ASUS pushed a beta BIOS on November 24, 2026 that restores Memory Encryption for Ryzen 9000 desktop CPUs, resolving the six-month regression that had shipped in the AGESA 1.2.0.3d microcode. The beta lands on the ROG X870E Hero, ROG X870E-E, and PRIME X870-P first, with the wider X870/B850 rollout expected within two weeks. AMD's own AGESA fix is still in verification, so ASUS is technically ahead of the reference silicon vendor on this one. If you own a 9000-series CPU on an ASUS board and use encrypted VMs or a security-hardened workload, this is the update to install.
What actually broke and what got fixed
AMD's Ryzen 9000 desktop CPUs support Memory Encryption via SME (Secure Memory Encryption) and SEV (Secure Encrypted Virtualization). The encryption is a set of AES-128 keys on the memory controller that transparently encrypt DRAM pages between the CPU and physical RAM.
In AGESA 1.2.0.3d, shipped in mid-2026, a change to the memory-training routine disabled SME on desktop SKUs by default. Board vendors — including ASUS — released BIOS updates on top of that AGESA, which meant OS-level flags to enable encryption returned success but the microcode silently refused. Anyone running SEV guests saw the guests boot without encryption enforced; anyone auditing memory dumps saw plaintext.
The ASUS beta BIOS 3106 rolls the memory-training routine back to a pre-1.2.0.3d state, restores the SME MSR, and re-adds the setup-menu toggle under Advanced → CPU Configuration → Memory Encryption. It's tested against Ryzen 7 5800X-era boards for backward compatibility and against every 9000-series CPU ASUS has in-house.
Which boards get the fix first
ASUS' rollout order for BIOS 3106 (or the equivalent version per SKU):
- ROG X870E Hero — released 2026-11-24, tagged Beta.
- ROG X870E-E Gaming WiFi — released 2026-11-24, tagged Beta.
- PRIME X870-P WiFi — released 2026-11-25, tagged Beta.
- TUF Gaming X870-Plus WiFi — targeted 2026-12-01, in QA.
- B850 boards (Strix, TUF, PRIME) — targeted 2026-12-08.
- X670E/B650 legacy 9000-support boards — targeted 2026-12-15 pending verification.
The beta tag is meaningful. ASUS BIOSes tagged Beta on the download page have passed internal QA but not the full "Release" cadence that includes broad system-integrator validation. For a home rig, beta is fine and often necessary to get real fixes early. For a production workstation, wait for the Release tag.
Do you actually need this
Only if any of these are true:
- You run SEV-encrypted VMs on Ryzen 9000. If you're running Proxmox with encrypted guests, or KVM with SEV enabled, the encryption is currently a no-op.
- You care about DMA-attack resistance. SME encrypts DRAM against cold-boot and physical-access threats. If your threat model includes stolen laptops or malicious PCIe devices, you need this on.
- You're on a compliance regime that mandates memory encryption. Enterprise security frameworks that require SME (some PCI-DSS variants and defense contractor baselines) are directly affected.
If you're running Windows Pro with BitLocker on the boot drive and a normal desktop workload, you don't need SME to be functional. BitLocker is a disk-encryption layer, not a memory-encryption layer. Your daily-driver security posture is unaffected.
What AMD is doing about it
AMD's own fix is bundled into AGESA 1.2.0.4a, currently in "final verification" per AMD's public BIOS-partner roadmap. Once 1.2.0.4a ships, every board vendor picks it up on their own cadence — MSI, Gigabyte, ASRock, and Biostar typically trail ASUS by 2–4 weeks on major AGESA transitions.
ASUS' choice to ship a fix before AGESA 1.2.0.4a is unusual. They accomplished it by cherry-picking the memory-training code path from the pre-1.2.0.3d AGESA into an otherwise-current firmware base, effectively backporting a fix rather than waiting for AMD's roll-forward.
This kind of backport is a minor engineering victory for ASUS and a public embarrassment for AMD. Enthusiasts noticed the regression in June 2026 and reported it through community channels; AMD's public acknowledgment came in October. That's a five-month gap where a documented security feature silently didn't work on a currently-shipping desktop platform.
Timeline of the regression
- March 2026: AMD ships AGESA 1.2.0.3d to board partners with revised memory-training changes intended to broaden EXPO compatibility on high-density DDR5-6400+ kits.
