Microsoft has started rolling out an update to the Windows operating system that causes systems with the PBA installed to fail to start. On boot, the message "Verifying shim SBAT data failed: Security Policy Violation" is displayed briefly, and the system then shuts down.


The update is included in:

2024-09 Cumulative Update for Windows 10 Version 22H2 for x86-based Systems (KB5043064)

2024-08 Cumulative Update for Windows 11 for x64-based Systems (KB5041592)


Affected Operating Systems:

Windows 10 22H2

Windows 11 23H2


Issue cause:

The Windows update is intended to resolve a UEFI Secure Boot vulnerability by preventing vulnerable bootloaders from running. The update not only blocks vulnerable bootloaders but also ALL currently released Linux versions, including those in which the vulnerability had already been addressed. The Cigent PBA is built on Ubuntu and is therefore affected by this update. Dual-boot systems (running Windows and Linux) would not normally receive the policy update; however, hardware FDE solutions that use a shadow MBR, such as the Cigent PBA, were not included in that exemption.


Microsoft has documented the issue in the Known Issues and Notifications note for this release:

https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2

https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2


Issue avoidance:

There are two options to avoid service disruption by taking action before the update is applied:


1. Upgrade the PBA to 1.0.6.30 before the system receives the Windows update. (Strongly recommended)

PBA version 1.0.6.30 has been updated to be compatible with the Windows update. Updating before the Windows update is installed allows the SBAT policy to be applied while the PBA continues to boot properly.


2. Follow step f) in the Microsoft Known Issues and Notifications note listed above. Doing so prevents the SBAT policy update that stops the PBA from booting from being applied.


Here are the details of that step from the release note:

  1. Boot into Windows.
  2. Open Command Prompt as Administrator and run:

     reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
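As an added example (not part of this note, Cigent's tooling or Microsoft's documentation), the following PowerShell pre-check reports, from an elevated prompt, whether a host has already received either update listed above, whether the OptOut value from step 2 is present, and the Secure Boot state, so an administrator can decide whether to upgrade the PBA or apply the opt-out before the update lands. The KB numbers and registry path come from this note; that Get-HotFix lists these cumulative updates is an assumption.

```powershell
# Added pre-flight check; not Cigent's or Microsoft's code. Run elevated:
# Confirm-SecureBootUEFI requires administrator rights.

$sbatKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT'
$kbIds   = @('KB5043064', 'KB5041592')   # the two updates listed in this note

# 1. Has either cumulative update been installed? (assumes Get-HotFix reports them)
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbIds -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# 2. Is the OptOut value from step 2 present and set to 1?
$optOut = $null
if (Test-Path $sbatKey) {
    $optOut = (Get-ItemProperty -Path $sbatKey -Name OptOut -ErrorAction SilentlyContinue).OptOut
}

# 3. Secure Boot state; the cmdlet throws on non-UEFI systems or without elevation.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'unknown (not a UEFI system, or not elevated)' }

$updateState = if ($installed) { $installed -join ', ' } else { 'not installed' }
$optOutState = if ($optOut -eq 1) { 'set' } else { 'not set' }

[PSCustomObject]@{
    UpdateInstalled = $updateState
    SbatOptOut      = $optOutState
    SecureBoot      = $secureBoot
} | Format-List

# How to read the result:
#  - UpdateInstalled = not installed, SbatOptOut = not set: there is still time to
#    upgrade the PBA to 1.0.6.30 (recommended) or apply the opt-out from step 2.
#  - SbatOptOut = set: the SBAT policy update will not be applied on this host.
#  - UpdateInstalled lists a KB: the SBAT policy may already be in place; if the
#    PBA no longer boots, use the remediation options in this note.
#  - SecureBoot = False: Secure Boot is disabled; re-enable it once the PBA is
#    upgraded or the SBAT policy has been rolled back.
```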


Immediate workaround:

If your system has already received the update and you are unable to boot to the PBA login page, you can temporarily disable the Secure Boot setting in the BIOS/UEFI firmware to restore normal operation. It is strongly recommended that you proceed immediately to one of the permanent remediation options below and then restore Secure Boot to the enabled state.


Remediation:

There are two options to remediate this issue. Choose the option that works best in your environment:


1. Upgrade to PBA 1.0.6.30

PBA version 1.0.6.30 is compatible with the security updates applied by the Windows update. Download the PBA from the support site, then follow the instructions in the user guide for creating a USB thumb drive and updating the PBA. BE SURE TO RE-ENABLE SECURE BOOT IF YOU DISABLED IT AS AN IMMEDIATE WORKAROUND.


2. Roll back the SBAT policy update. If you are unable to update the PBA, it is possible to roll back the SBAT policy update using a live Ubuntu environment.

  1. Download the Ubuntu 22.04.5 LTS desktop ISO: https://ubuntu.com/download/desktop
  2. Create a bootable USB flash drive from the ISO (follow the instructions on the Ubuntu site for the available methods).
  3. Boot to the flash drive.
  4. Click through the install prompts until you reach "Try Ubuntu", then follow the prompts until you have a running desktop (which is running from the flash drive).
  5. Open a terminal and run: sudo mokutil --set-sbat-policy delete
  6. Shut down, then make sure the system boots to the flash drive again (do not let it boot to another OS).
  7. Follow step 5 again until Ubuntu is at the desktop.
  8. Shut down and remove the USB flash drive.
  9. You should now be able to boot the regular version of the PBA.