  • Microsoft updates its schedule for SHA-2 ‘critical’ Win7 update, now due in March

    Posted on February 16th, 2019 at 07:05 by woody

    Remember the dire warning, back last November, that you had to install a forthcoming Win7 security patch in order to continue to receive security patches?

    I had an article in Computerworld about it:

    Microsoft is changing its method for electronically signing patches from an old approach known as SHA-1 to the much more secure SHA-2. If you want to continue to get Win7, Server 2008 and WSUS security patches, you need to install a patch in February or March that makes Windows SHA-2-conversant.

    I hadn’t heard anything more about the transition until @abbodi86 posted an update a few minutes ago. Ends up that Microsoft will push the patch in March, according to a new bulletin posted just a few hours ago:

    Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in standalone updates. Microsoft is targeting the following schedule to offer SHA-2 support.

    March 12, 2019

    Stand Alone updates that introduce SHA-2 code sign support will be released as security updates.

    Windows 7 SP1,
    Windows Server 2008 R2 SP1

    July 16, 2019

    Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows.

    I’m sure you Win7 fans will love the fact that “legacy Windows” now includes Win7, Server 2008, and Server 2008 R2, but nevermind….

    Nothing wrong with being a legacy, eh?


    This topic contains 34 replies, has 17 voices, and was last updated by  anonymous 1 week ago.

    • #327816 Reply

      AskWoody Plus

      Thanks Woody. It sounds like March will be a good month to take special heed of the DefCon rating!

    • #327872 Reply

      AskWoody Lounger

      Not issuing this patch would be a sneaky way of forcing a migration from Win7. Of course MS would not think that way.

    • #327879 Reply

      AskWoody Lounger

      Shrug. I don’t mind, as long as it’s not in a Rollup only.

      1 user thanked author for this post.
    • #327906 Reply

      AskWoody Plus

      I really don’t get why it’s taken so long for this to happen with Windows.  SHA-1 support was removed from apt a couple of years ago, meaning that Ubuntu, Debian and other Linux distributions required SHA-256 minimum.

      1 user thanked author for this post.
    • #327938 Reply

      AskWoody Plus

      I consider Windows 98 or ME to be “Legacy”.  I never thought of anything that is 10 years old to be legacy.

      Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Group B

      • #327996 Reply

        AskWoody Plus


        You didn’t think Windows 3.0 was legacy yet when Windows 2000 came out?

        • #328035 Reply

          AskWoody Plus

          Windows 3.0 was outdated practically from the time it was released.  Try not to get Legacy and Antique confused.

          Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Group B

    • #327944 Reply

      Nibbled To Death By Ducks
      AskWoody Lounger

      “Legacy” indeed! Sounds like the old “Propaganda Sandwich” thing…two truths with a twist in between. (“Down, Legacy Peasant! To the curb with ye!”)

      Take heart, all, this should be an easy patch….er, sorry… (slaps face).

      But seriously, this is really overdue.

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes!" -Scotty

      2 users thanked author for this post.
    • #327958 Reply

      AskWoody Plus

      Since this is a must-have patch, will this be the one where they sneak in something unannounced which will “help” the user to upgrade to Win 10 next year?

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

      • #328039 Reply


        This must have patch also must have as many taking the time to look for anything nefarious from Redmond riding along with said patch and doing the unannounced to any windows 7 systems.


        Some laptops with older discrete mobile GPU/graphics hardware that worked fine under Windows 7 and 8/8.1 will simply not have those GPUs’ drivers be in any way, manner or form vetted/certified to work properly with Windows 10. Laptops that were sold when Windows 7 was relatively new, to even middle-aged, have discrete mobile GPUs that are now considered legacy GPU hardware by their makers and thus receive no further updates and were never vetted or certified to properly work for the types of changes that Windows 10 has undergone under the hood and on the surface.

        Windows 8/8.1 is just Windows 7 under the hood for the most part with that TIFKAM UI tacked on for 8/8.1! So maybe Redmond will have to be forced to offer some Windows 7 laptop users the option of purchasing Windows 8.1 in-place upgrades from 7, lest that older GPU hardware not have any available drivers that work with Windows 10. Maybe even offer some OEM 8.1 version licensing options and some documentation on how to get the drivers copied over from any Windows 7 recovery media that shipped with the laptop.

        I’d like to find out if there are legal methods of forcing Microsoft to offer some consumers the option of purchasing extended Windows 7 security updates like MS offers to its Enterprise/Volume Licensing customers. Microsoft still has to provide for Windows 8.1 security updates anyways until 2023 and most of the Windows 8.1 security patches directly port back to Windows 7 with little code refactoring needed, so similar are the 7 and 8/8.1 OS versions at the kernel/Windows device driver model levels.

