News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Installing or re-installing Win7? Make sure you get the BitLocker patch

    Home Forums AskWoody blog Installing or re-installing Win7? Make sure you get the BitLocker patch

    Viewing 20 reply threads
    • Author
      Posts
      • #1911985 Reply
        woody
        Da Boss

        No, I don’t make this stuff up. On Friday Microsoft added three little gotchas to the bottom of its SHA-2 patching advisory for Win7. Long story short
        [See the full post at: Installing or re-installing Win7? Make sure you get the BitLocker patch]

        6 users thanked author for this post.
      • #1912067 Reply
        PKCano
        Da Boss

        Did you HIDE KB3133977 at some point?
        If it’s not already installed on your computer you may have the same problem.

        1 user thanked author for this post.
        • #1912172 Reply
          GoneToPlaid
          AskWoody Plus

          Another issue is that KB3133977 will not install on Windows 7 versions which do not support Bitlocker, and it was reported that KB3133977 could brick some Asus computers. I recall that only Win7 Enterprise supports Bitlocker.

          From your AskWoody article:

          “Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.”

          I had that problem when I installed an unsigned driver. UEFI refused to allow my Windows 7 computer to boot. Fortunately, I was able to use Macrium Reflect to repair the EFI partition to allow Windows to boot again.

          Yet the issue remains that KB3133977 simply will not install on my Win7 Pro computers since Pro doesn’t support bitlocker.

          • #1912245 Reply
            satrow
            AskWoody MVP

            Have you checked the Services available on your W7 version?

            Blackviper’s take supports what I see on W7 Pro. and Home Premium.

            • #1912448 Reply
              GoneToPlaid
              AskWoody Plus

              I think you are on to something. On my Win7 Pro computers, Bitlocker is set to manual instead of automatic startup. You reckon this might be why I couldn’t get the update to install?

              • #1912486 Reply
                satrow
                AskWoody MVP

                Manual is the default and it’s fine for the Bitlocker Service.

                No idea why the KB failed, you’ve not detailed the error(s) yet. We need hard data to work with, as much as you can get.

                1 user thanked author for this post.
          • #1912251 Reply
            PKCano
            Da Boss

            Yet the issue remains that KB3133977 simply will not install on my Win7 Pro computers since Pro doesn’t support bitlocker.

            Hmmmm…  Interesting.
            Because I find it installed on every Win7 of mine that I have checked: Win7 Pro 32-bit, Win7 Pro 64-bit, Win7 Ultimate 64-bit.

            Edit: Hmmmm… It gets even more interesting. I find it installed on my 2006 vintage Dell Inspiron 9400 laptop, Win7 Home Premium,  32-bit, centrino duo, max 2GB RAM, up to date as of July 2019 patching.

            • This reply was modified 10 months, 4 weeks ago by PKCano.
            2 users thanked author for this post.
            • #1912452 Reply
              GoneToPlaid
              AskWoody Plus

              I am about to try installing KB3133977 again via Windows Update. I will let you all know what happens. Right now, I have left bitlocker set to manual startup under services.

              • #1912565 Reply
                GoneToPlaid
                AskWoody Plus

                KB3133977 was successfully installed today on my primary Windows 7 Pro desktop and laptop computers. While the update file itself is fairly small, it does take some time after reboot to get past the three flashing dots. Just be patient. Eventually you will see a message that the update progress has reached 32%, and then things further proceed fairly rapidly.

                Now I have to manually download KB3133977 from the windows update catalog so that I can put this update into my folder of required updates which need to be installed when building a new Win7 OS installation. The other two updates and one file which must be in the same folder are:

                KB4490628 (WU servicing stack update)
                KB4474419-v2-x64 (SHA-2 code signing v2)
                pciclearstalecache.exe

                Am I missing anything which I need to perform a fresh install of Win7?

                 

                1 user thanked author for this post.
        • #1912264 Reply
          MrChaz
          AskWoody Lounger

          I remember this article on betanews gonetoplaid,

          Now Microsoft is breaking Windows 7 to get users to upgrade to Windows 10


          and the fix within link from Asus
          https://www.asus.com/support/FAQ/1016356/
          Could not help but laugh at the Microsoft solution in that betanews article:

          Microsoft also has a solution:
          The Secure Boot feature is supported in Windows 10. To learn more about the security advantages of this feature and about the upgrade path from Windows 7 to Windows 10, go to the following Windows website:

          I have Windows 7 32bit on MBR, no bitlocker activated and up to date as of July 2019 without KB3133977 installed and everything works for my needs. All imaged should anything go pong!

