2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Applies to: Windows 7 Service Pack 1Windows Server 2008 R2 Service Pack 1Windows Server 2008 Service Pack 2 More

Summary


To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.

Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services (WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.

Background details


The Secure Hash Algorithm 1 (SHA-1) was developed as an irreversible hashing function and is widely used as a part of code-signing. Unfortunately, the security of the SHA-1 hash algorithm has become less secure over time due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing. Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not suffer from the same issues. For more information about of the deprecation of SHA-1, see Hash and Signature Algorithms.

Product updates


Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in standalone updates. Microsoft is targeting the following schedule to offer SHA-2 support. Please note that the timeline below is subject to change. We will update this page as the process begins and as needed.

Target Date

Event

Applies To

March 12, 2019

Stand Alone updates that introduce SHA-2 code sign support will be released as security updates.

Windows 7 SP1,
Windows Server 2008 R2 SP1.

March 12, 2019

Stand Alone update will be delivered to WSUS 3.0 SP2 that will support delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be installed no later than June 18, 2019.

WSUS 3.0 SP2
 

April 9, 2019

Stand Alone updates that introduce SHA-2 code sign support will be released as security updates.

Windows Server 2008 SP2.
 
June 18, 2019 Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone.
 
Windows 10 1709,
Windows 10 1803,
Windows 10 1809,
Windows Server 2019
 
June 18, 2019 Required: For those customers using WSUS 3.0 SP2, the updates should installed by this date. WSUS 3.0 SP2

July 16, 2019

Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows.

Windows 7 SP1,
Windows Server 2008 R2 SP1,
Windows Server 2008 SP2.
July 16, 2019 Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. Windows 10 1507,
Windows 10 1607,
Windows 10 1703
August 13, 2019 Contents of updates for legacy Windows versions will be SHA2 signed (embed signed binaries and catalogs). No customer action is expected for this milestone.
 
Windows 7 SP1,
Windows Server 2008 R2 SP1,
Windows Server 2008 SP2.
September 16, 2019 Legacy Windows updates signatures  changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. Windows 7 SP1,
Windows Server 2008 R2 SP1,
Windows Server 2008 SP2,
Windows Server 2012,
Windows 8.1,
Windows Server 2012 R2
 

 

WSUS 3.0 SP2

For customers using WSUS 3.0 SP2, we recommend that you update your servers with the SHA2 updates for WSUS 3.0 SP2 by June 18th, 2019 to ensure that SHA2 signed updates can be delivered to your enterprise.