2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Applies to: Windows 7 Service Pack 1Windows Server 2008 R2 Service Pack 1Windows Server 2008 Service Pack 2

Summary


To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.

Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by April 2019. Any devices without SHA-2 support will not be offered Windows updates after April 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services (WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.

Background details


The Secure Hash Algorithm 1 (SHA-1) was developed as an irreversible hashing function and is widely used as a part of code-signing. Unfortunately, the security of the SHA-1 hash algorithm has become less secure over time due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing. Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not suffer from the same issues. For more information about of the deprecation of SHA-1, see Hash and Signature Algorithms.

Product updates


Starting in early 2019, support for SHA-2 will be available in the monthly updates. The migration process to SHA-2 exclusive support will occur in stages, and support will be delivered in multiple update packages. Only one update package containing SHA-2 support must be installed to enable support. Microsoft is targeting the following schedule to offer SHA-2 support. Please note that the timeline below is subject to change. We will update this page as the process begins.

Target Date

Event

February 2019

Legacy Windows operating systems will receive Stand Alone and Preview of Monthly Rollup updates that introduce SHA-2 code sign support.

An update will be delivered to WSUS 3.0 SP2 that will support delivering SHA-2 signed updates.

March 2019

The Monthly Rollup and Security-only Update in March includes SHA-2 code sign support.

April 2019

Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed.

Note: Installing any of the previous Windows updates listed above will provide the necessary support to continue receiving Windows updates after April 2019

July 2019

Starting in July customers using WSUS 3.0 SP2 will be required to have SHA-2 support installed, and all Windows servicing updates will be SHA-2 signed only.