          ‘Extended support’ makes me wonder what will be dished out beyond Windows 7 EOL for enterprises, should they wish to continue using the OS. The current state of ‘extended support’ is bearly palatable.

          Should I need to reinstall Windows 7, Linux IS my port of call on this device.

          illegitimi Non Carborundum
      • #1912071 Reply
        T
        AskWoody Plus

        Lol whut? Is this for real? Even if you don’t use bitlocker and have never had it on your system you still need this patch?

        shakes head in disbelief

        You couldn’t make this stuff up.

        1 user thanked author for this post.
        • #1912107 Reply
          woody
          Da Boss

          Not only that, but the warning is buried in pull-down line-items in a FAQ at the bottom of the old SHA-2 announcement.

          I don’t know how @abbodi86 finds this stuff, but maaaaaaannnnnn…..

          1 user thanked author for this post.
          T
          • #1912259 Reply
            T
            AskWoody Plus

            It’s Kafkaesque madness which seems par for the course with microsoft these days. I’m glad for people like abbodi86 though who keep track of this stuff and tell us.

            I’m curious now if anyone has run into this issue without the required patch because i see it on my hidden list and i’m loathe to install anything optional that i don’t specifically need but then my HDD might go belly up tomorrow. Also, does this affect the ability to create a system image through backup and restore in the first place?

      • #1912246 Reply
        JNP
        AskWoody Plus

        I successfully installed kb3133977 in May 2016. Do I have to run bcdboot.exe, which I have in two locations, system32 and winsx64\amd64, on my hard drive and do I have to run it in both locations?  Thanks.

        1 user thanked author for this post.
      • #1912247 Reply
        NoLoki
        AskWoody Lounger

        I think it is actually worth backing up the BCD anyways. Use EasyBCD 2.3 on W7, as it is just a matter of clicking on ‘backup’ for it to make a copy. If you need the BCD at a later date, just open the GUI again and select ‘restore’.

        It is freeware. I got it from NeoSmart Technologies (neosmart.net/easybcd)

        2 users thanked author for this post.
        • #1913210 Reply
          GoneToPlaid
          AskWoody Plus

          I just installed EasyBCD 2.4 and used it to make a backup of my EFI boot loader. That was easy! It looks like Neosmart also has a USB version which can be used to fix computers which BSOD on bootup.

      • #1912277 Reply
        anonymous
        Guest

        Long story short, if you’re trying to install Win7 (either on bare metal, or a VM) and you:

        • Are using setup to install a customized image (e.g., created by DISM)
        • Are burning an image directly to the new machine, or
        • Installing an image with SHA-2 support, but it won’t start with error 0xc0000428

        My gobbledygook is rusty.  I have Win7 Home Premium, with updates frozen as of Dec 2017.  The last time I used a system image after a preventive hard drive replacement (4-5 yrs ago) it was successful, no hiccups or glitches.

        If I understand what is being said in this article, because I have a “closed system”, and my system image backups are created by and within that closed system, I conclude this hullabaloo does not affect me.

        Please advise if I am mistaken.  Thank you.

        • #1912345 Reply
          PKCano
          Da Boss

          If you are not doing a clean install of Windows you do not have to worry about it.
          If you have not updated since Dec 2017, and you are not currently updating Windows, then current Windows updates do not concern you. The conflict is caused by the installation of a current August 2019 Windows patch.

          6 users thanked author for this post.
        • #1912692 Reply
          dg1261
          AskWoody_MVP

          My gobbledygook is rusty. […] If I understand what is being said in this article, because I have a “closed system”, and my system image backups are created by and within that closed system, I conclude this hullabaloo does not affect me.

          I also had a hard time parsing the risk scenarios in the article. I wonder if it would be fair to read the conditions as:

          Long story short, if you’re trying to install Win7 (either on bare metal, or a VM) and you want to install post-July updates and you:

          • Are using setup to install a customized image (e.g., created by DISM)
          • Are burning an image directly to the new machine, or
          • Installing an image with SHA-2 support, but it won’t start with error 0xc0000428

          I think that’s what PKCano’s reply is implying — that the issue doesn’t affect you if you’re not interested in post-July updates. If I’m misreading between the lines, I hope PKCano will correct me.

      • #1912364 Reply
        anonymous
        Guest

        I had two different systems, one server and one laptop, fail to boot yesterday after installing this month’s cumulative update.  I traced the issue directly to not having KB3133977 installed before installing the August update.  Both systems were x64 UEFI.  The installs were several years old, not fresh installs or reinstalls.

        The server… I restored to before the update.  The laptop took installing KB3133977 using the recovery console and DISM, rebooting back to the recovery console and running BCDBoot.exe.  Laptop came right back up after that.

        3 users thanked author for this post.
        • #1913212 Reply
          GoneToPlaid
          AskWoody Plus

          A question. Were you actually using Bitlocker on these two computers? I ask since I am not using Bitlocker on my Win7 computers, and I had no issues after installing the August SO without KB3133977 being installed on any of my Win7 computers.

      • #1912725 Reply
        Bob99
        AskWoody Plus

        This patch must also be installed on machines that boot from UEFI instead of BIOS and run Windows 7 64 bit (x64 and IA64) in order to successfully install this month’s security only patch (KB4512486) as well as this month’s rollup patch (KB4512506). See the entire thread “Caution: Windows 7 August Monthly Patch might cause BSOD” here on AskWoody, and my post at the end, post number 1911473 posted right here: https://www.askwoody.com/forums/topic/caution-windows-7-august-monthly-patch-might-cause-bsod/#post-1911473

        This is a known issue that appears in the KB articles for BOTH of this month’s Win7 security parches, about machines not rebooting after installing the patch and giving a black screen of death.
        Here’s a direct quote from KB4512506:

        IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:

        “File: \Windows\system32\winload.efi

        Status: 0xc0000428
        Info: Windows cannot verify the digital signature for this file.”

        I added the bolding in the quote above.

        So, even for folks who haven’t installed from scratch in the last 30 days or so, the bit locker patch still plays a role in the successful installation of the two Windows 7 patches this month for some folks! Basically, if your computer boots from UEFI, you’d better get the bit locker patch (KB3133977) installed BEFORE installing any security patches for August, as illustrated by Anonymous just above this post, number 1912364.

        My thanks to @abbodi86 for clarifying if I should install this patch even though I hid it on one of my machines.

        • This reply was modified 10 months, 4 weeks ago by Bob99. Reason: Added direct quote
        3 users thanked author for this post.
        • #1912759 Reply
          samak
          AskWoody Plus

          “Basically, if your computer boots from UEFI, you’d better get the bit locker patch (KB3133977) installed”.
          How do we find out if our computers boot from UEFI or not ?

          W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

          • #1912841 Reply
            Paul T
            AskWoody MVP

            How do we find out if our computers boot from UEFI or not ?

            The easiest way is to run DISKPART and enter the command LIST DISK.
            https://www.howtogeek.com/245610/how-to-check-if-a-disk-uses-gpt-or-mbr-and-how-to-convert-between-the-two/

            cheers, Paul

            1 user thanked author for this post.
            • #1912847 Reply
              JohnFDoe
              AskWoody Plus

              Nope. The failure criteria stated is not “GPT partition”, it is (U)”EFI boot”. The only sure way to check is to go to your PCs BIOS settings and see how it refers to your Windows boot: As a (longish) name or as a partition. If it is a partition, it is not (U)EFI boot.

              1 user thanked author for this post.
            • #1912851 Reply
              Alex5723
              AskWoody Plus

              How do we find out if our computers boot from UEFI or not ?

              The easiest way is to run DISKPART and enter the command LIST DISK.
              https://www.howtogeek.com/245610/how-to-check-if-a-disk-uses-gpt-or-mbr-and-how-to-convert-between-the-two/

              cheers, Paul

              System information will display Bios UEFI..

              Attachments:
              1 user thanked author for this post.
              • #1912932 Reply
                Pim
                AskWoody Plus

                This is only the case in Windows 10. System information in Windows 7 does not give you the BIOS Mode.

