Microsoft Fixes the Linux Dual Boot Issue

Microsoft Fixes Linux Dual Boot Issue – Definitive Solutions (May 2025) | SafeITExperts

×

Microsoft Fixes Linux Dual Boot Issue – Definitive Solutions (May 2025)

Expertise Technical Analysis 10 min read

By Marc — Editor SafeITExperts | March 8, 2026 (updated)

Updated March 8, 2026 – All information remains current.

Context: Since August 2024, thousands of dual boot users (Windows + Linux) were unable to boot their Linux systems after installing Windows security updates. The issue, related to Secure Boot and SBAT technology, was finally resolved by Microsoft in May 2025 with cumulative update KB5058405.

Conceptual illustration: The Secure Boot shield now protects both systems after the KB5058405 fix.

This article details:

The technical origin of the block (CVE-2022-2601, SBAT)

Temporary workarounds used during the 9-month wait

The official fix KB5058405 and how to apply it

Residual issues and their fixes (ACPI.sys, BitLocker)

Problem Origin

The issue stems from a security vulnerability identified in GRUB2 (CVE-2022-2601) allowing Secure Boot bypass. To fix it, Microsoft updated the SBAT (Secure Boot Advanced Targeting) revocation list via update KB5041585 in August 2024. Unfortunately, this update was applied too aggressively, revoking legitimate Linux bootloaders and preventing many distributions from booting.

Component	Problem	Impact
GRUB2	Flaw in grub_font_construct_glyph()	Secure Boot bypass possible
SBAT (Microsoft)	Poorly calibrated update	Linux dual boot blocked

Microsoft: "Dual boot detection didn't identify some custom methods and applied SBAT where it shouldn't have."
— Windows Release Health

Global Impact

Affected Distributions

Ubuntu	versions prior to 24.04.1
Debian	11/12 (with older shim)
Fedora	some ISOs
Linux Mint, Zorin OS	similar

Versions with shim ≥15.8 and GRUB2 ≥2.12 are unaffected.

Typical Error Messages

Verifying shim SBAT data failed: Security Policy Violation
Invalid SBAT data structure

Appeared immediately after KB5041585.

Temporary Solutions (before May 2025)

During the 9-month wait for an official fix, the community developed several workarounds. These methods are no longer needed since KB5058405.

Solution	Procedure	Disadvantages
Disable Secure Boot	BIOS/UEFI → disable	Security risk
Delete SBAT policy	`sudo mokutil --set-sbat-policy delete`	Technical, MOK manipulation
Windows Registry	`reg add ... /v OptOut /d 1`	May block future updates
Alternative bootloader	rEFInd, custom GRUB	Complex configuration

If you used any of these, re-enable Secure Boot after installing the official fix.

Definitive Solution: KB5058405 (May 2025)

On May 13, 2025, Microsoft released cumulative update KB5058405 as part of Patch Tuesday. It corrects the dual boot detection logic: SBAT policies are now applied only when necessary, allowing legitimate Linux bootloaders to start.

Installing the Fix

Settings > Windows Update > Check for updates
Install KB5058405
Reboot

# Verify installation (PowerShell)
Get-HotFix -Id KB5058405

Important: The Microsoft fix allows Windows to stop blocking the boot, but your Linux distribution must also have updated shim and GRUB2 versions compatible with the latest SBAT revocations. Distributions (Ubuntu, Debian, Fedora…) have released updates accordingly. If you use an old installation ISO, download a recent one (post-May 2025).

Persistent Issues and Additional Fixes

System	Problem	Fix Available
Windows 11	Error 0xc0000098 (ACPI.sys) after KB5058405	KB5062170 (Microsoft Update Catalog) – resolved
Windows 10	BitLocker recovery prompt after KB5058379	KB5061768 – resolved
Virtual environments	Boot issues after update	Update Hyper-V and install KB5062170

All these fixes are available via Windows Update. No issues currently pending.

Conclusion

What is resolved

Dual boot works with Secure Boot enabled
No more workarounds needed
Automatic updates via Windows Update

Best practices

Update your Linux distribution
Re-enable Secure Boot if disabled
Use recent ISOs for new installations

Technical Glossary

UEFI feature that verifies bootloader signatures to prevent unauthorized code execution.

Secure Boot Advanced Targeting: revocation mechanism for vulnerable bootloader versions.

Modern interface replacing BIOS, manages secure boot.

Grand Unified Bootloader version 2, used by most Linux distributions.

Verified Sources

Source	Contribution
Phoronix	Initial problem announcement (Aug 2024)
Microsoft Release Health	Acknowledgment and workarounds
BleepingComputer	KB5058405 fix (May 2025)
JustGeek	Details of the fix

About the Author

Marc is the lead editor of SafeITExperts, a bilingual technical blog (FR/EN) dedicated to cybersecurity, Linux, digital sovereignty, and IT strategy. He covers regulatory news, open-source tools, and privacy issues with a constant focus on clarity and source verification.