2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709, Windows 10 version 1803, Windows 10 version 1809, Windows 10, Windows Server 2012 Standard, Windows Server 2012 R2, Windows 8.1, Windows Server 2019 all versions, Windows Server Update Services 3.0 Service Pack 2


Summary

To protect your security, Windows operating system updates are currently dual-signed using both the SHA-1 and SHA-2 hash algorithms, so that a device can verify that an update comes directly from Microsoft and was not tampered with during delivery. Because of weaknesses in the SHA-1 algorithm, and to align with industry standards, Microsoft will sign Windows updates using only the more secure SHA-2 algorithm.

Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Windows Server Update Services (WSUS) 3.0 SP2 will receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.

Background details

The Secure Hash Algorithm 1 (SHA-1) was developed as a one-way (irreversible) hash function and is widely used as part of code signing. Unfortunately, SHA-1 has become less secure over time because of weaknesses found in the algorithm, increases in processor performance, and the advent of cloud computing, which together make collision attacks affordable. Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) family are now strongly preferred because they do not suffer from the same issues. For more information about the deprecation of SHA-1, see Hash and Signature Algorithms.

Product updates

Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in standalone updates. Microsoft is targeting the following schedule to offer SHA-2 support. Please note that the timeline below is subject to change. We will update this page as the process begins and as needed.

| Target date | Event | Applies to |
| --- | --- | --- |
| March 12, 2019 | Stand-alone security updates KB4474419 and KB4490628 released to introduce SHA-2 code-signing support. | Windows 7 SP1, Windows Server 2008 R2 SP1 |
| March 12, 2019 | Stand-alone update KB4484071 is available on the Windows Update Catalog for WSUS 3.0 SP2 and adds support for delivering SHA-2 signed updates. Customers using WSUS 3.0 SP2 should install this update manually no later than June 18, 2019. | WSUS 3.0 SP2 |
| April 9, 2019 | Stand-alone update KB4493730, which introduces SHA-2 code-signing support for the servicing stack (SSU), was released as a security update. | Windows Server 2008 SP2 |
| May 14, 2019 | Stand-alone security update KB4474419 released to introduce SHA-2 code-signing support. | Windows Server 2008 SP2 |
| June 11, 2019 | Stand-alone security update KB4474419 re-released to add missing MSI SHA-2 code-signing support. | Windows Server 2008 SP2 |
| June 18, 2019 | Windows 10 update signatures changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required. | Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019 |
| June 18, 2019 | Required: Customers using WSUS 3.0 SP2 must have KB4484071 installed manually by this date to support SHA-2 updates. | WSUS 3.0 SP2 |
| July 9, 2019 | Required: Updates for legacy Windows versions will require that SHA-2 code-signing support be installed. The support released in April and May (KB4493730 and KB4474419) is required in order to continue receiving updates on these versions of Windows. Legacy Windows update signatures change from dual-signed (SHA-1/SHA-2) to SHA-2 only at this time. | Windows Server 2008 SP2 |
| July 16, 2019 | Windows 10 update signatures changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required. | Windows 10 1507, Windows 10 1607, Windows 10 1703 |
| August 13, 2019 | Required: Updates for legacy Windows versions will require that SHA-2 code-signing support be installed. The support released in March (KB4474419 and KB4490628) is required in order to continue receiving updates on these versions of Windows. Legacy Windows update signatures change from dual-signed (SHA-1/SHA-2) to SHA-2 only at this time. | Windows 7 SP1, Windows Server 2008 R2 SP1 |
| September 10, 2019 | Legacy Windows update signatures changed from dual-signed (SHA-1/SHA-2) to SHA-2 only. No customer action required. | Windows Server 2012, Windows 8.1, Windows Server 2012 R2 |
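The following script is an added example and is not part of the Microsoft article. It turns the timeline above into a readiness check: it reads the OS version, looks up which of the listed KBs that version needs before the SHA-2-only cut-over, and reports any that Get-HotFix cannot find. The KB numbers come from the article; the mapping from NT version to OS family (6.1 = Windows 7 SP1 / Windows Server 2008 R2 SP1, 6.0 = Windows Server 2008 SP2), the function name and the -IsWsus30Sp2 switch are this example's own assumptions. It deliberately uses Get-WmiObject and Get-HotFix rather than the CIM cmdlets so that it also runs on the PowerShell 2.0 that ships with Windows 7 SP1 and Windows Server 2008.

```powershell
# Added example, not from the Microsoft article: reports whether a legacy
# Windows host (optionally also a WSUS 3.0 SP2 server) already has the SHA-2
# code-signing support updates listed in the timeline.
# Assumptions: NT 6.1 = Windows 7 SP1 / Server 2008 R2 SP1, NT 6.0 = Server 2008 SP2.

function Get-Sha2SigningReadiness {
    param(
        # Set this on a server running WSUS 3.0 SP2, which additionally needs KB4484071.
        [switch]$IsWsus30Sp2
    )

    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $build = [version]$os.Version          # e.g. 6.1.7601

    # Updates the article says must be present before the SHA-2-only cut-over.
    $required = @()
    if ($build.Major -eq 6 -and $build.Minor -eq 1) {
        # Windows 7 SP1 / Windows Server 2008 R2 SP1: required by August 13, 2019
        $required += @('KB4474419', 'KB4490628')
    } elseif ($build.Major -eq 6 -and $build.Minor -eq 0) {
        # Windows Server 2008 SP2: required by July 9, 2019
        $required += @('KB4474419', 'KB4493730')
    }
    # Windows 8.1, Server 2012 / 2012 R2 and Windows 10 need no customer action,
    # so $required stays empty for them.

    if ($IsWsus30Sp2) {
        # WSUS 3.0 SP2: required by June 18, 2019
        $required += 'KB4484071'
    }

    # Get-HotFix reads Win32_QuickFixEngineering, the list of installed updates.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $missing   = @($required | Where-Object { $installed -notcontains $_ })

    New-Object -TypeName PSObject -Property @{
        OSCaption   = $os.Caption
        OSVersion   = $os.Version
        RequiredKBs = ($required -join ', ')
        MissingKBs  = ($missing -join ', ')
        # Ready: every required update is installed (or none is required).
        Ready       = ($missing.Count -eq 0)
    }
}

# Usage:
#   Get-Sha2SigningReadiness | Format-List
#   Get-Sha2SigningReadiness -IsWsus30Sp2 | Format-List
```

A host that reports Ready = False is one that will stop receiving updates at the cut-over date for its OS family, and one that will fail SHA-2-only-signed packages with the 80096010 error described in the FAQ below, because it cannot verify their digest. Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, so treat a reported missing KB as a prompt to confirm in the Windows Update history rather than as proof the update is absent.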

Frequently Asked Questions

How are the updates for KB3033929 and KB4039648 different from the stand-alone updates shipped in March and April?
The SHA-2 code-signing support was shipped early to ensure that most customers would have it well in advance of Microsoft's change to SHA-2 signing for updates to these systems. The stand-alone updates include some additional fixes and are being made available so that all of the SHA-2 support is contained in a small number of easily identifiable updates. Microsoft recommends that customers who maintain system images for these operating systems apply these updates to those images.

Will other versions of WSUS add SHA-2 support?
Starting with WSUS 4.0 on Windows Server 2012, WSUS already supports SHA-2-signed updates, and no customer action is needed for these versions.

Only WSUS 3.0 SP2 needs KB4484071 installed to support SHA-2-only signed updates.

What should I do if I receive error code 80096010, “Windows Update encountered an unknown error” when attempting to install an update on Windows 7 SP1, Windows Server 2008 R2 SP1, or Windows Server 2008 SP2?
Install the following updates, then retry the update that failed:
Source: https://support.microsoft.com/en-us/...ndows-and-wsus