Microsoft has acknowledged a serious issue impacting both Windows 10 and Windows 11 PCs. The affected Windows 10 and Windows 11 versions include the latest 23H2 OS versions. After installing the August update, Linux may fail to boot if your device is set up to dual-boot Windows and Linux.
Microsoft has explained that because of this issue your PC might fail to boot Linux and show the error message below.
“Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
Explaining the cause of this issue, Microsoft says that the August 2024 Windows update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows in order to block old boot managers.
The August 2024 Windows security update applies a Secure Boot Advanced Targeting (SBAT) setting to devices that run Windows to block old, vulnerable boot managers. This SBAT update will not be applied to devices where dual booting is detected. On some devices, the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied.
To mitigate this issue, Microsoft advises using the workaround below on PCs that dual-boot Linux. Microsoft is also investigating the issue and intends to provide an update when more information is available.
Workaround:
Scenario 1: Before applying the August 2024 Windows update
If you’re dual booting Linux and Windows and you haven’t finalized the installation of the August 2024 Windows update with a reboot yet, you will be able to use the below opt-out registry key. This registry key prevents the SBAT update from being applied as part of the August 2024 Windows update and future Windows updates, preventing this issue from happening. Later on, you will be able to delete the registry key if you want to install future SBAT updates.
Important: This documentation contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
Scenario 2: After applying the August 2024 Windows update
If your Linux becomes unbootable after installing the August 13, 2024, or later updates, you can recover your Linux system by following these instructions.
Important: Modifying firmware settings incorrectly might prevent your device from starting correctly. Follow these instructions carefully and only proceed if you are confident in your ability to do so.
a) Disable Secure Boot:
- Boot into your device’s firmware settings.
- Disable Secure Boot (steps vary by manufacturer).
b) Delete SBAT Update:
- Boot into Linux.
- Open the terminal and run the below command:
sudo mokutil --set-sbat-policy delete
- Enter your root password if prompted.
- Boot into Linux once more.
c) Verify SBAT Revocations:
- In the terminal, run the below command:
mokutil --list-sbat-revocations
- Ensure the list shows no revocations.
d) Re-enable Secure Boot:
- Reboot into the firmware settings.
- Re-enable Secure Boot.
e) Check Secure Boot Status:
- Boot into Linux. Run the below command:
mokutil --sb-state
- The output should be “SecureBoot enabled”. If not, retry step 4 (step d above).
f) Prevent Future SBAT Updates in Windows:
- Boot into Windows.
- Open Command Prompt as Administrator and run:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
At this point, you should now be able to boot into Linux or Windows as before. It’s a good time to install any pending Linux updates to ensure your system is secure.
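The checks in steps c) and e) can be scripted so that the result is not judged by eye. The following is an added shell example, not part of Microsoft's guidance or of the original article. It assumes that the revocation list is printed as CSV lines of the form component,generation and that a leading "sbat,..." line describes the list itself rather than revoking a boot component; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: automates the checks in steps c) and e).
# Assumption: the revocation list is CSV, one "component,generation" entry per
# line, and a leading "sbat,..." line describes the list itself.

# Read a revocation list on stdin; print each boot component it revokes.
sbat_component_revocations() {
    awk -F, '
        { gsub(/[ \t\r]/, "") }      # tolerate padding and CRLF line ends
        $0 == ""     { next }        # blank line
        $1 == "sbat" { next }        # list header, not a boot component
        NF >= 2 && $2 ~ /^[0-9]+$/ { print $1 "," $2 }
    '
}

# Step c): succeed only when $1 (mokutil --list-sbat-revocations output)
# contains no component revocations.
sbat_revocations_cleared() {
    revoked=$(printf '%s\n' "$1" | sbat_component_revocations)
    if [ -n "$revoked" ]; then
        printf 'still revoked: %s\n' $revoked >&2
        return 1
    fi
    return 0
}

# Step e): succeed only when $1 (mokutil --sb-state output) reports enabled.
secure_boot_enabled() {
    first=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
    [ "$first" = "SecureBoot enabled" ]
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_BLOCKED='sbat,1,2024010100
shim,4
grub,3'
SAMPLE_CLEARED='sbat,1,2021010100'

# Run against the real tool only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    sbat_revocations_cleared "$(mokutil --list-sbat-revocations)" &&
        echo "step c) OK: no component revocations"
    secure_boot_enabled "$(mokutil --sb-state)" &&
        echo "step e) OK: Secure Boot enabled"
fi
```

Run the step c) check while Secure Boot is still disabled and the step e) check after re-enabling it, in the same order as the procedure.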
Next steps: We are investigating the issue with our Linux partners and will provide an update when more information is available.