Recent Windows updates cause problem with Linux boot process

Microsoft’s August Patch Day leads to unexpected problems with Linux systems. A change to Secure Boot Advanced Targeting (SBAT) blocks outdated Linux bootloaders. Installation media and live systems are particularly affected. What users need to know now.

Trigger suspected in August Windows patch

Microsoft introduced a change in the Windows updates of August 13 that has unexpected consequences for Linux users, as heise reports. Some Linux installation media and live systems can no longer be started on Windows computers on which the update has been freshly installed. The reason is a change to Secure Boot Advanced Targeting (SBAT), which Microsoft introduced with the updates KB5041571 and KB5041580 for Windows 10 and Windows 11.

The change affects the SBAT system developed by the open source community. SBAT is intended to solve the problem of limited storage space in some BIOS versions, which offer only little space for the DBX database with signatures of vulnerable bootloaders. In many cases, SBAT now replaces the previous method of blocking insecure bootloaders via blacklist entries in the DBX database.

Outdated Linux bootloaders in the crosshairs

The main reason for the current boot problems is outdated Linux bootloaders, which have been considered unsafe for some time. In contrast to previous updates, in which the UEFI BIOS refused to start a bootloader that was recognized as unsafe, it is now the Linux bootloaders Shim and Grub themselves that refuse to continue.

They recognize that Secure Boot is no longer guaranteed and therefore prevent the system from starting. Various Linux distributions are affected. According to heise, this includes the widely used Ubuntu 24.04 LTS and live systems based on it, such as Desinfec’t. Linux systems already installed on hard drives or SSDs that have the latest updates, by contrast, can continue to boot without problems.
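The generation comparison behind this refusal can be sketched as follows. This is an added example, not code from the article, from shim or from GRUB; the field layout follows the shim project's SBAT specification, and all component names, generation numbers and the revocation list below are constructed sample values.

```python
import csv
import io

# Constructed sample data. A bootloader carries a ".sbat" section in CSV form:
# component,generation,vendor,package,version,url
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,1,Example Distro,grub2,2.06-1,https://distro.example/
"""
NEW_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.example,2,Example Distro,grub2,2.12-1,https://distro.example/
"""
# Constructed revocation list as stored in firmware: the minimum generation
# each component must have. One short line replaces many DBX hash entries.
SBAT_LEVEL = """\
sbat,1,2024010100
grub,3
grub.example,2
"""


def parse_generations(text):
    """Return {component: generation}; rows without a numeric generation are skipped."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].strip().isdigit():
            continue
        gens[row[0].strip()] = int(row[1])
    return gens


def revoked_components(binary_sbat, sbat_level):
    """List (component, found, required) for every component below its minimum."""
    have = parse_generations(binary_sbat)
    floor = parse_generations(sbat_level)
    return sorted((c, g, floor[c]) for c, g in have.items()
                  if c in floor and g < floor[c])


def may_boot(binary_sbat, sbat_level):
    """A binary passes only if none of its components is revoked."""
    return not revoked_components(binary_sbat, sbat_level)


if __name__ == "__main__":
    for name, sbat in (("old image", OLD_GRUB_SBAT), ("new image", NEW_GRUB_SBAT)):
        print(name, "boots" if may_boot(sbat, SBAT_LEVEL) else "refused",
              revoked_components(sbat, SBAT_LEVEL))
```

Because the minimum generations are stored in firmware, raising them from Windows also affects removable media booted later on the same machine, which is why older installation images stop starting while updated installed systems do not.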

Ambiguities and contradictions

Interestingly, Microsoft states in its knowledge base entry that the update “does not apply to systems on which Windows and Linux are dual-booted.” Nevertheless, there are reports that the update also prevents the boot process from starting on systems with parallel installations. Microsoft has not yet confirmed an error message.

There are several ways for affected users to deal with the problem:

  1. Wait for updated images: The affected Linux distributors need to update their installation media, which will take a few days.
  2. Disabling Secure Boot: As an alternative, users can disable Secure Boot on their computer. However, caution is advised: Before disabling, the BitLocker recovery key should be written down or printed out, as encrypted Windows installations can be sensitive to changes in Secure Boot.

The introduction of SBAT by Microsoft is a double-edged sword. On the one hand, it improves security by blocking outdated and potentially insecure bootloaders. On the other hand, it once again shows the Linux community’s dependence on Microsoft.

Despite the optimizations provided by SBAT, the need to have the Linux bootloader Shim regularly certified and signed by Microsoft for Secure Boot remains.