On August 14th, Microsoft blocked installation of the Windows 7 and Windows Server 2008 R2 updates that were co-signed using a SHA-2 certificate. Devices with Symantec or Norton antivirus installed were also placed on safeguard hold, as the antivirus software was deleting the updates during installation and preventing startup from occurring
Microsoft mentioned this in the known issue’s description:
The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.
Now, the safeguard hold has been lifted for the following updates:
• KB4512514 (August Preview of Monthly Rollup),
• KB4512486 (August Security-only update),
• KB4512506 (August Monthly Rollup).
Symantec have addressed the issue in an advisory:
Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection.
Microsoft KB4512506/KB4512486 and future updates can be safely installed and the soft block was removed on August 27th, 2019.
Microsoft will require Windows Server 2012, Windows 8.1 and Windows Server 2012 R2 to only support SHA-2 signed updates during the September 2019 Patch Tuesday.
With only 5 patch Tuesdays left for Windows 7, users are encouraged to consider making a much bigger switch to Microsoft’s latest operating system.