• Dual boot – resolution in preview updates


    August 2024 security update might impact Linux boot in dual-boot setup devices

    Status

    Mitigated

    Affected platforms

    Client Versions                   Message ID   Originating KB   Resolved KB
    Windows 11, version 23H2          WI868893     KB5041585        KB5043076
    Windows 11, version 22H2          WI868894     KB5041585        KB5043076
    Windows 11, version 21H2          WI868895     KB5041592        KB5043067
    Windows 10, version 22H2          WI868896     KB5041580        KB5043064
    Windows 10, version 21H2          WI868897     KB5041580        KB5043064
    Windows 10 Enterprise 2015 LTSB   WI868898     KB5041782        KB5043083

    Server Versions                   Message ID   Originating KB   Resolved KB
    Windows Server 2022               WI868899     KB5041160        KB5042881
    Windows Server 2019               WI868900     KB5041578        KB5043050
    Windows Server 2016               WI868901     KB5041773        KB5043051
    Windows Server 2012 R2            WI868902     KB5041828        KB5043138
    Windows Server 2012               WI868903     KB5041851        KB5043125

    After installing the August 2024 Windows security update (the Originating KBs listed above) or the August 2024 preview update, you might face issues with booting Linux if you have enabled the dual-boot setup for Windows and Linux in your device. Resulting from this issue, your device might fail to boot Linux and show the error message “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”

    The August 2024 Windows security and preview updates apply a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.

    IMPORTANT: This known issue only occurs with the installation of the August 2024 security and preview updates. The September 2024 security update (the Resolved KBs listed above) and later updates do not contain the settings that caused this issue. If you install the September 2024 update, you don’t need to apply the workaround below.

    Workaround:

    If your Linux becomes unbootable after installing the August 2024 security or preview updates, you can recover your Linux system by following these instructions.

    Important: This documentation contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows. Also, note that modifying firmware settings incorrectly might prevent your device from starting correctly. Follow these instructions carefully and only proceed if you are confident in your ability to do so.

    a) Disable Secure Boot:

    • Boot into your device’s firmware settings.
    • Disable Secure Boot (steps vary by manufacturer).

    b) Delete SBAT Update:

    • Boot into Linux.
    • Open the terminal and run the below command:

    sudo mokutil --set-sbat-policy delete

    • Enter your root password if prompted.
    • Boot into Linux once more.

    c) Verify SBAT Revocations:

    • In the terminal, run the below command:

    mokutil --list-sbat-revocations

    • Ensure the list shows no revocations.

    d) Re-enable Secure Boot:

    • Reboot into the firmware settings.
    • Re-enable Secure Boot.

    e) Check Secure Boot Status:

    • Boot into Linux. Run the below command:

    mokutil --sb-state

    • The output should be “SecureBoot enabled”. If not, retry step d).

    f) Prevent Future SBAT Updates in Windows:

    • Boot into Windows.
    • Open Command Prompt as Administrator and run:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

    At this point, you should now be able to boot into Linux or Windows as before. It’s a good time to install any pending Linux updates to ensure your system is secure.

    NOTE: On Windows-only systems, after installing the September 2024 or later updates, you can set the registry key documented in CVE-2022-2601 and CVE-2023-40547 to ensure the SBAT security update is applied. On systems that dual-boot Linux and Windows, there are no additional steps necessary after installing the September 2024 or later updates.

    Next Steps: We are working on a final resolution that will be available in a future Windows update. We recommend you install the September 2024 update or later Windows updates to avoid this issue.

    Susan Bradley Patch Lady/Prudent patcher

    2 users thanked author for this post.
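
The checks in steps c) and e) of the workaround above, as an added example that is not part of the original post or of Microsoft's text. It assumes the revocation list is CSV lines of the form `component,generation[,date]` with an `sbat,1,<date>` header line that is not itself a component revocation; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the output of the two mokutil checks in the workaround.
# Assumption: "sbat,1,<date>" is the SBAT format header; any other
# "component,generation" line is an active revocation level.

# Read revocation text on stdin, print only component revocations.
sbat_component_revocations() {
    awk -F, '{ gsub(/[ \t\r]/, "") }
             NF >= 2 && $1 != "sbat" { print $1 "," $2 }'
}

# Return 0 when the given "mokutil --sb-state" output reports Secure Boot on.
secure_boot_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# $1 = output of "mokutil --list-sbat-revocations"
# $2 = output of "mokutil --sb-state"
# Prints one of: revocations-present | secure-boot-off | ok
recovery_status() {
    revoked=$(printf '%s\n' "$1" | sbat_component_revocations)
    if [ -n "$revoked" ]; then
        echo "revocations-present"   # step b) has not taken effect yet
    elif secure_boot_enabled "$2"; then
        echo "ok"                    # steps c) and e) both pass
    else
        echo "secure-boot-off"       # retry step d)
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_BLOCKED='sbat,1,2024010900
shim,4
grub,3'
SAMPLE_CLEARED='sbat,1,2021030218'

recovery_status "$SAMPLE_BLOCKED" "SecureBoot disabled"
recovery_status "$SAMPLE_CLEARED" "SecureBoot enabled"

# On the affected machine, feed it the real command output instead:
# recovery_status "$(mokutil --list-sbat-revocations)" "$(mokutil --sb-state)"
```
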
    • #2705225

      “IMPORTANT: This known issue only occurs with the installation of the August 2024 security and preview updates. The September 2024 security update (the Resolved KBs listed above) and later updates do not contain the settings that caused this issue. If you install the September 2024 update, you don’t need to apply the workaround below.”

      Interesting.  When the September updates were posted, I know they indicated that the dual boot problem was not fixed.

      Susan Bradley Patch Lady/Prudent patcher

      2 users thanked author for this post.
      • #2705275

        Microsoft at it again breaking things with updates. I wonder how many Microsoft employees or their techs dual boot with Linux, and then have this happen.

        I am sure they would not be impressed.

        • #2705384

          This is actually fixing the issue.  They aren’t at it “again”, it already broke back in August.

          Susan Bradley Patch Lady/Prudent patcher

          • #2705399

            Yes, I was really referring to the August update that caused this.

            Thank you Susan, for your post on the fixes.

            That will help some people out reading this post…
