SHA-256 for Windows XP

First published on TECHNET on Sep 30, 2010

UPDATE (2/8): Based on some recent questions, additional information has been posted about SHA2 and Windows.

We’ve recently received a couple of requests from customers about the functionality of SHA-256 when running on Windows XP and 2003. This has become more important recently, as NIST has recommended migrating off SHA-1 by the end of the year. More details about the NIST recommendation can be found in SP 800-78-2 and SP 800-57. Hopefully this blog post can help clear up the confusion about which scenarios work and which don’t.

Prior to Windows XP Service Pack 3, there was no SHA2 functionality within Windows XP. With the release of Service Pack 3 some limited functionality was added to the crypto module rsaenh.dll. This includes the following SHA2 hashes: SHA-256, SHA-384, SHA-512. SHA-224 was not included.

Windows Server 2003 Service Pack 2 does not ship with support for SHA2. This limitation can become an important concern when processing smart card logons and for mutual TLS authentication to web servers. Unlike other technologies, smart card logon and mutual TLS both use strict revocation checking, so if either the certificate itself or the revocation information (CRL/OCSP) uses SHA2, the logon fails.

Though SHA2 support is not included in Windows Server 2003 Service Pack 2, it is available for download. KB 938397 brings Windows Server 2003 to the same level of functionality as Windows XP with Service Pack 3. KB 938397 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note that KB 938397 is also offered for Windows Server 2003 Service Pack 1.

With the release of Windows Server 2008 it was found that Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 with KB 938397 were unable to request certificates from a Windows Server 2008 (and 2008 R2) certificate authority (CA) whose certificate was signed with a SHA2 hash. KB 968730 was released to address this issue. Incidentally, KB 968730 completely supersedes KB 938397, so if a Windows Server 2003 Service Pack 2 system needs to both enroll from a SHA2 certificate authority and process SHA2 certificates, only KB 968730 needs to be installed. As before, KB 968730 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note that KB 968730 is not offered for Windows Server 2003 Service Pack 1.

Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms (including SHA2) are included in the operating system. It is worth noting that even though the algorithms are available, it is up to the individual applications to implement support.

Besides logon, another very popular use for smart cards is S/MIME. But before diving into Outlook and S/MIME, the following warning should be given. Regardless of the functionality Windows and Outlook provide, in order for mail to be delivered between two users there are any number of spam filters, relays, mailboxes, etc. between sender and recipient. Each of these can be made by a wide range of vendors and run on a wide range of platforms. So before deploying SHA2, testing should be done against one’s own email infrastructure, in addition to the email infrastructure of the external organizations with which S/MIME-signed mail needs to be exchanged.

All those warnings aside, the basic functionality for Outlook is as follows. Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 can sign with and validate certificates that are themselves SHA2 signed. Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 cannot validate email messages when the message itself is SHA2 signed (regardless of the certificate used). Outlook 2003, 2007, and 2010 running on Windows XP Service Pack 3 cannot sign a message with SHA2; only SHA-1 and MD5 are available.

In order to validate SHA2 messages, Windows Vista with Outlook 2003 (or newer) is needed. In order to both sign and validate SHA2 messages, Windows Vista or 7 with Outlook 2007 or 2010 is needed.

For organizations looking to deploy SHA2, or organizations that interact with third parties that will soon begin using SHA2, the following is recommended.

    • If Windows XP is used in the environment, Service Pack 3 should be deployed. In addition to SHA2 functionality, Service Pack 3 is currently the only Windows XP service pack that is supported.
    • If Windows XP systems would need to enroll in certificates from a SHA2 certificate authority, KB 968730 should be deployed.
    • If Windows Server 2003 is used in the environment, Service Pack (1 or 2) and KB 938397 should be deployed.
    • If Windows Server 2003 would need to enroll in certificates from a SHA2 certificate authority, Service Pack 2 and KB 968730 should be deployed. If planning on deploying KB 968730, installing KB 938397 is not necessary.
    • If S/MIME using SHA2 signing for the message body is needed, workstations should be upgraded to at least Windows Vista running Office 2003.
   

| Scenario | XP SP3 | XP SP3 with KB968730 | 2003 R2 SP2 | 2003 R2 SP2 with KB968730 | Windows Vista, 7, 2008, 2008 R2 |
|---|---|---|---|---|---|
| Basic Functionality | | | | | |
| Browsing a website using SHA2 certificate | Works | Works | Unable to validate certificate | Works | Works |
| Open a certificate and viewing properties | Works | Works | Unable to validate certificate | Works | Works |
| Interactive logon and mutual TLS (client system) | | | | | |
| Client with SHA2 certificate; server with SHA1 certificate | Works | Works | Works | Works | Works |
| Client with SHA2 certificate; server with SHA2 certificate | Works | Works | Unable to login | Works | Works |
| Interactive logon and mutual TLS (domain controller / IIS server) | | | | | |
| Client with SHA2 certificate; server with SHA1 certificate | N/A | N/A | Unable to login | Works | Works |
| Certificate Enrollment | | | | | |
| V3 certificate template enrollment from any type of root | Unable to select template | Unable to select template | Unable to select template | Unable to select template | Works |
| V2 certificate template enrollment from SHA2 root | Request fails | Works | Request fails | Works | Works |
| S/MIME (Outlook 2003) | | | | | |
| Validate and sign to a SHA2 certificate | Works | Works | N/A | N/A | Works |
| Validate message body signed with SHA2 | Unable to validate certificate | Unable to validate certificate | N/A | N/A | Works |
| Sign message body with SHA2 | Not an available option | Not an available option | N/A | N/A | Not an available option |
| S/MIME (Outlook 2007 and 2010) | | | | | |
| Validate and sign to a SHA2 certificate using SHA-1 for the message signature | Works | Works | N/A | N/A | Works |
| Validate message body signed with SHA2 | Unable to validate certificate | Unable to validate certificate | N/A | N/A | Works |
| Sign message body with SHA2 | Not an available option | Not an available option | N/A | N/A | Works |

-Adam Stasiniewicz


Feb 12, 2025

Introduction

SHA-2 is a set of cryptographic hash functions which includes SHA-224, SHA-256, and SHA-512. The 256 in SHA-256 represents the bit size of the hash output or digest when the hash function is performed. Not all software supports every digest size within the SHA-2 family. This article focuses specifically on SHA-256 and its compatibility with various software platforms and operating systems. As a general rule, SHA-256 is supported on OS X 10.5+ and Windows XP SP3+.

Read our Hash Functions article for a better understanding of how they work and how they are used to validate certificates and documents.

For GlobalSign’s policy on SHA-256 issuance as well as important dates set by Microsoft, Google, and Mozilla, please read the SHA-256 Rollout article.

To purchase a trusted SHA-256 certificate, contact a GlobalSign representative. 

Index:

  1. OS, Browser, and Server Support
  2. Firewall Support
  3. Toolkits, Libraries, Frameworks, etc.
  4. Database Support
  5. Detailed Operating System Support
  6. E-Mail Clients
  7. Document Signing
  8. Windows Code Signing
  9. SafeNet iKey / eToken Compatibility
  10. Mainframe
  11. Citrix Support
  12. Services

OS, Browser, and Server Support

| Operating System | Minimum OS Version (SSL Certificates) | Minimum OS Version (Client Certificates) |
|---|---|---|
| Apple OS X | 10.5+ | 10.5+ |
| Apple iOS | 3.0+ (Required in iOS 9+) [30] | 3.0+ |
| Android* | 1.0+ (1.6 / 2.2) | 1.0+ |
| Blackberry | 5.0+ | 5.0+ |
| ChromeOS | All Versions | All Versions |
| Windows [1] [2] | XP SP3+ | XP SP3+ |
| Windows Phone | 7+ | 7+ |
| Windows Server | 2003 SP2 + MS13-095 | 2003 SP2 + MS13-095 |

| Browser | Minimum Browser Version |
|---|---|
| Chrome** [7] | 1.0+ (38+) |
| Firefox [7] | 1.0+ |
| Internet Explorer [7] | 6+ (On a SHA-2 Compatible OS) |
| Konqueror | 3.5.6+ |
| Mozilla [7] | 1.4+ |
| Netscape [7] | 7.1+ |
| Opera [7] | 6.0+ |
| Safari | 3+ (Ships with OS X 10.5) |

