diff --git a/BUILDING b/BUILDING
index 3b2e85d34..17cd98d32 100644
--- a/BUILDING
+++ b/BUILDING
@@ -78,6 +78,9 @@ Variables you could set to customize the build:
 - OSLABEL
   This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
   By default this is the same value as EFIDIR .
+- POST_PROCESS_PE_FLAGS
+  This allows you to add flags to the invocation of "post-process-pe", for
+  example to disable the NX compatibility flag.
 
 Vendor SBAT data:
 It will sometimes be requested by reviewers that a build includes extra
diff --git a/Make.defaults b/Make.defaults
index c46164a33..9af89f4ef 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -139,6 +139,8 @@ CFLAGS		= $(FEATUREFLAGS) \
 		  $(INCLUDES) \
 		  $(DEFINES)
 
+POST_PROCESS_PE_FLAGS =
+
 ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
 	DEFINES	+= -DOVERRIDE_SECURITY_POLICY
 endif
diff --git a/Makefile b/Makefile
index a9202f46d..f0f53f8f2 100644
--- a/Makefile
+++ b/Makefile
@@ -255,7 +255,7 @@ endif
 		-j .rela* -j .dyn -j .reloc -j .eh_frame \
 		-j .vendor_cert -j .sbat -j .sbatlevel \
 		$(FORMAT) $< $@
-	./post-process-pe -vv $@
+	./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
 
 ifneq ($(origin ENABLE_SHIM_HASH),undefined)
 %.hash : %.efi
diff --git a/post-process-pe.c b/post-process-pe.c
index de8f4a38b..f39fdddf8 100644
--- a/post-process-pe.c
+++ b/post-process-pe.c
@@ -42,7 +42,7 @@ static int verbosity;
 		0;                                               \
 	})
 
-static bool set_nx_compat = false;
+static bool set_nx_compat = true;
 
 typedef uint8_t UINT8;
 typedef uint16_t UINT16;