Menu

SHA-2 encryption: Phase out of SHA-1

Microsoft has phased out the use of Secure Hash Algorithm 1 (SHA-1) for verifying the authenticity and integrity of executable files and network communications in Windows. This is part of a long term industry initiative to move away from using SHA-1 in favor of the more secure SHA-2 algorithm. NIST deprecated the use of SHA-1 in 2011. Support for SHA-2 was added in Windows Server 2012 and Windows 7.

As of 2020 new attacks were demonstrated that can fully break SHA-1. In response Microsoft has released security patches that retroactively add support for SHA-2 to Windows Server 2008 and Windows Server 2008 R2.

---

U-Move 2.7 is the final version to support SHA-1

Microsoft has announced they will no longer issue Authenticode code-signing certificates that cross-sign SHA-1 and SHA-2 digital signatures for new Windows applications. This will prevent new versions of U-Move from installing on old operating systems that do not support SHA-2. This includes Windows Server 2003 and Windows Server 2003 R2. It will also prevent U-Move from installing on Windows Server 2008 and Windows Server 2008 R2 without KB4490628 and KB4474419.

Because of this, U-Move 2.7.4001 (released April 2021) is the final version of U-Move that can be installed on Windows Server 2003 and installations of Windows Server 2008 and Windows Server 2008 R2 that do not support SHA-2. It will remain available under Legacy Products at u-tools.com.

Going forward U-Move 2.8+ will support only SHA-2. For a list of compatible operating systems see Compatibility.

---

SHA-2 encryption for Kerberos KDC ticket signatures in Active Directory

Microsoft has updated Active Directory with SHA-2 to protect Kerberos service tickets issued by the Key Distribution Center (KDC) for constrained delegation (KB4598347). This will affect older domain controllers that do not support SHA-2.

Microsoft has announced that constrained delegation from unsupported domain controllers will no longer work to supported domain controllers. U-Move will warn you if it detects this situation. See the topic KDC Ticket Signatures in U-Move Help.

---

How to update Windows Server 2008 and Windows Server 2008 R2 for SHA-2

Microsoft published updates for Windows Server 2008 and Windows Server 2008 R2 to retroactively add support for SHA-2. (The updates also apply to Windows 7.) For the original announcement see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS. Additional information was published in SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019 (KB4474419).

---

Extended Security Updates

To receive Extended Security Updates (ESU) for Windows Server 2008 R2 you will need to install the Servicing stack update for Windows Server 2008 SP2: April 9, 2019. See also Extended Security Updates (ESU) Licensing Preparation Package for Windows 7 SP1 and Windows Server 2008 R2 SP1 and Procedure to continue receiving security updates after extended support ends on January 14, 2020.

---

Windows Product Key Activation for Windows Server 2008 and Windows Server 2008 R2

With U-Move version 2.8 or later, you will need to apply the SHA-2 updates in order to successfully activate your Windows Product Key (WPK) after cloning AD.

For More Information

For more information see Microsoft to Remove Windows Updates Using SHA-1 Hash (duo.com), Windows Update SHA-1 based endpoints discontinued for older Windows devices (Microsoft), and Microsoft to use SHA-2 exclusively starting May 9, 2021 (Microsoft).