        Microsoft will be forcing more folks to have no other option but to go with some Linux distro in hope that their still-working laptop with that older GPU hardware can be made to function under Linux after 7 goes EOL.

        There are some fortunate business laptop customers that were able to purchase laptops, at the height of the Windows 8, before it was replaced by 8.1, usage where the business laptops came with the Pro version of Windows 8 with the Windows 8 Pro License sticker on the laptop! Those Windows 8 Pro business laptops came with Windows 7 Pro downgrade rights and the business laptop OEMs were not too shy, at that time, in offering/applying that Windows 7 Pro downgrade at the factory before the laptop was shipped. So come 2020 some business laptop owners have the rights to 8/8.1 via that Windows 8 Pro license sticker on their business laptops.

        I have one business-grade laptop that came with a Windows 8 Pro License and the laptop’s OEM exercised that Windows 7 Pro downgrade right at the factory and that laptop’s OEM shipped the laptop with 2 sets of recovery DVDs, one for Windows 7 Pro and one for Windows 8 Pro. And both the recovery DVDs have the proper vetted/certified GPU drivers for the discrete mobile GPU that shipped with the laptop.

        Desktop PC users have it so good as they can just upgrade their GPU by removing the old GPU from the PCIe slot and plugging a new one in that’s been certified to work with the latest Windows OS. Laptop users, except for rare laptop SKUs, are stuck with the discrete mobile GPU that’s soldered onto the laptop’s Motherboard.

        1 user thanked author for this post.
        • #330875 Reply

          AskWoody Lounger

          Oh yeah, that.

          I happen to have one laptop… well, luggable workstation… at home… (a Dell) that was never supported even with Windows 7. Officially Vista or older. Yes, I tried to find the drivers manually anyway, never got everything to work on 7. (SD card slot, for example.)

          But, it’s an excellent system for running Linux, all the integrated devices work too.

          The discrete nVidia GPU (the only one, it predates the dual integrated/discrete craze,) has been out of support on Windows for years now. On Linux, it still has official driver support, and that’s not counting the opensource drivers.

          I mean, it isn’t like GPUs are the only “important” hardware people may have. Seen more problems with SD card slots and on modern devices even RS232… and some people really need the FireWire and…

      • #330133 Reply


        Not unless they bring back  the free upgrade promo.  You can’t sneak in an OS upgrade and then send in the BSA for piracy.

    • #327933 Reply


      It is pretty funny that M$ refers to Win7 as legacy now. As usage numbers indicate a virtual tie between W7 and W10, imo I think that more people would be buying W7 units over W10 if M$ still allowed the sales of it. This begs the question:  Which OS is really legacy? :>)

      2 users thanked author for this post.
    • #327967 Reply

      AskWoody Plus

      I agree with Seff #327816 and March will be a good month for taking my very good time before patching. See first what, why, and how much grief this change brings along before it is fixed. Not that it is a bad thing to do, but MS has not been particularly good at changing things, for as long as I can remember (and that is really long). As for the “legacy” thing: a revealing choice of words, but not worse than the rest of what is going on with Windows in general, so: not something worth my worrying about.

    • #327974 Reply


      Hmm.  Does this mean that a fresh Win7 install from existing media won’t be able to obtain the 500-odd updates in future?  Or will we just get hold of this patch first (along with the latest SSU, e.g. KB3177467)?

      Tony H.
      Bristol UK

      P.S. One of Gartner’s researchers once defined legacy as ‘the programmer is dead or should be’!

      • #327985 Reply

        Da Boss

        It probably means you will have to download and install the patch offline before you can update from Windows Update or WSUS.

        1 user thanked author for this post.
        • #328275 Reply


          All updates are dual signed sha1/sha2 since late 2014 or starting 2015
          so the new WU infrastructure will still work with them

          not sure if the same applies about older updates (sha1 only)

          2 users thanked author for this post.
    • #328024 Reply

      AskWoody Lounger



      So, will this update be available as a KB number in Windows Update Catalog, or will we have to get it some other way? Not trying to rush things, just trying to stay informed for when the time is right.


      • #328028 Reply

        Da Boss

        They will have to distribute it somehow through Windows Update for the general non-business people. Otherwise, most people would miss it, not knowing how to download from the catalog.

        2 users thanked author for this post.
    • #328027 Reply

      AskWoody Plus

      What did I tell you a couple days postings ago. “All hands on deck”. In order to force all W7 users to get W10 they will use all personnel to throw up road blocks and other things. They will in the meantime neglect W10 and put out sloppy patches while concentrating on W7’s demise because they know millions of W7 users won’t be switching.

      • #328030 Reply

        Da Boss

        This is not a roadblock. It is necessary for security and should have been done before this.