                ASRock Beebox J3160 - Win7 Ultimate x64
                Asus VivoPC VC62B - Win7 Ultimate x64
                Dell Latitude E6430 - Win7 Ultimate x64
                Dell Latitude XT3 - Vista Ultimate x86 (still...)
                Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

                • This reply was modified 10 months, 4 weeks ago by Pim.
                1 user thanked author for this post.
              • #1913499 Reply
                Paul T
                AskWoody MVP

                System information will display Bios UEFI

                UEFI will boot MBR so the BIOS mode may not reflect the disk format.

                cheers, Paul

            • #1913328 Reply
              samak
              AskWoody Plus

              Thanks for that, it appears mine is MBR, so BIOS mode if I understand correctly.

              W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

              • #1913498 Reply
                Paul T
                AskWoody MVP

                Actually it’s MBR as opposed to UEFI, so you don’t need the patch.

                cheers, Paul

        • #1912760 Reply
          GoneToPlaid
          AskWoody Plus

          Hi Bob99,

          Thanks for the strong alert. Yet the requirement to install KB3133977 before installing the August updates might not be entirely true. Let me explain. I do not use Bitlocker on my Win7 Pro computers. I had no issues in installing the July and August Security Only updates. Perhaps since I so not use Bitlocker?

          Anyway, I subsequently have now installed KB3133977 on my Win7 Pro computers (which do not use Bitlocker) without any issues.

          Hopefully we all will be able to figure out the latest August round of Microsoft updates. August really does seem to be a really bad month for Microsoft, not that any other month is an order of magnitude better, since there almost always is usually something which Microsoft promises to fix in future updates.

          Best regards,

          –GTP

           

      • #1912742 Reply
        James Bond 007
        AskWoody Lounger

        Even though the motherboards in my systems are all UEFI, I still boot Windows 7 using BIOS (my boot SSDs are formatted using MBR instead of GPT).

        So should I not be affected by this potential issue? I would think so, but I welcome confirmation.

        Hope for the best. Prepare for the worst.

        1 user thanked author for this post.
        • #1912795 Reply
          abbodi86
          AskWoody_MVP

          Better safe than sorry, install KB3133977 anyway 🙂

          2 users thanked author for this post.
      • #1912840 Reply
        JohnFDoe
        AskWoody Plus

        To clarify for the beginners:

        EFI boot means the BIOS searches the hidden EFI FAT partition to run the file “bootmgr*.efi” instead of running the code in the boot sector of the Windows partition (which in turn loads a boot loader from the disk containing that boot sector). This may or may not be unrelated to the use of MBR-style partition tables.

        “Image” refers to a file tree inside a Microsoft .wim file (which may contain more than one “image”), as used almost exclusively by the Windows 6/7/8/8.1/10 installer (including what counts as “Windows PE” these days). This has very little to do with an actual disk image except in the naming of related commands.

        Historically, there were all sorts of fatal bugs in the patches that upgraded Windows 6/7 Kernel Mode File signature checking from SHA-1 to SHA-2, so much that this was often a skipped update, abandoned by both Microsoft and users way back when Windows 7 was in mainstream support. Now, a few months before end of extended support, they push out a new version of these patches, and it crashes again.

        Therefore, most production Windows 7 drivers (.SYS files etc.) from vendors are signed with SHA-1 signatures chaining via old commercial CA roots to ancient Microsoft cross-certificates. So it is unclear if this brings in the lock-down to require drivers to be submitted to Microsoft Windows 10 signing services (that have stopped or will soon stop accepting Windows 7 drivers) in order to load those drivers on Windows 7, thus effectively stopping hardware vendors from updating, bug-fixing or adding Windows 7 drivers. Official Microsoft rules on this were also a muddled mess.

        1 user thanked author for this post.
        Pim
      • #1913053 Reply
        Pim
        AskWoody Plus

        I am getting confused. KB3133977 is not installed on most (at least 3) of my Windows 7 machines, nor have I hidden it or is it offered through Windows Update (not even as an optional update). I have 1 machine on which it is installed, apparently via Windows Update, because that is the way I update my machines. If this update is so important, how come I do not see and have never seen it? Does it mean I have to manually download it from the catalogue and install it? One of the machines on which I do not have any trace of KB3133977 is an Windows 7 x64 UEFI machine. The others all boot from MBR.

