EFI模式请慎重安装KB4512486 KB4512506 KB4512514
物理机或者虚拟机EFI模式启动将有问题,BIOS模式启动的没问题!
| IA64 设备(在任何配置中)和使用预配的 EFI 启动的 x64 设备在安装 7 月 9 日的更新和/或跳过建议的更新 (KB3133977) 之后,可能无法启动并出现以下错误: “文件: \Windows\system32\winload.efi 状态: 0xc0000428 信息: Windows 无法验证此文件的数字签名。” |
要解决此问题,请按照针对错误代码 0xC0000428 的 SHA-2 支持常见问题解答文章中概述的步骤进行操作。 |
| IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error: "File: \Windows\system32\winload.efi Status: 0xc0000428
扫描二维码关注公众号,回复:
7619941 查看本文章
Info: Windows cannot verify the digital signature for this file."
|
To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428. |
处理方法如下:
自动进入修复模式,界面如下(如没自动进入修复模式,也可以从安装光盘引导,选择R进入修复模式):
此时按下一步按钮,之后的界面选命令行恢复,在命令行提示符下输入dism.exe /image:c:\ /cleanup-image /revertpendingactions
如下图:
完成后按提示选择重启动,系统可以启动到更新回滚界面,如下图:
回滚完成后可正常登录系统;
登录系统后需要先安装KB3133977更新,重启动系统后再安装KB4512486 KB4512506 KB4512514;
以上修复方法经过测试。
另一种方法,恢复模式下DISM安装KB3133977更新包,测试重启动后还是进入恢复模式,不能恢复正常,该方法无效。
操作命令如下:
再另一种方法,恢复模式下删除更新包,测试重启动后还是进入恢复模式,不能恢复正常,该方法无效。
操作命令如下:
参考国外谈论:
Site Feedback
Fearless96Created on August 17, 2019
KB4512506 / KB4512486 winload.efi Windows cannot verify the digital signature
TLDR - After you uninstall the broken update to get your OS working again, install KB3133977 and try again.
The full story:
Until I fixed it, I couldn't boot after installing KB4512506 or KB4512486 - Windows cannot verify the digital signature of winload.efi.
On the first boot failure I had to recreate the BCD. On every subsequent failure I had to uninstall the update via the recovery console.
I already had KB4474419-v2 installed and no 3rd party antivirus. Dism /Online /Cleanup-Image /CheckHealth found no corruption.
I restored a system image to a spare HDD and booted it to troubleshoot. I found that installing all optional updates fixed the issue. I didn't want that to be the solution for my permanent OS so I investigated further. I eventually installed only KB3133977 to fix the issue. (That update is for a BitLocker issue but I don't use BitLocker. I don't know why it helped.)
Reply
I recommend this discussion (81)
Discussion Info
Last updated September 9, 2019Views 2,167Applies to:
Replies (3)
DannyMosesReplied on August 20, 2019
Thank you for the tip. Downloading and installing KB3133977 allowed me to finally, successfully install KB4512506 on my Windows 7 SP1 X64 system.
Reply
Up vote (7)
EdwardG1345Replied on August 22, 2019
This fix applies to Windows Server 2008 R2 as well. After installing, in August 2019, Microsoft Security Only Patch KB4512486, all our physical 2008 R2s rebooted into System Recovery and the only fix we could find was to revert via "dism.exe /image:C:\ /cleanup-image /revertpendingactions". Needless to say, this prevented the patch from being installed. I recently found this post, gave it a shot with the 2008 R2 x64 version of KB3133977, and now the servers are good to go. Thanks for finding this.
Reply
Up vote (9)
sleightyReplied on August 27, 2019
Just an FYI for those having issues getting KB3133977 to install - KB3125574 supersedes 3133977.
Reply
Up vote (4)
Windows Updates KB4512506/KB4512486 drops error 0x80092004
Posted on 2019-08-14 by guenni
[German]A brief information for users who install the August 2019 security updates KB4512506 or KB4512486 for Windows 7 SP1 and Windows Server 2008 R2 in an installation error 0x80092004. It is highly likely that updates to retrofit SHA-2 support will then be missing.
