Windows 7 and Server 2008 getting mandatory updates killing SHA-1 patches
Microsoft has announced via a new support article that it will be phasing out the Secure Hash Algorithm 1 (SHA-1) based portion of its cryptographic signing of Windows updates across all actively supported distributions (Windows 7, Windows Server 2008, Windows 8, Windows Server 2012, Windows 10, and Windows Server 2019) in favor of solely signing with the newer and more secure SHA-2 algorithm.
According to Microsoft, the reason for this transition from dual signing operating system updates with both SHA-1 and SHA-2 to just using SHA-2 is because of SHA-1 "...[becoming] less secure over time due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing." For users on Windows 10 and Server 2019, no action is needed for the process. However, for users on Windows 7 and Server 2008, a mandatory update is required in order to ensure the ability to download and install future security updates.
The support article contains a time table of events shows that the critical dates for Windows 7 and Windows Server 2008 are March 12th, when the update to support SHA-2 code sign support goes live, and July 16th, which is when Windows 7 and Windows Server 2008 users should have downloaded and installed the update from March 12th by in order to continue receiving security updates.