        ASRock Beebox J3160 - Win7 Ultimate x64
        Asus VivoPC VC62B - Win7 Ultimate x64
        Dell Latitude E6430 - Win7 Ultimate x64
        Dell Latitude XT3 - Vista Ultimate x86 (still...)
        Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

        • #1913214 Reply
          GoneToPlaid
          AskWoody Plus

          Maybe check your Windows Update settings to make sure that WU checks for optional updates?

          • #1913219 Reply
            Pim
            AskWoody Plus

            Maybe check your Windows Update settings to make sure that WU checks for optional updates?

            Thanks for your suggestion. However Windows Update always checks for optional updates, it is not a setting than can be changed.

            ASRock Beebox J3160 - Win7 Ultimate x64
            Asus VivoPC VC62B - Win7 Ultimate x64
            Dell Latitude E6430 - Win7 Ultimate x64
            Dell Latitude XT3 - Vista Ultimate x86 (still...)
            Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

      • #1913215 Reply
        GoneToPlaid
        AskWoody Plus

        A question for the experts. Now that I have KB3133977 installed on my Win7 computers, do I simply run bcdboot.exe with no parameters from an elevated command prompt?

        • #1913220 Reply
          T
          AskWoody Plus

          I thought you only needed to do that if you reinstall windows from a backup and it throws up an error message but you now have the required patch installed so i assumed that wouldn’t be necessary. This whole mess is so confusing though so it’s likely i’ve got it wrong.

        • #1913229 Reply
          abbodi86
          AskWoody_MVP

          Yes, without parameters bcdboot update/create boot files for current system

          but i think it’s not needed, installing KB3133977 should have handle that

          2 users thanked author for this post.
      • #1913257 Reply
        Zathras
        AskWoody Plus

        A question. Were you actually using Bitlocker on these two computers? I ask since I am not using Bitlocker on my Win7 computers, and I had no issues after installing the August SO without KB3133977 being installed on any of my Win7 computers.

        Hi,

        Newly registered, I’m the anonymous poster above (and in the Win7 patch August BSOD thread).

        No bitlocker installed.  The two affected systems were Server 2008 R2 (x64/UEFI) and Windows 7 (x64/UEFI).  Both did not have KB3133977 installed and both failed to boot after installing the August cumulative update.  The server showed the same error as the laptop.  As I said, it was faster to just restore the server with the backup from 8 hours prior.  I installed KB3133977 after it restored but have not tried to put the August update in as of yet.

        Once I started working on the laptop, I found the x64/UEFI warning at the bottom of the KB4512506 page.  I was having difficulty getting KB3133977 to the laptop to use with DISM so I tried running bcdboot.exe without installing KB3133977.  On the reboot it gave me the 0xc0000428 error.  I ended up pulling the laptop drive, putting it in dock on a working system, copied KB3133977 to the drive and then followed the directions using DISM and bcdboot.exe.  The laptop came right back up after that.

        Systems that were not UEFI and did not have KB3133977 installed had no trouble with the August update.

        3 users thanked author for this post.
        • #1913885 Reply
          GoneToPlaid
          AskWoody Plus

          I have been thinking about why I didn’t have any trouble installing the August SO on my three primary Win7 computers. The laptop doesn’t support UEFI, so that explains why it didn’t have any issues. My two primary desktops (virtually identical computers) have their BIOS configured to use a hybrid UEFI/legacy mode in which non-EFI partitions can also boot. I suppose that this is why I had no issues after installing the August SO even though I didn’t have KB3133977 installed? Also, I never installed the convenience rollup since it contains telemetry.

      • #1913266 Reply
        Pim
        AskWoody Plus

        Reading everything here, just consider how much time and effort is wasted sorting out this issue with KB3133977. Also the time and effort those of those that ran into the issues because they had not installed KB3133977, including the people that do not visit AskWoody. And all of that just because MS in all of its wisdom changes to SHA2 only signing for Windows 7, just 5, I repeat: just 5 months before Windows 7 is EOL. Sigh…. Any wise (wo)man would not have bothered and thought that it just is not worthwhile for just 5 months.

        I am really grateful for all of you that participate, share and respond. But would you rather not have spent that time on something more constructive? I know I would (having lost too much time this morning just trying to figure out what was going on…).

