Windows 7: Updates for SHA-2 support

win7[German]On March 12, 2019, Microsoft released updates for SHA-2 support for Windows 7 SP1 and Windows Server 2008/R2 as well as WSUS 3.0 SP2. Here is some information about this topic and some hints about first issues.


Advertising


The blog post is an attempt to pick up some loose ends and bring them together to an article describing the odds and evens. You can add missing information to the comments..

What is SHA-2 support about?

Microsoft had announced in 2018 that it would only add SHA-2 signatures to its Windows updates from mid-2019 onwards – signing with SHA-1 would then no longer be necessary for security reasons. I’ve had published the article Windows 7: From April 2019 ‘SHA-2-Support’ is about that.

Users of Windows 7 SP1 (as well as its server counterparts) and WSUS will therefore need a special update from April 2019, which will enable the machine for SHA-2 code signatures. Without this update, these machines will not be able to process new updates in the future. In the blog post SHA-2 patch for Windows 7 arrives on March 2019 I had announced an update for this month, but I had to leave some details to it. As of March 12, 2019, Microsoft has provided the required updates as part of the patchday.

Updates KB4474419 and KB4490628

Effective March 12, 2019, Microsoft has extended the support article 4472027 titled 2019 SHA-2 Code Signing Support requirement for Windows and WSUS with the details and named the required updates.

Security Update KB4474419

Update KB4474419 (SHA-2 code signing support update for Windows Server 2008 R2 and Windows 7: March 12, 2019) adds support for SHA-2 signature evaluation for Windows 7 SP1 and its server pendants. The update is automatically downloaded and installed via Windows Update. The update is also available via Windows Server Update Services (WSUS) or for manual download via Microsoft Update Catalog. The update is also linked to the Microsoft Update Catalog on the ADV90009 advisory page.


Advertising

Servicing Stack Update KB4490628

In addition, the Servicing Stack Update (SSUs) KB4490628 was released for Windows 7 SP1 and Windows Server 2008 R2 SP1. This update fixes a problem with the Servicing Stack when installing updates that were signed using only the SHA-2 hash algorithm. I already pointed this out in the blog post Patchday: Updates for Windows 7/8.1/Server (March 12, 2019).

More issues with these updates

When installing the updates mentioned above to support SHA-2 only update packages, various errors and issues may occur. Microsoft states that the SSU need to be installed before installing the March 2019 updates to avoid subsequent errors and installation problems. But that seems not true – because on my systems this update had been offered only after installing Update KB4474419 first.

Update KB4490628 hangs on reboot

Update KB4490628 comes with a known issue during its installation, which Microsoft lists here. After you have installed the SSU together with other updates, a restart may be required to complete the installation.

Update hängt(Update hangs, Source: Microsoft)

During this reboot, the system may hang when the message “Level 2 of 2” or “Level 3 of 3” appears. If this problem occurs, press Ctrl+Alt+Del to log on to Windows. This problem should occur only once.

Update KB4490628 is not offered

In KB article 4490628, Microsoft states that this update is offered automatically by Windows Update. In this comment blog reader Joe_Gerhard points out that the update is not offered to him. I checked it on my machine – this update was missing there as well, while update KB4474419 has been offered. Later I learned (see my remark above), that update KB4474419 is required, before update is KB4490628 offered. If required, the Microsoft Update Catalog is also available for download.

German blog reader Markus B. informed me a few days ago via e-mail about an observation:

I was able to install the Win7 cumulative first via the WSUS. Then I installed the SSU. MS it says in its support article, that there would be some issues, but that seems not be true. Installing SSU after the cumulative update, does not need a restart.

In an other installation order with SSU first and then the cumulative for SHA-2 support, it would take much longer to distribute the patches. Because I would need to wait, until the maintenance windows has bee shown – in cause, Windows need some administrator prompts.

Thank to Markus for his feedback. There is now a huge discussion thread beneath my German blog post about issues.

Restart loop in 32-bit Windows 7

Within this comment (German) blog reader Gregor (thanks) writes, that the SHA-2 support update led to a reboot loop on three 32-bit Windows 7 machines. Gregor does not specify which update KB4474419 or KB4490628 is meant. Has anyone ever had similar experiences?

Update KB4484071 for WSUS 3.0 SP2

In addition, Microsoft has provided the standalone update KB4484071 for WSUS 3.0 SP2 (SHA-2 Support for Windows Server Update Services 3.0 SP2) in this support article. This update enabled WSUS 3.0 SP2 for SHA-2 support.

Administrators using WSUS 3.0 SP2 need to install this update manually until June 18, 2019. This ensures that updates for Windows 7 and Windows Server 2008/R2 can be redistributed via WSUS 3.0 SP2 from that point. However, the prerequisite for manually installing update KB4484071 is that the following updates:

  • Windows Monthly Rollup KB4489880 (or newer) for Windows Server 2008 SP2
  • KB4489878 (or newer) for Windows Server 2008 R2 SP1
  • and .NET 3.5 need to be installed first

If this is overlooked, errors may occur during installation. Microsoft also recommends backing up the WSUS database before installing these updates.

Similar articles
Windows 7: From April 2019 ‘SHA-2-Support’ is required
SHA-2 patch for Windows 7 arrives on March 2019
Patchday: Updates for Windows 7/8.1/Server (March 12, 2019)


Advertising


This entry was posted in Update, Windows and tagged , , . Bookmark the permalink.

3 Responses to Windows 7: Updates for SHA-2 support

  1. Sarah says:

    64-bit Windows 7 gets no Service Stack Update (SSU) KB4490628.
    Manually download: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/03/windows6.1-kb4490628-x64_d3de52d6987f7c8bdc2c015dca69eac96047c76e.msu
    with NO encryption. Hello MS, we have 1999?

    p.s.: i hope, file fingerprint 8075F6D889BCB27BE6F52ED47081675E5BB8A5390F2F5BFE4EC27A2BB70CBF5E
    is OK.

  2. Michael ILOFF says:

    To Born’s question “Has anyone ever had similar experiences?”. Yes, I unfortunately have, with KB4474419.

    As with Gregor, my 32-bit Windows 7 Home Premium suffers a restart loop: At boot, everything runs normally until the BIOS indicates that it has found the boot code. After that, the screen stays forever black: The expected “Starting Windows” no longer takes place and the machine is unusable.

    Microsoft does not seem to know anything about it. They explain https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-update and warn https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus.

    They do not provide a fix. If this is not made up, there will be no readable updates from August 2019.

Leave a Reply

Your email address will not be published. Required fields are marked *