ASUS Z390 motherboards automatically install software without asking the user

TechPowerUp pulls attention to the fact that the new ASUS Z390 motherboards automatically install drivers and software to your new Windows 10 installation. After a fresh install on a system without network access, TechPowerUp was greeted by an ASUS window in the bottom right corner of the screen, inviting them to install network drivers and download the ASUS "Armoury Crate" software.

After a brief investigation, it turned out there were three ASUS-signed files in the Windows 10 System32 folder, and the system was running a service called "AsusUpdateCheck". More digging ensued and TechPowerUp traced the software to the motherboard's 16MB UEFI BIOS chip. It turns out this is a feature of the ASUS Z390 UEFI, there's a new UEFI setting "Download and Install Armoury Crate App" that is activated by default.

Basically, the ASUS UEFI firmware adds an ACPI table to Windows 10, which copies data from the BIOS to the System32 folder to execute it everytime you boot your system. The site has mixed feelings about this new feature. On one hand it's useful as it delivers the basic driver to get the integrated network controller working (which is not supported by Windows 10 out of the box).

On the other hand, all this software is installed without user consent. There are privacy and possibly even security issues here if the tools provided by ASUS have exploitable bugs. TechPowerUp also warns that it's impossible to permanently delete the software without first deactivating "Download and Install Armoury Crate App" in the UEFI settings.

The site offers the following suggestions to ASUS to make this new feature more transparent to the end-user:

ASUS needs to make a few changes and release UEFI BIOS updates, on the double. One option could be to disable the Armour Create option in BIOS by default, so unsuspecting users don't get these files. It could be advertised in the home-screen of the UEFI setup instead. Another option could be to properly clean up the installed files if the users chooses to not use Armoury Crate and not install them again on next reboot. Also required is a GPDR-compliant license agreement, that clarifies which data is collected, how it is processed, and whether it is shared with third parties. While this probably won't happen, some kind of ASUS warranty to include liability for any future malware that exploits WPBT to survive OS reinstalls, would go a long way.