        ASRock Beebox J3160 - Win7 Ultimate x64
        Asus VivoPC VC62B - Win7 Ultimate x64
        Dell Latitude E6430 - Win7 Ultimate x64
        Dell Latitude XT3 - Vista Ultimate x86 (still...)
        Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

        • #1913269 Reply
          Alex5723
          AskWoody Plus

          Any wise (wo)man would not have bothered and thought that it just is not worthwhile for just 5 months.

          What 5 months ? 3 years.

          • #1913284 Reply
            Pim
            AskWoody Plus

            What 5 months ? 3 years.

            Win7 EOL is January 2020. That is 5 months from now, not 3 years.

            Edit: this was meant as a reply to the above post by Alex5723. I do not know what I did wrong, but it apparently was not posted as a reply.

            ASRock Beebox J3160 - Win7 Ultimate x64
            Asus VivoPC VC62B - Win7 Ultimate x64
            Dell Latitude E6430 - Win7 Ultimate x64
            Dell Latitude XT3 - Vista Ultimate x86 (still...)
            Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

            • This reply was modified 10 months, 4 weeks ago by Pim.
            • #1913290 Reply
              Alex5723
              AskWoody Plus

              What 5 months ? 3 years.

              Win7 EOL is January 2020. That is 5 months from now, not 3 years.

              Edit: this was meant as a reply to the above post by Alex5723. I do not know what I did wrong, but it apparently was not posted as a reply.

              • This reply was modified 10 months, 4 weeks ago by Pim.

              Microsoft will extend support for 3 years.

              • #1913302 Reply
                Pim
                AskWoody Plus

                But only if you are an enterprise and pay. This will be a relatively (very?) small portion of all current Windows 7 users. Now THAT would have been a much better point in time to change to SHA2 only.

                ASRock Beebox J3160 - Win7 Ultimate x64
                Asus VivoPC VC62B - Win7 Ultimate x64
                Dell Latitude E6430 - Win7 Ultimate x64
                Dell Latitude XT3 - Vista Ultimate x86 (still...)
                Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

                1 user thanked author for this post.
      • #1913346 Reply
        opti1
        AskWoody Plus

        Systems that were not UEFI and did not have KB3133977 installed had no trouble with the August update.

        So confused. like others here I have multiple Windows 7 Home Premium SP1 PCs that DO NOT have KB3133977 installed NOR hidden and all three are legacy BIOS not UEFI.

        Zathras’s experience quoted above leads me to think those of us in my situation should be able to install the August update(s) without problems.

        Can anyone else confirm?

        Can we ignore KB3133977?

        Thanks!

        • #1913405 Reply
          T
          AskWoody Plus

          That is my understanding as well, those who still use BIOS should be fine but what really grinds my gears about this utter mess is what happens when you need to reinstall windows? Say an image restore to a new HDD? Will that work or will those who use BIOS still run into this issue as the support article suggests? In that case, you have to take the risk of installing the bitlocker patch and the SHA-2 v.2 patch and hope it doesn’t break anything else and when the inevitable time comes to restore you’re plain sailing. I would love to see some test cases here because i certainly ain’t trying it.

      • #1913356 Reply
        opti1
        AskWoody Plus

        –> Never mind. I think PKCano’s post #1912345  answers my question. <–

        Another thing –

        Maybe a silly question, but does this (from Woody’s Computer World article where he lays out three situation where this KB3133977 update comes into play):

        • “You’re burning an image of Win7 directly to disk without running setup.”

        include restoring a Windows image backup over an existing Windows installation?

        Thanks!

        • This reply was modified 10 months, 4 weeks ago by opti1.
      • #1913357 Reply
        anonymous
        Guest

        What a mess, Win7 Pro here and i have not installed KB3133977, nor is it hidden.
        According to multiple sources KB3133977 is included in KB3125574 ‘Convenience rollup update’.

        Can anyone confirm for sure that you do not need to install KB3133977 if KB3125574 is installed ?

        • #1913441 Reply
          Bob99
          AskWoody Plus

          If you have installed KB3125574, I would go take a look at the file list of KB3133977 for your bittedness (x64 or x86, 64 bit or 32 bit) and see if the file versions on your machine meet or exceed the version numbers quoted in the list in the article for KB3133977. If they meet or exceed those version numbers, then you’re probably all set, and don’t need to install KB3133977 prior to any of the August patches.

