Windows 7 updates are causing VMS servers to fail to boot.
After running the update, impacted systems do not boot as normal, instead display this warning screen:
In this note, we examine:
- Which systems are impacted
- What is causing the issue?
- Vendor recommendations to fix
- Dahua and Hikvision not impacted
- End-of-Life Win 7 is coming
- Is this a win for VSaaS?
IPVM has received multiple reports of Windows 7 and Windows Server 2008R2 systems that will no longer boot after installing Microsoft 8/2019 Security update 'KB4512506 Security Monthly Quality Rollup'.
The problem occurs because this update uses now required SHA-2 signing, but mistakenly assumes the embedded OS servers and NVRs have been upgraded from SHA-1, which is not the case for many systems.
One site gave this explanation:
It looks like Microsoft forgot to make this update available for Windows 7 Embedded OS which installs the ability to use SHA-2 code signing.
As soon as the Aug 2019 security rollup update is installed, " KB4512506 " upon reboot, the OS indicates "Windows cannot verify the digital signature for this file " which of course is caused by the lack of the SHA-2 code sign support. I've had two NVR's go down due to this issue.
Below, we cover the impacted security vendors and how to fix the issue.