Dual booters are now faced with a new demon from Microsoft:

https://www.tenforums.com/general-support/214963-windows-10-aug-13-update-broke-my-linux-installation.html

Brave A.I. solution:

Workaround SBAT Microsoft update to install Linux

The Secure Boot Advanced Targeting (SBAT) update, introduced in KB5041580, prevents older Linux ISO images from booting on Windows systems. To circumvent this issue, follow these steps:

1. Disable Secure Boot: Enter your BIOS settings (usually by pressing F2, F12, or Del during boot) and disable Secure Boot. Save the changes and exit the BIOS settings.
2. Boot into Linux: Use a bootable Linux media (e.g., USB drive or CD/DVD) to boot into Linux. This will allow you to bypass the SBAT restrictions.
3. Run mokutil command: Once booted into Linux, run the following command to list and revoke SBAT revocations:

sudo mokutil --list-sbat-revocations

This will display the revoked SBAT levels. Note the SBAT level and shim version mentioned in the output. 4. Revoke SBAT revocation: Run the following command to revoke the specific SBAT level and shim version:

sudo mokutil --revoke-sbat sbat,<SBAT_level>,<shim_version>

Replace <SBAT_level> and <shim_version> with the values obtained in step 3. 5. Re-enable Secure Boot: Re-enter your BIOS settings and re-enable Secure Boot. Save the changes and exit the BIOS settings. 6. Verify Linux boot: Attempt to boot your Linux installation again. If successful, the SBAT restrictions should no longer prevent Linux from booting.

Additional Tips

• If you’re using a dual-boot setup, you may need to disable Secure Boot only for the Linux boot process and re-enable it for Windows.
• Make sure to update your Linux distribution to a version that includes shim 15.7 or later, as this provides the necessary security updates to address vulnerabilities in the boot stack.
• Consider setting your Windows Update policy to “Notify” instead of “Automatic” to prevent future SBAT updates from being applied without your consent.

By following these steps, you should be able to circumvent the SBAT Microsoft update and install Linux on your system.

Interesting post on SBAT in general here:

https://lwn.net/Articles/938422/

Thanks @swarfendor437 , I've followed your instructions as I do indeed dual boot with WX. Setting the update policy hasn't worked for me in the past - it has been overridden. If that happens, going to Settings - Security and Updates- pause updates for 7 days, gives you breathing room to do whatever is necessary before Windows finally updates.

I got this output in the terminal after following your instructions (I hope I did it correctly!):
picasso@picasso-HP-Pavilion-TS-15-Notebook-PC:~$ sudo mokutil --list-sbat-revocations
[sudo] password for picasso:
sbat,1,2022052400
grub,2
picasso@picasso-HP-Pavilion-TS-15-Notebook-PC:~$ sudo mokutil --revoke-sbat sbat,1,2022052400, grub,2
mokutil: unrecognized option '--revoke-sbat'
Usage:
mokutil OPTIONS [ARGS...]

Options:
--help Show help
--list-enrolled List the enrolled keys
--list-new List the keys to be enrolled
--list-delete List the keys to be deleted
--import Import keys
--delete Delete specific keys
--revoke-import Revoke the import request
--revoke-delete Revoke the delete request
--export Export keys to files
--password Set MOK password
--clear-password Clear MOK password
--disable-validation Disable signature validation
--enable-validation Enable signature validation
--sb-state Show SecureBoot State
--test-key Test if the key is enrolled or not
--reset Reset MOK list
--generate-hash[=password] Generate the password hash
--ignore-db Ignore DB for validation
--use-db Use DB for validation
--import-hash Import a hash into MOK or MOKX
--delete-hash Delete a hash in MOK or MOKX
--set-verbosity <true/false> Set the verbosity bit for shim
--set-fallback-verbosity <true/false> Set the verbosity bit for fallback
--set-fallback-noreboot <true/false> Prevent fallback from automatically rebooting
--trust-mok Trust MOK keys within the kernel keyring
--untrust-mok Do not trust MOK keys
--set-sbat-policy <latest/previous/delete> Apply Latest, Previous, or Blank SBAT revocations
--pk List the keys in PK
--kek List the keys in KEK
--db List the keys in db
--dbx List the keys in dbx
--timeout <-1,0..0x7fff> Set the timeout for MOK prompt
--list-sbat-revocations List the entries in SBAT

Supplimentary Options:
--hash-file Use the specific password hash
--root-pw Use the root password
--mokx Manipulate the MOK blacklist
--ca-check Check if CA of the key is enrolled/blocked
--ignore-keyring Don't check if the key is the kernel keyring
picasso@picasso-HP-Pavilion-TS-15-Notebook-PC:~$

I still find these "walls of text" confusing I don't think I did what I was trying to do... "mokutil: unrecognized option '--revoke-sbat'" kind of gives it away

That could mean one of two things, either SBAT is not present or MS has written some new code!

@swarfendor437 I'll reboot into Windows and let you know what happens!

If the worst comes to the very worst, this machine can lose Windows for good!

EDIT
Replying from inside WX

defender update1366×768 127 KB

Well now reboot back into Zorin_OS to see if I can!

EDIT 2
I'm back safely from Windows Land! I do have Secure Boot disabled.