Windows Update SHA-1 based endpoints discontinued for older Windows devices

Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2

Introduction
In compliance with the Microsoft Secure Hash Algorithm (SHA)-1 deprecation policy, Windows Update is discontinuing its SHA-1 based endpoints in late July 2020. This means that older Windows devices that have not updated to SHA-2 will no longer receive updates through Windows Update. Your older Windows devices can continue to use Windows Update by manually installing specific SHA-2 enabling updates.

All other Windows platforms will continue to receive updates through Windows Update as they always have because they connect to SHA-2 service endpoints.

Why is this change occurring?
An outdated Windows Update service endpoint used only for older platforms is being discontinued. This change is occurring because of weaknesses in the SHA-1 hashing algorithm and to align to industry standards.

Even though the SHA-1 endpoint is being discontinued, more recent Windows devices will continue receiving updates through Windows Update because those devices use the more secure SHA-2 algorithm. See the table in the "Which Windows devices are impacted" section to determine whether your devices are impacted.

For more information about this change, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Which Windows devices are impacted?
Most users will not be impacted by this change. Starting with Windows 8 Desktop and Windows Server 2012, connections to Windows Update service endpoints use a more modern algorithm (SHA-256). Older versions of Windows connect to Windows Update service endpoints by using the less secure SHA-1 algorithm.

For most of the impacted versions of Windows, a SHA-2 update will add the support necessary to continue receiving updates through Windows Update. The following table shows the impact on the various versions of Windows. Some platforms are no longer supported and therefore will not be updated.

Windows Desktop: support state

  • Windows 2000, Windows XP 64-Bit Edition, Windows XP SP3, Windows Vista, Windows Vista SP1, Windows Vista SP2: Device is out of support. Windows Updates will no longer be supported.

  • Windows 7, Windows 7 SP1: Windows Update support will be impacted. Can be mitigated by manually installing KBs.

  • Windows 8 and later versions: Not affected. No need to update.

Windows Server: support state

  • Windows 2000 Server, Windows Server 2003, Windows Server 2003 SP2: Device is out of support. Windows Updates will no longer be supported.

  • Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2008 R2 SP1: Windows Update support will be impacted. Can be mitigated by manually installing KBs.

  • Windows Server 2012 and later versions: Not affected. No need to update.

What will occur to impacted devices?

According to the previous table, only older Windows devices that have not been updated to SHA-2 are impacted by this change. Impacted devices will no longer be able to receive updates through Windows Update until you manually update them to SHA-2. To manually update your Windows devices, see the "How to update Windows devices to SHA-2" section.

A Windows device that is not updated to SHA-2 will try to scan for updates and will return one of the following errors:

  • Error code 80072ee2: The device cannot connect to Windows Update.

  • Error code 8024402c: The device is unable to locate Windows Update.

  • Error code 80244019: The device cannot connect to Windows Update.

Some update scans occur without direct user interaction with the UI such as automatic updates, device drivers, Defender antivirus signatures, Microsoft Office updates, and so on. For these “background” scans, these failures will not be obvious. In that case, you can check the Windows Update log file (c:\windows\windowsupdate.log) for the failure codes: 0x8024402c, 8024402c, 0x80072ee2, 80072ee2, 0x80244019, or 80244019.

How to update Windows devices to SHA-2
To continue using Windows Update for your older Windows devices, you must download and install the following two specific updates:

Update 1: SHA-2 Code Signing Support
When you apply this update, support is added to validate signatures by using the more secure SHA-2 hashing algorithms. Apply only the update that is appropriate for your Windows device.

  • KB4474419: SHA-2 code signing support update
    Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2

  • KB4484071: SHA2 Support for Windows Server Update Services
    Applies to: Windows Server Update Services 3.0 SP1 and Windows Server Update Services 3.2

Note: Most users should only install update KB4474419. Enterprise administrators may also install update KB4484071.

Update 2: SHA-2 Related Servicing Stack Updates
When you apply this update, support is added to the Windows Update servicing stack to validate SHA-2 signatures, and affected Windows devices are directed to communicate with the modern, SHA-2 based service endpoints in Windows Update. Apply only the update that is appropriate for your Windows device.

  • KB4490628: Servicing stack update
    Applies to: Windows 7 SP1 and Windows Server 2008 R2 SP1

  • KB4493730: WU Service Stack Updates
    Applies to: Windows Server 2008 SP2
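The following PowerShell script is an added example, not part of the Microsoft article, that ties the two checks above together: it verifies whether the required SHA-2 updates (KB4474419 plus KB4490628 or KB4493730) are installed on the device, and scans the WindowsUpdate.log named in the "What will occur to impacted devices?" section for the failure codes listed there. It assumes it is run locally in an elevated PowerShell 2.0 or later session, and that the log lives at %windir%\WindowsUpdate.log as the article states.

```powershell
# Added example (not from the Microsoft article): SHA-2 readiness check for an
# older Windows device. Assumes an elevated local PowerShell 2.0+ session.

# Pick the required updates by OS version (6.0 = Server 2008 SP2, 6.1 = Windows 7
# SP1 / Server 2008 R2 SP1). Vista also reports 6.0 but is out of support.
$ver = [Environment]::OSVersion.Version
switch ("$($ver.Major).$($ver.Minor)") {
    '6.0'   { $platform = 'Windows Server 2008 SP2';               $required = @('KB4474419', 'KB4493730') }
    '6.1'   { $platform = 'Windows 7 SP1 / Server 2008 R2 SP1';    $required = @('KB4474419', 'KB4490628') }
    default { Write-Output "Version $ver is not an impacted platform (out of support or already SHA-2)."; return }
}

# 1) Are both required updates present? Get-HotFix reads Win32_QuickFixEngineering.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$missing   = @($required | Where-Object { $installed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Output ("{0}: MISSING {1} - install from the Microsoft Update Catalog" -f $platform, ($missing -join ', '))
} else {
    Write-Output ("{0}: required SHA-2 updates are installed" -f $platform)
}

# 2) Has the log already recorded the SHA-1 endpoint failure codes from the article?
$logPath = Join-Path $env:windir 'WindowsUpdate.log'
if (-not (Test-Path $logPath)) {
    Write-Output ("Log not found: {0}" -f $logPath)
    return
}
# Match either the 0x-prefixed or bare form of each code (Select-String is case-insensitive).
$pattern = '(0x)?(80072ee2|8024402c|80244019)'
$hits = @(Select-String -Path $logPath -Pattern $pattern)
if ($hits.Count -gt 0) {
    Write-Output ("{0} log line(s) carry SHA-1 endpoint failure codes; most recent:" -f $hits.Count)
    $hits | Select-Object -Last 3 | ForEach-Object { Write-Output $_.Line }
} else {
    Write-Output 'No SHA-1 endpoint failure codes found in WindowsUpdate.log'
}
```

Run it before and after applying the KBs: a device that reports both updates installed but still logs the codes should be checked for the servicing stack update having been installed before the code signing update, which the article's ordering is meant to avoid.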