- April 2026: ASUS, MSI, Gigabyte push BIOS updates carrying the new AGESA to X870/B850 boards.
- June 2026: First community reports on Reddit and Level1Techs forums that SEV guests boot without encryption enforced on Ryzen 9950X and 9900X boards.
- July 2026: Independent security researchers publish a memory dump showing plaintext KVM guest state on a 9950X + ASUS ROG X870E-E system.
- August 2026: AMD engineers acknowledge the issue in a private tracker; no public statement yet.
- October 2026: AMD publicly acknowledges the regression on its Ryzen Community Forum and commits to a fix in AGESA 1.2.0.4a "before end of year."
- November 24, 2026: ASUS ships BIOS 3106 Beta with the SME restoration ahead of AGESA 1.2.0.4a.
The five-month gap between community discovery and public acknowledgment is the story worth remembering. Silicon security features can regress silently and it takes coordinated disclosure to force a fix.
How to install and verify
Backup first. Any BIOS flash on any modern platform carries a nonzero brick risk if power drops mid-write. Have a UPS or hold the flash for a calm afternoon.
- Download BIOS 3106 (or your SKU's equivalent) from the ASUS support page under your board's model.
- Save to the root of a FAT32 USB stick.
- Reboot into BIOS with F2 or Delete, use EZ Flash Utility, point at the USB.
- Wait for the flash to complete and reboot. Don't touch power for the first 60 seconds — memory training on the first post takes 30–45 seconds by itself.
- Once booted, re-enter BIOS. Advanced → CPU Configuration → Memory Encryption should now be visible. Set it to Enabled. Save and exit.
- Boot the OS. Verify with
rdmsr -a 0xC0010010on Linux or the equivalent MSR read tool on Windows.
If you use encrypted VMs, additionally check that SEV is available: cat /sys/module/kvm_amd/parameters/sev should return Y after the fix.
Key takeaways
- ASUS is first with a fix. BIOS 3106 (Beta) restores SME on ROG X870E boards as of 2026-11-24.
- Wider rollout takes two weeks. All ASUS X870/B850 boards should have the fix by mid-December 2026.
- AMD's reference AGESA is still in verification. MSI, Gigabyte, ASRock will trail ASUS by 2–4 weeks.
- This is a Beta BIOS. Fine for home rigs, wait for the Release tag on production systems.
- You only need this if you use encrypted VMs, DMA-hardening, or security-mandated workloads. Most desktop users are unaffected.
Comparison: what other board vendors are saying
- MSI has acknowledged the issue publicly and committed to a fix in an unspecified upcoming release. No Beta channel disclosure yet.
- Gigabyte referenced the AMD AGESA 1.2.0.4a timeline without independent fix commitment.
- ASRock has been silent on the issue as of this writing. Historically ASRock trails 4–6 weeks behind MSI on major AGESA transitions.
- Biostar does not have any 9000-series server or workstation SKUs affected and is a non-factor here.
- Supermicro ships EPYC-focused boards with a different microcode path; not affected.
If you're on a non-ASUS X870/B850 board and need the fix urgently, watch your vendor's Beta channel or consider an ASUS board swap. If you can wait, AGESA 1.2.0.4a should reach every consumer vendor by end of Q1 2027.
What a proper regression-test pipeline would have caught
The 5-month gap between community discovery and vendor acknowledgment reflects a real gap in AMD's post-AGESA validation. A working regression test suite for SME would have caught this in the pre-release cycle. The specific test — boot a Linux KVM guest with SEV enabled, dump host memory, grep for guest kernel signatures — takes 30 seconds to run and would have caught the regression immediately.
The lesson isn't that AMD needs to write a specific test. It's that firmware-level security features need pre-release validation with adversarial fuzzing, not just functional tests. "The MSR is present" isn't the same as "encryption is enforced end-to-end."
For end users, this suggests a practical hygiene: any time a critical security feature depends on firmware, add a boot-time verification step to your OS build. For SME, that's checking the SME_STATUS MSR at boot; for TPM measurements, that's re-reading PCRs and comparing to expected values; for Secure Boot, that's checking the shim signature chain.
