2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2

Summary


To help protect the security of the Windows operating system, updates were previously signed (using both the SHA-1 and SHA-2 hash algorithms). The signatures are used to authenticate that the updates come directly from Microsoft and were not tampered with during delivery. Because of weaknesses in the SHA-1 algorithm and to align to industry standards, we have changed the signing of Windows updates to use the more secure SHA-2 algorithm exclusively. This change was done in phases starting in April 2019 through September 2019 to allow for smooth migration (see the "Product update schedule" section for more details on the changes).

Customers who run legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) are required to have SHA-2 code signing support installed on their devices to install updates released on or after July 2019. Any devices without SHA-2 support will not be able to install Windows updates on or after July 2019. To help prepare you for this change, we released support for SHA-2 signing starting in March 2019 and have made incremental improvements. Windows Server Update Services (WSUS) 3.0 SP2 will receive SHA-2 support to securely deliver SHA-2 signed updates. Please see the "Product update schedule" section for the SHA-2 only migration timeline.

Background details


The Secure Hash Algorithm 1 (SHA-1) was developed as an irreversible hashing function and is widely used as a part of code-signing. Unfortunately, the SHA-1 hash algorithm has become less secure over time because of the weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing. Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not experience the same issues. For more information about the deprecation of SHA-1, see Hash and Signature Algorithms.

Product update schedule


Starting in early 2019, the migration process to SHA-2 support began in stages, and support will be delivered in standalone updates. Microsoft is targeting the following schedule to offer SHA-2 support. Please note that the following timeline is subject to change. We will continue to update this page as needed.

Each entry below gives the target date, the products it applies to (in parentheses), and the event.

March 12, 2019 (Windows 7 SP1, Windows Server 2008 R2 SP1): Standalone security updates KB4474419 and KB4490628 released to introduce SHA-2 code sign support.

March 12, 2019 (WSUS 3.0 SP2): Standalone update KB4484071 is available on the Windows Update Catalog for WSUS 3.0 SP2 and supports delivering SHA-2 signed updates. For customers using WSUS 3.0 SP2, this update should be manually installed no later than June 18, 2019.

April 9, 2019 (Windows Server 2008 SP2): Standalone update KB4493730, which introduces SHA-2 code sign support for the servicing stack (SSU), was released as a security update.

May 14, 2019 (Windows Server 2008 SP2): Standalone security update KB4474419 released to introduce SHA-2 code sign support.

June 11, 2019 (Windows Server 2008 SP2): Standalone security update KB4474419 re-released to add missing MSI SHA-2 code sign support.

June 18, 2019 (Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019): Windows 10 update signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.

June 18, 2019 (WSUS 3.0 SP2): Required: For customers using WSUS 3.0 SP2, KB4484071 must be manually installed by this date to support SHA-2 updates.

July 9, 2019 (Windows Server 2008 SP2): Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in April and May (KB4493730 and KB4474419) will be required in order to continue to receive updates on these versions of Windows. All legacy Windows update signatures changed from SHA-1 and dual signed (SHA-1/SHA-2) to SHA-2 only at this time.

July 16, 2019 (Windows 10 1507, Windows 10 1607, Windows Server 2016, Windows 10 1703): Windows 10 update signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.

August 13, 2019 (Windows 7 SP1, Windows Server 2008 R2 SP1): Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March (KB4474419 and KB4490628) will be required in order to continue to receive updates on these versions of Windows. If you have a device or VM using EFI boot, please see the FAQ section for additional steps to prevent an issue in which your device may not start. All legacy Windows update signatures changed from SHA-1 and dual signed (SHA-1/SHA-2) to SHA-2 only at this time.

September 10, 2019 (Windows Server 2012, Windows 8.1, Windows Server 2012 R2): Legacy Windows update signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.

September 10, 2019 (Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2): Standalone security update KB4474419 was re-released to add missing EFI boot managers. Please make sure that this version is installed.

Current status


Windows 7 SP1 and Windows Server 2008 R2 SP1

The following required updates must be installed and then the device restarted before installing any update released August 13, 2019 or later. The required updates can be installed in any order and do not need to be reinstalled, unless there is a new version of the required update.

  • Servicing stack update (SSU) (KB4490628). If you use Windows Update, the required SSU will be offered to you automatically. 
  • SHA-2 update (KB4474419) released September 10, 2019. If you use Windows Update, the required SHA-2 update will be offered to you automatically.

Important You must restart your device after installing all the required updates, before installing any Monthly Rollup, Security-only update, or Preview of Monthly Rollup.

Windows Server 2008 SP2

The following updates must be installed and then the device restarted before installing any Rollup released September 10, 2019 or later. The required updates can be installed in any order and do not need to be reinstalled, unless there is a new version of the required update.

  • Servicing stack update (SSU) (KB4493730). If you use Windows Update, the required SSU update will be offered to you automatically. 
  • The latest SHA-2 update (KB4474419) released September 10, 2019. If you use Windows Update, the required SHA-2 update will be offered to you automatically.

Important You must restart your device after installing all the required updates, before installing any Monthly Rollup, Security-only update, or Preview of Monthly Rollup.
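The two "Current status" procedures above share the same prerequisite pattern (SSU plus KB4474419, then a restart). The following pre-flight check is an added example, not part of the Microsoft article: it maps the device's OS to the KBs listed above, checks Get-HotFix for them, and checks the well-known Component Based Servicing and Windows Update registry keys for an outstanding restart. It assumes an elevated session and uses only cmdlets available in PowerShell 2.0 on these OS versions.

```powershell
# Added example (not from the Microsoft article): verify the SHA-2 prerequisites
# from the "Current status" section are installed and no restart is pending,
# before applying a Monthly Rollup or Security-only update.

# Required KBs per OS, as listed in the article (SSU first, then SHA-2 update).
$RequiredKbs = @{
    'Windows 7 SP1'              = @('KB4490628', 'KB4474419')
    'Windows Server 2008 R2 SP1' = @('KB4490628', 'KB4474419')
    'Windows Server 2008 SP2'    = @('KB4493730', 'KB4474419')
}

function Get-LegacyOsName {
    # Win32_OperatingSystem.Caption, e.g. "Microsoft Windows Server 2008 R2 Standard".
    $caption = (Get-WmiObject Win32_OperatingSystem).Caption
    if ($caption -like '*Windows 7*')      { return 'Windows 7 SP1' }
    if ($caption -like '*Server 2008 R2*') { return 'Windows Server 2008 R2 SP1' }
    if ($caption -like '*Server 2008*')    { return 'Windows Server 2008 SP2' }
    return $null   # not one of the legacy versions this article covers
}

function Test-PendingReboot {
    # Either key exists only while a restart is still outstanding.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    return (Test-Path $cbs) -or (Test-Path $wu)
}

function Test-Sha2Readiness {
    $os = Get-LegacyOsName
    if (-not $os) { throw 'Not a Windows 7 SP1 / Server 2008 R2 SP1 / Server 2008 SP2 device.' }

    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed KB numbers.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $missing   = @($RequiredKbs[$os] | Where-Object { $installed -notcontains $_ })
    $pending   = Test-PendingReboot

    New-Object PSObject -Property @{
        OS             = $os
        MissingKBs     = $missing
        RebootPending  = $pending
        ReadyForRollup = ($missing.Count -eq 0) -and (-not $pending)
    }
}

Test-Sha2Readiness | Format-List
```

Get-HotFix reports only that KB4474419 is present, not which release of it; for EFI-booted devices, confirm from Installed Updates history that the September 10, 2019 version is the one installed.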

Frequently Asked Questions


General information, planning and issue prevention

Issue recovery