Install Windows 7 from backup? You need to use the BitLocker patch immediately
There is no doubt that you recall the warning in February that the Windows 7, Server 2008 and Server 2008 R2 patches starting in July will use the SHA-2 encryption protocol. If you want to install the Win7 patch released after July, you must install the SHA-2 converter.
A few days ago, Microsoft in its SHA-2 post for Windows and WSUS, the bottom of the 2019 SHA-2 code signing support required to the FAQ. The post now says that you must install a seemingly unrelated patch, KB 3133977, titled, because the service in the svchost.exe process in Windows 7 or Windows Server 2008 R2 crashes, BitLocker cannot encrypt the drive.
This should immediately draw your attention. This is a BitLocker fix. For the sake of heaven, Microsoft now says that you can install the fix better before trying to run a new instance of Win7 - whether or not you have BitLocker.
Specifically, the SHA-2 post was updated on August 16th, saying you can run into trouble in any of these scenarios:
You are using the installer to perform a fresh installation of Win7 using an updated custom image (possibly created by DISM).
You are burning an image of Win7 directly to disk without running the installer.
You installed an image that supports SHA-2, but the system fails to boot, throwing error 0xc0000428, "Windows cannot verify the digital signature of this file. Recent hardware or software changes may have installed a file that was not properly signed or corrupted, or It is malware of unknown origin."
The remedy in each case is slightly different, but in general it includes installing the BitLocker fix KB 3133977 (even if you have hidden it!) and running the bcdboot.exe program to refresh the startup file.