Impact on the encrypted-VM market
If you're running Proxmox or KVM with encrypted guests on Ryzen 9000 boards, the six-month gap where SME was silently disabled means every guest state that transited memory between June and November 2026 was potentially exposed to physical-access attacks. For most home labs this is a theoretical risk (nobody physically extracts DIMMs from your home NAS). For enterprise workloads with regulated data, it's a documented compliance failure.
If your compliance regime required SME to be enforced, you need to file a post-incident report acknowledging the exposure window, apply the BIOS 3106 fix, and re-verify the enforcement state. AMD's public acknowledgment gives you cover for the regression; not applying the fix once available doesn't.
The two-week rollout math
ASUS X870/B850 boards will get the fix over the next two weeks. MSI, Gigabyte, ASRock will trail 2-4 weeks depending on AGESA 1.2.0.4a availability. Board-vendor delivery is deterministic once AMD ships the reference AGESA; you can plan around it.
By early January 2027, essentially every consumer 9000-series board should have a Release-tagged BIOS with SME restored. That's the point at which "wait for Release" becomes the more conservative recommendation than "install Beta today." Between now and then, ASUS X870E owners are on the fastest path.
Related coverage
- Ryzen 7 5800X vs Ryzen 7 5700X — the older AM4 8-core comparison for buyers considering staying on 5000-series.
- Best AM4 Upgrade Parts — sensible late-cycle AM4 buys before jumping to AM5.
- Best Budget AMD Gaming PC Upgrades — parts to consider if you're on the fence about the AM5 jump.
Common gotchas
- Some boards flash but don't expose the toggle. If you flashed and the Memory Encryption menu is missing, re-flash. The setup-menu module lives in a different partition and occasionally doesn't update on the first pass.
- Overclocked memory profiles reset. BIOS 3106 wipes CMOS. Screenshot your XMP/EXPO settings before you flash, or you'll spend 20 minutes re-dialing them.
- Windows might reject the new BIOS ID on first boot. BitLocker will demand a recovery key if TPM measurements shifted. Have your recovery key on paper.
- Beta BIOS won't downgrade cleanly. Once you flash to 3106, downgrading to 2xxx-series firmware may require ASUS' USB BIOS Flashback with a specifically-formatted USB stick.
- Legacy Ryzen 7 5700X owners on X570 are not affected. The AGESA regression only touched 9000-series memory training. AM4 continues as before.
When NOT to install
- You use Windows 11 Pro with BitLocker, don't run VMs, and don't care about DMA attacks. The fix does nothing you'd notice; wait for the Release tag.
- You're mid-production with a machine that needs to stay up. Beta firmware is Beta firmware. Even the Beta tag ASUS uses implies "we haven't put this through the full SI validation matrix yet." A 1% brick risk is a 1% brick risk.
- You're on a laptop. This BIOS is for desktop X870/B850. Ryzen 9000 mobile parts have a separate microcode path.
What this incident says about firmware security posture
The Ryzen 9000 SME regression is the second AMD firmware security incident in 18 months where a documented feature silently stopped working and took months to acknowledge. The prior one was the CPPC preferred-core scheduling behavior on Ryzen 7000 that broke with Windows 24H2 and took ~90 days to public-acknowledge.
The lesson for buyers isn't "don't buy AMD." Intel has had comparable Management Engine regressions and Alder Lake efficiency-core scheduling bugs. The lesson is: security-critical features need verification, not just documentation. If your workload depends on SME being on, add a boot-time check that reads the SME MSR and refuses to launch guest VMs if encryption isn't enforced. Firmware regressions catch you silently otherwise.
For the next 12 months, if you're speccing a new Ryzen 9000 workstation for a security-sensitive workload, budget an ASUS X870E board and stay on the Beta BIOS channel for critical fixes. It's the fastest path to real SME today.
Bottom line
For six months, if you owned a Ryzen 9000 CPU on an X870 board and thought your memory was encrypted, it wasn't. ASUS' Beta BIOS 3106 fixes that today. Every other board vendor will catch up on AMD's AGESA 1.2.0.4a timeline over the next 6–10 weeks. This is the right update for anyone whose threat model actually depends on SME, and skippable for anyone whose doesn't.
Sources
- Tom's Hardware coverage of the ASUS BIOS release and the SME regression timeline.
- AMD Ryzen product page documenting SME support on 9000-series.
- ASUS motherboards support page for the BIOS 3106 downloads.
