Microsoft has officially acknowledged a significant issue affecting users who have set up dual-boot systems with Windows and Linux on their devices. After installing the August security update for Windows 11 versions 23H2 and 22H2, specifically KB5041585, many users are encountering problems booting into Linux.
The issue presents itself with the error message:
“Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.”
This error has been widely reported, leaving many users frustrated and searching for solutions.
The Cause: SBAT Settings in KB5041585
According to the information provided by Microsoft, the KB5041585 update applies a Secure Boot Advanced Targeting (SBAT) setting to devices running Windows. This setting is designed to block older, vulnerable boot managers, thereby enhancing security.
However, the SBAT update is not supposed to apply automatically if the system detects a dual-boot configuration. Unfortunately, on some devices, the system fails to recognize custom dual-boot setups and applies the SBAT update anyway, leading to the Linux boot failure.
Temporary Fix: SBAT Registry Method
If you haven’t finalized the installation of the KB5041585 update with a reboot yet, Microsoft suggests using the OptOut registry method to protect your device from this issue. Here’s what you need to do:
Open Registry Editor: Press Win + R, type regedit, and press Enter.
Navigate to the Following Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT
Create a New DWORD (32-bit) Value: Right-click on the right side of the window, select New > DWORD (32-bit) Value, and name it OptOut.
Set the Value Data: Double-click on the OptOut entry and set its value data to 1.
This method will prevent the SBAT update from installing on your device, avoiding the Linux boot issue. It also means the device does not receive the block on older, vulnerable boot managers that the SBAT setting is designed to apply.
Users who have already installed the Update (Try this)
If you have already installed the KB5041585 update and are experiencing the boot issue, Microsoft has provided an official solution as well. Here’s what you need to do:
Step 1: Disable Secure Boot
Restart your device and enter the firmware settings (BIOS/UEFI) by pressing the key specified during startup (usually F2, DEL, or ESC, depending on your manufacturer).
Please navigate to the Secure Boot settings and disable it. The exact steps may vary based on your device’s manufacturer, so refer to your user manual if needed.
You can check the Microsoft support page to learn How to Enable or Disable Secure Boot on Windows 11 PC.
Step 2: Delete SBAT Update in Linux
Start your device and boot into your preferred Linux distribution.
Once in Linux, open the terminal.
Execute the following command to delete the SBAT update:
    sudo mokutil --set-sbat-policy delete
Enter your root password when prompted.
Restart your system and boot back into Linux to apply the changes.
Step 3: Verify SBAT Revocations
In the terminal, run the following command to ensure there are no SBAT revocations:
    mokutil --list-sbat-revocations
Verify that the list shows no revocations.
Step 4: Re-enable Secure Boot
Restart your device and enter the firmware settings again. Navigate to the Secure Boot settings and re-enable it.
Step 5: Verify Secure Boot Status in Linux
Start your device and boot into Linux.
Open the terminal and run the following command to check the status of Secure Boot:
    mokutil --sb-state
The output should read “SecureBoot enabled.” If it doesn’t, revisit Step 4 and ensure Secure Boot is properly enabled.
Step 6: Prevent Future SBAT Updates in Windows
Restart your device and boot into Windows.
Open the Command Prompt with administrative privileges.
Run the following command to prevent future SBAT updates:
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
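The Linux-side checks from Steps 3 and 5 as a script; this is an added example, not part of Microsoft's guidance or the original article. It assumes that a line beginning with "sbat," in the mokutil listing is the list's own version header rather than a component revocation, and both sample listings are constructed. The --live argument belongs to this script, not to mokutil.

```shell
#!/bin/sh
# Added example: post-recovery checks for Steps 3 and 5 of the procedure.

# Print component revocations found in `mokutil --list-sbat-revocations`
# output (read on stdin). Assumption: a line starting with "sbat," is the
# list's own version/date header, not a revocation of shim or GRUB.
sbat_component_revocations() {
    tr -d '\r' | awk -F, 'NF >= 2 && $1 != "sbat" { print $1 "," $2 }'
}

# Classify a revocation listing (stdin): prints "clean" or "revoked: <entries>".
sbat_status() {
    found=$(sbat_component_revocations | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$found" ]; then
        echo "clean"
    else
        echo "revoked: $found"
    fi
}

# Succeed only if `mokutil --sb-state` output (stdin) reports Secure Boot on.
secure_boot_enabled() {
    grep -q '^SecureBoot enabled'
}

# Constructed sample listings (not captured from a real machine).
SAMPLE_AFTER_UPDATE='sbat,1,2024010100
shim,4
grub,3'
SAMPLE_AFTER_DELETE='sbat,1,2021030218'

# Live check on a real system: run this script with --live.
if [ "${1:-}" = "--live" ]; then
    mokutil --list-sbat-revocations | sbat_status
    if mokutil --sb-state | secure_boot_enabled; then
        echo "Secure Boot: enabled"
    else
        echo "Secure Boot: NOT enabled (revisit Step 4)"
    fi
fi
```

A "revoked:" result after Step 2 means the delete policy has not taken effect yet; reboot into Linux again with Secure Boot still disabled before moving on to Step 4.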
Microsoft has stated that they are actively working with Linux partners to address the problem and will provide more updates soon.
1 Comment
Hi, I have difficulties with step 2. How to boot up Linux when the GRUB is not working and Windows shows up immediately?