          Most all of the individual files (the .dll, .efi, .mof and .sys files) mentioned in the bulletin should be found in the \Windows\system32 folder right after the long list of subfolders within the system32 folder. All of the individual .dll, .efi, .mof and .sys files should be there. The file “Tpm.sys” might be found in the drivers subfolder of the system32 folder if it isn’t listed with the other files in the system32 folder.

          I wouldn’t worry about the files on the list labeled “Tpm.inf_loc”, as those are for specific locales that MS doesn’t specify in the bulletin for some reason. If this is wrong, MVP’s/”DaBoss”es please feel free to correct this statement.

        • #1913489 Reply
          abbodi86
          AskWoody_MVP

          Yes, CR KB3125574 include (supersede) KB3133977
          you don’t need it

          @Bob99
          the updated boot files are in C:\Windows\Boot\EFI

          • #1913495 Reply
            BobbyB
            AskWoody Lounger

            Phew that’s a relief here got 2 Machine specific SYSPREPed Win 7 x64 Images here and for added enjoyment the .WIM’s are actually .SWM’s (Split WIM’s) and were compiled using the KB3125574 aka unofficial SP2 roll up.
            So recombining the .WIM and updating them, Mount, unmount and commit, creating a fresh .ISO, and at 3 indices per Image would be time consuming to say the least.
            Thanks for that snippet 🙂

      • #1927749 Reply
        Marty
        AskWoody Plus

        My system’s patches are up to date.  If I create an image of my Win7 computer today, and “restore” it to a brand-new hard drive tomorrow, do I need the bitlocker patch?  It’s hard to see why I would, but I’d like to have this clarified.  Thanks.

        • #1927778 Reply
          PKCano
          Da Boss

          If the Bitlocker patch is installed in the image you restore from, you do not need to install it again.
          If you are installing from an image created before 5/3/2016 (when the Bitlocker patch was issued), you will need to install KB3133977 along with the latest Servicing Stack and the SHA-2 coding update prior to using Windows Update..

          1 user thanked author for this post.
      • #1934666 Reply
        anonymous
        Guest

        I have a few Win 7 systems, some X64 Ultimate and one x64 Home Premium.

        All of them already have KB4490628 (Servicing Stack update) and KB3125574 (a roll-up that includes KB3133977).

        I downloaded the latest standalone KB4474419 (SHA2 v2) update from the MS update catalog.

        The 1st system to be updated is the Home Premium system.

        Launched the update & it seemed to install OK initially.  But after I clicked on the post-install restart it has been stuck on the “Preparing to configure Windows” screen for almost an hour so far.  The system is a laptop with a modest CPU but fast SSD.  There’s consistent modest disk activity… but it’s taking forever.  The last time I experienced this was with the last servicing stack update.  I have my fingers crossed the update will complete…

        • #1934688 Reply
          ek
          AskWoody Lounger

          I have a few Win 7 systems, some X64 Ultimate and one x64 Home Premium.

          All of them already have KB4490628 (Servicing Stack update) and KB3125574 (a roll-up that includes KB3133977).

          I downloaded the latest standalone KB4474419 (SHA2 v2) update from the MS update catalog.

          The 1st system to be updated is the Home Premium system.

          Launched the update & it seemed to install OK initially.  But after I clicked on the post-install restart it has been stuck on the “Preparing to configure Windows” screen for almost an hour so far.  The system is a laptop with a modest CPU but fast SSD.  There’s consistent modest disk activity… but it’s taking forever.  The last time I experienced this was with the last servicing stack update.  I have my fingers crossed the update will complete…

          So this was posted by me (ek).  I had to post as anonymous because I was not on one of the home systems at the time.

          Anyway…

          I gave up trying to install KB4474419 on the Win 7 Home Premium laptop.  The update just wouldn’t complete.  The laptop is an old Acer AMD A6 system and has a weird hybrid UEFI/BIOS boot that cannot be configured at all in BIOS.  It has always made setting up dual boot Win/Linux a pain and I suspect the quirk got in the way of the update.

          In fact, all of my other Win 7 systems are BIOS MBR boot and do not have bitlocker installed.  So, no real need for me to do the updates.

