Starting July 16, 2019, Windows systems will need SHA-2 code-signing support in order to continue receiving security updates. Windows 10 systems already support SHA-2 code-signing; only Windows 7 and Windows Server 2008 systems will be impacted by this requirement.
Windows updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that the updates come straight from Microsoft and have not been altered during delivery. However, due to weaknesses in the SHA-1 algorithm, Microsoft has decided to drop support for it and sign updates only with the more secure SHA-2 hash moving forward.
The deadline for this change is set for July 16, 2019. To help users who are still using legacy systems like Windows 7 and Windows Server 2008, Microsoft will deliver standalone SHA-2 updates in stages.
On March 12, 2019, Microsoft will release a standalone update that introduces SHA-2 code-signing support for Windows 7 SP1 and Windows Server 2008 R2 SP1 systems.
On April 9, 2019, a standalone update will be released for Windows Server 2008 SP2.
Click here for more details about the timeline of SHA-2 code-signing for Windows updates.
Note that if you are still running a legacy version of WSUS 3.0, you will need to install another standalone SHA-2 update for WSUS 3.0.
If you are using the Windows Update service on Windows Server 2012 and later, we will see if the standalone update can be delivered through the system.