14 DAY TRIAL // This month’s Patch Tuesday rollout for Windows 7 brought new updates that enable support for SHA-2 code signing. These updates need to be installed before July 16, 2019, on Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 for additional updates after this date.
The updates adding SHA-2 support are KB4474419, KB4490628, and KB4484071, and all must be installed before the said deadline.
These updates are pushed via Windows Update to all Windows 7 and Windows Server 2008 devices as part of the Patch Tuesday cycle, and blocking them would prevent systems from getting other security fixes beginning with July.
The purpose of each update
KB4474419 is specifically supposed to introduce SHA-2 code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1, while KB4490628 is a servicing stack update that resolves an issue related to this hash algorithm. This would technically mean that Windows Update is now prepared to receive updates signed using SHA-2, so your device should complete updating successfully when the full switch to this system is complete.
And last but not least, KB4484071 is an update specifically aimed at Windows Server Update Services 3.0 Service Pack 2 (WSUS).
“Without applying this SHA-2 update, beginning July 2019, WSUS 3.0 SP2 (also called WSUS 3.2) will not be able to perform the necessary WSUS update tasks. Starting with WSUS 4.0 on Windows Server 2012, WSUS already supports SHA-2-signed updates, and no customer action is needed for these versions. This update is necessary for those customers still using WSUS 3.0 SP2. We recommend upgrading to the latest version of WSUS, version 10.0,” Microsoft explains.
The updates will be included in the next Patch Tuesday rollouts as well, and users can also download and install them manually by downloading the packages from the Microsoft Update Catalog.