With the July 2019 updates, Microsoft is changing how updates are verified. Older versions of Windows and Windows Server that have not been patched will no longer be able to verify and install newer updates afterwards.
At the end of last year, Microsoft released information about how updates for older versions of Windows (Windows 7 and Server 2008/2008 R2) will change. The problem is that Microsoft signs every update for newer Windows versions with both SHA-1 and SHA-2, but the older versions do not understand the SHA-2 signature and verify updates with SHA-1 only. SHA-1 is known to be weak and was broken in 2017 (read here for more information).
In order to ensure the security and integrity of Windows updates, Microsoft decided to add SHA-2 functionality to the older clients. Newer updates therefore carry an additional SHA-2 signature. Microsoft also released an update for WSUS 3.0 SP2 to support the new verification process.
As a next step, Microsoft released updates for Windows 7, Server 2008 and Server 2008 R2 which enable the verification of updates using SHA-2.
As of July 2019, Microsoft will deliver updates signed with SHA-2 only. This means that clients which have not been updated will not be able to install any updates afterwards.
What do I have to do?
- If your WSUS is running on Server 2008/2008 R2, you need to install KB4484071. Please note that KB4489880 (Server 2008 SP2) or KB4489878 (Server 2008 R2) plus .NET 3.5 have to be installed prior to that update. This enables your WSUS to handle the new signatures.
- For Windows 7, Server 2008 and Server 2008R2 the update KB4474419 needs to be installed. Depending on how up-to-date you are, this might already be done.
- Even after your clients have “learned” how to handle SHA-2 updates, they still cannot process updates that carry an SHA-2 signature only. Therefore make sure that KB4490628 is installed as well.
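A readiness check for the steps above, added here as an example and not taken from the original post: it queries each host with Get-HotFix and reports which of the listed KBs are missing. The host names and the -WsusServer switch are assumptions you supply.

```powershell
# Added example, not part of the original post. Checks whether the updates
# listed above are installed, using Get-HotFix (Win32_QuickFixEngineering).
# Host names are placeholders; -WsusServer marks a WSUS 3.0 SP2 host.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$WsusServer
)

# KB numbers as given in the post
$ClientKbs     = @('KB4474419', 'KB4490628')  # SHA-2 support + KB4490628, every client
$WsusKb        = 'KB4484071'                  # WSUS 3.0 SP2 SHA-2 support
$WsusPrereqKbs = @('KB4489880', 'KB4489878')  # Server 2008 SP2 / Server 2008 R2 (one of them)

function Test-Sha2Readiness {
    param([string]$Computer, [bool]$IsWsus)

    try {
        $installed = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        # Remote WMI failed (firewall, permissions, host offline): report, do not guess
        return [pscustomobject]@{
            Computer = $Computer
            Ready    = $false
            Missing  = @('<query failed: ' + $_.Exception.Message + '>')
        }
    }

    # Client-side requirements apply to every Windows 7 / Server 2008 / 2008 R2 host
    $missing = @($ClientKbs | Where-Object { $installed -notcontains $_ })

    if ($IsWsus) {
        # One of the two prerequisite updates must be present before KB4484071
        if (-not ($WsusPrereqKbs | Where-Object { $installed -contains $_ })) {
            $missing += ($WsusPrereqKbs -join ' or ')
        }
        if ($installed -notcontains $WsusKb) { $missing += $WsusKb }
    }

    [pscustomobject]@{
        Computer = $Computer
        Ready    = ($missing.Count -eq 0)   # $true only if nothing from the list is missing
        Missing  = $missing
    }
}

foreach ($c in $ComputerName) {
    Test-Sha2Readiness -Computer $c -IsWsus $WsusServer.IsPresent
}
```

Run it against a list of hosts before July 2019 and treat every row with Ready = $false as a machine that will silently stop receiving updates; remote queries need WMI/DCOM access to the target.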
I hope this article helps you to prepare and update your clients and servers for the upcoming changes. Please note that Windows 7 and Server 2008/R2 reach end of life in January 2020, so you have less than half a year left to migrate to a newer operating system or to decommission the server.