Microsoft has addressed a significant issue that affected users of dual-boot systems running Linux alongside Windows, particularly those with Secure Boot enabled. This problem arose following the installation of the August 2024 Windows security updates, which inadvertently caused Linux systems to fail to boot.
The affected systems span a range of client and server operating systems, including Windows 10, Windows 11, and Windows Server 2012 and later versions. The root of the issue lies in a Secure Boot Advanced Targeting (SBAT) update, which was designed to block UEFI shim bootloaders that were vulnerable to exploits associated with the CVE-2022-2601 GRUB2 Secure Boot bypass.
Despite Microsoft’s assurances in the CVE-2022-2601 advisory that the SBAT update would not be applied to devices with dual-boot configurations, it became evident that the detection mechanism failed to recognize some customized dual-boot setups. Consequently, many Linux users, utilizing various distributions such as Ubuntu, Zorin OS, Linux Mint, and Puppy Linux, found their systems rendered unbootable after the August updates.
Reports from affected users highlighted a common error message: “Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation,” indicating the severity of the situation.
Fixed after nine months
In a recent announcement, Microsoft confirmed that the boot issues would be resolved with the May 2025 Patch Tuesday security updates. The company stated, “This issue was resolved by Windows updates released May 13, 2025 [..], and later.” They urged users to install the latest updates, which include crucial improvements and resolutions for this specific problem.
This fix comes after Microsoft provided a temporary workaround in late August, shortly after the initial reports surfaced. Users were advised to delete the SBAT update and ensure that future SBAT updates would not be installed to restore functionality to their dual-boot systems.
Additionally, on September 19, Microsoft ceased the automatic application of the problematic SBAT update to firmware. They recommended a command for users wishing to prevent future SBAT updates in Windows:
reg add HKEYLOCALMACHINESYSTEMCurrentControlSetControlSecureBootSBAT /v OptOut /d 1 /t REG_DWORDMicrosoft clarified that this known issue was specific to the August 2024 security and preview updates, assuring users that subsequent updates, starting with the September 2024 security update, do not contain the settings that led to these complications.
