Windows Update SHA-1 Deprecation

Author by Mitchell Grande

Another upcoming security change to Windows is the transition to SHA-2 code signing certificates for Windows Update.  This change will require updates to allow Windows 7, Server 2008, and Server 2008 R2 to continue receiving updates after July 2019.

Background

Today, Windows Update packages are signed with both the SHA-1 and SHA-2 algorithms to verify that they are from Microsoft and haven't been tampered with during transit.  This is an important security feature that ensures you can trust the update packages that run on your systems.  However, SHA-1 is generally considered insecure and is being phased out both from Windows Update signing as well as across the entire industry.  For example, SHA-1 SSL certificates were phased out a couple of years ago.

To discontinue the use of SHA-1, Microsoft will begin only signing updates with SHA-2 after July 2019.  While Server 2012 and newer already support SHA-2 natively, older OSes require updates to support it.  These updates will need to be installed prior to July or August 2019, depending on the specific OS version.

Actions Required

To enable support for SHA-2, the following updates must be installed prior to the given deadline:

OS Required KBs Deadline

Windows Server 2008 SP2

KB4493730 & TBA*

July 16, 2019

Windows 7

KB4474419 & KB4490628

August 13, 2019

Windows Server 2008 R2 SP1

KB4474419 & KB4490628

August 13, 2019

*The second KB number for Server 2008 SP2 hasn't been published as the update isn't yet available.

Windows updates released after the noted deadline will only be signed with SHA-2 and will require the relevant KBs to be installed on the clients.  Any servers without the KBs will stop receiving updates on the deadline.

WSUS Server

Any servers running WSUS services will require a separate update to enable support for SHA-2 within WSUS itself.  The update is KB4484071 and is required by June 18, 2019.

Author

Mitchell Grande

Systems Engineer

Tags in this Article