2019 SHA-2 Code Signing Support requirement for Windows and WSUS
Summary
To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2
hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during
delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft will sign
Windows updates exclusively using the more secure SHA-2 algorithm.
Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008
SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices
without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change,
we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services
(WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates
section for the migration timeline.
Background details
The Secure Hash Algorithm 1 (SHA-1) was developed as an irreversible hashing function and is widely used as a
part of code-signing. Unfortunately, the SHA-1 hash algorithm has become less secure over time
due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing.
Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not
suffer from the same issues. For more information about the deprecation of SHA-1, see Hash and Signature
Algorithms.
Product updates
Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in
standalone updates. Microsoft is targeting the following schedule to offer SHA-2 support. Please note that the
timeline below is subject to change. We will update this page as the process begins and as needed.
Target date: March 12, 2019
Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1.
Event: Stand Alone updates that introduce SHA-2 code sign support will be released as security updates.

Target date: March 12, 2019
Applies to: WSUS 3.0 SP2
Event: Stand Alone update will be delivered to WSUS 3.0 SP2 that will support delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be installed no later than June 18, 2019.

Target date: April 9, 2019
Applies to: Windows Server 2008 SP2.
Event: Stand Alone updates that introduce SHA-2 code sign support will be released as security updates.

Target date: June 18, 2019
Applies to: Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019
Event: Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone.

Target date: June 18, 2019
Applies to: WSUS 3.0 SP2
Event: Required: For those customers using WSUS 3.0 SP2, the updates should be installed by this date.

Target date: July 16, 2019
Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2.
Event: Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows.

Target date: July 16, 2019
Applies to: Windows 10 1507, Windows 10 1607, Windows 10 1703
Event: Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone.

Target date: August 13, 2019
Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2.
Event: Contents of updates for legacy Windows versions will be SHA2 signed (embed signed binaries and catalogs). No customer action is expected for this milestone.

Target date: September 16, 2019
Applies to: Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2
Event: Legacy Windows updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone.

For customers using WSUS 3.0 SP2, we recommend that you update your servers with the SHA2 updates for WSUS
3.0 SP2 by June 18th, 2019 to ensure that SHA2 signed updates can be delivered to your enterprise.
Page printed 19. 2. 2019 from https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus