Microsoft fixes Linux boot issues on dual-boot Windows systems

Microsoft has fixed a known issue preventing Linux from booting on dual-boot systems with Secure Boot enabled after installing the August 2024 Windows security updates.

The list of affected systems includes those running client (Windows 10 and Windows 11) and server (Windows Server 2012 and later) OS versions.

This issue is triggered by a Secure Boot Advanced Targeting (SBAT) update that blocks UEFI shim bootloaders vulnerable to exploits targeting the CVE-2022-2601 GRUB2 Secure Boot bypass.

While Microsoft said in the CVE-2022-2601 advisory that this SBAT update would not be delivered to devices where dual booting is detected, it also acknowledged that the dual-boot detection failed to detect some customized methods of dual-booting and applied the update anyway.

Many Linux users (running a wide range of distros, including but not limited to Ubuntu, Zorin OS, Linux Mint, and Puppy Linux) reported that their systems stopped booting after they installed the August 2024 Windows updates and the SBAT update was incorrectly applied.

Microsoft confirmed the known issue following widespread reports, saying that affected users saw “Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation” errors on systems rendered unbootable.

Linux boot broken after Windows security update (Ok_Work_5257)
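
The generation check behind the “SBAT self-check failed” error can be modeled in a few lines. This is an added example, not code from Microsoft or the shim project: each bootloader carries SBAT metadata listing a generation number per component, and an SBAT update raises the minimum generation that will be accepted. The component generations, datestamps and the "exampledistro" vendor entry are constructed sample values, not the levels shipped in the August 2024 update.

```python
"""Simplified model of the SBAT generation check (sample data is constructed)."""
import csv
import io


def parse_sbat(text):
    """Parse SBAT CSV text into {component: generation}.

    Handles a binary's .sbat metadata (component,generation,vendor,...)
    and a revocation list (component,generation[,datestamp]).
    """
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue  # blank or malformed line
        try:
            entries[row[0].strip()] = int(row[1])
        except ValueError:
            continue  # generation must be an integer
    return entries


def revoked_components(binary_sbat, revocations):
    """List (component, binary_gen, required_gen) for each component
    whose generation is below the revocation floor."""
    have = parse_sbat(binary_sbat)
    floor = parse_sbat(revocations)
    return sorted(
        (name, gen, floor[name])
        for name, gen in have.items()
        if name in floor and gen < floor[name]
    )


# Constructed .sbat metadata for an older distro shim (not from a real binary).
OLD_SHIM = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.exampledistro,1,Example Distro,shim,15.4,https://example.invalid/
"""
NEW_SHIM = OLD_SHIM.replace("shim,2,UEFI shim", "shim,4,UEFI shim")
# Constructed revocation levels before and after an SBAT update.
LEVEL_BEFORE = "sbat,1,2022010100\nshim,2\ngrub,2\n"
LEVEL_AFTER = "sbat,1,2024010100\nshim,3\ngrub,3\n"

if __name__ == "__main__":
    for label, level in (("before update", LEVEL_BEFORE), ("after update", LEVEL_AFTER)):
        bad = revoked_components(OLD_SHIM, level)
        print(label, "->", f"self-check would fail: {bad}" if bad else "boot allowed")
```

On a Linux install, `mokutil --list-sbat-revocations` prints the revocation level currently applied, which can be compared against the bootloader's own metadata before a dual-boot machine is restarted.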

Fixed after nine months

This week, nine months after confirming the issue, Microsoft announced that the May 2025 Patch Tuesday security updates should fix the boot problems for all affected users.

“This issue was resolved by Windows updates released May 13, 2025 [..], and later,” Redmond noted in a Windows release health update. “We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one.”

The fix comes after the company shared a temporary workaround in late August, weeks after the first user reports surfaced, to help revive impacted dual-boot systems. The workaround required users to delete the SBAT update and ensured that future SBAT updates would no longer be installed.

On September 19, it also stopped applying the problematic SBAT update to the firmware automatically, advising those who want to prevent future SBAT updates in Windows to run the following command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

“This known issue only occurs with the installation of the August 2024 security and preview updates. The September 2024 security update and later updates do not contain the settings that caused this issue,” Microsoft added. 
