Introduction
In compliance with the Microsoft Secure Hash Algorithm (SHA)-1 deprecation policy, Windows Update is discontinuing its SHA-1 based endpoints in late July 2020. Older Windows devices that have not been updated to SHA-2 will then no longer receive updates through Windows Update. Such devices can continue to use Windows Update only after the specific SHA-2 enabling updates have been installed manually.
All other Windows platforms will continue to receive updates through Windows Update as they always have because they connect to SHA-2 service endpoints.
Why is this change occurring?
An outdated Windows Update service endpoint used only for older platforms is being discontinued. This change is occurring because of weaknesses in the SHA-1 hashing algorithm and to align to industry standards.
Even though the SHA-1 endpoint is being discontinued, more recent Windows devices will continue receiving updates through Windows Update because those devices use the more secure SHA-2 algorithm. See the table in the "Which Windows devices are impacted" section to determine whether your devices are impacted.
For more information about this change, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
Which Windows devices are impacted?
Most users will not be impacted by this change. Starting with Windows 8 Desktop and Windows Server 2012, connections to Windows Update service endpoints use a more modern algorithm (SHA-256, a member of the SHA-2 family). Older versions of Windows connect to Windows Update service endpoints by using the weaker SHA-1 algorithm.
For most of the impacted versions of Windows, a SHA-2 update adds the support necessary to continue receiving updates through Windows Update. The following table shows the impact on the various versions of Windows. Platforms that are out of support receive no SHA-2 update and will not be updated.
Windows Desktop | Support state
--- | ---
Windows 2000 | Device is out of support. Windows Update will no longer be supported.
Windows XP 64-Bit Edition | Device is out of support. Windows Update will no longer be supported.
Windows XP SP3 | Device is out of support. Windows Update will no longer be supported.
Windows Vista | Device is out of support. Windows Update will no longer be supported.
Windows Vista SP1 | Device is out of support. Windows Update will no longer be supported.
Windows Vista SP2 | Device is out of support. Windows Update will no longer be supported.
Windows 7 | Windows Update support will be impacted. Can be mitigated by manually installing KBs.
Windows 7 SP1 | Windows Update support will be impacted. Can be mitigated by manually installing KBs.
Windows 8 and later versions | Not affected. No need to update.
Windows Server | Support state
--- | ---
Windows 2000 Server | Device is out of support. Windows Update will no longer be supported.
Windows Server 2003 | Device is out of support. Windows Update will no longer be supported.
Windows Server 2003 SP2 | Device is out of support. Windows Update will no longer be supported.
Windows Server 2008 | Windows Update support will be impacted. Can be mitigated by manually installing KBs.
Windows Server 2008 SP2 | Windows Update support will be impacted. Can be mitigated by manually installing KBs.
Windows Server 2008 R2 | Windows Update support will be impacted. Can be mitigated by manually installing KBs.
Windows Server 2008 R2 SP1 | Windows Update support will be impacted. Can be mitigated by manually installing KBs.
Windows Server 2012 and later versions | Not affected. No need to update.
What will occur to impacted devices?
As the table above shows, only older Windows devices that have not been updated to SHA-2 are impacted by this change. Impacted devices will no longer be able to receive updates through Windows Update until you manually update them to SHA-2. To manually update your Windows devices, see the "How to update Windows devices to SHA-2" section.
A Windows device that is not updated to SHA-2 will try to scan for updates and will return one of the following errors:
- Error code 80072ee2: The device cannot connect to Windows Update.
- Error code 8024402c: The device is unable to locate Windows Update.
- Error code 80244019: The device cannot connect to Windows Update.
Some update scans occur without direct user interaction with the UI, such as automatic updates, device driver updates, Defender antivirus signature updates, Microsoft Office updates, and so on. For these "background" scans the failures will not be obvious. In that case, check the Windows Update log file (C:\Windows\WindowsUpdate.log) for the failure codes 0x8024402c, 0x80072ee2 or 0x80244019; the log writes them with or without the 0x prefix (8024402c, 80072ee2, 80244019), so look for both spellings.
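The log check described above, as an added example that is not part of Microsoft's article: a PowerShell script that scans WindowsUpdate.log for the three failure codes in either spelling, counts them, and shows the last line that carried each one. The default log path is taken from the article; the sample lines used when no log is present are constructed for illustration, not a real capture. It uses only PowerShell 2.0 cmdlets so that it runs on the impacted Windows 7 and Windows Server 2008 platforms themselves.

```powershell
# Added example (not Microsoft's code): find SHA-1 endpoint failure codes in WindowsUpdate.log.
# Written against PowerShell 2.0 so it runs unchanged on Windows 7 / Server 2008 (R2).

param(
    # Assumed default: the classic plain-text log named in the article.
    [string]$LogPath = (Join-Path $env:SystemRoot 'WindowsUpdate.log')
)

# Failure codes and the meanings the article assigns to them.
$knownCodes = @{
    '80072ee2' = 'The device cannot connect to Windows Update.'
    '8024402c' = 'The device is unable to locate Windows Update.'
    '80244019' = 'The device cannot connect to Windows Update.'
}

# Matches "0x8024402C" as well as bare "8024402c", case-insensitively.
$pattern = '(?i)(?:0x)?(80072ee2|8024402c|80244019)\b'

if (Test-Path $LogPath) {
    $lines = Get-Content -Path $LogPath
} else {
    # Constructed sample lines (not a real capture) so the script can be tried offline.
    # The layout loosely follows the classic WindowsUpdate.log format.
    Write-Warning "Log not found at $LogPath; using constructed sample lines."
    $lines = @(
        '2020-07-28 09:12:01:345  912  5d0 Agent  ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]',
        '2020-07-28 09:12:22:101  912  5d0 Misc   WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)>',
        '2020-07-28 09:12:22:101  912  5d0 PT     + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0',
        '2020-07-28 09:12:22:120  912  5d0 PT     WARNING: SyncUpdates failure, error = 0x8024402C, soap client error = 5',
        '2020-07-28 09:12:22:130  912  5d0 Agent  * WARNING: Exit code = 0x8024402C'
    )
}

# Collect every hit, normalising the code to lowercase without the 0x prefix.
$hits = foreach ($line in $lines) {
    $m = [regex]::Match($line, $pattern)
    if ($m.Success) {
        New-Object PSObject -Property @{
            Code = $m.Groups[1].Value.ToLower()
            Line = $line.Trim()
        }
    }
}

if (-not $hits) {
    Write-Host 'No SHA-1 endpoint failure codes found in the log.'
    return
}

# Per code: how often it appears, what it means, and the most recent line that carried it.
$hits | Group-Object Code | ForEach-Object {
    New-Object PSObject -Property @{
        Code     = $_.Name
        Count    = $_.Count
        Meaning  = $knownCodes[$_.Name]
        LastSeen = ($_.Group | Select-Object -Last 1).Line
    }
} | Format-List Code, Count, Meaning, LastSeen

Write-Host 'These codes match the SHA-1 endpoint failure; apply the updates from "How to update Windows devices to SHA-2".'
```

Run it as `.\Find-Sha1EndpointErrors.ps1` (any file name works) or pass `-LogPath` to point at a log copied from another machine. Seeing the same codes repeated at the time of each scheduled scan, rather than once, is what distinguishes the endpoint retirement from a transient proxy or network outage.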
How to update Windows devices to SHA-2
To continue using Windows Update for your older Windows devices, you must download and install the following two specific updates:
Update 1: SHA-2 Code Signing Support
When you apply this update, support is added to validate signatures by using the more secure SHA-2 hashing algorithms. Apply only the update that is appropriate for your Windows device.
- KB4474419: SHA-2 code signing support update. Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2
- KB4484071: SHA-2 support for Windows Server Update Services. Applies to: Windows Server Update Services 3.0 SP1 and Windows Server Update Services 3.2
Note Most users should only install update KB4474419. Enterprise administrators may also install update KB4484071 on their Windows Server Update Services servers.
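To confirm where a given machine stands before touching it, here is an added example (not Microsoft's code) that classifies the local device using the support table above and then checks whether KB4474419 is already installed. The version-to-platform mapping (6.0 = Vista/Server 2008, 6.1 = Windows 7/Server 2008 R2, 6.2 and later = Windows 8/Server 2012 and later) is a standard Windows fact assumed here, not stated on the page; the script uses only PowerShell 2.0 cmdlets so it runs on the impacted platforms.

```powershell
# Added example (not Microsoft's code): classify this device per the SHA-2 support table
# and report whether KB4474419 (SHA-2 code signing support) is installed.
# Uses Get-WmiObject/Get-HotFix, which exist in Windows PowerShell 2.0 on Windows 7 / Server 2008.

$os      = Get-WmiObject -Class Win32_OperatingSystem
$version = [version]$os.Version            # assumed mapping: 6.0 = Vista/2008, 6.1 = 7/2008 R2, 6.2+ = 8/2012+
$sp      = [int]$os.ServicePackMajorVersion
$server  = $os.ProductType -ne 1           # WMI ProductType: 1 = workstation, 2 = domain controller, 3 = server

$needsKb = $false
if ($version -ge [version]'6.2') {
    $state = 'Not affected: this platform already uses the SHA-2 service endpoints.'
} elseif ($version.Major -eq 6 -and $version.Minor -eq 1) {
    # Windows 7 / Windows Server 2008 R2: KB4474419 is listed for SP1 only.
    $needsKb = $true
    if ($sp -lt 1) { $state = 'Impacted: KB4474419 is listed for SP1; bring the device to SP1 first.' }
    else           { $state = 'Impacted: mitigate by installing KB4474419 and the matching servicing stack update.' }
} elseif ($version.Major -eq 6 -and $version.Minor -eq 0 -and $server) {
    # Windows Server 2008: KB4474419 is listed for SP2 only.
    $needsKb = $true
    if ($sp -lt 2) { $state = 'Impacted: KB4474419 is listed for SP2; bring the device to SP2 first.' }
    else           { $state = 'Impacted: mitigate by installing KB4474419 and the matching servicing stack update.' }
} else {
    # Windows Vista, XP, Server 2003, 2000: out of support, no SHA-2 update is offered.
    $state = 'Out of support: Windows Update will no longer serve this platform.'
}

Write-Host ('{0} (version {1}, SP{2})' -f $os.Caption, $os.Version, $sp)
Write-Host $state

if ($needsKb) {
    # Get-HotFix reads the installed-update inventory; an unknown ID returns nothing.
    $kb = Get-HotFix -Id 'KB4474419' -ErrorAction SilentlyContinue
    if ($kb) {
        Write-Host ('KB4474419 is installed (InstalledOn: {0}).' -f $kb.InstalledOn)
    } else {
        Write-Host 'KB4474419 is NOT installed; it must be downloaded and installed manually.'
    }
}
```

Because an impacted device can no longer reach Windows Update, both updates have to be transferred to it by other means; this check lets you confirm the starting state and, after installation, that the code signing support update actually took, before moving on to the servicing stack update. On PowerShell 7, replace `Get-WmiObject` with `Get-CimInstance`; the impacted platforms ship Windows PowerShell, where the script runs as written.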
Update 2: SHA-2 Related Servicing Stack Updates
When you apply this update, the Windows Update servicing stack gains support for validating SHA-2 signatures, and affected Windows devices are directed to communicate with the modern, SHA-2 based service endpoints in Windows Update. Apply only the update that is appropriate for your Windows device.