| Server | Minimum Server Version |
|---|---|
| Active Directory Federation Server (AD FS) [28] | 2.0+ (Must use non-CNG CSP) |
| Apache HTTP Server*** | Dependent on OpenSSL or GnuTLS version |
| Apache Tomcat | Dependent on Java version |
| IBM Domino Server [9] | 9.x with Fix Pack |
| IBM HTTP Server [10] | Any version with GSKit 7.0.4.14 |
| IBM WebSphere Server [26] | 7.0.0.25 / 8.0.04 with PM62842 |
| Microsoft Exchange Server | Dependent on Windows Server version |
| NGINX | Dependent on OpenSSL version |
| Oracle Wallet Manager | 11.2.0.1+ |
| Oracle Weblogic**** [27] | 10.3.3+ |

* Android has the technical capability of handling SHA-256 certificates right from version 1.0. In practice, some users may encounter issues with validating certificates that use cross certificates (these help chain certificates to alternate roots). 1.6 improved this issue for some users, with the issue being resolved as of version 2.2.

** Chrome is capable of supporting SHA-2 certificates as of version 1.0, however through version 37 it is dependent on the operating system. For instance, on Windows Server 2003 without MS13-095 or Windows XP SP2 Chrome will not connect to pages using SHA-2 certs. Applying MS13-095 to Server 2003, or SP3 to Windows XP will allow Chrome to support SHA-2 on these legacy systems.

Chrome 38+ can validate SHA-2 certificates independently, even on systems like Server 2003 without MS13-095 applied.

*** Apache 2.0 is bundled with mod_ssl by default. Versions prior to 2.0 require manual installation of mod_ssl for any SSL support at all.  Mod_gnutls is an alternative to mod_ssl, leveraging GnuTLS instead of OpenSSL libraries.

**** Oracle Weblogic Server 10.3.3 and above have JSSE available to support SSL/TLS certificates and connections. Older versions leverage Certicom extensions, which are now considered deprecated.

10.3.3 is the first version to officially support JSSE. It can be enabled by logging in to the admin console and clicking Environment > Servers > ManagedServerName > Configuration > SSL > Advanced > Use JSSE SSL. Click Save and restart your server. Versions prior to 10.3.3 can manually enable JSSE, but this is not officially supported by Oracle.

Firewall Support

| Firewall | Minimum Version |
|---|---|
| Cisco ASA 5500 [29] | 8.2 (3.9) |

Toolkits, Libraries, Frameworks, etc.

| Toolkit / Library | Minimum Version |
|---|---|
| Java [19] | Java 1.4.2+ |
| Mozilla NSS [18] | 3.8+ |
| OpenSSL* [3] | 0.9.8 / 0.9.8o+ |
| GNUTLS [12] | 1.7.4+ |
| .NET FX [13] | 3.5 SP1+ |

Support for SHA-2 was introduced in OpenSSL 0.9.8, but is not enabled by default with SSL_library_init(). In 0.9.8, SHA-2 hash functions must be called specifically or by using OpenSSL_add_all_algorithms() which may not be desired. OpenSSL 0.9.8o enables the SHA-2 hash algorithms in the default configuration.

Database Support

| Database | Minimum Version |
|---|---|
| MySQL [23] | 5.5.5+ |
| PostgreSQL [24] [25] | 8.1 / 8.2* |

* The pgcrypto module for PostgreSQL introduced support for the SHA-2 family of hash algorithms with the 8.1 release but only for the standalone module. 8.2 incorporated the SHA-2 functions of the pgcrypto module into PostgreSQL core allowing these hashes to be available to PostgreSQL even if the installed version of OpenSSL does not support it.

Detailed Operating System Support  

Columns: SSL Certificates (Client Side) | SSL Certificates (Server Side) | S/MIME | Code Signing
Windows XP (SP1, SP2) N/A
Windows XP SP3 N/A Partial* Partial**
Windows Vista N/A Partial**
Windows 7 [20] N/A
Windows 8 N/A
Windows 10 N/A
         
Windows Server 2003 / 2003 SP1
Windows Server 2003 SP2 + MS13-095
Windows Server 2008 Partial**
Windows Server 2008 R2 [20]
Windows Server 2012 & 2012 R2
         
Windows Mobile 5 N/A N/A
Windows Mobile 6 N/A N/A
Windows Phone 7 N/A N/A
Windows Phone 8 N/A N/A

Notes on "Partial" compatibility:

* S/MIME:

  • Outlook on Windows XP SP3 can utilize certificates signed with SHA-256 but cannot validate an e-mail signed using the SHA-256 hashing algorithm.
  • By default Outlook signs with SHA1 even if a SHA2 cert is in use, though this behavior can be changed if desired.

** Code Signing:

  • Code can be signed with a SHA2 cert on any of the systems listed as having partial or full compatibility without issue.
  • There is an incompatibility with SHA2 signed kernel drivers on the partially compatible platforms. Kernel drivers signed with SHA2 certs will not install on systems listed as having "Partial" compatibility.

E-Mail Clients

The signature hash algorithm on the certificate itself is independent of the signature hash placed on an e-mail. For example, Outlook 2003 on XP SP3 can utilize a certificate signed with SHA-256 to sign and encrypt e-mails, but the signature on the e-mail will be limited to SHA1.

  Verify SHA-1 Signed E-Mail Verify SHA-256 Signed E-Mail Send SHA-1 Signed E-Mail Send SHA-256 Signed E-Mail
Mozilla Thunderbird 1 — 4 [21]
Mozilla Thunderbird 5 — 37 [4] [21]
Mozilla Thunderbird 38+ [22] ?
IBM Notes 8 [8]
IBM Notes 9 [8]
Microsoft Entourage 2004 [17]
Microsoft Entourage 2008 [17]
Microsoft Outlook 2003 & 2007 on XP SP3 [1] [2]
Microsoft Outlook 2007 on Windows Vista [1] [2]
Outlook for Mac 2011 [17]

Set Outlook Hash Algorithm to SHA-1

Outlook 2003: Tools > Options > Settings > Security > Settings > Hash Algorithm > SHA1

Outlook 2007, 2010, 2013: File > Options > Trust Center > Trust Center Settings > E-Mail Security > Settings > Hash Algorithm > SHA1

Document Signing

  Place SHA1 Signature with SHA-256 certificate Place SHA2 Signature with SHA-256 certificate Validate SHA2 Signature
LibreOffice 4[7]
Microsoft Office 2003, 2007[7]
Microsoft Office 2010, 2013
Adobe Acrobat 8.0+
Adobe Reader 8.0+
See Note

See Note
  

Note: Adobe Reader 8+ can place signatures with a Digital ID if the functionality has been enabled via Adobe Acrobat Professional.

Adobe Acrobat & Adobe Reader are compatible with SHA-256 certs as of version 8.0, but still place SHA1 signatures by default. As of version 9.1, Acrobat & Reader will prefer SHA-256 for the signature hash if available, otherwise it will fall back to SHA1. SHA-2 signatures can be preferred in versions prior to 9.1 through edits to the registry.

Digital signatures placed with newer versions of Microsoft Office may not be backwards compatible with older versions. Legacy compatibility can be specified manually.

Office 2003 — 2010 work with SHA-2 certs, but place SHA1 signatures. Office 2013 uses SHA2 as the default signature hash when available. You can specify the signature hash in Office 2010 & 2013 via the registry.

Windows Code Signing  

Columns: Executables | Kernel Drivers | VBA Macros: Office 2003, 2007 | VBA Macros: Office 2010 | VBA Macros: Office 2013
Windows XP (SP1, SP2) N/A
Windows XP SP3 N/A
Windows Vista [15] N/A
Windows 7 [20]
Windows 8
Windows 10
 

Office 2010 on Windows 7 requires hotfix KB 2598139 to add SHA-256 support for code signing certificates.

Windows 7 and Windows Server 2008 R2 require KB 3033929 to validate SHA-2 signed kernel drivers. This update is not available for XP, Vista, 2003, or 2008.