        6 users thanked author for this post.
        • #328171 Reply


          I’m not sure I agree. Windows has gone without it for a while, and there are, to my knowledge, no fake updates out in the wild. It also would be a smaller burden to just keep both setups running, or at least keep the old one running and putting out a single update that then allows you to install the rest.

          The time to move off of SHA-1 was a couple years ago, when the web itself moved off of it. It seems weird that they are doing it now. What has happened that makes them suddenly decide security on updates matters?

        • #339446 Reply

          AskWoody Lounger

          @pkcano:  I have been in a hospital for quite some time, and I am now attempting to get back to where I ended (about 2-9-19).  I don’t know of anyone who is more knowledgeable than you are, and you have been a Godsend in helping me.

          I presently only have 2 Important updates listed (not including the MSRT & Win Def Update).  These are as follows:

          KB4487078     64.2 MB  Security & Quality Rollup for .NET, pub. 2-12-29.

          KB 4486565    240.8MB  Security Monthly Quality Rollup for Win7 for 64 based systems

          Could you please, please provide the information I need for these two?  I need your help desperately.  You are the BIGGEST STAR we have, and I cannot thank you enough for your invaluable help to all of us.  Thank you, thank you, thank you.

          • #339459 Reply

            Da Boss

            KB4487078 64.2 MB Security & Quality Rollup for .NET, pub. 2-12-29.
            KB 4486565 240.8MB Security Monthly Quality Rollup for Win7 for 64 based systems

            You can install both of those updates plus MSRT & Win Def Update. You should be fine.

            • #340871 Reply

              AskWoody Lounger

              @pkcano:  I thank you so very, very much for the information which will allow me to get back to a starting point.     You are a “TRUE GEM“, PK, and I shall never be able to adequately express my gratitude for your invaluable information.     Thank you, thank you, and thank you once again!

      • #329186 Reply


        Micro$oft can do whatever they like, I’m not giving up Win 7!!! I’ll run it without updates. Been doing that for most of 2018. Picking and choosing my updates based on what I’ve read on here. Woody, the Patch Lady and others have helped greatly. Win 7 isn’t going away, just because Micro$oft wants it to. New software and old will still work on it. The same way it still works with XP. My guess is ( and only me guessing ) much of Win 10 code is the same as Win 7 and that both are partly old Win NT and/or Win 2000. If true,,, everything is “legacy”.

    • #330134 Reply


      With less than 1 year of support remaining, Windows 7 and Server 2008 / R2 _are_ legacy.

      • #330204 Reply

        AskWoody Plus

        “Legacy” or not, people should keep in mind, and plan accordingly as soon as possible, that come the end of life of Windows 7 next January, and possibly even before:

        If a printer breaks, there may be no printers to be found with Windows 7 drivers.

        Application software “for Windows 7” may no longer be supported.

        Security patches will no longer be available, except, perhaps, in some dire situations, as has happened with Windows XP after it ceased to be supported by MS.

        So, although none of this might happen very fast, given the large number of people one can expect will be still using Windows 7 after its EOL, nevertheless, as time goes by, there will be more and more such problems, and their solutions might be increasingly harder to find. In consequence, functionality will be gradually lost.

        So I would like to suggest now that, at Woody’s, someone opens a forum (not a thread) on the problems I have outlined above and others of the same nature, when the EOL of Windows 7 is already getting very close. “Transitioning from Windows 7” could be its title.

        • #337895 Reply


          I will concede in part to what you have mentioned, but the sky won’t be falling on January 2nd. of next year. Win 7 will work in the same way it does now. As time goes by, yes,,, hardware will be harder to find as suppliers’ inventories change over. Namely the drivers for hardware. Application/program software will have a much longer way to go. Case in point, is the fact many of them still support Windows XP. In some rare cases, Windows 2000 security patches have become a joke. They are the very reason most of us come to this site and forum, to find the truth about security updates. I have put my trust into much wiser people than myself, to inform me what I should and shouldn’t do. EOL will come to Win 7, it just won’t happen overnight. Everyone will have to make a decision of, when and what to do next. For me it’s Linux Lime. A year from now, I could still be using Win 7 or maybe Lime, but that’s my decision not someone else’s!


          Edited for HTML. Please use the “Text” box for copy/paste

          1 user thanked author for this post.
    • #330803 Reply

      AskWoody Plus

      What would be the outcome if a non computer person didn’t know of the update or receive it thru normal “Windows Update” to install?

      • #330845 Reply


        It will be published thru normal “Windows Update” to install

    • #341239 Reply


      Windows 7 SHA-2: should it be installed now or wait?

      • #341251 Reply

        Da Boss

        You should wait until the DEFCON number for the March patches is 3 or above. The SHA-2 requirements do not take effect until July or August, so NOW isn’t necessary.

    • #341264 Reply


      Win 7 SP1 SHA-2 patch is KB4474419
