Heads up: A ‘critical’ Win7/Server 2008 patch coming in February/March that’s really critical

There’s an important move afoot, if you’re using Windows 7 or Server 2008, or an older version of Windows Server Update Services. Starting in April, Windows updates will all be sent out with SHA-2 encryption, usurping the old SHA-1. Before the cutoff, you need to get SHA-2 running. Other versions of Windows already speak SHA-2, but if you have Win7 or Server 2008, and you want to keep getting security patches, you need to install an SHA-2 Babel fish patch coming in February or March.

Microsoft’s official announcement says:

Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by April 2019. Any devices without SHA-2 support will not be offered Windows updates after April 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019.

The timeline says that this coming February’s Monthly Rollup preview will have the SHA-2 code, as will a standalone patch. (No indication about whether that patch will be installed automatically.) Then, in March, the usual Monthly Rollup and Security-only patches will both include the new SHA-2 conversant code.

Then, in April, all new patches will require SHA-2.

Microsoft tends to use the “critical” label for about a quarter of all of its monthly patches, and “critical” patches are rarely a make-or-break-right-now proposition for the typical Windows customer. This time, in March, this critical patch really will be critical.

Let’s hope they get it right the first time.

Thx, @abbodi86

Join us in wild anticipation on the AskWoody Lounge.