TLDR - After you uninstall the broken update to get your OS working again, install KB3133977 and try again.
The full story:
Until I fixed it, I couldn't boot after installing KB4512506 or KB4512486 - Windows cannot verify the digital signature of winload.efi.
On the first boot failure I had to recreate the BCD. On every subsequent failure I had to uninstall the update via the recovery console.
I already had KB4474419-v2 installed and no 3rd party antivirus. Dism /Online /Cleanup-Image /CheckHealth found no corruption.
I restored a system image to a spare HDD and booted it to troubleshoot. I found that installing all optional updates fixed the issue. I didn't want that to be the solution for my permanent OS so I investigated further. I eventually installed only KB3133977 to fix the issue. (That update is for a BitLocker issue but I don't use BitLocker. I don't know why it helped.)