On March 12, 2019, Microsoft released updates for SHA-2 support for Windows 7 SP1 and Windows Server 2008/R2 as well as WSUS 3.0 SP2. Here is some information on the topic and some notes on the first issues.
This blog post is an attempt to pick up some loose ends and bring them together into an article describing the ins and outs. You can add missing information in the comments.
What is SHA-2 support about?
Microsoft had announced in 2018 that from mid-2019 onwards it would only add SHA-2 signatures to its Windows updates – SHA-1 signatures would no longer be used, for security reasons. I had published the article Windows 7: From April 2019 ‘SHA-2-Support’ about that.
Users of Windows 7 SP1 (as well as its server counterparts) and WSUS will therefore need a special update from April 2019, which enables the machine to verify SHA-2 code signatures. Without this update, these machines will not be able to process new updates in the future. In the blog post SHA-2 patch for Windows 7 arrives on March 2019 I had announced an update for this month, but I had to leave some details open. As of March 12, 2019, Microsoft has provided the required updates as part of the patchday.
Updates KB4474419 and KB4490628
Effective March 12, 2019, Microsoft has extended the support article 4472027 titled 2019 SHA-2 Code Signing Support requirement for Windows and WSUS with the details and named the required updates.
Security Update KB4474419
Update KB4474419 (SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7: March 12, 2019) adds support for SHA-2 signature evaluation to Windows 7 SP1 and its server counterparts. The update is automatically downloaded and installed via Windows Update. It is also available via Windows Server Update Services (WSUS) or for manual download from the Microsoft Update Catalog. The update is also linked to the Microsoft Update Catalog on the ADV90009 advisory page.
Servicing Stack Update KB4490628
In addition, the Servicing Stack Update (SSU) KB4490628 was released for Windows 7 SP1 and Windows Server 2008 R2 SP1. This update fixes a problem in the Servicing Stack when installing updates that were signed using only the SHA-2 hash algorithm. I already pointed this out in the blog post Patchday: Updates for Windows 7/8.1/Server (March 12, 2019).
More issues with these updates
When installing the updates mentioned above to support SHA-2-only update packages, various errors and issues may occur. Microsoft states that the SSU needs to be installed before the March 2019 updates to avoid subsequent errors and installation problems. But that does not seem to be true – on my systems this update was offered only after update KB4474419 had been installed first.
Update KB4490628 hangs on reboot
Update KB4490628 comes with a known issue during its installation, which Microsoft lists here. After you have installed the SSU together with other updates, a restart may be required to complete the installation.
(Update hangs, Source: Microsoft)
During this reboot, the system may hang when the message “Level 2 of 2” or “Level 3 of 3” appears. If this problem occurs, press Ctrl+Alt+Del to log on to Windows. This problem should occur only once.
Update KB4490628 is not offered
In KB article 4490628, Microsoft states that this update is offered automatically by Windows Update. In this comment, blog reader Joe_Gerhard points out that the update is not offered to him. I checked it on my machine – this update was missing there as well, while update KB4474419 had been offered. Later I learned (see my remark above) that update KB4474419 is required before update KB4490628 is offered. If required, the update can also be downloaded from the Microsoft Update Catalog.
German blog reader Markus B. informed me a few days ago via e-mail about an observation:
I was able to install the Win7 cumulative first via the WSUS. Then I installed the SSU. MS says in its support article that there would be some issues, but that does not seem to be true. Installing the SSU after the cumulative update does not need a restart.
In another installation order with the SSU first and then the cumulative for SHA-2 support, it would take much longer to distribute the patches, because I would need to wait until the maintenance window has been shown – because Windows needs some administrator prompts.
Thanks to Markus for his feedback. There is now a huge discussion thread beneath my German blog post about these issues.
Restart loop in 32-bit Windows 7
In this comment (German), blog reader Gregor (thanks) writes that the SHA-2 support update led to a reboot loop on three 32-bit Windows 7 machines. Gregor does not specify whether update KB4474419 or KB4490628 is meant. Has anyone had similar experiences?
Update KB4484071 for WSUS 3.0 SP2
In addition, Microsoft has provided the standalone update KB4484071 for WSUS 3.0 SP2 (SHA-2 Support for Windows Server Update Services 3.0 SP2) in this support article. This update enables SHA-2 support in WSUS 3.0 SP2.
Administrators using WSUS 3.0 SP2 need to install this update manually before June 18, 2019. This ensures that updates for Windows 7 and Windows Server 2008/R2 can still be distributed via WSUS 3.0 SP2 from that point on. However, manually installing update KB4484071 requires that the following have been installed first:
- Windows Monthly Rollup KB4489880 (or newer) for Windows Server 2008 SP2
- KB4489878 (or newer) for Windows Server 2008 R2 SP1
- .NET 3.5
If this is overlooked, errors may occur during installation. Microsoft also recommends backing up the WSUS database before installing these updates.
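An added PowerShell readiness check (my own example, not code from this post or from Microsoft) covering both the client updates KB4474419/KB4490628 discussed above and the WSUS 3.0 SP2 prerequisites for KB4484071. Host names are placeholders, and it assumes an administrative account with WMI and Remote Registry access to those hosts.

```powershell
# Added example, not code from the blog post. Assumptions: run from an admin account with
# WMI and Remote Registry access to the hosts below; host names are placeholders.
# Get-HotFix reads Win32_QuickFixEngineering, which lists MSU/CBS-installed updates by KB id.
$Clients = @('WIN7-PC01', 'SRV2008R2-01')   # placeholder Windows 7 SP1 / 2008 R2 SP1 hosts
$Wsus    = 'WSUS3-SRV'                      # placeholder WSUS 3.0 SP2 host

function Test-KB {
    param([string]$Computer, [string]$Id)
    # Get-HotFix -Id raises a non-terminating error when the KB is absent; treat that as "missing".
    $hf = Get-HotFix -Id $Id -ComputerName $Computer -ErrorAction SilentlyContinue
    return [bool]$hf
}

# 1) Clients need KB4474419 (SHA-2 signature support) and the SSU KB4490628. Windows Update only
#    offered the SSU once KB4474419 was installed, so a "KB4474419 only" state is expected briefly.
foreach ($c in $Clients) {
    $sha2 = Test-KB $c 'KB4474419'
    $ssu  = Test-KB $c 'KB4490628'
    if ($sha2 -and $ssu) { $state = 'ready for SHA-2-only updates' }
    elseif ($sha2)       { $state = 'KB4474419 installed, SSU KB4490628 still missing (re-check Windows Update)' }
    elseif ($ssu)        { $state = 'SSU installed but KB4474419 missing' }
    else                 { $state = 'not ready: install KB4474419 first' }
    '{0}: {1}' -f $c, $state
}

# 2) WSUS 3.0 SP2 server: KB4484071 requires the March 2019 rollup for its OS plus .NET 3.5.
$os = Get-WmiObject Win32_OperatingSystem -ComputerName $Wsus
# Version 6.0.* = Windows Server 2008 SP2 (KB4489880), 6.1.* = Server 2008 R2 SP1 (KB4489878)
$rollup = if ($os.Version -like '6.0.*') { 'KB4489880' } else { 'KB4489878' }
# A newer rollup also satisfies "or newer" but carries a different KB number; in that case
# review the full Get-HotFix output instead of relying on this exact-id check.
$rollupOk = Test-KB $Wsus $rollup
# .NET 3.5 registers Install=1 under this key; read it through the Remote Registry service.
$hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Wsus)
$ndp35 = $hklm.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5')
$net35 = ($null -ne $ndp35) -and ($ndp35.GetValue('Install') -eq 1)
$kbOk  = Test-KB $Wsus 'KB4484071'
'{0}: rollup {1} present={2}; .NET 3.5={3}; KB4484071 installed={4}' -f $Wsus, $rollup, $rollupOk, $net35, $kbOk
if (-not $kbOk -and (-not $rollupOk -or -not $net35)) {
    'Do not install KB4484071 yet: prerequisites missing. Back up the WSUS database before continuing.'
}
```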