19. 2.

2019 2019 SHA-2 Code Signing Support requirement for Windows and WSUS

2019 SHA-2 Code Signing Support requirement for Windows

and WSUS
Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, More

Summary

To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2
hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during
delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign
Windows updates using the more secure SHA-2 algorithm exclusively.

Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008
SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices
without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change,
we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services
(WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates
section for the migration timeline.

Background details

The Secure Hash Algorithm 1 (SHA-1) was developed as an irreversible hashing function and is widely used as a
part of code-signing. Unfortunately, the security of the SHA-1 hash algorithm has become less secure over time
due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing.
Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not
suffer from the same issues. For more information about of the deprecation of SHA-1, see Hash and Signature
Algorithms.

Product updates

Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in
standalone updates. Microsoft is targeting the following schedule to offer SHA-2 support. Please note that the
timeline below is subject to change. We will update this page as the process begins and as needed.

Target Date Event

Applies To

Stand Alone updates that introduce SHA-2 code sign support will
March 12, 2019 Windows 7 SP1,
be released as security updates.
Windows Server 2008 R2 SP1.

Stand Alone update will be delivered to WSUS 3.0 SP2 that will
support delivering SHA-2 signed updates. For those customers
March 12, 2019 WSUS 3.0 SP2
using WSUS 3.0 SP2, this update should be installed no later than
 
June 18, 2019.

Stand Alone updates that introduce SHA-2 code sign support will
April 9, 2019 Windows Server 2008 SP2.
be released as security updates.
 

Windows 10 1709,
Windows 10 updates signatures changed from dual signed
Windows 10 1803,
(SHA1/SHA2) to SHA2 only. No customer action is expected for
June 18, 2019 Windows 10 1809,
this milestone.
Windows Server 2019
 
 
Required: For those customers using WSUS 3.0 SP2, the updates
June 18, 2019 WSUS 3.0 SP2
should installed by this date.
Required: Updates for legacy Windows versions will require that
SHA-2 code signing support be installed. The support released in Windows 7 SP1,
July 16, 2019
March and April will be required in order to continue to receive Windows Server 2008 R2 SP1,
updates on these versions of Windows. Windows Server 2008 SP2.

July 16, 2019 Windows 10 updates signatures changed from dual signed Windows 10 1507,
(SHA1/SHA2) to SHA2 only. No customer action is expected for Windows 10 1607,

https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus 1/2
19. 2. 2019 2019 SHA-2 Code Signing Support requirement for Windows and WSUS
this milestone. Windows 10 1703
Contents of updates for legacy Windows versions will be SHA2
Windows 7 SP1,
August 13, signed (embed signed binaries and catalogs). No customer action
Windows Server 2008 R2 SP1,
2019 is expected for this milestone.
Windows Server 2008 SP2.
 
Windows 7 SP1,
Windows Server 2008 R2 SP1,
Legacy Windows updates signatures  changed from dual signed Windows Server 2008 SP2,
September 16,
(SHA1/SHA2) to SHA2 only. No customer action is expected for Windows Server 2012,
2019
this milestone. Windows 8.1,
Windows Server 2012 R2
 
 

WSUS 3.0 SP2

For customers using WSUS 3.0 SP2, we recommend that you update your servers with the SHA2 updates for WSUS
3.0 SP2 by June 18th, 2019 to ensure that SHA2 signed updates can be delivered to your enterprise.

Last Updated: Feb 16, 2019

What's new Store & Support Education Enterprise Developer Company

NEW Surface Pro 6 Account profile Microsoft in education Microsoft Azure Microsoft Visual Studio Careers

NEW Surface Laptop 2 Download Center Office for students Enterprise Windows Dev Center About Microsoft

NEW Surface Go Sales & support Office 365 for schools Data platform Developer Network Company news

Xbox One X Returns Deals for students & Find a solution provider TechNet Privacy at Microsoft
parents
Xbox One S Order tracking Microsoft partner resources Microsoft developer Investors
Microsoft Azure in program
VR & mixed reality Store locations education Microsoft AppSource Diversity and inclusion
Channel 9
Windows 10 apps Support Manufacturing & resources Accessibility
Office Dev Center
Office apps Buy online, pick up in store Financial services Security
Microsoft Garage

 English (United States) Contact us Terms of use Privacy and cookies Trademarks Safety & eco © Microsoft 2019

https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus 2/2