
How to resolve “Verifying shim SBAT data failed” error on Linux Dual Boot System due to security policy violation after KB5041585 update installed

Recently, Microsoft rolled out the KB5041585 security update for Windows 11, targeting versions 23H2 and 22H2. While it aims to enhance security, it’s causing serious headaches for those running dual-boot systems with Linux. The issue? A frustrating error that leaves you unable to boot into Linux. 

The Problem

After installing the update, you might see this error:

Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation


It’s a security measure gone wrong. Microsoft introduced Secure Boot Advanced Targeting (SBAT) to block older, vulnerable boot managers. Unfortunately, for some dual-boot setups, it’s mistakenly applying the SBAT settings, blocking Linux from booting.

Temporary Fix: Before the Reboot

If you haven’t yet rebooted after installing the update, here’s how to stop the problem before it starts:

  1. Press Windows + R keys, type regedit, and hit Enter to open Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT.
  3. Right-click, select New > DWORD (32-bit) Value, and name it OptOut.
  4. Double-click OptOut and set its value data to 1.

This stops the SBAT update from causing trouble with your dual-boot setup.

Already Installed? Here’s How to Fix It

If you’ve already installed the update and are stuck, follow these steps:

Step 1: Disable Secure Boot

  1. Restart your device and enter the firmware settings (BIOS/UEFI). This usually involves pressing F2, DEL, or ESC during startup.
  2. Locate the Secure Boot settings and disable them.

Check Microsoft’s official page or your manufacturer’s website for detailed instructions.

Step 2: Remove the SBAT Update in Linux

  1. Boot into Linux and open the terminal.
  2. Run: sudo mokutil --set-sbat-policy delete
  3. Enter your root password when prompted.
  4. Restart your system.

Step 3: Verify SBAT Revocations

  1. In the terminal, run: mokutil --list-sbat-revocations
  2. Make sure no revocations are listed.
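
To show what a revocation entry does, here is an added example (not from the original article): a small checker that compares a boot binary's SBAT entries with a revocation list and reports any component whose generation is below the required minimum, which is the condition behind the "Security Policy Violation" message. It assumes the comma-separated layout described in shim's SBAT documentation; the function names sbat_violations and sbat_ok are hypothetical, and all sample data is constructed.

```shell
#!/bin/sh
# Added example. All sample data is constructed, not captured from a real system.

# Constructed revocation list: "component,minimum_generation" per line;
# the first row is the version/date stamp of the list itself.
REVOCATIONS='sbat,1,2024010900
shim,4
grub,3'

# Constructed .sbat entries of a boot binary:
# component,generation,vendor,package,version,url
BINARY_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.7,https://example.invalid/'

# sbat_violations REVOCATION_TEXT BINARY_SBAT_TEXT
# Prints one line for every component in the binary whose generation is lower
# than the minimum the revocation list demands. No output means it passes.
sbat_violations() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk -F, '
        $0 == "--" { in_binary = 1; next }      # separator between the two inputs
        $1 == ""   { next }                     # skip blank lines
        !in_binary { min[$1] = $2 + 0; next }   # remember revoked minimums
        ($1 in min) && ($2 + 0 < min[$1]) {
            printf "%s: generation %d < required %d\n", $1, $2 + 0, min[$1]
        }'
}

# sbat_ok returns 0 when nothing is revoked, 1 otherwise.
sbat_ok() {
    [ -z "$(sbat_violations "$1" "$2")" ]
}

if sbat_ok "$REVOCATIONS" "$BINARY_SBAT"; then
    echo "binary passes the SBAT check"
else
    echo "binary would be rejected:"
    sbat_violations "$REVOCATIONS" "$BINARY_SBAT"
fi
```

On a real system the first argument would be the output of mokutil --list-sbat-revocations, and the second the contents of the .sbat section of the shim or GRUB binary being checked.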

Step 4: Re-enable Secure Boot

Re-enter firmware settings and turn Secure Boot back on.

Step 5: Check Secure Boot Status

  1. Boot into Linux and run mokutil --sb-state in the terminal.
  2. Ensure the output reads “SecureBoot enabled.”

Step 6: Block Future SBAT Updates in Windows

  1. Boot into Windows.
  2. Open Command Prompt as an administrator.
  3. Run: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

By following these steps carefully, you should be able to successfully resolve the Linux dual boot issue caused by the Windows 11 KB5041585 update. Don’t let this frustrating error stop you from enjoying the flexibility of a dual boot setup – with a little bit of effort, you’ll be back to seamlessly switching between Linux and Windows in no time!