Key Takeaways:
- Microsoft’s August Patch Tuesday update has inadvertently caused boot issues on dual-boot systems running both Windows and Linux, leading to crashes during startup.
- The issue arises from a Windows security update intended to patch a vulnerability in the GRUB bootloader.
- Microsoft is collaborating with Linux partners to resolve the problem on affected systems.
Microsoft is currently investigating a critical issue that is causing crashes on select dual-boot Windows and Linux machines. The company detailed on the Windows Health dashboard that the problem stems from the August 2024 Patch Tuesday updates and impacts systems running Windows 11, Windows 10, and Windows Server.
Last week, Microsoft issued a security update to address a two-year-old vulnerability in the GRUB open-source bootloader, which is critical for the startup of many Linux devices. The flaw, identified as CVE-2022-2601 and rated 8.6 out of 10 on the CVSS scale, could allow hackers to bypass secure boot protections and inject malicious code during the system’s startup process.
In its security advisory, Microsoft mentioned that the update would apply a Secure Boot Advanced Targeting (SBAT) value exclusively to devices configured to run only Windows, with no intended impact on dual-boot systems running both Linux and Windows. However, reports from various forums indicate that the security patch was mistakenly applied to some dual-boot devices.
Microsoft has warned that Windows users who installed the latest security updates may face the following error when booting Linux: “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
“The August 2024 Windows security update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied,” Microsoft explained.
Currently, Microsoft is collaborating with its Linux partners to resolve the issue on affected systems. Meanwhile, the company has provided an opt-out registry key for users who have not yet installed the August 2024 Patch Tuesday updates and rebooted. Additionally, a workaround is available for users who are already affected, which involves deleting the SBAT policy by following these steps:
- Disable Secure Boot at the BIOS level.
- Log into an Ubuntu user account and open a terminal.
- Delete Microsoft’s SBAT policy with: sudo mokutil --set-sbat-policy delete
- Reboot the PC and log back into Ubuntu so that the SBAT policy is updated.
- Finally, restart and re-enable Secure Boot in the BIOS.
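The “SBAT self-check failed” message above comes from shim comparing the component generations recorded in its own .sbat section against the minimum generations in the SBAT revocation list stored in firmware: a component whose generation is below the revoked minimum is refused. The following is an added example that models that comparison in Python; it is not code from the article, from shim or from mokutil. The CSV layouts follow the public SBAT format, but every component name, generation number and date below is a constructed sample, not the real revocation data shipped by the August 2024 update.

```python
"""Model of the SBAT generation check performed at boot.

Added example, not code from the article or from the shim/mokutil projects.
All component names, generations and dates are CONSTRUCTED sample values.
"""
import csv
import io

# Constructed sample .sbat sections as embedded in a bootloader binary.
# Fields: component,generation,vendor,package,version,url
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
    "shim,3,Example Vendor,shim,15.x,https://example.invalid/shim\n"
)
NEW_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
    "shim,4,Example Vendor,shim,15.y,https://example.invalid/shim\n"
)

# Constructed sample revocation lists (the firmware-side SbatLevel data).
# First row is the header 'sbat,<generation>,<datestamp>'; each following
# row names a component and the minimum generation still allowed to boot.
REVOCATIONS_BEFORE = "sbat,1,2023010100\nshim,2\ngrub,3\n"
REVOCATIONS_AFTER = "sbat,1,2024010100\nshim,4\ngrub,3\ngrub.debian,4\n"


def parse_sbat_section(text):
    """Parse a binary's .sbat section into {component: generation}.
    Fields after the first two are vendor metadata and are ignored."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0]:
            continue
        entries[row[0]] = int(row[1])
    return entries


def parse_revocations(text):
    """Parse a revocation list into (datestamp, {component: minimum_gen}).
    The 'sbat' header row doubles as the minimum for the 'sbat' component."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r and r[0]]
    datestamp = rows[0][2] if len(rows[0]) > 2 else ""
    minimums = {r[0]: int(r[1]) for r in rows}
    return datestamp, minimums


def sbat_check(binary_sbat, minimums):
    """Return [(component, have, need)] for every component present in the
    binary whose generation is below the revoked minimum. Components named
    in the revocation list but absent from the binary do not count: the
    check only constrains what the binary declares about itself."""
    violations = []
    for component, need in minimums.items():
        have = binary_sbat.get(component)
        if have is not None and have < need:
            violations.append((component, have, need))
    return violations


def self_check(binary_text, revocation_text):
    """Mirror the boot-time outcome: 'ok' or the policy-violation message."""
    _, minimums = parse_revocations(revocation_text)
    violations = sbat_check(parse_sbat_section(binary_text), minimums)
    if violations:
        return "SBAT self-check failed: Security Policy Violation"
    return "ok"


if __name__ == "__main__":
    # An older shim boots under the old list but is refused once the
    # stricter list is installed; a newer shim passes both.
    for label, shim in (("old shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        for when, revs in (("before", REVOCATIONS_BEFORE), ("after", REVOCATIONS_AFTER)):
            print(f"{label}, revocations {when}: {self_check(shim, revs)}")
```

Deleting the SBAT policy, as the workaround does, corresponds here to emptying the minimums dictionary, after which no declared component can fall below a revoked generation and the same binary boots again.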
In Windows 11, Microsoft made Secure Boot a mandatory requirement to safeguard users against malware and unauthorized software during the boot process. However, over the past few years, Microsoft has identified various vulnerabilities in Secure Boot that could be exploited to compromise Windows PCs.