KB4512506 / KB4512486 winload.efi Windows cannot verify the digital signature

TLDR - After you uninstall the broken update to get your OS working again, install KB3133977 and try again.

The full story:

Until I fixed it, I couldn't boot after installing KB4512506 or KB4512486 - Windows cannot verify the digital signature of winload.efi.

On the first boot failure I had to recreate the BCD. On every subsequent failure I had to uninstall the update via the recovery console.

I already had KB4474419-v2 installed and no 3rd party antivirus. Dism /Online /Cleanup-Image /CheckHealth found no corruption.

I restored a system image to a spare HDD and booted it to troubleshoot. I found that installing all optional updates fixed the issue. I didn't want that to be the solution for my permanent OS so I investigated further. I eventually installed only KB3133977 to fix the issue. (That update is for a BitLocker issue but I don't use BitLocker. I don't know why it helped.)

 

Last updated September 16, 2019

Thank you for the tip. Downloading and installing KB3133977 allowed me to finally, successfully install KB4512506 on my Windows 7 SP1 X64 system.

This fix applies to Windows Server 2008 R2 as well. After installing, in August 2019, Microsoft Security Only Patch KB4512486, all our physical 2008 R2s rebooted into System Recovery and the only fix we could find was to revert via "dism.exe /image:C:\ /cleanup-image /revertpendingactions". Needless to say, this prevented the patch from being installed. I recently found this post, gave it a shot with the 2008 R2 x64 version of KB3133977, and now the servers are good to go. Thanks for finding this.

Just an FYI for those having issues getting KB3133977 to install - KB3125574 supersedes 3133977. 

https://support.microsoft.com/en-us/help/3125574/convenience-rollup-update-for-windows-7-sp1-and-windows-server-2008-r2