Microsoft has confirmed that its August 2024 security update, released on August 13, may disrupt the boot process for Linux on devices configured with a dual-boot setup.
The issue stems from the installation of update KB5041585, which introduces changes related to Secure Boot Advanced Targeting (SBAT) to enhance device security by blocking outdated and vulnerable boot managers. However, due to an error in the dual-boot detection mechanism, this security measure has unintentionally affected some systems running both Windows and Linux.
Issue details
The problem manifests when a device attempts to boot into Linux after applying the August 2024 security update. Affected users are encountering the error message, “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation,” preventing them from accessing their Linux operating system.
The issue arises because the SBAT update, designed to enhance the security of the boot process by targeting specific vulnerabilities, was mistakenly applied to systems where dual-booting should have been detected and exempted from this change.
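The sketch below is an added example, not code from Microsoft or the shim project. It models the generation comparison behind the "SBAT self-check failed" message, going beyond the article into how shim's SBAT metadata works. A boot component is rejected when any generation number in its embedded SBAT data is lower than the minimum set by the installed revocation level. The SBAT entries, the revocation values and the function names are constructed for illustration and are not the values shipped in KB5041585.

```python
import csv
import io

# Constructed sample of a shim binary's .sbat section
# (component,generation,vendor,package,version,url). Not from a real build.
SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.7,https://distro.example/shim
"""

# Constructed sample of a revocation level (component,minimum generation).
# The numbers are illustrative, not the ones applied by the Windows update.
SBAT_LEVEL = """\
sbat,1,2024010100
shim,4
grub,3
"""

def parse_generations(text):
    """Map component name -> generation from SBAT CSV text."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].strip().isdigit():
            gens[row[0].strip()] = int(row[1])
    return gens

def sbat_violations(binary_sbat, sbat_level):
    """Return (component, have, need) for each component below the minimum."""
    have = parse_generations(binary_sbat)
    need = parse_generations(sbat_level)
    return sorted(
        (name, gen, need[name])
        for name, gen in have.items()
        if name in need and gen < need[name]
    )

def self_check(binary_sbat, sbat_level):
    """True when the binary passes, False for a Security Policy Violation."""
    return not sbat_violations(binary_sbat, sbat_level)

if __name__ == "__main__":
    for name, gen, minimum in sbat_violations(SHIM_SBAT, SBAT_LEVEL):
        print(f"{name}: generation {gen} < required {minimum}")
    print("pass" if self_check(SHIM_SBAT, SBAT_LEVEL) else "Security Policy Violation")
```

Components that the revocation level does not list, such as the distribution-specific shim.example entry here, are not compared and cannot cause a failure.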
Impact
The impact of this issue is significant for users who rely on both Windows and Linux operating systems on the same device. Microsoft has acknowledged that the update has caused problems on a variety of systems, including those running multiple versions of Windows 10, Windows 11, and various Windows Server editions. The affected platforms include:
Windows 11 (versions 23H2, 22H2, 21H2)
Windows 10 (versions 22H2, 21H2, Enterprise 2015 LTSB)
Windows Server 2022, 2019, 2016, 2012 R2, and 2012
This issue is particularly troublesome for users who use Linux for development, testing, or as part of their daily operations, as it renders the Linux partition unbootable and disrupts workflows.
Workaround
For users who have not yet completed the installation of the August 2024 update, Microsoft has provided a temporary workaround. Users can prevent the SBAT update from being applied by adding a registry key that opts the device out:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
This action should be taken before the required reboot that completes the installation process. It is crucial for users to back up the registry before making any changes, as modifying the registry can lead to system instability if not done correctly. Microsoft has also advised that users will be able to remove this registry key later if they wish to install future SBAT updates once the issue is resolved.
Microsoft is actively investigating the issue in collaboration with its Linux partners and plans to release an update with more information as it becomes available. In the meantime, users who rely on dual-boot systems are advised to delay installing the August 2024 update until a permanent fix is provided.