AMD has confirmed it will restore the Transparent Secure Memory Encryption (TSME) BIOS option, branded as AMD Memory Guard, on select non-PRO Ryzen 9000 desktop processors. The update, set to roll out in July 2026 through AGESA-based motherboard firmware, reverses a controversial removal that left many users without hardware-backed RAM encryption. The decision comes after months of community pressure and signals a renewed focus on platform security for mainstream desktop builders.
In a brief statement released in June 2026, AMD acknowledged the gap and committed to making TSME accessible again on chips like the Ryzen 7 9700X and Ryzen 5 9600X. The feature—which encrypts data in system memory transparently, without a performance penalty visible to most workloads—was previously reserved for Ryzen PRO models on the AM5 platform. For Windows users who rely on BitLocker or other disk encryption, TSME provides an essential second layer: it protects against cold-boot attacks and DMA snooping, but only when enabled in the UEFI.
What Exactly Is TSME and Why Does It Matter?
Transparent Secure Memory Encryption is a silicon-level feature that uses an AES-128 engine integrated into the processor’s memory controller. When turned on, all data written to DRAM is encrypted with a hardware-generated key; decryption happens seamlessly as data is fetched back into cache. From the operating system’s perspective, nothing changes—applications and drivers see unencrypted data, while physical memory contents become scrambled to anyone without access to the chip’s internal key. AMD markets this as Memory Guard in its enterprise and PRO lineups, but the underlying technology is identical.
TSME’s value skyrockets in multi-tenant environments and for portable desktops that might be lost or stolen. Combined with Windows 11’s Secure Boot and TPM-backed BitLocker, it closes the attack vector that targets plaintext RAM contents via DMA attacks or physical memory extraction. Microsoft specifically recommends memory encryption for devices handling sensitive data, and many IT policies mandate it for compliance with standards like NIST SP 800-111.
The Rift: How Ryzen 9000 Lost TSME
When the first AM5 motherboards shipped with Ryzen 7000 processors, TSME was freely available across the entire stack. Owners of a $229 Ryzen 5 7600 could toggle “Memory Guard” in the UEFI just like someone with a $699 Ryzen 9 7950X. That changed with the launch of Ryzen 9000 “Granite Ridge” CPUs in August 2024. Early adopters discovered that the TSME option had vanished from BIOS menus on all non-PRO SKUs—only the pricier Ryzen PRO 9000 series retained the toggle.
Back then, AMD’s official line was vague. A company representative posted on the AMD Community forums that TSME was “not currently enabled” on certain consumer parts and suggested users who needed it could purchase PRO models or wait for further notice. The response infuriated enthusiasts and system integrators who had built workflows around hardware encryption. Threads on r/Amd, Level1Techs, and Windows-focused forums exploded with complaints: users who encrypted their drives with BitLocker suddenly lost the complementary memory encryption that prevented RAM from being the weak link.
Independent analysis by firmware researchers hinted at a technical root: early AGESA 1.1.0.0 builds for Granite Ridge appeared to segregate TSME capability by SKU ID, possibly to cut validation costs or create product segmentation. While the AES engine was physically present on every Ryzen 9000 die—it’s part of the Zen 5 memory controller—the System Management Unit (SMU) firmware simply refused to expose the control bit if the CPU’s model number didn’t fall in a whitelist. For many, it felt like a deliberate downgrade rather than an oversight.
The Course Correction: What AMD Announced in June 2026
After nearly two years of sporadic teasing—occasional leaked BIOS versions from ASRock and MSI that accidentally re-exposed TSME, quickly pulled—AMD finally broke its silence on 14 June 2026. In a post on the AMD Community blog, the company said:
“We are finalizing validation of an AGESA update that will restore the Memory Guard (TSME) BIOS option on Ryzen 9000 series desktop processors, excluding certain entry-level SKUs. Motherboard vendors will begin distributing this firmware starting in July 2026. We appreciate the community’s patience and ongoing feedback.”
The statement, though brief, explicitly mentions “desktop processors” and “non-PRO” parts being in scope. It leaves the door open for some lowest-tier chips—likely the Ryzen 3 9100 and possibly the Ryzen 5 9400F—to miss out, though AMD didn’t draw a hard line. The restoration will arrive via the AMD Generic Encapsulated Software Architecture (AGESA) ComboAM5 1.2.0.8 update, which board partners will customize and release per their own validation schedules.
The AGESA 1.2.0.8 Pipeline and Board Partner Impact
AGESA updates are the packaging mechanism for all AMD platform firmware, bundling CPU microcode, SMU firmware, and reference code for chipset and memory initialization. The ComboAM5 1.2.0.8 payload—already in limited beta testing at ASUS, Gigabyte, ASRock, and MSI—includes the SMU version 92.70.0 module that re-enables the TSME control flag irrespective of SKU ID, provided the CPU reports a compatible model. Board vendors will need to integrate this into their UEFI builds, test for regressions, and then deploy through their standard update tools.
For Windows users, the practical implication is that TSME will return as a toggle buried under the “AMD CBS” or “Security” tab in BIOS, often labeled “Memory Guard” or “Transparent SME.” Enabling it requires a reboot and, in some configurations, may demand that “TSME” and “Secure Boot” both be active for BitLocker to recognize the security baseline. The update is not expected to require a chipset driver refresh, though AMD’s PSP driver in Windows may get a nominal update to reflect the change.
Windows 11, BitLocker, and Real-World Security
Windows 11’s hardware security stack relies on a chain of trust that starts with Secure Boot and extends through the TPM. When BitLocker encrypts an OS drive, it can use the TPM to seal the encryption key, ensuring the drive only unlocks if the boot environment is unchanged. However, if an attacker can read the RAM contents—say, by freezing a DIMM or probing a Thunderbolt port—they might retrieve the BitLocker key from memory before the TPM can purge it. TSME closes that loophole by encrypting everything in RAM, rendering even a successful extraction useless.
