Microsoft confirms August updates break Linux boot in dual-boot systems

Microsoft has acknowledged that the August 2024 Windows security updates are causing boot failures for Linux users on dual-boot systems with Secure Boot enabled. The disruption stems from a Secure Boot Advanced Targeting (SBAT) update, which was rolled out to block Linux boot loaders that have not been patched against the CVE-2022-2601 GRUB2 Secure Boot bypass vulnerability.

The company elaborated that affected devices might encounter a failure to boot into Linux, accompanied by the error message: ‘Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.’ This situation arises as the August 2024 Windows security update enforces a Secure Boot Advanced Targeting (SBAT) setting on Windows-running devices to obstruct older, vulnerable boot managers.

While Microsoft indicated that the SBAT update, aimed at blocking outdated UEFI shim bootloaders, would not be applied to devices recognized as dual-booting, it conceded that certain customized dual-boot configurations were not detected, resulting in the unintended application of the SBAT value.

Reports from BleepingComputer reveal that numerous Linux users have encountered issues following this month’s Patch Tuesday. Users running various distributions, including Ubuntu, Linux Mint, Zorin OS, and Puppy Linux, reported that their systems ceased to boot into Linux post-installation of the August security updates for Windows.

What if you already updated?

Linux users who have already run into this known issue report that the common fixes—such as deleting the SBAT policy or wiping the Windows installation and restoring Secure Boot to factory settings—have not worked on every affected device. The most reliable method so far is to disable Secure Boot, install the latest version of the preferred Linux distribution, and then re-enable Secure Boot.

Microsoft has also shared a workaround for users who have not yet finalized the installation of the August 2024 security updates. By rebooting and utilizing the following opt-out registry key, users can interrupt the deployment process and prevent the problematic updates from being installed:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
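The following PowerShell snippet is an added example, not part of the article or of Microsoft's guidance. It reports whether Secure Boot is on and whether the opt-out value above is already present, and writes that value (the same key, name and REG_DWORD data as the reg add command) only when asked, so an administrator can verify the state before and after applying the workaround. The function names are the author's own; the registry path and the OptOut value come from the article.

```powershell
# Added example: inspect and set the SBAT opt-out value described in the article.
# Registry path and value name are the ones from the article's reg add command.
$SbatKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT'

function Get-SbatOptOutState {
    # Returns the current Secure Boot state and whether OptOut=1 is set under the SBAT key.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS systems

    $value = Get-ItemProperty -Path $SbatKey -Name OptOut -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        KeyExists         = Test-Path $SbatKey
        OptOut            = if ($null -ne $value) { [int]$value.OptOut } else { $null }
        OptedOut          = ($null -ne $value -and [int]$value.OptOut -eq 1)
    }
}

function Set-SbatOptOut {
    # Equivalent of the article's reg add: creates the key if missing and writes OptOut=1 as REG_DWORD.
    # Requires an elevated (Administrator) session.
    if (-not (Test-Path $SbatKey)) { New-Item -Path $SbatKey -Force | Out-Null }
    New-ItemProperty -Path $SbatKey -Name OptOut -PropertyType DWord -Value 1 -Force | Out-Null
    Get-SbatOptOutState
}

# Usage: check first, then opt out only on a machine that has not yet installed the update.
$state = Get-SbatOptOutState
if ($state.OptedOut) {
    "SBAT opt-out already set (OptOut=$($state.OptOut)); the SBAT deployment will be skipped on reboot."
} else {
    "SBAT opt-out not set. Run Set-SbatOptOut from an elevated prompt, then reboot before installing the update."
}
```

Confirm-SecureBootUEFI ships in the built-in SecureBoot module and fails on non-UEFI machines, hence the try/catch. The opt-out only prevents the SBAT value from being deployed; on a machine where the update has already applied it, the state check will show the key but the boot failure has to be addressed as the article describes above.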

The company is currently collaborating with its Linux partners to investigate the matter further and will provide updates as more information becomes available.
