UPDATE 8/23:
Known and Resolved issues for Windows 11 version 23H2
Windows message center: Current status as of July 17, 2024 Windows 11, version 23H2, also known as the Windows 11 2023 Update, is now broadly available to all users with eligible devices who Check for updates. In addition to annual updates, devices running version 23H2 receive new features and...
www.elevenforum.com
August 2024 security update might impact Linux boot in dual-boot setup devices
Status | Originating update | History |
---|---|---|
Mitigated | OS Build 22621.4037 KB5041585 2024-08-13 | Last updated: 2024-08-23, 14:54 PT Opened: 2024-08-21, 18:33 PT |
After installing the August 2024 Windows security update, released August 13, 2024 (KB5041585), you might face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device. Resulting from this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
The August 2024 Windows security update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.
Workaround:
1. Before applying the August 2024 Windows update
If you’re dual booting Linux and Windows and you haven’t finalized the installation of the August 2024 Windows update with a reboot yet, you will be able to use the below opt-out registry key. This registry prevents the SBAT update from being applied as part of the August 2024 Windows update and future Windows updates. Later on, you will be able to delete the registry key if you want to install future SBAT updates.
Important: This documentation contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows.
`reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD`
2. After applying the August 2024 Windows update
If your Linux becomes unbootable after installing the August 13, 2024, or later updates, you can recover your Linux system by following these instructions.
Important: Modifying firmware settings incorrectly might prevent your device from starting correctly. Follow these instructions carefully and only proceed if you are confident in your ability to do so.
a) Disable Secure Boot:
1. Boot into your device’s firmware settings.
2. Disable Secure Boot (steps vary by manufacturer).
3. Boot into Linux.
4. Open the terminal and run the below command: `sudo mokutil --set-sbat-policy delete`
5. Enter your root password if prompted.
6. Boot into Linux once more.
7. In the terminal, run the below command: `mokutil --list-sbat-revocations`
8. Ensure the list shows no revocations.
9. Reboot into the firmware settings.
10. Re-enable Secure Boot.
11. Boot into Linux. Run the below command: `mokutil --sb-state`
12. The output should be “SecureBoot enabled”. If not, retry step 4.
13. Boot into Windows.
14. Open Command Prompt as Administrator and run: `reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD`
At this point, you should now be able to boot into Linux or Windows as before. It’s a good time to install any pending Linux updates to ensure your system is secure.
Next steps: We are investigating the issue with our Linux partners and will provide an update when more information is available.
Affected platforms:
- Client: Windows 11, version 23H2; Windows 11, version 22H2; Windows 11, version 21H2; Windows 10, version 22H2; Windows 10, version 21H2; Windows 10 Enterprise 2015 LTSB
- Server: Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Ars Technica:
Microsoft said its update wouldn't install on Linux devices. It did anyway.
Last Tuesday, loads of Linux users—many running packages released as early as this year—started reporting their devices were failing to boot. Instead, they received a cryptic error message that included the phrase: “Something has gone seriously wrong.”
The cause: an update Microsoft issued as part of its monthly patch release. It was intended to close a 2-year-old vulnerability in GRUB, an open source boot loader used to start up many Linux devices. The vulnerability, with a severity rating of 8.6 out of 10, made it possible for hackers to bypass secure boot, the industry standard for ensuring that devices running Windows or other operating systems don’t load malicious firmware or software during the bootup process. CVE-2022-2601 was discovered in 2022, but for unclear reasons, Microsoft patched it only last Tuesday.
Multiple distros, both new and old, affected
Tuesday’s update left dual-boot devices—meaning those configured to run both Windows and Linux—no longer able to boot into the latter when Secure Boot was enforced. When users tried to load Linux, they received the message: “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.” Almost immediately support and discussion forums lit up with reports of the failure.
Read more:
“Something has gone seriously wrong,” dual-boot systems warn after Microsoft update
Microsoft said its update wouldn't install on Linux devices. It did anyway.
arstechnica.com
An update made to fix a vulnerability broke dual-boot Windows-Linux PCs
A Windows Patch Tuesday update that was supposed to fix a vulnerability has caused a number of dual-boot Windows-Linux PCs to no longer boot up in Linux. Microsoft has yet to fix this problem.
www.neowin.net
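The recovery steps quoted above clear and then re-check the SBAT revocation list. As an added example (not part of the original post or of Microsoft's guidance), this script shows the per-component generation comparison SBAT uses to refuse a boot binary, following the CSV layout documented in shim's SBAT.md. The function name `sbat_check` and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: SBAT generation check. All sample data is constructed.

# sbat_check REVOCATIONS SBAT_SECTION
#   REVOCATIONS   revocation list text ("component,minimum_generation" lines)
#   SBAT_SECTION  CSV text of a boot binary's .sbat section
# Prints one line per component whose generation is below the revoked minimum.
# Returns 0 if the binary would pass, 1 if any component is revoked.
sbat_check() {
    SBAT_REV="$1" SBAT_BIN="$2" awk '
    BEGIN {
        n = split(ENVIRON["SBAT_REV"], rev, "\n")
        for (i = 1; i <= n; i++)
            if (split(rev[i], f, ",") >= 2 && f[2] ~ /^[0-9]+$/)
                mingen[f[1]] = f[2] + 0
        n = split(ENVIRON["SBAT_BIN"], bin, "\n")
        for (i = 1; i <= n; i++) {
            if (split(bin[i], f, ",") < 2 || f[2] !~ /^[0-9]+$/) continue
            if ((f[1] in mingen) && f[2] + 0 < mingen[f[1]]) {
                printf "REVOKED %s: generation %d, minimum %d\n", f[1], f[2], mingen[f[1]]
                bad = 1
            }
        }
        exit (bad ? 1 : 0)
    }'
}

# Constructed revocation list: header line plus per-component minimums.
SAMPLE_REVOCATIONS='sbat,1,2024010900
shim,4
grub,3
grub.debian,4'

# Constructed .sbat sections for an older and a newer GRUB build.
HDR='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md'
SAMPLE_OLD_GRUB="$HDR
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,3,Debian,grub2,2.06-3,https://tracker.debian.org/pkg/grub2"
SAMPLE_NEW_GRUB="$HDR
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,2.12-1,https://tracker.debian.org/pkg/grub2"

# Constructed: a list holding only the header line revokes no component.
SAMPLE_RESET='sbat,1,2021030218'

sbat_check "$SAMPLE_REVOCATIONS" "$SAMPLE_OLD_GRUB" || echo "old build: refused under this list"
sbat_check "$SAMPLE_REVOCATIONS" "$SAMPLE_NEW_GRUB" && echo "new build: passes"
sbat_check "$SAMPLE_RESET" "$SAMPLE_OLD_GRUB" && echo "old build: passes once the list is reset"
```

To check a real system before re-enabling Secure Boot, pass the output of `mokutil --list-sbat-revocations` as the first argument and the `.sbat` section of the installed shim or GRUB binary as the second (for example, extracted with `objcopy --only-section .sbat -O binary <binary>.efi /dev/stdout`).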