Windows Update strikes again: some Windows computers on which the update published on August 13 is installed can no longer start installation media and live systems of some Linux distributions. According to our research, the current Ubuntu 24.04 LTS as well as live systems built on it, such as Disinfec't, are also affected.
As with previous Windows updates that prevented Linux from booting, the culprits are outdated Linux bootloaders that have been known to be insecure for some time. In previous updates, it was blacklist entries in the Secure Boot DBX database that stopped Linux bootloaders; with the updates KB5041571 and KB5041580 for Windows 10 and 11, Microsoft has instead rolled out an update developed by the open source community under the name Secure Boot Advanced Targeting (SBAT). It is intended to address a storage problem in the UEFI firmware of some motherboards, which only provides limited space for the DBX database of weak bootloader signatures.
SBAT instead of DBX database
With DBX entries, it is the UEFI firmware that refuses to boot a bootloader recognized as insecure; with SBAT, it is the Linux bootloaders Shim and GRUB themselves that recognize that Secure Boot is no longer guaranteed and therefore refuse to work. The change is also meant to keep SBAT blacklists as small as possible. It does not, however, free Microsoft from having to certify and sign the Linux bootloader Shim for Secure Boot over and over again: Secure Boot still only boots bootloaders signed by a trusted source, which on almost all hardware means Microsoft. Since these bootloaders can now be blocked via SBAT if they turn out to be faulty, no new entry has to be added to the DBX blacklist.
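To make the difference between a DBX hash entry and an SBAT generation check concrete, here is an added Python example (not code from shim, GRUB or this article) that applies a constructed SBAT revocation policy to a constructed GRUB `.sbat` section; the comparison rule, rejecting a component whose generation is below the policy's minimum, follows the shim project's SBAT description, and all values are constructed.

```python
import csv
import io

# Constructed .sbat section of an older GRUB build (same six-field CSV layout
# as real images: name, generation, vendor, package, version, URL).
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n"
    "grub.examplelinux,1,Example Linux,grub2,2.12-1,https://example.invalid/grub\n"
)

# Constructed revocation policy in the style of shim's SbatLevel data:
# a header line with a date stamp, then "component,minimum generation" pairs.
REVOCATION_POLICY = "sbat,1,2024010900\nshim,4\ngrub,4\n"


def parse_sbat(text):
    """Map component name -> generation, skipping the 'sbat' header line."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[0] == "sbat":
            continue
        try:
            gens[row[0]] = int(row[1])
        except ValueError:
            raise ValueError(f"non-numeric generation in SBAT entry {row!r}")
    return gens


def sbat_violations(image_sbat, policy):
    """Return [(component, image_gen, required_gen)] for every revoked component.

    A component is revoked when it appears in the policy and the image's
    generation is lower than the policy's minimum. Components absent from
    the policy are unaffected, so one policy line covers every old build of
    that component without a per-hash DBX entry.
    """
    have = parse_sbat(image_sbat)
    need = parse_sbat(policy)
    return [(name, have[name], need[name])
            for name in have if name in need and have[name] < need[name]]


def would_boot(image_sbat, policy):
    """True when a shim enforcing this policy would accept the image."""
    return not sbat_violations(image_sbat, policy)
```

Raising the GRUB generation in the image to 4 (a rebuilt, fixed GRUB) makes the same policy accept it, which is why distributions have to ship new media rather than Microsoft shipping new DBX hashes.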
It’s currently unclear which systems and distributions are affected by the new boot issues. Microsoft states in a knowledge base entry that the update “does not apply to systems that dual-boot Windows and Linux.” However, there are already reports that the update will also prevent Linux machines from booting on systems with parallel installations. On other systems, our tests show that Ubuntu 24.04 LTS continues to boot without any issues. Linux systems that are already installed on a hard drive or SSD and have the latest updates installed will continue to boot anyway.
Waiting for new images
To resolve the outdated bootloader issue, affected distributions will again have to update their installation media, which could take a few days. Alternatively, you can disable Secure Boot on your PC, but only if you have previously written down or printed your BitLocker recovery key. Encrypted Windows installations sometimes react sensitively to changes to Secure Boot and then require the key to be entered the next time they start.