appears; on production BIOS it doesn't. Enable it, save, reboot, and confirm from Windows via msinfo32 or from Linux via dmesg | grep -i sme.
AMD's own product page for the Ryzen 7000/9000 series is the canonical reference for feature support at the CPU level; motherboard-side you're at the mercy of your board vendor's BIOS cadence, and ASUS is now several weeks ahead of the pack.
The source
The rollout was first reported by Tom's Hardware based on ASUS's support-forum beta ROM postings and independent user confirmations of SME appearing in the BIOS menu. AMD has not yet published a public statement on the accelerated rollout; the working assumption is that other AM5 vendors (Gigabyte, MSI, ASRock) will follow within the next 2-4 weeks.
Why it matters for our featured builds
Two takeaways. First, if you're on AM5 and running any workload that touches Credential Guard, hypervisor-based security, or virtualization at all, the beta is worth flashing today rather than waiting for the final AGESA in a few weeks. Second, if you're on the fence between finishing a used-AM4 build around the Ryzen 7 5800X and jumping to a fresh Ryzen 9000 platform, this news slightly reduces one of the reasons to wait. AM4 is not going anywhere, but the parity story on AM5 got a bit better this week.
A quick refresher on SME and SEV
The two features share a name but do different jobs. SME (Secure Memory Encryption) protects host memory transparently — the OS keeps writing to memory as normal, the memory controller encrypts the bytes on the way out to DRAM, and any attacker who physically pulls a DIMM sees ciphertext. SEV (Secure Encrypted Virtualization) does the same job across VM boundaries — each guest VM gets its own memory-encryption key so a rogue hypervisor or a co-tenant VM can't read the guest's plaintext. AMD introduced both on server EPYC parts around 2017 and gradually filtered them down to consumer Ryzen platforms.
The reason they've become interesting outside data-center use is Windows 11's evolving posture. Microsoft has been leaning harder on Virtualization-Based Security (VBS) with each 24H2 build, using nested virtualization to isolate the Credential Guard vault and the LSA process from the main OS kernel. When SME is present, VBS can run those isolated workloads at a higher trust tier and skirt an entire category of side-channel attacks that people had documented at prior Black Hats. It is not the difference between a secure system and an insecure one; it is the difference between "hardened against a broad class of attacker" and "hardened against a slightly broader class." That is worth about half an hour of careful BIOS work for anyone whose workload leans on the security boundary.
Real-world impact — what changes for typical users
For a gaming rig, essentially nothing changes on the day-to-day. Frames per second do not move, boot time does not move noticeably. What does change is what Windows 11 will let you enable in its Device Security settings page. On systems with SME active you can turn on the tighter isolation modes for Credential Guard without seeing the "your device does not meet the minimum requirements for enhanced isolation" banner. For anyone whose work-from-home posture requires that banner to disappear before IT lets them join a corporate VPN, the ASUS beta is the difference between "waiting for AMD's July" and "flashing tonight."
For a home lab or a light hypervisor setup — Hyper-V, KVM, VMware Workstation Pro — SEV is the interesting one. If you're running a small stack of VMs on your own box (a NAS in a VM, a Windows sandbox for dubious downloads, a Linux VM for kernel work), SEV means those VMs are cryptographically isolated from each other. Historically that was an EPYC-only guarantee. On Ryzen 9000 with the new BIOS, it's now a consumer feature. That's the sort of thing that quietly raises the bar for what a $500 home lab can do.
For a build focused on local LLMs or crypto work, the story is nuanced. The workload itself doesn't need the feature, but the security posture around it does. If you're running Ollama on a shared machine where other users have shell access, SME closes a category of memory-scraping attacks against the loaded model weights and the KV cache. Whether that matters is a threat-modeling question, not a spec-sheet one.
Common myths worth clearing up
"Enabling SME makes my system slower." In the sense that anything is technically slower with an extra pass through the memory controller, yes. In practice the overhead is under 5% on the memory-heavy workloads that stress it and well under 1% on typical gaming and productivity workloads. Nobody buying a Ryzen 9000 platform is going to notice.
"This is only for enterprise use." No. It's an enterprise-origin feature that has genuine consumer utility on Windows 11 24H2's security stack. The line between "enterprise" and "consumer" security features has blurred a lot over the last five years; treat it as one continuum.
"AMD is late; Intel had this in 2014." Intel's SGX and TDX are different feature families with different threat models. SGX is enclave-oriented (small trusted regions), SME is bulk-memory-oriented (all of DRAM). They complement each other in a proper defense-in-depth stack; they are not substitutes.
"I should wait for the GA BIOS." If your box is critical infrastructure, sure. If it's a home rig and you're comfortable with a well-supported ASUS beta ROM, waiting three or four more weeks buys almost nothing. The beta is the same code that will ship as GA once AMD's timeline finalizes.
FAQ
Does this affect Ryzen 5000? No. The rollout is Ryzen 9000-specific and only touches AM5 boards. AM4 boards paired with Ryzen 5000 CPUs already had memory encryption enabled through prior AGESA revisions.
Is a beta BIOS safe to flash on a daily driver? Broadly yes if you follow standard beta-flash hygiene — flash from a UEFI-native tool (EZ Flash on ASUS, not Windows utilities), have a known-good BIOS backup, and don't chain the flash with other risky operations. The bigger risk is the AGESA regressions that sometimes ship in betas; watch the ASUS forum thread for a week before flashing on a mission-critical box.
Will Gigabyte, MSI, and ASRock follow? Almost certainly, based on prior AGESA rollouts. Historically the other three vendors ship their beta or GA within 2-4 weeks of ASUS's first mover.
Does enabling SME impact performance? Under 5% overhead in most workloads, per public AMD benchmarks. Some memory-bandwidth-heavy workloads see a bit more; most gaming and productivity workloads see no measurable change.
Do I need to enable anything in Windows? Windows 11 auto-detects SME support and turns on the virtualization-based security features that depend on it. Check via msinfo32 under "Device Guard" to confirm the isolation mode is running at the highest tier.
Bottom line
ASUS moved first on a security fix that AMD had scheduled for July, and the practical impact for Ryzen 9000 buyers on X670E and B650 boards is that memory encryption goes from a checkbox that couldn't be turned on to a checkbox that should be turned on. AM4 owners on Ryzen 5000 don't need to do anything — their platform has already been in this state for a couple of AGESA revisions. If you were considering an upgrade to AM5 specifically for security posture, one of the reasons to wait just quietly evaporated.
Sources
- Tom's Hardware — coverage of the ASUS beta rollout
- AMD — Ryzen 9000 desktop processor product hub
- ASUS — AMD X670/B650 motherboard product portal
