AMD has reversed course on a controversial decision to omit Transparent Secure Memory Encryption (TSME) from its non-PRO Ryzen 9000 desktop processors, confirming this week that a BIOS option for the critical security feature will be restored in a firmware update arriving in July. The move comes after a vocal outcry from tech enthusiasts and security-conscious users who discovered that TSME—a hardware-based memory encryption engine AMD had long shipped on its Ryzen chips—was mysteriously absent from the BIOS of Socket AM5 motherboards when paired with non-PRO Zen 5 CPUs.
The backtrack highlights the growing tension between chip makers’ product segmentation strategies and the expanding baseline of security features demanded by modern operating systems like Windows 11. For months, AMD had quietly disabled the Memory Guard (the consumer-facing brand for TSME) option on its Ryzen 7 9700X, Ryzen 5 9600X, and other non-PRO 9000-series parts, reserving the capability for commercial-focused Ryzen PRO SKUs. The restriction, which emerged with the initial AGESA firmware for AM5, went largely unnoticed until eagle-eyed builders began comparing BIOS screenshots across different CPU models and raised the alarm on forums like Reddit and the AMD Community.
What is TSME and why does it matter?
Transparent Secure Memory Encryption is a real-time, full-memory encryption mechanism baked into the integrated memory controller of modern AMD processors. It uses a hardware random number generator to create a transient encryption key that is never accessible to the operating system, ensuring that all data stored in DRAM—including the OS kernel, application code, and user documents—is encrypted when the system is on. The “transparent” moniker means the process requires zero software modifications; applications run as normal while the memory controller encrypts and decrypts data on the fly.
The feature provides a robust defense against cold boot attacks, memory scraping, and DMA-based threats. An attacker who physically removes a RAM module from a running system and tries to read its contents on another machine would find only garbled ciphertext. In an era where physical attacks on hardware are a real concern for enterprise, government, and increasingly for privacy-focused consumers, TSME is a critical security layer. It also aligns with Windows 11’s hardware security stack, where memory encryption complements features like Virtualization-Based Security (VBS) and Hypervisor-Enforced Code Integrity (HVCI). Microsoft has been gradually raising the bar for CPU security, and having TSME enabled can improve the assurance posture of a Windows device.
The discovery and the outcry
The missing TSME option first came to light in early June when a user on the AMD subreddit posted side-by-side BIOS screenshots: one with a Ryzen 9 9950X PRO showing the “AMD Memory Guard” toggle under Advanced CPU Settings, and another with a retail Ryzen 7 9700X where the entire line item was simply gone. The thread exploded, drawing hundreds of comments. Several owners confirmed that on their non-PRO Ryzen 9000 chips, the BIOS option was absent regardless of motherboard vendor—ASUS, Gigabyte, ASRock, and MSI boards all exhibited the same omission when running non-PRO SKUs.
Further investigation by the community revealed that the functionality was not physically fused off on the die. Rather, it was being suppressed by the AGESA firmware. This triggered suspicions that AMD was deliberately segmenting its lineup, tying basic security features to a higher-priced PRO tier. The move rankled the enthusiast base because TSME had been available on virtually all Ryzen desktop processors since the first generation, including mainstream non-PRO models. The sudden disappearance felt like a regression.
The backlash quickly spilled over to Windows-focused forums. IT administrators and power users who build their own Windows 11 workstations expressed frustration. “I picked the 9950X specifically for a secure dev environment,” one commenter wrote. “If I’d known TSME was being paywalled behind PRO, I would have reconsidered.” Others pointed out that the segmentation created an inconsistent security posture across what are essentially identical silicon dies, undermining the trust in AMD’s consumer platform.
AMD’s response and the July fix
On June 18, 2025, AMD issued a brief statement to tech press outlets acknowledging the omission and promising a remedy. “We are aware of reports that the Transparent Secure Memory Encryption (TSME) / Memory Guard BIOS option is not available on certain non-PRO Ryzen 9000 Series desktop processors,” the statement read. “This option was inadvertently restricted in the initial AGESA release. We will restore the BIOS option for all affected processors via a firmware update scheduled for distribution in July 2025.”
A follow-up on the AMD Community blog clarified that the fix would come through an AGESA ComboAM5PI 1.2.0.3 update, which motherboard manufacturers would begin rolling out in the first two weeks of July. All AM5 boards with a compatible BIOS version will expose the “Memory Guard” toggle once a non-PRO Ryzen 9000 CPU is detected. The statement stressed that TSME is not being held back for security or stability reasons; it was simply a configuration mistake during the initial BIOS bring-up for Zen 5.
That explanation, while plausible, did not fully satisfy skeptics. The fact that PRO processors already exposed the option under the very same AGESA baseline suggested a deliberate conditional compile rather than a bug. Nevertheless, AMD’s decision to restore the feature means that once the update is applied, all Ryzen 9000 desktop users will again be able to lock down their memory with a single BIOS toggle.
The Windows security angle
For Windows 11 users, the return of TSME is more than a convenience. Microsoft’s operating system is increasingly architected around the assumption that the platform offers secure memory handling. With features like Secured-core PC, the OS checks for the presence of memory encryption and other hardware security measures to establish a device’s security state. While Windows has never explicitly required TSME for consumer versions, its absence could affect an organization’s ability to meet certain compliance benchmarks, such as those defined by the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS).
More practically, many Windows power users run hypervisors, sandboxes, and Kubernetes clusters on their desktop machines. In those scenarios, memory encryption provides an extra guardrail against guest-to-guest or guest-to-host memory snooping. A developer running Windows Subsystem for Linux 2 (WSL2) may also appreciate having their Linux environment’s data encrypted, even though WSL2 already leverages Hyper-V isolation.
There is no evidence that attackers have actively exploited the missing TSME option in the wild. The risk comes primarily from attackers with physical access, which for a home desktop is generally lower than for a corporate laptop. However, the principle remains important: a long-standing security feature should not vanish without notice.
How to enable TSME after the update
Once the July AGESA update lands, enabling TSME is straightforward:
- Download and flash the latest BIOS from your motherboard vendor’s support page. Look for a build that lists “ComboAM5PI 1.2.0.3” or later in the release notes.
- Reboot into the UEFI/BIOS setup, typically by pressing Del or F2 during POST.
- Navigate to the Advanced CPU Configuration section (exact path varies by motherboard vendor).
- Locate the entry labeled “AMD Memory Guard” or “TSME.” The option may be under a sub-menu such as “AMD CBS” or “North Bridge Configuration.”
- Change the setting from “Disabled” to “Enabled.” Some UEFI implementations will also present a sub-option to choose encryption strength (usually AES-128).
- Save and exit. The system will reboot, and Windows will load with full memory encryption active.
It is worth checking after boot that the feature is indeed operational. While Windows does not have a native UI to confirm TSME status, you can use a tool like HWiNFO64 or System Information Viewer, which read the AMD Platform Security Processor (PSP) status to verify that memory encryption is active.
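For anyone tracking several boards, the first step's check ("ComboAM5PI 1.2.0.3" or later in the release notes) can be scripted. The sketch below is an added example, not code from AMD or any motherboard vendor; the sample release notes, board names, and the ordering of lettered revisions are assumptions made for illustration.

```python
import re

# AGESA level the article names as restoring the Memory Guard / TSME option.
REQUIRED = "1.2.0.3"

# Accepts spellings such as "ComboAM5PI 1.2.0.3", "ComboAM5 PI 1.2.0.3a",
# "ComboAM5PI_1.2.0.2b". The optional letter is a vendor revision suffix.
AGESA_RE = re.compile(
    r"Combo\s*AM5\s*PI[\s_-]*(\d+(?:\.\d+){3})([a-z]?)(?![a-z0-9])",
    re.IGNORECASE,
)


def agesa_key(version, suffix=""):
    """Sortable key: four numeric fields, then the revision letter.

    Assumption: a lettered revision ("1.2.0.3a") sorts after the bare
    version ("1.2.0.3") and before the next numeric release.
    """
    return tuple(int(p) for p in version.split(".")) + (suffix.lower(),)


def find_agesa(notes):
    """Highest ComboAM5PI level mentioned in the notes, or None."""
    keys = [agesa_key(v, s) for v, s in AGESA_RE.findall(notes)]
    return max(keys) if keys else None


def has_memory_guard_fix(notes):
    """True/False when the notes state an AGESA level, None when they don't."""
    key = find_agesa(notes)
    return None if key is None else key >= agesa_key(REQUIRED)


# Constructed release-note snippets; board names and build ids are hypothetical.
SAMPLE_NOTES = {
    "board-a build 3.10": "1. Update AGESA to ComboAM5PI 1.2.0.3a\n2. Improve memory compatibility",
    "board-b build F5": "Update to AGESA ComboAM5 PI 1.2.0.2b",
    "board-c build 1.08": "Improve system stability",
    "board-d build 2.04": "AGESA ComboAM5PI 1.2.0.3",
}

if __name__ == "__main__":
    labels = {True: "has fix", False: "too old", None: "unknown, ask vendor"}
    for build, notes in SAMPLE_NOTES.items():
        print(f"{build:20} {labels[has_memory_guard_fix(notes)]}")
```

The "unknown" result matters in practice: release notes that say only "improve system stability" give no AGESA level, so the build has to be checked in the BIOS setup itself.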
A broader pattern of security segmentation
AMD is not alone in grappling with how to differentiate its product lines without shortchanging security. Intel similarly disables certain hardware features like Software Guard Extensions (SGX) on its consumer Core processors, reserving them for Xeon server CPUs. However, SGX is a specialized enclave technology that most consumer workloads never touch. TSME, on the other hand, is a system-wide defense that has been a staple of AMD’s consumer platform for nearly a decade.
Microsoft, too, has faced criticism for its security segmentation. Windows 11 Home lacks BitLocker drive encryption and certain Group Policy controls, pushing power users toward Pro or Enterprise editions. The difference is that Microsoft makes those omissions transparent at purchase time, whereas AMD’s BIOS toggle simply disappeared without documentation.
The episode underscores the importance of maintaining detailed release notes for firmware updates. Motherboard vendors often ship AGESA updates with generic descriptions like “improve system stability” or “update to AGESA version X.X.X.X.” The community had to resort to grassroots detective work to uncover the missing TSME option. If AMD had been more forthcoming, the situation might have been less frustrating.
What’s next for Ryzen and Windows security
Looking ahead, AMD is expected to further integrate memory encryption into its upcoming Ryzen 9000 X3D and future Zen 6 architectures. The company has already hinted at plans to extend its Secure Encrypted Virtualization (SEV) technology to consumer platforms, a move that would bring enterprise-grade VM isolation to prosumer workstations. Windows 11, for its part, continues to tighten the baseline: the next major feature update is rumored to require at least TPM 2.0 and Secure Boot, and it may eventually check for memory encryption capabilities on higher-end SKUs.
The restoration of TSME for non-PRO Ryzen 9000 chips may also influence how AMD handles security features in future product launches. A vocal segment of the Windows enthusiast community has made it clear that they view memory encryption not as a premium extra but as a fundamental building block. As remote work and bring-your-own-device policies become entrenched, the line between consumer and commercial hardware blurs, and expectations around security converge.
For now, the immediate takeaway for any enthusiast running a Ryzen 9000 desktop with Windows 11 is to mark the calendar for July and be ready to flash that BIOS when it drops. The penalty for not doing so is subtle but real: your system will continue to run fine, but all that data in RAM will sit in plain text, waiting for an attacker with a PCIe DMA card, a cold-boot rig, or even a sophisticated software exploit that can dump memory. With the fix, you get back a layer of defense that should never have gone missing.