          Back in July I decided to no longer do any updates to Win 7.  But I got the recent impression I needed to re-update bitlocker/SHA2 updates with the latest versions to assure I could restore a Win 7 disk image backup.  Appears not to be the case for me.  So, hopefully, I’ll return to ignoring Win 7 updates.

          • This reply was modified 10 months, 2 weeks ago by ek.
          • #1934698 Reply
            anonymous
            Guest

            ? says:

            hi ek,

            did you get any error codes? or did it get stuck before generating any? is it the march version or did you get that one to install and now you’re sticking on the august v2 version? or in my case too much more brain damage

      • #1934705 Reply
        ek
        AskWoody Lounger

        ? says:

        hi ek,

        did you get any error codes? or did it get stuck before generating any? is it the march version or did you get that one to install and now you’re sticking on the august v2 version? or in my case too much more brain damage

        No error codes.  Just the “Preparing to configure Windows” screen and some meager repetitive disk activity.  I gave it 2 hours and no change.  So I did a hard powerdown & then booted into safe mode, which announced the update failed and recovered to the previous state/version.

        That was with 8/12/2019 version of KB4474419.

        The update failed on my old Acer X64 Win 7 Home Premium laptop, which has the weird non-configurable UEFI/BIOS boot mode.  That is, it will boot UEFI if – when during OS install – I choose UEFI.  If I config a disk for good ‘ol BIOS MBR boot, the BIOS will boot that too.  And the BIOS will allow boot into UEFI mediated recovery.  But the BIOS itself has no options to control this.

        My other Win 7 systems are plain ‘ol BIOS MBR boot.  No UEFI in the BIOS at all (AMD 970 boards).  I think it’s likely KB4474419 will install OK on these systems… but I’m not going to bother finding out.

        On all my systems, I run Linux 99% of the time (some 100% now).  That’s been my practice for years now.  At this point I’d lose very little if I went full 100% Linux.  Man, MS missed the boat with me.

      • #1934717 Reply
        ek
        AskWoody Lounger

        ? says:

        i looked around a bit and found this one;

        https://www.sevenforums.com/windows-updates-activation/418834-unable-install-kb4474419-win7-x64-ultimate.html

        and:

        https://www.bleepingcomputer.com/forums/t/696802/cant-install-kb4474419-it-fails-and-reverts/

        don’t know if they would help? so did the March version install w\o trouble? anyway i hope you get past this glitch and then on to whatever else they throw our way…

        Aha!  Thanks for the pointers.

        First, I did review the update log and saw error #80070643 for my earlier attempts to install KB4474419.  I researched this and found no consistent answer on that code.  But it did seem sometimes to correlate to file permissions issues.

        And, yes, the earlier March version of KB4474419 installed fine, per review of my update history.

        Anyway… fix discovered:

        Well, per one of the links you provided, the “fix” was to login to the Administrator account and install the standalone 8/12/2019 version of KB4474419.  Perhaps I could have just done a right-click “run as Adminstrator” on the standalone update via my normal account (which has admin privs), but I chose to just login as Administrator as others had done to get the update to install clean.

        The bottom line: KB4474419 installed successfully (and relatively quickly) when running the standalone update when logged in as the Administrator user.

        I did the same thing on my other Win 7 systems. No issues.  I suspect I could have done a normal install of the update on those systems as they are Win 7 Ultimate.

        I have to say: it’s been a loooong time since I had to resort to installing an update this way.  I’m kicking myself for not remembering & giving it a shot initially.

        Note:
        On one system I had to actually make the Administrator user visible in the login screen.  To do that, I right-click selected “Run as Administrator” for CMD.EXE.  Then in the resulting CMD window, I entered:

        net user administrator /active:yes

        Then I logged out from my account & immediately logged in as the Administrator user.  Note that no password was set for the Administrator user yet, so I could initially login as Administrator without a password (!!!!).  Thus, immediately after login I set a password for the Administrator user. 

        So if you choose to make Administrator visible on the login screen:  PLEASE make sure the Administrator user has a reasonably secure password set.

        • This reply was modified 10 months, 1 week ago by ek.
    Viewing 20 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Installing or re-installing Win7? Make sure you get the BitLocker patch

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.