-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The latest Microsoft update marks multi-boot setups as "violating security policies." #682
Comments
These revocations should not be revoking any of the most up-to-date binaries. Systems that run into this can likely be recovered by disabling secure boot and clearing the SbatLevel via "sudo mokutil --set-sbat-policy delete" and then updating to the latest packages before booting Windows again. Windows is supposed to check for signs of an installed OS that could be revoked by SBAT and, if it finds one, leave managing SBAT based revocations up to that OS. Based on the public reports there are some cases that are not being caught, impacting some boot devices more than others. This is being investigated. This check can not find an OS that's booted at a later point from removable (USB) media. While in general such removable media should be updated regularly, that may not be common practice in all places yet. However we should not assume that any Windows PC will be able to boot arbitrarily old media without system owner (UEFI Setup access) intervention. Client systems that ship with Windows pre-installed may also have SBAT revocations applied. The recommended approach is to always provision a client device using the latest update release for the Linux distro being installed. However if there is a need to install an older update release on a system that is in a state where it rejects it, the following steps can be used to clear these revocations:
Systems that routinely run both Windows and older Linux release where the Linux root is not visible while Windows is running can use a registry setting to prevent Windows from applying SBAT based revocations. |
15.7 shims require "sudo mokutil --set-sbat-policy delete" when Secure Boot is disabled to clear SbatLevel. The current revocations are revoking 15.7 shims, so an installed OS being blocked will require the mokutil command to clear SbatLevel once Secure Boot is disabled. |
Thank you for your response. I found that 15.8 is normal, and only shims less than 15.8 are abnormal. |
Just reopening this for visibility |
I will keep updating my top comment with the most concise information that I have available. Please feel free to share that with anyone that needs it. |
https://support.microsoft.com/en-us/topic/august-13-2024-kb5041571-os-build-26100-1457-d218c08d-8de2-4f9a-8fe1-a2c2fd83ca9a
https://forums.linuxmint.com/viewtopic.php?t=427297
How should we respond to this?
The text was updated successfully, but these errors were encountered: