2

A recent Windows update broke my Windows/Ubuntu Dual Boot

I followed the steps described in "Verifying shim SBAT data failed: Security Policy Violation" to fix the dual boot:

  1. Disable Secure Boot in BIOS
  2. Log into your Ubuntu user and open a terminal
  3. Delete the SBAT policy with: sudo mokutil --set-sbat-policy delete
  4. Reboot your PC and log back into Ubuntu to update the SBAT policy
  5. Reboot and then re-enable secure boot in your BIOS.

Unfortunately, I can no longer boot into Windows (except for the debug mode / secure mode), not even with disabled secure boot (UEFI).

Does anybody know or have a hint on how to resolve it?

Further information:

  • What does the broken boot process look like?
    • While booting Windows, the additional text "Bitlocker recovery is being prepared" briefly appears
    • the text disappears, a loading spinner is displayed and Windows seems to boot
    • for a split second a shell with the name winspeshl.exe appears, then a blue screen appears (with options to boot from other sources / reboot into the UEFI)
  • sudo mokutil --list-sbat-revocations: sbat,1,2022052400, grub,2
  • sudo mokutil --reset + restarting the system
    • forwards me to Shim UEFI key management
      • option to open MOK management with the following options:
        • Continue boot, Reset MOK, Enroll key from disk, Enroll hash from disk
        • I have chosen Continue boot so far, which does not resolve the problem, but I was unsure if this is the right place to fix the issue that I have
  • sudo mokutil --sb-state
    • result depends on the Secure Boot selection in the UEFI; regardless of the setting, Windows does not boot properly
      • Secure Boot enabled in UEFI: SecureBoot enabled
      • Secure Boot disabled in UEFI: SecureBoot disabled, Platform is in Setup Mode
  • My setup worked in such a way that it automatically started Windows, and I started Ubuntu by rebooting the system (if you press Shift while restarting Windows) and then selecting another device -> Ubuntu (saved on a separate disk); only then was GRUB started, otherwise it booted directly to Windows.
  • UEFI Boot configuration
    1. Windows Boot Manager
    2. USB Storage
    3. Internal Storage
    4. Network Boot-IPV4
    5. Network Boot-IPV6
    • I tried it with Windows Boot Manager first and with Internal Storage first (both with Secure Boot enabled/disabled), same result
Florian
  • 21
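
The `mokutil --list-sbat-revocations` output quoted in the question is a list of minimum generation numbers per component; shim refuses a binary whose `.sbat` entry for a listed component carries a lower generation, which is what produces the "Verifying shim SBAT data failed" message. The following is an added example, not part of the original post: it checks `.sbat` metadata against the revocation entries from the question. The two `.sbat` sections, their vendor names and URLs are constructed sample data, and the function names are hypothetical.

```python
import csv
from io import StringIO

# Entries quoted in the question from `sudo mokutil --list-sbat-revocations`,
# written one per line: component name, minimum generation[, datestamp].
REVOCATIONS = """\
sbat,1,2022052400
grub,2
"""

# Constructed .sbat sections for two hypothetical GRUB builds. Fields:
# component, generation, vendor, package, version, URL.
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,1,Example Upstream,grub,2.04,https://example.invalid/grub
grub.examplevendor,1,Example Vendor,grub2,2.04-1,https://example.invalid/pkg
"""
NEW_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,2,Example Upstream,grub,2.06,https://example.invalid/grub
grub.examplevendor,1,Example Vendor,grub2,2.06-1,https://example.invalid/pkg
"""


def parse_generations(text):
    """Return (component, generation) pairs from SBAT-style CSV text."""
    pairs = []
    for row in csv.reader(StringIO(text)):
        fields = [f.strip() for f in row]
        if len(fields) >= 2 and fields[0]:
            pairs.append((fields[0], int(fields[1])))
    return pairs


def sbat_violations(sbat_text, revocation_text):
    """List (component, generation, required) for every revoked entry."""
    minimum = dict(parse_generations(revocation_text))
    return [
        (name, gen, minimum[name])
        for name, gen in parse_generations(sbat_text)
        if name in minimum and gen < minimum[name]
    ]


if __name__ == "__main__":
    for label, sbat in (("old", OLD_GRUB_SBAT), ("new", NEW_GRUB_SBAT)):
        bad = sbat_violations(sbat, REVOCATIONS)
        print(label, "rejected:" if bad else "accepted", bad)
```

Components that do not appear in the revocation list (here the vendor-specific `grub.examplevendor` entry) are not restricted by it.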

1 Answer

0

One of the following actions resolved the issue for me:

  1. Booting into Windows in the advanced mode "Disable Driver Signature Enforcement" and allowing a Windows update this way
  2. In a Windows CMD with admin permissions run the following command: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD (for details see Verifying shim SBAT data failed: Security Policy Violation)

After doing both of these steps, booting into Windows works for me again.

Florian
  • 21