WSUS 3.0 SP2 mandatory SHA-2 support update [EN]

Microsoft is planning to stop using the SHA-1 algorithm when signing its updates (the signature proves they were not tampered with). Based on the support article, though, it seems this only affects the older, standalone version of WSUS (3.0 SP2). If you are using WSUS as a role on Windows Server 2012 or higher, it should be version 4.0 and probably already supports SHA-2. Anyway, there is still time before the switch. Microsoft should release SHA-2 support for WSUS 3.0 and older operating systems (Windows 7, Windows Server 2008/R2) in March/April of 2019 as security updates, and the switch to SHA-2-only signing will be executed on June 18, 2019.

UPDATE: I saw someone coming to this article with a search query “how to test SHA-2 support”. Well, you can’t, I think, because Microsoft should stop signing updates with SHA-1 after June 18. I’m not sure how you can get an update signed only with SHA-2 until that point. So, you should install all security and critical updates for affected OSes, install that WSUS update and hope that everything works past that date.