Users who combine TSME with Windows’ own “Kernel DMA Protection” (IOMMU) and “Memory integrity” (HVCI) create a defense-in-depth scenario that satisfies most zero-trust frameworks. For the home builder or small business owner, the restored option means a sub-$400 Ryzen 7 9700X system can achieve a security posture that previously demanded a PRO-tier CPU—often marked up by $50–$100 solely for the encryption toggle.
The Road to Restoration—and Why It Took So Long
Why the two-year delay? Multiple insider reports suggest a combination of internal politics and technical debt. During the AM5 launch window, AMD was simultaneously ramping its enterprise EPYC and Threadripper lines, both of which use SME and SEV (Secure Encrypted Virtualization) extensively. Engineering resources dedicated to client TSME validation may have been reallocated. Additionally, Microsoft’s Windows 11 24H2 update introduced stricter requirements around memory encryption reporting, which exposed inconsistencies in AMD’s firmware that needed to be resolved before TSME could be safely re-enabled without triggering boot failures or driver crashes.
Some motherboard vendors inadvertently tipped AMD’s hand. In March 2026, a beta BIOS for the ASRock X870E Taichi briefly listed “TSME Enable” as an experimental option. Users who flashed it reported mixed results: on a Ryzen 7 9800X3D, the toggle worked, but Windows Event Viewer generated Secure Launch errors unless the BIOS also had “Data Scramble” enabled. In contrast, on a Ryzen 5 9600X, the toggle caused a black screen until a CMOS clear. This variability likely mirrors the validation challenges AMD needed to overcome across dozens of SKUs, chipset combinations, and DRAM configurations.
What the Community Is Saying
Enthusiasm is tempered by exhaustion. On Reddit’s r/AMD, u/ThreadripperTim posted: “Great, but what about the 7600X3D—it’s a Zen 4 part that also had TSME yanked. Is AMD going to backport this fix?” Similar questions pop up for AM4’s Ryzen 5000 series, where TSME was flaky on non-PRO models depending on the AGESA version. AMD has not addressed older generations, and the announcement strictly references “Ryzen 9000 series desktop processors” on the AM5 platform. That leaves millions of existing AM4 and early AM5 users still locked out.
Forum threads on WindowsNews.ai highlight another friction point: the BIOS update cadence for last-gen motherboards. An owner of a B650 board said, “My ASUS B650E-E still hasn’t received the AGESA 1.2.0.7 fix for USB dropout, and now I’m supposed to wait for 1.2.0.8 for TSME? I’m two security patches behind.” This underscores a perennial challenge in the DIY PC ecosystem—firmware support is at the mercy of each vendor’s release schedule.
Practical Steps for Users
If you’re running a non-PRO Ryzen 9000 system and want TSME, here’s what to do:
- Check your CPU model: The update is expected to cover Ryzen 7 9700X, Ryzen 5 9600X, Ryzen 9 9900X and 9950X, and likely the X3D variants. The Ryzen 3 9100 may be excluded; verify your model against AMD’s list once it’s published.
- Watch for the AGESA version: Look for AGESA ComboAM5 1.2.0.8 or later in your motherboard’s BIOS changelog. Do not flash a beta unless you’re comfortable with potential instability.
- Enable TSME correctly: After the update, the toggle will typically require a full power-cycle (not just a reboot) to take effect. In Windows, run “msinfo32” and check “Device Encryption Support”—it should show “Meets prerequisites” when TSME is active alongside Secure Boot and a functional TPM.
- Test with BitLocker: For drive encryption, first verify TSME is on, then open BitLocker Drive Encryption and turn on protection. The combination of TPM-sealed keys and RAM encryption delivers the strongest personal device security.
Broader Implications for AMD’s Platform Strategy
TSME’s return signals a shift in AMD’s segmentation strategy. By restoring a security feature that was never explicitly sold as a PRO exclusive, AMD acknowledges that desktop users—gamers, content creators, and home-office workers—increasingly demand enterprise-grade protections. The move also aligns with the growing “secure-by-default” principle Microsoft advocates, where hardware-assisted encryption is a baseline, not a premium.
Competitively, Intel has offered Total Memory Encryption (TME) across all 12th-gen and later Core processors without SKU restrictions. AMD’s temporary absence of TSME on mainstream Ryzen 9000 put it at a disadvantage for anyone cross-shopping for a secure Windows workstation. The July 2026 update closes that gap entirely.
Looking ahead, the question is whether AMD will maintain TSME as a universal feature in future Zen 6 “Morpheus” processors. The SMU-based gating approach suggests the hardware is capable; it’s the firmware policy that locks it. If AMD learns from this episode, it might simply enable TSME out of the box on all SKUs, leaving the BIOS option for users who need to disable it for memory overclocking—a common trade-off where extreme DRAM timings conflict with the encryption engine.
Conclusion
AMD’s confirmation in June 2026 that TSME will return to non-PRO Ryzen 9000 chips in July is a win for transparency and user trust. After two years of uncertainty, enthusiasts and IT pros can finally plan for a fully encrypted desktop platform without paying the PRO tax. The actual rollout depends on motherboard vendors absorbing the AGESA 1.2.0.8 update, but early signs from beta testers are promising. For Windows 11 users who value defense-in-depth, the restored BIOS toggle is more than a checkbox—it’s a critical piece of a hardware-rooted security posture. Keep an eye on your board maker’s support page throughout July 2026; when that new firmware drops, a quick UEFI visit could meaningfully strengthen your system’s resistance to physical memory attacks.