[German]Since August 27, 2019, Microsoft has lifted the update blockade for Windows 7 SP1 and Windows Server 2008 R2 for systems with installed Symantec/Norton antivirus software. Symantec has given Microsoft permission to release Windows updates. However, these users should install updates for the antivirus software.
Some Background information
As of August 13, 2019, Microsoft released security updates for Windows 7 SP1 (and Windows Server 2008 R2). However, if the users installed antivirus solutions from Norton or Symantec, the delivery of the updates was suspended. The reason for this was that the antivirus solutions from these vendor supposed to be not compatible with the new updates and could have potentially damaged Windows.
As a precaution, Microsoft has therefore, in consultation with Symantec, blocked the delivery of updates for affected machines. The reason for this measure was that the security solutions could not cope with the changed signing of Windows updates (since August 2019, these have only been signed with SHA-2). I reported in the blog post Symantec/Norton blocks Windows Updates (SHA-2).
Symantec provides a patch
A week ago, antivirus vendor Symantec released a patch to fix the update problem under Windows 7 / Windows Server 2008 R2. The distribution for various language versions began already on August 21, 2019. I had addressed this within the blog post Symantec releases a patch for the SHA-2 bug in Windows 7. Later, in acomment to the article, German blog reader Andreas confirmed that the updates were offered by Microsoft after updating his Symantec antivirus software (thanks for the feedback).
Update ban lifted
A few days ago, Symantec completed its internal assessment of the impact of incorrectly detected August 2019 updates and future updates for Windows 7/Windows 2008 R2. It was determined that the risk of false-positive detection is not increased for all in-field versions of Symantec Endpoint Protection previously installed on systems. Symantec has thus given Microsoft the go-ahead to lift the update blockade.
Yesterday I got a comment from German blog reader Hermann informing me, the update hold has been lifted by Microsoft (thanks for that). Microsoft has added the following note to KB article 4512506 as of August 28, 2019:
The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7 and Windows 2008 R2. Symantec has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional details and please reach out to Symantec or Norton support if you encounter any issues.
In order to be able to process the updates properly, Norton/Symantec users should update their AV programs to the following versions as a precautionary measure
- SEP 14.2 RU1 MP1 (14.2.4814.1101) has been certified and is available for download via MySymantec.
- SEP 14.2 RU1 (14.2.3357.1000) has been certified and is available upon request through Symantec Technical Support.
- SEP 14.2 MP1 (14.2.1057.0103) has been certified and is available upon request through Symantec Technical Support.
Only then full SHA-2 signature support is given for the updates. Then updates KB4512506 / KB4512486 and subsequent updates for Windows 7 SP1 and Windows Server 2008 R2 must be successfully installed.