A Temporary Workaround for a Widespread Issue
Recently, the Windows security update KB5041585 caused significant disruption for many users with dual-boot configurations, preventing Linux from booting properly. Microsoft acknowledged the problem and announced that they were working on a fix but did not provide a specific deployment date. A week after the issue arose, Microsoft has now shared a workaround to help users temporarily resolve the conflict related to Secure Boot, which has been preventing certain Linux distributions from starting on multi-boot systems.
Step-by-Step Guide to the Temporary Solution
While awaiting an official patch, Microsoft has released a series of steps that can be used to address the issue in the meantime. The process is somewhat technical and requires users to navigate through system settings and make changes that may be daunting for those unfamiliar with such tasks. However, for those comfortable with these procedures, following these steps should help restore a functional dual-boot setup.
- Disable Secure Boot:
The first step is to disable Secure Boot. To do this, you need to boot into your PC’s firmware settings and turn off Secure Boot. The exact process for this step varies depending on the manufacturer of your PC.
- Remove the SBAT Update:
Next, you’ll need to remove the SBAT update. Boot into Linux, open the terminal, and run the command `sudo mokutil --set-sbat-policy delete`. Enter your password when prompted, then restart your system into Linux.
- Verify the SBAT Revocation Removal:
After removing the SBAT update, you’ll want to verify that it was successfully removed. Open the terminal again and execute `mokutil --list-sbat-revocations`. The list that appears should show no revocations.
- Re-enable Secure Boot:
Once you’ve completed the above steps, don’t forget to re-enable Secure Boot in your firmware settings.
- Prevent Future SBAT Updates:
As a precaution, you can also prevent future SBAT updates. Boot into Windows, open Command Prompt as an administrator, and run the command `reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD`.
It’s important to note that the final step is also recommended as a preventive measure for users with dual-boot Windows-Linux configurations who have not yet installed the August update on Windows 10 (versions 21H2, 22H2, Enterprise 2015 LTSB) and Windows 11 (versions 21H2, 22H2, 23H2).
A Bug That Shouldn’t Have Happened
To recap, the Windows security update KB5041585 released in August significantly disrupted many dual-boot Windows-Linux setups. The issue arose because the update applied an SBAT (Secure Boot Advanced Targeting) setting to devices running Microsoft’s OS in order to block vulnerable bootloaders. In the case of dual-boot configurations, this patch blocked non-secure versions of GRUB used by many GNU/Linux distributions, both old and new, as evidenced by the inability to boot Ubuntu 24.04 and Debian 12.6.0.
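The comparison behind this blocking, and a way to read the output of the verification step, as an added example (not code from Microsoft or the shim project): shim refuses a bootloader when any component generation in its `.sbat` section is lower than the minimum listed in the SBAT revocation data. The function name `sbat_blocked` and all sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example; every sample value below is constructed for illustration.

# sbat_blocked REVOCATIONS BINARY_SBAT
# REVOCATIONS: text shaped like `mokutil --list-sbat-revocations` output
#              (rows of component,minimum_generation).
# BINARY_SBAT: contents of a bootloader's .sbat section, e.g. extracted with
#              `objcopy -O binary --only-section=.sbat grubx64.efi /dev/stdout`
#              (rows of component,generation,vendor,package,version,url).
# Prints each component whose generation is below the required minimum and
# returns 1 if there is one (the binary would be refused), otherwise 0.
sbat_blocked() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F, '
        { sub(/\r$/, "") }                        # tolerate CRLF input
        $0 == "---" { in_binary = 1; next }       # separator between the two inputs
        NF < 2 || $2 !~ /^[0-9]+$/ { next }       # skip blank or malformed rows
        !in_binary { min[$1] = $2 + 0; next }     # revocation row
        ($1 in min) && ($2 + 0 < min[$1]) {
            printf "%s: binary generation %d < required %d\n", $1, $2, min[$1]
            blocked = 1
        }
        END { exit (blocked ? 1 : 0) }
    '
}

# Constructed revocation data: GRUB binaries below generation 3 are revoked.
REVOCATIONS='sbat,1,2024010100
grub,3'

# Constructed .sbat contents of an older and a newer GRUB build.
OLD_GRUB='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,2,Example Vendor,grub,2.06,https://example.invalid/grub
grub.example,1,Example Distro,grub2,2.06-1,https://example.invalid/distro'

NEW_GRUB='sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,4,Example Vendor,grub,2.12,https://example.invalid/grub'

check() {
    if sbat_blocked "$REVOCATIONS" "$2"; then echo "$1: accepted"
    else echo "$1: refused"; fi
}
check "old GRUB" "$OLD_GRUB"
check "new GRUB" "$NEW_GRUB"
```

Passing an empty revocation list, the state the verification step expects after the workaround, makes the function accept the older build as well.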
After receiving numerous reports from the community, Microsoft initially stated that the problematic update should not have been applied to multi-boot systems, acknowledging that some configurations may have escaped detection and received the update erroneously. Following widespread outcry, the company decided to address the issue more directly, stating that they were working on an official fix, although no deployment date has yet been disclosed.
Source: Microsoft