Windows Server 2008 R2 2019年8月月度更新需要注意的无法启动重大BUG问题的解释说明

2019 SHA-2 Code Signing Support requirement for Windows and WSUS

Applies to: Windows 7 Service Pack 1Windows Server 2008 R2 Service Pack 1Windows Server 2008 Service Pack 2 More

---

Summary

---

To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.

Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Windows Server Update Services (WSUS) 3.0 SP2 will receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.

Background details

---

The Secure Hash Algorithm 1 (SHA-1) was developed as an irreversible hashing function and is widely used as a part of code-signing. Unfortunately, the security of the SHA-1 hash algorithm has become less secure over time due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing. Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not suffer from the same issues. For more information about of the deprecation of SHA-1, see Hash and Signature Algorithms.

Product update schedule

---

Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in standalone updates. Microsoft is targeting the following schedule to offer SHA-2 support. Please note that the timeline below is subject to change. We will update this page as the process begins and as needed.

Target Date	Event	Applies To
March 12, 2019	Stand Alone security updates KB4474419 and KB4490628 released to introduce SHA-2 code sign support.	Windows 7 SP1, Windows Server 2008 R2 SP1
March 12, 2019	Stand Alone update, KB4484071 is available on Windows Update Catalog for WSUS 3.0 SP2 that supports delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be manually installed no later than June 18, 2019.	WSUS 3.0 SP2
April 9, 2019	Stand Alone update, KB4493730 that introduce SHA-2 code sign support for the servicing stack (SSU) was released as a security update.	Windows Server 2008 SP2
May 14, 2019	Stand Alone security update KB4474419 released to introduce SHA-2 code sign support.	Windows Server 2008 SP2
June 11, 2019	Stand Alone security update KB4474419 re-released to add missing MSI SHA-2 code sign support.	Windows Server 2008 SP2
June 18, 2019	Windows 10 updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.	Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019
June 18, 2019	Required: For those customers using WSUS 3.0 SP2, KB4484071 must be manually installed by this date to support SHA-2 updates.	WSUS 3.0 SP2
July 9, 2019	Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in April and May (KB4493730 and KB4474419) will be required in order to continue to receive updates on these versions of Windows. Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only at this time.	Windows Server 2008 SP2
July 16, 2019	Windows 10 updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.	Windows 10 1507, Windows 10 1607, Windows Server 2016, Windows 10 1703
August 13, 2019	Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March (KB4474419 and KB4490628) will be required in order to continue to receive updates on these versions of Windows. If you have a device or VM using EFI boot, please see the FAQ section for additional steps to prevent an issue in which your device may not start. Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only at this time.	Windows 7 SP1, Windows Server 2008 R2 SP1
September 10, 2019	Legacy Windows updates signatures  changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.	Windows Server 2012, Windows 8.1, Windows Server 2012 R2

Current status

---

Windows 7 SP1 and Windows Server 2008 R2 SP1

The following updates must be installed and the device must be restarted before installing any Rollup released August 13, 2019 or later. The required updates can be installed in any order and do not need to be reinstalled, unless there is a new version of the required update.

1. The latest servicing stack update (SSU) (KB4490628). If you are using Windows Update, the latest SSU will be offered to you automatically. 
2. The latest SHA-2 update (KB4474419) released August 13, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically.
3. If you are using EFI Boot on your device or virtual machine (VM), you must also install KB3133977. Currently, KB3133977 is required as a workaround for a known issue when using EFI Boot and should be applied even if you are not using BitLocker. For more information on this issue, see the FAQ below.

Important You must restart your device after installing all the required updates, before installing any Monthly Rollup, Security-only update, or Preview of Monthly Rollup.

Windows Server 2008 SP2

The following updates must be installed and the device must be restarted before installing any Rollup released July 9, 2019 or later. The required updates can be installed in any order and do not need to be reinstalled, unless there is a new version of the required update.

1. The latest servicing stack update (SSU) (KB4493730). If you are using Windows Update, the latest SSU will be offered to you automatically. 
2. The latest SHA-2 update (KB4474419) released June 11, 2019. If you are using Windows Update, the latest SHA-2 update will be offered to you automatically.

Important You must restart your device after installing all the required updates, before installing any Monthly Rollup, Security-only update, or Preview of Monthly Rollup.

Frequently Ask Questions

---

General information, planning and issue prevention

1. How are the updates for KB3033929 and KB4039648 different from the stand-alone updates shipped in March and April?

The SHA-2 code-signing support was shipped early to ensure that most customers would have the support well in advance of Microsoft’s change to SHA-2 signing for updates to these systems. The stand-alone updates include some additional fixes and are being made available to ensure that all of the SHA-2 updates are in a small number of easily identifiable updates. Microsoft recommends that customers that maintain system images for these OSes to apply these updates to the images.

2. Will other versions of WSUS add SHA-2 support?

Starting with WSUS 4.0 on Windows Server 2012, WSUS already supports SHA-2-signed updates, and no customer action is needed for these versions.

Only WSUS 3.0 SP2 needs KB4484071 installed to support SHA2 only signed updates.

3. I have a Windows Server 2008 SP2 system that dual-boots with Windows Server 2008 R2 (or Windows 7). How should I update to SHA-2 support?

Assume you run Windows Server 2008 SP2. If you dual-boot with Windows Server 2008 R2 SP1/Windows 7 SP1, the boot manager for this type of system is from the Windows Server 2008 R2/Windows 7 system. In order to successfully update both of these systems to use SHA-2 support, you must first update the Windows Server 2008 R2/Windows 7 system so that the boot manager is updated to the version that supports SHA-2. Then, update the Windows Server 2008 SP2 system with SHA-2 support.

4. I have a system with two partitions, one with Windows Server 2008 SP2 and the second with a Windows 7 PE (WinPE) boot environment. How do I update to SHA-2 support?

Similar to the dual-boot scenario, the Windows 7 PE environment must be updated to SHA-2 support. Then, the Windows Server 2008 SP2 system must be updated to SHA-2 support.

5. I am using setup to perform a clean installation of Windows 7 SP1 or Windows Server 2008 R2 SP1. I'm using an image that has been customized with updates (for example, using dism.exe). How do I update to SHA-2 support?

1. Run Windows setup to completion and boot into Windows prior to installing August 13, 2019 or later updates
2. Open an administrator command prompt window, run bcdboot.exe. This copies the boot files from the Windows directory and sets up the boot environment. See BCDBoot Command-Line Options for more details.
3. Before installing any additional updates, install the August 13, 2019 re-release of KB4474419, KB4490628 , and  KB3133977 for Windows 7 SP1 and Windows Server 2008 R2 SP1.
4. Restart the operating system. This restart is required
5. Install any remaining updates.

6. I am installing an image of Windows 7 SP1 or Windows Server 2008 R2 SP1 directly to the disk without running setup. How do I make this scenario work?

1. Install the image on the disk and boot into Windows.
2. At the command prompt, run bcdboot.exe. This copies the boot files from the Windows directory and sets up the boot environment. See BCDBoot Command-Line Options for more details.
3. Before installing any additional updates, install the August 13, 2019 re-release of KB4474419, KB4490628 , and KB3133977 for Windows 7 SP1 and Windows Server 2008 R2 SP1.
4. Restart the operating system. This restart is required
5. Install any remaining updates.

Note Currently, KB3133977 is required as a workaround for a known issue when using EFI Boot and should be applied even if you are not using BitLocker. 

7. Is my x64 device or VM using EFI Boot supported by this SHA-2 update on Windows 7 SP1 and Windows Server 2008 R2 SP1?

Yes, you will need to install the required updates before proceeding: SSU (KB4490628), SHA-2 update (KB4474419) and KB3133977.  Also, you are required to restart your device after installing the required updates before installing any further updates.  Currently, KB3133977 is required as a workaround for a known issue that may prevent your EFI boot device or virtual machine (VM) from starting up and should be applied even if you are not using BitLocker.

8. Windows 10, version 1903 is not listed in the table above, does it support SHA-2 updates? Is there any action required?

Windows 10, version 1903 supports SHA-2 since it's release and all updates are already SHA-2 only signed.  There is no action needed for this version of Windows.

Issue recovery

1. My x64 device or virtual machine (VM) is not starting and I'm receiving an error 0xc0000428 (STATUS_INVALID_IMAGE_HASH) or my device starts into the recovery environment upon restarting after installing updates released August 13, 2019 or later. I have installed KB4474419 and KB4490628 to include SHA-2 support. How do I recover my install?

If you are seeing error 0xc0000428 with the message “Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.” please follow these steps to recover.

1. Start the operating system using recovery media.
2. Before installing any additional updates, install KB3133977 using Deployment Image Servicing and Management (DISM) for Windows 7 SP1 and Windows Server 2008 R2 SP1.
3. Reboot into the recovery media. This restart is required
4. At the command prompt, run bcdboot.exe. This copies the boot files from the Windows directory and sets up the boot environment. See BCDBoot Command-Line Options for more details.
5. Restart the operating system. 

Note Currently, KB3133977 is required as a workaround for a known issue when using EFI Boot on x64 and should be applied even if you are not using BitLocker. 

2. I have deployed a rollup update to all the devices or virtual machines (VMs) in my environment and upon restarting, I'm receiving an error 0xc0000428 (STATUS_INVALID_IMAGE_HASH) or my device starts into the recovery environment.  What should I do on the remaining devices or VMs that have not yet restarted?

1. Halt deployment to other devices and do not restart any devices or VMs that have not already restarted.

2. Identify devices and VMs in restart pending state with updates released August 13, 2019 or later and open an elevated command prompt

3. Find the package identity for the update you want to remove by using the following command using the KB number for that update (replace 4512506 with the KB number you are targeting, if it is not the Monthly rollup released August 13, 2019): dism /online /get-packages | findstr 4512506

4. Use the following command to remove the update, replacing <package identity> with what was found in the previous command: Dism.exe /online /remove-package /packagename:<package identity> 

5.  You will now need to install the required updates listed in the How to get this update section of the update you are trying to install, or the required updates listed above in the Current status section of this article.

Note Any device or VM you are currently receiving an error 0xc0000428 or that is starting into the recovery environment, you will need to follow the steps in the FAQ question for error 0xc0000428.

3. What should I do if I receive error code 80096010 or error code 80092004 (CRYPT_E_NOT_FOUND), “Windows Update encountered an unknown error” when attempting to install an update on Windows 7 SP1, Windows Server 2008 R2 SP1, or Windows Server 2008 SP2?

If you encounter these errors, you need to install the required updates listed in the How to get this update section of the update you are trying to install, or the required updates listed above in the Current status section of this article.

4. My Intel Itanium IA64 device is not starting up and I'm receiving error 0xc0000428 (STATUS_INVALID_IMAGE_HASH) but I installed KB4474419 and KB4490628. How do I recover my install?

If you are seeing error 0xc0000428 with the message “Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.” please follow these steps to recover.

1. Start the operating system using recovery media.
2. Install the latest SHA-2 update (KB4474419) released August 13, 2019, using Deployment Image Servicing and Management (DISM) for Windows 7 SP1 and Windows Server 2008 R2 SP1.
3. Reboot into the recovery media. This restart is required
4. At the command prompt, run bcdboot.exe. This copies the boot files from the Windows directory and sets up the boot environment. See BCDBoot Command-Line Options for more details.
5. Restart the operating system.