HomeWinBuzzer NewsMicrosoft Windows Patch Causes Dual-Boot Failures for Linux Users

Microsoft Windows Patch Causes Dual-Boot Failures for Linux Users

A Microsoft security update caused boot issues for Windows-Linux dual-boot systems. The update, intended to fix a vulnerability, mistakenly applied a Secure Boot policy.

-

A recent security update from has led to boot problems for users with dual-boot systems featuring both Windows and , the company has confirmed. The update, intended to fix a vulnerability in GRUB, an open-source boot loader, has unexpectedly affected systems set up to run both . The vulnerability, known as CVE-2022-2601, allowed attackers to bypass the Secure Boot mechanism designed to ensure only trusted software runs during startup.

Misapplied Secure Boot Policy

The update, which was released as part of August 2024 Patch Tuesday, implemented a Secure Boot Advanced Targeting (SBAT) policy designed to revoke certain boot path components. It was meant to be restricted to Windows-only devices. Instead, it mistakenly affected dual-boot systems and Windows devices set to boot Linux from ISO images or USB drives, causing boot failures.

Users have encountered errors such as “Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation” while attempting to boot into Linux. The problem impacts various Linux distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, and Puppy Linux.

Microsoft's Response and Interim Measures

Microsoft acknowledged the issue and committed to resolving it. The root cause was attributed to a failure to detect dual-boot configurations, leading to the incorrect application of the SBAT policy. As a temporary measure, Microsoft advises users not to restart their Windows systems to apply the update and instead use a registry key to block the update with the command:

```
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
```

 

Temporary Fixes by Users

Some users have found workarounds such as disabling Secure Boot or removing the SBAT policy. To delete the SBAT policy, users can disable Secure Boot, log into Linux, and run the command `sudo mokutil --set-sbat-policy delete`. Afterward, Secure Boot needs to be re-enabled in the BIOS settings.

All current client and server versions of and 11, including Windows Server editions from 2012 onward, are affected. The scenario underscores the complexities of managing Secure Boot in mixed-OS environments.

Microsoft's situation is part of an ongoing struggle with Secure Boot, which has encountered several vulnerabilities in recent times. Some research has pointed out flaws such as the use of test keys labeled “DO NOT TRUST” to authenticate Secure Boot on many devices. Security analyst Will Dormann has highlighted that while Secure Boot boosts , its efficacy is compromised by such vulnerabilities.

SourceMicrosoft
Luke Jones
Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.

Recent News

Mastodon