Microsoft reacts to Linux boot loaders broken by Windows update
The August Windows updates have left Linux installations unable to boot. Microsoft is now naming the cause.
Over the weekend it emerged that the August Windows updates caused numerous Linux distributions to stop booting. The cause is boot loaders blocked by the Windows updates; Microsoft now explains that too many of them were blocked.
In an entry in the Windows Release Health Center, Microsoft explains that boot problems with Linux can occur after installing the August Windows updates if dual-boot operation with Windows and Linux has been set up. The device then cannot start Linux and shows the error message "Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation".
Change to SBAT settings
The August update adds a setting to Secure Boot Advanced Targeting (SBAT) on devices running Windows in order to block old, vulnerable boot managers. This SBAT update is not supposed to be installed on devices with a dual-boot configuration. On some devices, however, this detection failed, for example because customized dual-boot options are in use, so the SBAT changes were applied even though they should not have been, Microsoft explains.
The authors suggest a somewhat half-hearted workaround: provided the installation of the August update has not yet been completed with a reboot, potentially affected users can set a registry key to opt out so that the SBAT update is not installed. The key can be deleted again later if SBAT updates are to be installed after all. According to Microsoft, the command to add the key is
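To illustrate the check behind the error message quoted above, here is an added Python model of shim's SBAT self-check (example code, not from the article, shim or Microsoft): a binary's .sbat section and the firmware-side revocation policy are both CSV, and any component whose generation falls below the policy's minimum fails the check. The SBAT entries and generation numbers in the sample are constructed for the example.

```python
import csv
from io import StringIO
# Constructed sample data: generation numbers are illustrative only, not
# the actual values Microsoft's August update writes to the firmware.
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu14,https://www.ubuntu.com/
"""
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,3,", "grub,4,")

# Firmware-side revocation policy (the SbatLevel UEFI variable): one line per
# component with the minimum generation that is still accepted.
REVOCATION_POLICY = """\
sbat,1,2024010900
shim,4
grub,4
"""


def parse_sbat(text):
    """Map component name -> generation. Only the first two CSV fields take
    part in the comparison, so this serves for both the .sbat section of a
    binary and the policy."""
    gens = {}
    for row in csv.reader(StringIO(text)):
        if row and not row[0].startswith("#"):
            gens[row[0]] = int(row[1])
    return gens


def sbat_check(section_text, policy_text):
    """Return (allowed, violations). The binary fails when any component it
    declares appears in the policy with a higher minimum generation than the
    one the binary carries; components it does not declare are not checked."""
    section = parse_sbat(section_text)
    policy = parse_sbat(policy_text)
    violations = [
        f"{name}: generation {gen} < required {policy[name]}"
        for name, gen in section.items()
        if name in policy and gen < policy[name]
    ]
    return (not violations, violations)


if __name__ == "__main__":
    for label, sbat in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)):
        ok, why = sbat_check(sbat, REVOCATION_POLICY)
        print(label, "boots" if ok else "SBAT self-check failed: " + "; ".join(why))
```

Once the policy is raised in the firmware, an otherwise valid, signed old boot loader is refused on its generation number alone, which is why only updated images with newer boot loaders start again.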
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
Microsoft says it is continuing to investigate the problem together with its Linux partners and will publish further information as it comes to light. Microsoft lists Windows 11 23H2, 22H2 and 21H2, Windows 10 22H2 and 21H2 and Windows 10 Enterprise 2015 LTSB as well as Windows Server 2022, 2019, 2016, 2012 R2 and 2012 as affected Windows versions.
For the time being, affected users will therefore mostly have to wait for updated images of the Linux distributions whose updated boot loaders start again. As a further workaround, those affected can disable Secure Boot; however, they should first make sure they have backup copies of their BitLocker recovery keys, as Windows sometimes responds to changes in Secure Boot by requesting these keys at startup.
Last Saturday it became clear that the Windows updates from last Wednesday night caused some installation media and live systems of Linux distributions to stop booting. This also affects popular distributions such as Ubuntu 24.04 LTS and live systems based on it such as Desinfec't. These apparently use outdated boot loaders that the new SBAT entries mark as insecure.
(dmk)