MS-DEFCON 4: Side effects for dual booters

By Susan Bradley

Secure Boot is causing — once again — side effects for Windows patchers.

The August updates are triggering issues for those who dual-boot into Linux. Because this is unlikely to affect very many users, and because the IPv6 bug I alerted you to ten days ago is now well understood, I feel that lowering the MS-DEFCON level to 4 is safe.

That assumes you do not ignore the IPv6 matter.

It’s hardly the first time I’ve said that advanced booting techniques can lead to side effects. This is no different. Both Windows 10 (see KB5041580) and Windows 11 (see KB5041585) are triggering an issue where your device might fail to boot Linux and instead show the following error message:

Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation.

This is one of the reasons I prefer to use virtual machines rather than dual-booting.

Current patches are not supposed to fix this problem, but the problem is that the Secure Boot Advanced Targeting (SBAT) setting will not be applied to devices on which dual booting is detected. In addition, and making the situation more confusing, the dual-boot detection mechanism failed in this case, meaning that the SBAT patch would be applied inappropriately.

To remedy this situation, Microsoft provided a workaround:

Alternatively, you can uninstall the updates for August and pause until next month. To uninstall updates, go into Settings | Windows updates | Update History | Uninstall updates, then click on Uninstall next to the updates you’d like to remove.

Where’s our worm? I still haven’t seen any worm targeting the IPv6 Windows 10 and 11 vulnerability (CVE-2024-38063) that was patched earlier in August. If you recall, I did a special alert to recommend that you install the update or disable IPv6. Researchers have indicated that it will take a ton of packets before this vulnerability can be launched against any Windows target. As noted by Farmpoet on X:

the vulnerability can’t be triggered with a single packet. In fact, you’ll have to flood the destination with packets just to reach the vulnerable path.

He goes on to say:

My current assessment is that at best we’re talking about a remote denial of service and full RCE is intractable in this case. Not that a pre-firewall remote DoS isn’t bad but 9.8 CVE score seems over the top.

Okay, I’ll say it: I told you so. This has turned into a nothingburger. Next time I will trust my gut instinct more.

Office 2019 resolved its updating issues; the error message 30088-27 finally got fixed. Forum poster Mark Reyes indicated that he had found a workaround; soon after, Microsoft fixed the issue on their back end. Bottom line: You should have no issues getting up to date now.

For businesses with Windows Server 2019, be aware of a performance issue that impacts servers after the August updates (KB5041578). As noted in a Microsoft 365 console note, you might observe that some Windows Server 2019 devices experience system slowdowns, unresponsiveness, and high CPU usage — particularly with Cryptographic Services. A limited number of organizations reported that the issue was observed when the device was running an antivirus software package that performs scans against the %systemroot%\system32\catroot2 folder for Windows updates, due to an error with catalog enumeration. Microsoft notes that the issue is limited to specific scenarios. The side effects include increased disk latency/disk utilization; degraded OS or application performance; the CryptSVC service failing to start; booting into a black screen; and slow booting, freezing, or hanging. Home users of Windows Home or Pro editions are unlikely to face this issue because this scenario is more commonly found in enterprise environments.

This issue is resolved using Known Issue Rollback, so IT administrators can install and configure the special Group Policy found in Computer Configuration, Administrative Templates. It can be downloaded from Microsoft.

For businesses that rely on Group policy, KB041578 appears to be impacting you. As forum poster Rich Easton noted:

[W]hen adding new mapped drives to a gpo, and item level targeting it to a security group, I’ve found that the “User in Group” is greyed out and it’s defaulting to Computer in group, even when selecting a security group that only has users in.

As I mentioned in a forum post last Friday, Group Policy guru Jeremy Moskowitz posted a note on X in which he identified a workaround:

Workarounds are (a) Copy an existing item with ILT already in it and edit contents (don’t edit ILT). Or, hand-edit the ILT from XML (takes advanced skills… but do-able.) NOTE Existing policies are not affected. Only CREATING NEW and EDITING of EXISTING policies affected.

Resources

Source

RIP Matrix | Farewell my friend  

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every single day for many years.

2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts