U-Tools: Unique Tools for Windows System Administrators
U-Move Help

SHA-2 encryption: Phase out of SHA-1

Microsoft has phased out the use of Secure Hash Algorithm 1 (SHA-1) for verifying the authenticity and integrity of executable files and network communications in Windows. This is part of a long term industry initiative to move away from using SHA-1 in favor of the more secure SHA-2 algorithm. NIST deprecated the use of SHA-1 in 2011. Support for SHA-2 was added in Windows Server 2012 and Windows 7.

As of 2020 new attacks were demonstrated that can fully break SHA-1. In response Microsoft has released security patches that retroactively add support for SHA-2 to Windows Server 2008 and Windows Server 2008 R2.


U-Move 2.7 is the final version to support SHA-1

Microsoft has announced they will no longer issue Authenticode code-signing certificates that cross-sign SHA-1 and SHA-2 digital signatures for new Windows applications. This will prevent new versions of U-Move from installing on old operating systems that do not support SHA-2. This includes Windows Server 2003 and Windows Server 2003 R2. It will also prevent U-Move from installing on Windows Server 2008 and Windows Server 2008 R2 without KB4490628 and KB4474419.

Because of this, U-Move 2.7.4001 (released April 2021) is the final version of U-Move that can be installed on Windows Server 2003 and installations of Windows Server 2008 and Windows Server 2008 R2 that do not support SHA-2. It will remain available under Legacy Products at u-tools.com.

Going forward, U-Move 2.8+ will support SHA-2. For a list of compatible operating systems see Compatibility. (U-Move 2.7.4001 will also install on Windows Server 2012-2019 because it supports both SHA-1 and SHA-2, however it will not receive any new fixes or updates from U-Tools because we cannot sign them anymore.)


SHA-2 encryption for Kerberos KDC ticket signatures in Active Directory

Microsoft has updated Active Directory with SHA-2 to protect Kerberos service tickets issued by the Key Distribution Center (KDC) for constrained delegation (KB4598347). This will affect older domain controllers that do not support SHA-2.

Microsoft has announced that constrained delegation from unsupported domain controllers will no longer work to supported domain controllers. U-Move will warn you if it detects this situation. See the topic KDC Ticket Signatures in U-Move Help.


How to update Windows Server 2008 and Windows Server 2008 R2 for SHA-2

Microsoft published updates for Windows Server 2008 and Windows Server 2008 R2 to retroactively add support for SHA-2. (The updates also apply to Windows 7.) For the original announcement see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. Additional information was published in SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019 (KB4474419).


Extended Security Updates

To receive Extended Security Updates (ESU) for Windows Server 2008 R2 you will need to install the Servicing stack update for Windows Server 2008 SP2: April 9, 2019. See also Extended Security Updates (ESU) Licensing Preparation Package for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Procedure to continue receiving security updates after extended support ends on January 14, 2020.


Windows Product Key Activation for Windows Server 2008 and Windows Server 2008 R2

You will need to apply the SHA-2 updates in order to successfully activate your Windows Product Key (WPK) after cloning AD.

For More Information

For more information see Microsoft to Remove Windows Updates Using SHA-1 Hash (duo.com), Windows Update SHA-1 based endpoints discontinued for older Windows devices (Microsoft), and Microsoft to use SHA-2 exclusively starting May 9, 2021 (Microsoft).