No doubt you recall the warning back in February that Windows 7, Server 2008 and Server 2008 R2 patches starting in July would use the SHA-2 encryption protocol. If you want to install Win7 patches issued after July, you have to get the SHA-2 translator installed.
A few days ago, Microsoft tossed a zinger into the FAQs down at the bottom of its SHA-2 post, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. That post now says that you have to install a seemingly unrelated patch, KB 3133977, entitled, BitLocker can’t encrypt drives because of service crashes in svchost.exe process in Windows 7 or Windows Server 2008 R2.
That should immediately raise your eyebrows. It’s a BitLocker fix, fer heaven’s sake, and Microsoft now says you better install that fix before you try to run a new instance of Win7 – whether you have BitLocker or not.
Specifically, the SHA-2 post was updated on Aug. 16 to say you can run into trouble in any of these scenarios:
- You’re using setup to perform a clean install of Win7 using an image (perhaps created by DISM) that’s been customized with updates.
- You’re burning an image of Win7 directly to disk without running setup.
- You install an image with SHA-2 support, but the system won’t boot, tossing error 0xc0000428, “Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.”
The remedies in each of those situations is a little bit different, but in general it includes installing the BitLocker fix KB 3133977 (even if you’ve hidden it!) and running the bcdboot.exe program to refresh your boot files.
This, buried at the bottom of a FAQ in an old KB article.
And you thought Win10 users got all the new bizarre bugs.
Thx @abbodi86, @PKCano
Stay up on the latest — Win7, too — on AskWoody.com.
Copyright © 2019 IDG Communications, Inc.