MS-DEFCON 4: Side effects for dual booters


    #2699626

    ISSUE 21.35.1 • 2024-08-27 • By Susan Bradley

    Secure Boot is causing — once again — side effects for Windows patchers. The August updates are triggering
    [See the full post at: MS-DEFCON 4: Side effects for dual booters]

    Susan Bradley Patch Lady/Prudent patcher

    9 users thanked author for this post.
    Viewing 16 reply threads
    • #2699652

      This is one of the reasons I prefer to use virtual machines rather than dual-booting.

      That’s right — always blame the user instead of the vendor when they change their security requirements.

      Seriously, the Secure Boot certificate changes issue does not just affect those who dual-boot Windows and Linux. For example, I have Linux on an internal SSD, separate from Windows 11 Pro. But the bootloader is GRUB2, so technically this is also a dual-boot. So are USB, Thunderbolt and other external drives when booted using either Windows or Linux bootloaders. This includes various Rescue Media.

      I believe the patch with its SBAT updates would have been applied if the dual-boot was using GRUB2 rather than the Windows bootloader to manage the dual-boot. But I may have misread the documentation in this regard.

      Most Linux distros have already adjusted their shims to accommodate the Secure Boot changes. These were announced months ago. Most Linux installers also have been adjusted. Some Linux Live and Windows and Linux Boot USB environments have not been adjusted. These will encounter exactly the same Secure Boot Warnings. In some cases no upgrades are available. Ventoy would need to update their MOK (Security Key) entry routine, but nothing more would seem to be needed there.

      I use Linux Mint, Ubuntu and Ventoy with several ISOs onboard on a USB Flash Drive, and have yet to encounter any issues. I have applied the August updates per Susan’s previous advice when we were at MS DEFCON 3. I don’t use Bitlocker.

      -- rc primak

      2 users thanked author for this post.
      • #2699658

        That’s right — always blame the user instead of the vendor when they change their security requirements.

        Which vendor did you have in mind? Aren’t Shim/SBAT, and even the “Something has gone seriously wrong” message, open-source products to protect Linux users against bootkit/rootkit malware caused by vulnerable bootloaders?

        • #2701349

          Aren’t Shim/SBAT, and even the “Something has gone seriously wrong” message, open-source products to protect Linux users against bootkit/rootkit malware caused by vulnerable bootloaders?

          Yes and no.

          To understand the problem, consider this: SELinux had its bootloader blacklisted by this update. And SELinux is not alone in having had some of what users consider current versions blacklisted.

          There are literally thousands of USB Boot ISOs which are built on SELinux. Yes, they are vulnerable. But how long and at what cost would it take to update all those boot USB images and ISOs to comply with the new Secure Boot requirements?

          Ventoy is a highly-modified multiboot USB creation tool. It also uses a form of bootloader which got blacklisted. To fix this requires much more than updating a shim or importing a new GRUB2. The developers of Ventoy as of this posting have yet to come up with a newer version which passes the new SBAT requirements.

          There are many, many more examples, some from Windows backup and recovery programs, where boot media which worked in June will no longer work in September on many Windows PCs. Many home users are finding that out the hard way.

          Consumers (home users) have no need for the added security of SBAT. That has been noted in dozens of tech and popular computer advice articles.

          This looks a lot like Microsoft trying to throw up roadblocks to installing Linux on our desktops, and to using third-party utilities and backup solutions. And to discourage dual-booting for some reason which I find totally baffling.

          And for no good security reasons — in a stand-alone or home network consumer grade computing environment.

          TPM security falls into the exact same category — for most home users, this added security is completely unnecessary. And it too interferes with launching and using Linux installers and using third party backup utility rescue media. As well as limiting dual-booting.

          Heck, if folks didn’t follow up their August Windows Updates by making entirely new Windows install and recovery USB media, they may be in for a nasty surprise down the road!

          -- rc primak

          4 users thanked author for this post.
      • #2699681

        I have seen too many issues with dual booting and getting too old to want to deal with it. Especially these days when you can repurpose hardware.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
        • #2701352

          Susan, I empathize totally with the “I’m getting too old for this ****” mentality.

          But I am not throwing in the towel. Except maybe on Windows after Windows 11.

          That would end my interest in dual-booting, FWIW.

          -- rc primak

          1 user thanked author for this post.
    • #2699654

      If I were dual-booting Linux, I’d probably just turn Secure Boot off; it doesn’t really have much benefit over there from what I can see.

      3 users thanked author for this post.
      • #2701353

        I’d probably just turn Secure Boot off,

        That sadly, was my only viable option when my Intel NUC got the SBAT update. At least for most USB boot utilities. Ventoy in particular. I spent four days and three nights trying all the workarounds and nothing worked for me. Mind you, I’m not the most sophisticated person when it comes to low-level OS and hardware/firmware troubleshooting.

        -- rc primak

        1 user thanked author for this post.
        • #2704221

          Update: After weeks of poring over online Linux forums, I finally found a way to replace the older Shim and GRUB files on my Ventoy USB Flash Drive with the updated versions. I used parts of the Fedora 40 Installer as my source, but Ubuntu and Mint (and Debian) all have their own versions of the updated Shim. Just make sure you rename your new Shim and grubx64.efi and mmx files correctly for Ventoy to continue to work.

          Once applied, these changes did require re-enrolling the MOK and Grub Hash once only per computer. But other than that, the new configuration for Ventoy is compatible with the SBAT blacklist changes.

          Details:
          https://github.com/ventoy/Ventoy/issues/2692
          https://mjg59.dreamwidth.org/70348.html

          -- rc primak
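The SBAT generation check behind the refusals discussed in the two rc primak posts above (the blacklisted Ventoy loader, and the replacement Shim/GRUB files), shown as an added example that is not part of this thread nor code from shim, Ventoy or Microsoft: it parses the CSV in a binary's .sbat section and an SBAT revocation policy and reports which component generations fall short. The SBAT strings and policy numbers below are constructed for illustration; a real section is extracted with objcopy as noted in the docstring.

```python
"""Check whether a boot binary's SBAT metadata clears an SBAT revocation policy.

Added example for this thread, not code from shim, Ventoy or Microsoft. The SBAT
strings and the policy below are constructed to show the format; for a real
binary, extract its section first: objcopy -O binary -j .sbat shimx64.efi sbat.csv
"""
import csv
from io import StringIO

# Constructed: an older shim/GRUB pair declaring generation 3 for both components.
# Each line: component,generation,vendor,package,version,url (only the first two
# fields take part in the revocation decision).
OLD_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,15.7,https://github.com/rhboot/shim
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
"""
# Constructed: a rebuilt pair whose generations satisfy the policy below.
NEW_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,15.8,https://github.com/rhboot/shim
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
"""
# Constructed policy in the shape of an SBAT revocation list: a dated header,
# then "component,minimum-generation" lines. The numbers are illustrative only.
POLICY = """\
sbat,1,2024010100
shim,4
grub,4
"""


def parse_sbat(text: str) -> dict[str, int]:
    """Parse SBAT CSV (a .sbat section or a policy) into component -> generation."""
    generations: dict[str, int] = {}
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT line: {row}")
        generations[row[0].strip()] = int(row[1])
    if "sbat" not in generations:
        raise ValueError("SBAT data lacks the mandatory 'sbat' header entry")
    return generations


def revoked_components(binary: dict[str, int],
                       policy: dict[str, int]) -> list[tuple[str, int, int]]:
    """Return (component, have, need) for every policy rule the binary fails.

    SBAT semantics: the binary is refused if any component it declares carries a
    generation below the policy minimum; components it does not declare are
    not held against it, so a policy entry for 'grub' cannot block a plain shim.
    """
    return [(c, binary[c], need) for c, need in policy.items()
            if c in binary and binary[c] < need]


def boot_verdict(sbat_text: str, policy_text: str) -> str:
    """One-line verdict for a binary's SBAT section against a policy."""
    failures = revoked_components(parse_sbat(sbat_text), parse_sbat(policy_text))
    if not failures:
        return "allowed"
    return "revoked: " + ", ".join(f"{c} {have}<{need}" for c, have, need in failures)
```

A practical use is to dump the .sbat section of every shim and GRUB on a rescue USB and run boot_verdict on each before relying on that media after the Windows update has applied its revocation list.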

    • #2699657

      Scenario:

      “If you enable the Windows boot menu then the ‘Macrium Reflect System Recovery’ option will be added to your start-up boot menu.”

      Question:

      If this ‘enable Windows boot menu’ option in Macrium Reflect has been enabled will it also be affected by the secure boot side effects mentioned in this MS-DEFCON post?

      Thanks!

      • #2699661

        @opti1
        As far as I understand the problem is with Linux so I don’t think the Windows boot menu would be affected.

        Linux Mint Cinnamon 21.1
        Group A:
        Win 10 Pro x64 v22H2 Ivy Bridge, dual boot with Linux
        Win 10 Pro x64 v22H2 Haswell, dual boot with Linux
        Win7 Pro x64 SP1 Haswell, 0patch Pro, dual boot with Linux, offline
        Win7 Home Premium x64 SP1 Ivy Bridge, 0patch Pro, offline

        2 users thanked author for this post.
      • #2699665

        @opti
        It’s a good question, though, since I remember being advised to make new Macrium Reflect USB rescue media to make sure they will boot. I imagine it could depend on what version of Macrium Reflect is used to add the boot menu option, assuming MR has updated its boot media. I have the Windows boot menu option also but just as a backup to the USB media. Hopefully someone else can answer your question definitively.

        Linux Mint Cinnamon 21.1
        Group A:
        Win 10 Pro x64 v22H2 Ivy Bridge, dual boot with Linux
        Win 10 Pro x64 v22H2 Haswell, dual boot with Linux
        Win7 Pro x64 SP1 Haswell, 0patch Pro, dual boot with Linux, offline
        Win7 Home Premium x64 SP1 Ivy Bridge, 0patch Pro, offline

      • #2699682

        No.

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
      • #2701356

        If this ‘enable Windows boot menu’ option in Macrium Reflect has been enabled will it also be affected by the secure boot side effects mentioned in this MS-DEFCON post?

        No, this is not affected. You are going to use this option essentially from a partially booted Windows OS. The bootloader has already succeeded in getting as far as the selection menu. No further secure boot issues should occur. That boot option and the creation of the rescue media I believe use files from the host OS into which it is installed to prepare its WinPE/WinRE recovery environment. I have not seen these files conflict with the SBAT update. Though, could it maybe happen? I don’t think so.

        However, you will need to create the Boot Menu Option and the Rescue Media fresh after the SBAT update is installed. At least as a precaution, maybe as a necessity to update everything. Macrium Reflect probably will prompt you to do so. But even if not, do it anyway. Which reminds me, I need to do those updates in my NUC ASAP.

        -- rc primak

        2 users thanked author for this post.
    • #2699700

      Or just keep booting into Linux until the problem goes away, then do one boot and update in win!

      • #2701357

        Or just keep booting into Linux until the problem goes away

        No. The issue is that on some systems, when the SBAT blacklist is imposed, Linux stops booting. Windows is just fine.

        -- rc primak

    • #2699755

      Okay, I installed the updates last night and everything is normal. I didn’t touch the IPv6 because I didn’t want to monkey with it and, assuming IPv6 has something to do with Ethernet cables, I don’t use those for wifi so I am safe.

      Now the only updates needed are to make sure that the Lenovo updates are installed and understanding how to install the new 22H3 update this weekend for the PC so it is in tip top form.

    • #2699811

      First, the Macrium Reflect boot option is NOT affected by this issue. As said above, it is only Linux distros.

      I followed the directions in the email about removing the Windows KB. It seemed to work. I rebooted and tried to start my Linux system – Tails (from a flash drive) and got the same shim SBAT error!

      Now what???

      2 users thanked author for this post.
      • #2699816
        • From an advanced command prompt, copy and paste the following command:
        • reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

        Can you try that?

        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD


        Moderator Edit: to make entire command visible.

        Susan Bradley Patch Lady/Prudent patcher

        • #2701358

          That Registry modification only works if applied BEFORE the update installs the SBAT blacklist.

          To remove the SBAT blacklist, one would need to know how to get inside their BIOS, go into the UEFI section, locate the DBx database, and reset it. I was not able to do this on my Intel 11th Gen NUC. Maybe I just don’t understand my BIOS in enough technical detail?

          In any event, the MOK Utilities in Linux have no effect on the error message.

          I found this error with the Ventoy multi-ISO USB flash drive program.  Nothing I tried fixed it. But maybe I missed something? I did not miss that Registry change.

          Why should home users ever need to look into our BIOSes in this much detail??

          -- rc primak

          1 user thanked author for this post.
    • #2699831

      Easy question:
      I have disabled IPV6 and also patched my systems. Should I leave IPV6 disabled, or turn it back on?

      • #2699832

        If you need/use it, turn it back on. Most ISPs still don’t support it.
        Otherwise it doesn’t matter either way, the Aug. patch has you covered.

        2 users thanked author for this post.
        • #2699897

          PK:  Thanks for the answer to bbobccat’s question – I was in the same dilemma.

          regards

          GeoffB


    • #2699855

      This seems to have gone through fine, and then I ran the Microsoft Store updates, and that caused an issue — never had any issues with it before. While some updates went through as they have always done before, these seem to be not doing anything.

    • #2699865

      I’ve been noticing more and more the catch phrase “Something has gone seriously wrong:” not just from malwaresoft, but many other companies. Is this the new “we screwed up and don’t know how to fix it” phrase?

      • #2699963

        Microsoft doesn’t use that phrase. Shim is an open-source Linux product.

        • #2701360

          Is this the new “we screwed up and don’t know how to fix it” phrase?

          No. Microsoft has created or added to a blacklist. It is up to everyone else to upgrade every USB boot device they own and every ISO on them, because Microsoft thinks we need the added security of TPM keys and SBAT blacklists on home stand-alone and home networked PCs. Most tech resources aimed at consumers state explicitly that these security measures are vast overkill for most home users.

          Microsoft doesn’t use that phrase. Shim is an open-source Linux product.

          Shim is made necessary by the way Microsoft handles Secure Boot. Home users generally do not need the added security layers of TPM (MOK) keys and SBAT blacklists. And Shim does not always get the job of entering and updating MOKs and other Secure Boot items done in the exact way Microsoft demands.

          Why should a simple end-user need to know about such rocket-science?

          -- rc primak

    • #2699872

      This seems to have gone through fine, and then I ran the Microsoft Store updates, and that caused an issue — never had any issues with it before. While some updates went through as they have always done before, these seem to be not doing anything.

      I just tried re-registering Microsoft Store — https://www.elevenforum.com/t/re-register-microsoft-store-app-in-windows-11.2408/#Two — and it doesn’t seem to be helping.

      EDIT: Actually, just restarted the computer, and now it seems to be working!

      1 user thanked author for this post.
    • #2700001

      Not a dual booter, but did the updates. 8 minutes, not bad, BUT in the middle of the update there was a crash in Windows Update that I saw in several different ways. Though the updates appeared to be successful.

      They also unregistered 2 DLLs I register and WU unregisters every so often in updates, and deleted a half dozen registry tweaks I have added. I keep them bookmarked so I know when they are gone. So a bit of a nuisance update morning.

      Description:
      Faulting application name: wuauclt.exe, version: 10.0.19041.4355, time stamp: 0x90a2b675
      Faulting module name: KERNELBASE.dll, version: 10.0.19041.4522, time stamp: 0xf7a99bd4
      Exception code: 0xc0000409
      Fault offset: 0x000000000012d332
      Faulting process id: 0x1bb8
      Faulting application start time: 0x01daf91e228d3420
      Faulting application path: C:\WINDOWS\system32\wuauclt.exe
      Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
      Report Id: 9747c89d-7588-4abd-971d-5cba9ecb1e68
      Faulting package full name:
      Faulting package-relative application ID:

    • #2700084

      It’s hardly the first time I’ve said that advanced booting techniques can lead to side effects. This is no different.

      To this I say: It is hardly the first time that Windows patches to the so-called “Secure Boot” have caused problems for dual-booters. I agree with rc primak above who said

      That’s right — always blame the user instead of the vendor when they change their security requirements.

      I don’t think you should blame computer users who prefer to dual-boot or multi-boot Windows with other operating systems over problems that Microsoft’s patches caused.

      As far as I can see, this “Secure Boot” thing is not that secure at all (Still remember BlackLotus, the bootkit that can bypass Secure Boot and first seen in 2022?), and when Microsoft needs to make changes to it to “enhance security” it often causes problems to dual-booters. The BlackLotus patches will apparently, once fully implemented, eventually make even older Windows boot media unbootable on systems using Secure Boot.

      I might be an extreme minority, but I make it a point NOT to use this rubbish when I set up a computer with a new motherboard (I never use OEM computers, one of the reasons being I am well aware some, maybe most, of the OEM computers might not have an option to disable this rubbish.). One of the first things I do when I start up a new computer is to go into the BIOS / UEFI to disable Secure Boot and enable Legacy Boot (Yes, I don’t even boot using UEFI, only Legacy.). Oh, and of course, absolutely no Bitlocker or the so-called Device Encryption in Windows.

      If you believe this Secure Boot thing is good for your computer security, by all means continue to use it. But please do not attempt to persuade me to believe that.

      By the way, I set up (the Traditional Chinese version of) Windows 10 21H2 IoT LTSC on my main computer (based on a motherboard from over eight years ago) yesterday. It also hosts several other Windows systems: Windows 1809 LTSC / Windows Server 2019 / Windows 7 Enterprise / Windows 8.1 Enterprise / Windows Server 2012 R2 in a multi-boot configuration managed by a special boot program. I just installed KB5041580 on it and as far as I can see there were no problems with booting it and the other systems afterwards, as I boot in Legacy mode (and don’t boot Linux). All the boot SSDs (3 in total: 1 NVMe and 2 SATA) are partitioned using MBR format.

      Hope for the best. Prepare for the worst.

      2 users thanked author for this post.
      • #2701363

        I couldn’t have said it better myself. Though I tried. 😊

        -- rc primak

    • #2700390

      Windows 10 Pro – Version 22H2

      Ordinary Consumer / Not tech savvy but I follow Susan Bradley’s and PKCano’s advice

      I boot as an ordinary home consumer / I don’t know what dual booting is / I don’t use Linux

      In her 8/16/24 article, Susan Bradley provided instructions on how to “Disable IPv6 for your network connections”. I have Bluetooth, Ethernet and WiFi Connections. All three have IPv6 checked as active. In this article, Susan Bradley indicates that the IPv6 risk is less than the original concern.

      So should I uncheck and deactivate IPv6 on my three Connections before installing the August Windows updates or leave IPv6 checked and active?

      If I deactivate IPv6 on my three Connections, should I check and activate IPv6 after the Windows Updates are installed? I read PKCano’s answer above. I have no idea whether my ISP(s) use IPv6, which is why I’m asking the same question.

      Thank you.

    • #2700480

      They also unregistered 2 DLLs I register and WU unregisters every so often in updates, and deleted a half dozen registry tweaks I have added. I keep them bookmarked so I know when they are gone. So a bit of a nuisance update morning.

      Is there a way to know what, if any, changes a WU made or undid in the registry, and otherwise?

      • #2721203

        They also unregistered 2 DLLs I register and WU unregisters every so often in updates, and deleted a half dozen registry tweaks I have added. I keep them bookmarked so I know when they are gone. So a bit of a nuisance update morning.

        Is there a way to know what, if any, changes a WU made or undid in the registry, and otherwise?

        Hi, just wanted to follow up.

        Happy Thanksgiving!

    • #2700556

      Updated 1 x Win11 Pro 23H2 machine with August CU (KB5041585), .NET Framework update, .NET 6 update, .NET 8 update and MSRT v5.127 without issues, except the minor annoyance that the system rebooted twice during installation, first time upon reaching 30% as usual, second time upon reaching 96% (no, I did not accidentally allow the system to reboot before any of the updates had finished installing).

      Updated 1 x Win10 Home 22H2 machine with August CU (KB5041580), .NET Framework update, .NET 6 update and MSRT v5.127 without issues at all, system rebooted only once upon reaching 30% installation.

      1 user thanked author for this post.
    • #2700499

      I have installed this month’s updates and everything was normal. PC has been on for 24 hours and seems normal as well.

      1 user thanked author for this post.
    • #2700802

      Updated 3 Win10 Pro and one Win11 Pro without incident after skipping prior month update.

      No dual boot or other complications.

      I post this because I appreciate when others post their updating success or failures.

      Pioneers wear arrow shirts…appreciate their sacrifice.

      2 users thanked author for this post.