Advertising
Users report error 0x80092004
It didn’t take long after the release of the security updates KB4512506 (Monthly Rollup) or KB4512486 (Security Only) for Windows 7 SP1 and Windows Server 2008 R2 until the first users reported issues within my German blog. German blog reader Heidemann wrote in this comment:
The attempt to install the update to W2K8R2 fails here with Installation Failure: Windows failed to install the following update with error 0x80092004: Security Update for Windows (KB4512486).
No Symantec or Norton (but McAfee) on the systems.
And a short time later M. Gruber posted this comment with the same tenor, but to another German blog post.
I repeatedly fail to install KB4512506 (Monthly Security Quality Rollup) with code 80092004 under a naked Win7 x64 without AV software.
Am I the only one or is there a workaround?
The user then pointed out similar feedback from users in the English DSL forum.
I can’t install KB4512506 on two different Windows 7 64 bit systems. Each one fails with the error code: 80092004. Multiple restarts and retries result in same error. Anyone else seeing this?
I found also a japanese post mentions this error code without giving further hints.
The error has already occurred with .NET
I mentioned the error code 0x80092004 in some blog posts (see links at the end of the article) and Microsoft also published a KB article about the error. However, this KB article refers to a bug in the .NET framework that prevents updates from being installed. However, I don’t consider this to be a valid cause, as these are currently Windows updates.
Advertising
What does error code 0x80092004 stands for?
Before you start any wild experiments, it’s good to know what the cause of the error is. The error code 0x80092004 stands for CRYPT_E_NOT_FOUND. Windows Update could not find any cryptographic value and rejects the update.
There was something SHA-2 signing?
I had it mentioned in the blog post Symantec/Norton blocks Windows Updates (SHA-2). Microsoft changed the signing of update packages for Windows 7 SP1 and Windows Server 2008/R2 for the first time in August 2019. Instead of signing the packages with both SHA-1 and SHA-2, only a SHA-2 hash value is stored in the package. The above error code indicates that Windows Update is looking for the SHA-1 signature in the package and does not find it.
What should be checked
One possibility is that an external virus scanner recognizes and modifies the update packets incorrectly. The blog post Symantec/Norton blocks Windows Updates (SHA-2) mentions that Symantec and Norton security solutions cause trouble. In this scenario, however, Microsoft blocks the delivery of security updates.
Weighting the above information, there is a lot of evidence that the support for the new updates and Windows signed exclusively by SHA-2 is simply missing. As of March 12, 2019, Microsoft had extended support article 4472027 (2019 SHA-2 Code Signing Support requirement for Windows and WSUS) to include the SHA-2 updates required for Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, and Windows Server 2008 Service Pack 2.
- Update KB4474419 (SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7: March 12, 2019) adds support for SHA-2 signature checks for the above operating systems.
- In addition, the Servicing Stack Update KB4490628 was published in March 2019. This fixes a problem in the Servicing Stack, which occurs as soon as packages are signed with SHA-2 only.
I had mentioned within my blog post Windows 7: Updates for SHA-2 support, that it’s required both updates are installed. Within my German comment here I had recommended checking to see if the relevant updates were available. In fact, blog reader M. Gruber reported here that the SSU KB4490628 was missing on his machine. After installing the Servicing Stack Update (SSUs) from March 2019, the August 2019 security update for Windows 7 SP1 and Windows Server 2008 R2 was successfully installed. And I got a 2nd feedback, that this was the root cause for the update install error. Perhaps it will help one or the other affected person.
Similar articles
Fix for .Net Framework Update KB4340558 error 0x80092004
.Net Framework: Update KB4340558 drops error 0x80092004?
Patchday: Updates for Windows 7/8.1/Server (August 13, 2019)
Symantec/Norton blocks Windows Updates (SHA-2)
Windows 7: Updates for SHA-2 support