Windows 7: From April 2019 ‘SHA-2-Support’ is required

win7[German]Users of Windows 7 SP1 (and its server counterparts) and WSUS will need a special update from April 2019, which will enable the machine to handle SHA2 code signatures. Without this update, these machines can no longer process updates.

Background: Switching to SHA-2

Updates for Windows are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly and unmodified from Microsoft. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.

SHA-2 required from 2019 onwards (Windows, WSUS)

In a 2019 support post, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS Microsoft has now announced changes in the code signing for Windows updates for 2019. The protection of Windows updates with two hash values (SHA-1 and SHA-2) will expire in 2019. Due to weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft will sign Windows updates only with the more secure SHA-2 algorithm.

Customers using Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 (and WSUS) must have SHA-2 code signing support installed on these systems by April 2019. Windows systems without SHA-2 support will no longer be eligible for Windows updates from April 2019.

To prepare machines for this change, Microsoft 2019 will release appropriate updates to SHA-2 support. Some older versions of Windows Server Update Services (WSUS) will also receive SHA-2 support to properly deploy SHA-2-signed updates.

Support for SHA-2 will be available in the monthly updates from early 2019. The migration process to exclusive SHA-2 support will be gradual and support will be offered in multiple update packages. Only one update package with SHA-2 support may be installed to activate support. Microsoft is striving for the following schedule to provide SHA-2 support.

  • February 2019: The operating systems mentioned above receive SHA-2 support via a stand-alone update and via the preview of the monthly rollup update. In addition, Update for SHA-2 Support for WSUS 3.0 SP2 is provided.
  • March 2019: The monthly March 2019 rollup and security update includes support for SHA-2 code signing.
  • April 2019: Updates for the above Windows versions require the installation of SHA-2 code signing support. Installing one of the earlier Windows updates listed above provides the support necessary to continue receiving Windows updates after April 2019.
  • July 2019: Starting in July, customers using WSUS 3.0 SP2 must have SHA-2 support installed and all Windows Service updates will only be SHA-2 signed.

Machines with Windows 8.1 and Windows 10 are not affected by this change, SHA-2 support is already integrated. (via)

Similar articles:
SHA-2 patch for Windows 7 arrives on March 2019

This entry was posted in Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *