[German]A brief information for users of Windows 7 and the server pendants. Microsoft will release a critical standalone security update for Windows 7 and Windows Server 2008 / R2 in March 2019, which upgrades these operating systems for SHA-2 support. Here some information about what it is about and when exactly what happens.
Advertising
What exactly is the SHA-2 topic?
Users of Windows 7 SP1 (and its server counterparts) and WSUS will need a special update from April 2019 onwards. This which will enable the machine to handle SHA2 code signatures in update packages. Without this update, these machines can no longer process updates.
The reason for this is the fact that signing updates with SHA-1 hash values has not been considered secure since a while. Microsoft will therefore discontinue signing update packages with SHA-1 and SHA-2 from July 2019 onward. Microsoft will only provide updates signed with SHA-2. While SHA-2 support is available from Windows 8.1, it is missing in Windows 7 and Windows Server 2008 /R2.
Customers using Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 (and WSUS 30. SP2) must have SHA-2 code signing support installed on these systems by April 2019. Windows systems without SHA-2 support will no longer be eligible for Windows updates from April 2019.
I had blogged about that (with more details) in November 2018 within my blog post Windows 7: From April 2019 'SHA-2-Support' is required. However, Microsoft has not provided details and a timetable for the Windows 7 update in November 2018.
A security update will be released in March 2019
Since the February 2019 updates contained nothing of the kind, there is not much time left. User @abbodi86 has now noticed that Microsoft has extended its KB article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS on February 16, 2019 with concrete dates. Here are the details:
Advertising
| Target Date | Event | Applies To |
| March 12, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows 7 SP1, Windows Server 2008 R2 SP1. |
| March 12, 2019 | Stand Alone update will be delivered to WSUS 3.0 SP2 that will support delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be installed no later than June 18, 2019. | WSUS 3.0 SP2 |
| April 9, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows Server 2008 SP2. |
| June 18, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019 |
|
June 18, 2019 |
Required: For those customers using WSUS 3.0 SP2, the updates should installed by this date. | WSUS 3.0 SP2 |
| July 16, 2019 | Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2. |
| July 16, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1507, Windows 10 1607, Windows 10 1703 |
| August 13, 2019 | Contents of updates for legacy Windows versions will be SHA2 signed (embed signed binaries and catalogs). No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2. |
| September 16, 2019 | Legacy Windows updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 |
Customers using WSUS 3.0 SP2 are encouraged to update their servers with the SHA2 updates for WSUS 3.0 SP2 by June 18, 2019. This is the only way to ensure that SHA2-signed updates can be distributed. (via)
