From July, Windows 7 and Windows Server 2008 users will need SHA-2 support to get updates
Microsoft has announced that from the middle of July, Windows 7 and Windows Server 2008 users who want to continue to receive updates will need SHA-2 code signing support.
The change is being introduced because "the security of the SHA-1 hash algorithm has become less secure over time due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing".
- Microsoft reveals pricing for Windows 7 Extended Security Updates
- Windows 10 consolidates its lead over Windows 7
- Microsoft ends Windows 7 support one year from today
The news was shared by Mary Jo Foley who says that the requirement will apply to Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.
Microsoft also explains the requirements in a support document:
To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.
Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services (WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.
According to a timeline shared by Microsoft, Stand Alone updates that introduce SHA-2 code sign support will be released as security updates from 12 March. By 16 July, the company says: "Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows."