Aug. 13th Windows Update broke dual-boot Windows 10/11 and Linux PCs


  • Staff
UPDATE 8/23:

August 2024 security update might impact Linux boot in dual-boot setup devices


Status: Mitigated
Originating update: OS Build 22621.4037, KB5041585, 2024-08-13
History: Last updated: 2024-08-23, 14:54 PT; Opened: 2024-08-21, 18:33 PT

After installing the August 2024 Windows security update, released August 13, 2024 (KB5041585), you might face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device. Resulting from this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”

The August 2024 Windows security update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.

Workaround:

1. Before applying the August 2024 Windows update


If you’re dual booting Linux and Windows and you haven’t finalized the installation of the August 2024 Windows update with a reboot yet, you will be able to use the below opt-out registry key. This registry prevents the SBAT update from being applied as part of the August 2024 Windows update and future Windows updates. Later on, you will be able to delete the registry key if you want to install future SBAT updates.

Important: This documentation contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

2. After applying the August 2024 Windows update

If your Linux becomes unbootable after installing the August 13, 2024, or later updates, you can recover your Linux system by following these instructions.

Important: Modifying firmware settings incorrectly might prevent your device from starting correctly. Follow these instructions carefully and only proceed if you are confident in your ability to do so.

a) Disable Secure Boot:
  • Boot into your device’s firmware settings.
  • Disable Secure Boot (steps vary by manufacturer).
b) Delete SBAT Update:
  • Boot into Linux.
  • Open the terminal and run the below command:
sudo mokutil --set-sbat-policy delete
  • Enter your root password if prompted.
  • Boot into Linux once more.
c) Verify SBAT Revocations:
  • In the terminal, run the below command:
mokutil --list-sbat-revocations
  • Ensure the list shows no revocations.
d) Re-enable Secure Boot:
  • Reboot into the firmware settings.
  • Re-enable Secure Boot.
e) Check Secure Boot Status:
  • Boot into Linux. Run the below command:
mokutil --sb-state
  • The output should be “SecureBoot enabled”. If not, retry the step 4.
f) Prevent Future SBAT Updates in Windows:
  • Boot into Windows.
  • Open Command Prompt as Administrator and run:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

At this point, you should now be able to boot into Linux or Windows as before. It’s a good time to install any pending Linux updates to ensure your system is secure.

Next steps: We are investigating the issue with our Linux partners and will provide an update when more information is available.

Affected platforms:
  • Client: Windows 11, version 23H2; Windows 11, version 22H2; Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2; Windows 10 Enterprise 2015 LTSB
  • Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012


Ars Technica:

Microsoft said its update wouldn't install on Linux devices. It did anyway.

Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”

The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.

Multiple distros, both new and old, affected

Tuesday’s update left dual-boot devices—meaning those configured to run both Windows and Linux—no longer able to boot into the latter when Secure Boot was enforced. When users tried to load Linux, they received the message: “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.” Almost immediately support and discussion forums lit up with reports of the failure.
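
The generation comparison behind the "SBAT self-check failed" message, as an added example that is not part of the original post, Microsoft's notice or the Ars Technica article. It follows the rule in shim's SBAT documentation (a component is refused when its generation is lower than the revocation list's entry of the same name); the function name and all CSV values are constructed for illustration.

```shell
#!/bin/sh
# Added illustration of the SBAT generation check; every value below is constructed sample data.

# Revocation list, in the CSV shape `mokutil --list-sbat-revocations` prints:
#   component,minimum_generation[,datestamp]
REVOCATIONS='sbat,1,2030010100
shim,4
grub,3'

# .sbat section of a boot component: component,generation,vendor,package,version,url
OLD_SHIM='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,Example Distro,shim,15.7,https://example.invalid/shim'

NEW_SHIM='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,Example Distro,shim,15.8,https://example.invalid/shim'

# sbat_revoked REVOCATIONS SBAT_SECTION
# Prints every component whose generation is below the minimum the revocation
# list demands. Returns 1 if any component is revoked, 0 if the image passes.
sbat_revoked() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F, '
        /^---$/   { in_image = 1; next }      # separator between the two inputs
        NF < 2    { next }                    # skip blank or malformed lines
        !in_image { min[$1] = $2 + 0; next }  # first part: record minimum generations
        ($1 in min) && ($2 + 0) < min[$1] {   # second part: compare the image entries
            printf "%s: generation %d < required %d\n", $1, $2, min[$1]
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Demo: the older shim is refused, the newer one passes.
sbat_revoked "$REVOCATIONS" "$OLD_SHIM" || echo "old shim: Security Policy Violation"
sbat_revoked "$REVOCATIONS" "$NEW_SHIM" && echo "new shim: accepted"
```

On a real system the first argument can be the output of `mokutil --list-sbat-revocations`, which is why deleting the SBAT policy in the recovery steps lets an older shim start again.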


First thing I did after installing Windows 11 - disable Secure Boot. My quad-boot runs as smooth as butter.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom
    CPU
    Intel Core i5-13400F
    Motherboard
    PRIME B760M-A
    Memory
    32 GB
    Graphics Card(s)
    Nvidia 4060
    Sound Card
    On-board
    Monitor(s) Displays
    (2) Acer XD270H B
    Screen Resolution
    1920x1080
    Hard Drives
    (1) M2 1TB
    PSU
    600W
    Case
    Tower
    Cooling
    (3) Case fans
    Keyboard
    Standard
    Mouse
    Standard
    Internet Speed
    250 Mbps
    Browser
    Vivaldi
This problem corrupted my UEFI on two computers
 

My Computers

System One System Two

  • OS
    Windows 11-23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Gigabyte
    CPU
    i5 11600k
    Motherboard
    Gigabyte Aorus AX
    Memory
    32 GB Ripjaws V
    Graphics Card(s)
    Nvidia 1660ti (OC)
    Sound Card
    Realtek onboard audio
    Monitor(s) Displays
    Acer GN246HL
    Screen Resolution
    1920x1080
    Hard Drives
    PNY 1TB 2.5" Sata ssd
    PSU
    Seasonic Focus 850W
    Case
    Coolermaster h500
    Cooling
    Noctua HL15
    Keyboard
    Tewell model TGKB100
    Mouse
    Tecknet
    Internet Speed
    100 mb/sec
    Browser
    Mozilla Firefox
    Antivirus
    Windows Defender
  • Operating System
    Windows 24h2
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI
    CPU
    i5 6600
    Motherboard
    Gaming m3
    Memory
    Gskill RipJaws
    Graphics card(s)
    intel-internal
    Sound Card
    Realtek

I had to reflash the firmware. Lucky I had backup USB drives loaded.
 

I tried but was unable to disable secure boot...Revoking keys is next
Quote: Ouch! If you disable SecureBoot, can you start your systems?
 

Quote: This problem corrupted my UEFI on two computers
Seen this alleged in other forums elsewhere

I can see the class action vultures circling already .....
 

My Computers

System One System Two

  • OS
    Windows 11 22H2 (latest update ... forever anal)
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Slim S01
    CPU
    Intel i5-12400
    Memory
    8GB
    Graphics Card(s)
    NVIDIA GeForce GT730
    Sound Card
    OOBE
    Monitor(s) Displays
    Acer 32"
    Screen Resolution
    1920x1080
    Hard Drives
    512GB KIOXIA NVMe
    1TB SATA SSD
    PSU
    OOBE
    Case
    OOBE
    Cooling
    OOBE
    Keyboard
    BT
    Mouse
    BT
    Browser
    Brave FFox Chrome Opera
    Antivirus
    KIS
  • Operating System
    Windows 11 Pro (latest update ... anally always)
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 15
    CPU
    i7-1165G7 @ 2.80GHz
    Graphics card(s)
    Intel Iris Xe Graphics
    Hard Drives
    Samsung NVMe 512GB
    + numerous/multiple SSD Type C USB enclosures
    Internet Speed
    NBN FTTN 50
    Browser
    Brave
    Antivirus
    KIS
Quote: I tried but was unable to disable secure boot...Revoking keys is next
Quote: Ouch! If you disable SecureBoot, can you start your systems?
FYI - I disabled SecureBoot just before I re-installed Windows 11 (system was pre-loaded).
 

Actually happening on my device with a clean boot from a Linux distro USB (Mint flavour), so it's not even just installed multi-boot systems !!!
 

Is this also affecting dual boot on Win 11/Win 10 systems? That's a problem I'm having. Seems like every other boot I get the blue screen telling me a list of things to do. If I hit the escape key it takes me into BIOS. From BIOS if I do nothing and exit without saving it'll go to the Metro boot screen like it should.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    N/A
    CPU
    AMD Phenom(tm) II X4 965 Processor 3.40 GHz
    Motherboard
    Gigabyte GA-770T USB3
    Memory
    12gb
    Graphics Card(s)
    Nvidia GTX950
    Sound Card
    Realtek 888
    Monitor(s) Displays
    Acer
    Screen Resolution
    1920x1080
    Hard Drives
    1TB SSD Vulcan Z
    Keyboard
    Logitech
    Internet Speed
    500
    Browser
    Firefox
    Antivirus
    Windows Defender
I'm not sure why anyone would dual boot anymore when virtualization is so much better.

But yeah this is def a big "screwed up" moment.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell G15 5525
    CPU
    Ryzen 7 6800H
    Memory
    32 GB DDR5 4800mhz
    Graphics Card(s)
    RTX 3050 Mobile 4GB Vram
    Monitor(s) Displays
    Gigabyte M27Q (rev. 2.0) 2560 x 1440 @ 170hz HDR
    Screen Resolution
    Internal laptop screen: 1920 x 1080 @ 120hz
    Hard Drives
    2TB Solidigm™ P41 Plus nvme
    Internet Speed
    800mbps down, 20 up
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Manufacturer/Model
    HP Chromebook
    CPU
    Intel Pentium Quad Core
    Memory
    4GB LPDDR4
    Monitor(s) Displays
    14 Inch HD SVA anti glare micro edge display
    Hard Drives
    64 GB emmc
Quote: I'm not sure why anyone would dual boot anymore when virtualization is so much better. But yeah this is def a big "screwed up" moment.
You're right. But for gamers, there are just too many Windows games that don't run as well in VMs, even with GPU pass-through. Proton/WINE are getting better, still got a long way to go.

Maybe when GPU prices drop to a reasonable level, I'll give it another go.
 

Quote: I'm not sure why anyone would dual boot anymore when virtualization is so much better. But yeah this is def a big "screwed up" moment.
'Cause I just don't trust it. :-) I do have a PC that does dual boot Win 11 and Win 10 from a VHDX file. So far so good. So I might end up doing it on my main PC too.
 

Sometimes you need to test an OS on real hardware -- it's not just a question of performance -- with appropriate hardware and passthru VM's can be hugely efficient -- often up to around 92% or even higher % of native speed. Usually virtualisation means the "Virtual hardware" is para-virtualised meaning it can usually run via some sort of emulated instruction set on the broadest range of hardware around -- and for some people who need really fast graphics etc there's a performance issue price to be paid.

Things like Wine just really aren't worth the hassle these days. If you don't want to run a VM but want Linux the WSL is improving by leaps and bounds so I'd go for that instead - or maybe try some sort of "Containerisation". You can also run quite a few "Windowed" or Gui type apps from various Linux distros under WSL and it's even possible in some cases to get a full Linux OS desktop - although I'd rather dual boot or use a VM than go down that route. It's good though as an academic exercise if you have the spare time to do it.

For what I need usually running a Windows 11 PRO VM is just fine - even on one of those miniPC things !! - Linux KVM/QEMU virtualisation really is OK these days -- and it's 100% free. Its advantage over HYPER-V (also very efficient) is that it has dynamic USB re-direction which means you can attach / remove USB devices at will in the VM - Hyper-V needs any USB device to be attached to the host before powering on the VM which is a bit of a pain. However Hyper-V was designed initially for servers where devices aren't generally connected / removed once booted up so one can understand why this functionality is lacking.

Cheers
jimbo
 

My Computer

System One

  • OS
    Windows XP,7,10,11 Linux Arch Linux
    Computer type
    PC/Desktop
    CPU
    2 X Intel i7