Dual-Boot Linux broken after Windows security update

Peter • Sunday, August 25, 2024


The issue:

A monthly Windows update pushed on August 13 has disrupted dual-boot systems running both Windows and Linux.
The update aimed to fix a two-year-old vulnerability (!) (CVE-2022-2601) related to the GRUB bootloader but, according to Microsoft, inadvertently caused boot failures for many users.

Why this patch?

The decision to apply a Secure Boot Advanced Targeting (SBAT) update was meant to block malicious actors from carrying out out-of-bounds writes and possibly bypassing GRUB2 Secure Boot.

Workaround:

1. Disable Secure Boot
2. Log into your Ubuntu user and open a terminal
3. Delete the SBAT policy with:
   sudo mokutil --set-sbat-policy delete
4. Reboot your PC and log back into Ubuntu to update the SBAT policy
5. Reboot and then re-enable secure boot in your BIOS.

Next steps?

Following Microsoft's statement:
"We are aware that some secondary boot scenarios are causing issues for some customers, including when using outdated Linux loaders with vulnerable code. We are working with our Linux partners to investigate and address."
we expect an official workaround.

Update

Now (August 23rd/24th) Microsoft has stated that "the dual-boot detection did not detect some customized methods of dual-booting and applied the SBAT value when it should not have been applied." It recommends deleting the SBAT update and ensuring that future SBAT updates will no longer be installed:
  1. Disable Secure Boot after booting into your device's firmware settings (this requires different steps for every manufacturer).
  2. Delete the SBAT update by booting Linux and running the sudo mokutil --set-sbat-policy delete command and rebooting.
  3. Verify SBAT revocations by running the mokutil --list-sbat-revocations command and ensuring it's empty.
  4. Re-enable Secure Boot from your device's firmware settings.
  5. Check the Secure Boot status by booting into Linux, running the mokutil --sb-state command, and ensuring the output is "SecureBoot enabled." If not, retry the 4th step.
  6. Prevent future SBAT updates in Windows by running the following command from a Command Prompt window as Administrator:
     reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
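
Why an SBAT update can stop an older GRUB from booting, as an added example (not code from Microsoft or from this post): each revocation entry names a component and a minimum generation, and shim refuses a binary whose .sbat section lists a lower generation for that component. The helper name `sbat_blocked`, the `grubx64.efi` file name and all sample values are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Sample values below are constructed, not real revocation data.

# sbat_blocked REVOCATIONS BINARY_SBAT   (hypothetical helper name)
#   REVOCATIONS  text printed by: mokutil --list-sbat-revocations
#   BINARY_SBAT  contents of the boot loader's .sbat section, e.g. from
#                objcopy -O binary --only-section=.sbat grubx64.efi /dev/stdout
#                (grubx64.efi is a placeholder file name)
# Prints "component have=N need=M" for each component whose generation is
# below the revoked minimum. Exit status 1 if any is blocked, otherwise 0.
sbat_blocked() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -F, '
        /^---$/ { in_binary = 1; next }              # separator between inputs
        $1 == "" || $2 !~ /^[0-9]+$/ { next }        # skip blank or malformed lines
        !in_binary { minimum[$1] = $2 + 0; next }    # revocation: component,min_generation
        ($1 in minimum) && ($2 + 0 < minimum[$1]) {  # binary entry below the minimum
            printf "%s have=%d need=%d\n", $1, $2, minimum[$1]
            blocked = 1
        }
        END { exit blocked + 0 }'
}

# Constructed revocation list in the format mokutil prints.
SAMPLE_REVOCATIONS='sbat,1,2024010100
shim,2
grub,3'

# Constructed .sbat contents: an older GRUB build and a newer one.
SAMPLE_OLD_GRUB='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/'
SAMPLE_NEW_GRUB='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/'

# Demo: the old loader is refused, the new one is allowed.
if result=$(sbat_blocked "$SAMPLE_REVOCATIONS" "$SAMPLE_OLD_GRUB"); then
    echo "old loader: allowed"
else
    echo "old loader: refused ($result)"
fi
if sbat_blocked "$SAMPLE_REVOCATIONS" "$SAMPLE_NEW_GRUB" >/dev/null; then
    echo "new loader: allowed"
fi
```

An empty revocation list, the state step 3 asks you to confirm, blocks nothing, which is why the old loader boots again after the policy is deleted.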

Credits:
Microsoft: Impact-linux-boot-in-dual-boot-setup-devices
Ars Technica: Dual boot mess for some Linux users
The Register: Microsoft dual boot patch
CVE: CVE-2022-2601
