An update was released today that adds SHA-2 code signing support to Windows 7 SP1 and Windows Server 2008 R2 SP1. If this update is not installed, these Windows operating systems will no longer be able to receive Windows updates starting on July 16th, 2019.
Currently all Windows updates are dual signed with both SHA-1 and SHA-2 code signing certificates. Because SHA-1 is no longer collision resistant (a practical collision was demonstrated publicly in 2017), Microsoft has stated that starting on July 16th, 2019, Windows updates will be signed using the SHA-2 algorithm only.
“To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.”
As neither Windows 7 SP1 nor Windows Server 2008 R2 SP1 can verify SHA-2-only signed updates out of the box, Microsoft had stated that it would release an update introducing this capability into those operating systems.
As part of the March 2019 Patch Tuesday updates, Microsoft released KB4490628 (a servicing stack update that is a prerequisite) and KB4474419 (the SHA-2 code signing support update itself) for both Windows 7 SP1 and Windows Server 2008 R2 SP1. These updates are installed automatically and should not be blocked, as doing so will cause Windows Update to stop delivering updates to the machine after the cut-over date.
“Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Windows Server Update Services (WSUS) 3.0 SP2 will receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.”
Microsoft also released KB4484071 for those running WSUS 3.0 SP2, which adds support for delivering SHA-2 signed updates to clients.
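For administrators who want to confirm that a fleet is ready before the July cut-over, the following PowerShell script is an added example (not from the article or from Microsoft) that reports which of the updates named above are missing on each host. It only uses the KB numbers cited in the article; it assumes a PowerShell 3.0 or later admin workstation with WMI access to the targets, and that the updates were installed through Windows Update, WSUS or wusa.exe so that Get-HotFix can see them. The second function inspects the Authenticode signature of a downloaded update package; note that the certificate's own signature algorithm is not the file digest algorithm, so the definitive check for a SHA-2 file signature remains `signtool verify /v /all`.

```powershell
# Added example: SHA-2 update readiness report for Windows 7 SP1 / Server 2008 R2 SP1
# clients and WSUS 3.0 SP2 servers. KB numbers are those cited in the article.
# Assumes PowerShell 3.0+ on the querying host and WMI access to the targets.

function Test-Sha2SigningReadiness {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$WsusServer      # also check the WSUS 3.0 SP2 update on this host
    )

    # Order matters: the servicing stack update must be present before KB4474419 will install.
    $required = @(
        @{ Id = 'KB4490628'; Purpose = 'Servicing stack update (prerequisite)' },
        @{ Id = 'KB4474419'; Purpose = 'SHA-2 code signing support' }
    )
    if ($WsusServer) {
        $required += @{ Id = 'KB4484071'; Purpose = 'WSUS 3.0 SP2 SHA-2 delivery support' }
    }

    foreach ($computer in $ComputerName) {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer
        $installed = @(Get-HotFix -ComputerName $computer | Select-Object -ExpandProperty HotFixID)

        $missing = @($required | Where-Object { $installed -notcontains $_.Id })

        [pscustomobject]@{
            ComputerName = $computer
            OSVersion    = "$($os.Caption) SP$($os.ServicePackMajorVersion)"
            # NT 6.1 is Windows 7 / Windows Server 2008 R2; other versions are not affected
            # by this particular pair of updates.
            Affected     = ($os.Version -like '6.1.*')
            Missing      = ($missing | ForEach-Object { "$($_.Id) ($($_.Purpose))" }) -join '; '
            Ready        = ($missing.Count -eq 0)
        }
    }
}

function Get-UpdatePackageSignature {
    # Reports the Authenticode status and signer of a downloaded .msu/.cab package.
    # SignatureAlgorithm is the algorithm used to sign the *certificate*, not the file
    # digest; use 'signtool verify /v /all <file>' to see the file's hash algorithm.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path              = $Path
        Status            = $sig.Status
        Signer            = $sig.SignerCertificate.Subject
        CertSigAlgorithm  = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        Timestamped       = ($null -ne $sig.TimeStamperCertificate)
    }
}

# Usage (hostnames and path are constructed placeholders):
#   Test-Sha2SigningReadiness -ComputerName win7-01, win7-02 | Format-Table -AutoSize
#   Test-Sha2SigningReadiness -WsusServer
#   Get-UpdatePackageSignature -Path 'C:\updates\windows6.1-kb4474419-x64.msu'
```

Run the readiness check before July 16th, 2019 and treat any host with `Affected` true and `Ready` false as one that will silently stop receiving updates; install KB4490628 first, reboot if prompted, then KB4474419.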