For a more detailed look at hash algorithm support on both certificates & file digests in Windows, read the Windows Code Signing Hash Algorithm Support article.

| Product | Minimum Version |
|---|---|
| Visual Studio Tools for Office (VSTO) [16] | 10.0.50325 |

SafeNet iKey / eToken Compatibility

  Works with SHA2 Certificate Place SHA1 Signature Place SHA2 Signature
iKey 4000 [5]
eToken 5100 [6]

Mainframe

| Mainframe | Minimum Version |
|---|---|
| IBM z/OS [11] | v1r10 |

Citrix Support

| Product | Minimum Version |
|---|---|
| Citrix Receiver | Varies — See PDF |

Sources:

[1] SHA2 and Windows.
[2] Common questions about SHA2 and Windows.
[3] OpenSSL 0.9.8 Branch Release notes
[4] Bug 222179 — User preferences should control ciphers used when sending encrypted S/MIME messages
[5] iKey 4000 Specifications
[6] eToken 5100 Specifications
[7] Verified In-House
[8] IBM Notes SHA2 Support
[9] IBM Domino Planned SHA-2 Support
[10] IBM HTTP Server
[11] IBM z/OS
[12] GnuTLS
[13] .NET Security Blog
[14] Security Advisory 2949927 (SHA-2 Hash Support for Kernel Drivers — Currently Retracted)
[15] SHA-2 Signed Executables Windows Vista & Server 2008
[16] VSTO Runtime Update to Address “Unknown Publisher” for SHA256 Certificates
[17] Digital Certificate Requirements (Technet)
[18] Mozilla NSS 3.8 Release Notes
[19] Java 1.4.2 Release Notes
[20] Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
[21] Add recognition of SHA-2 hashes when verifying S/MIME messages
[22] Thunderbird 38 Release Notes
[23] MYSQL 5.5 Release Notes
[24] PostgreSQL 8.1 Release Notes
[25] PostgreSQL 8.2 Release Notes
[26] PM62842: Web Services Security Runtime Update to Support SHA-2 Signature Algorithms
[27] Oracle Weblogic — Configuring SSL
[28] Certificate Requirements for Federation Servers
[29] Release Notes for the Cisco ASA 5500
[30] App Transport Security Technote

A little while back I ran into an issue where I was trying to get a new certificate to work on a Windows XP (fully patched) box, but for the life of me it just would not work. I spent a lot of time going through and checking the usual suspects (typo with the name, valid dates, certificate chain, etc.) and I finally came across these two interesting links regarding Windows XP and SHA2:

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
http://support.microsoft.com/en-us/kb/938397

It would seem that you can get it to work in most cases, however some things just aren’t going to be supported. The first link actually has a real nice table detailing what will and will not work.

Long story short, XP is dead and it will only get worse as time goes on.

Hi all,

If you try to use any SHA-2 algorithm (SHA-256, SHA-384 and SHA-512) on Windows XP, you may get the following error when using e.g. CryptCreateHash: NTE_BAD_ALGID or -2146893816 or 0x80090008 or "Invalid algorithm specified". The same algorithms are supported on Vista, though.

Can we use SHA-2 algorithms in Windows XP at all? The answer is yes, but it will depend on the CSP (Cryptographic Service Provider) that we use to perform the cryptographic operations.

According to our documentation, Windows XP SP3 supports all SHA-2 algorithms except SHA-224. From the Overview of Windows XP Service Pack 3:

"Implements and supports the SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation. This has been added to the crypto module rsaenh.dll."

Our "Microsoft Base/Strong/Enhanced Cryptographic Providers" are implemented in Rsaenh.dll. If you try to use CryptCreateHash with any SHA-2 Algid (CALG_SHA_256, CALG_SHA_384, CALG_SHA_512) and any of these CSPs, you will still get a NTE_BAD_ALGID error on XP SP3. Why? The issue is that those Algids are only valid with providers of type PROV_RSA_AES, and these CSPs are of type PROV_RSA_FULL.

"Microsoft Enhanced RSA and AES Cryptographic Provider" (or "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" as it’s called on Windows XP SP3) is implemented in rsaenh.dll and is of type PROV_RSA_AES.

Note that technically speaking, Microsoft AES Cryptographic Provider is just Microsoft Enhanced Cryptographic Provider with support for AES encryption algorithms.

If you open regedit.exe and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults, you will be able to see the available Providers in the system ("Microsoft Enhanced Cryptographic Provider v1.0", "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)", etc.) and the Provider Types ("Type 001" which is "RSA Full (Signature and Key Exchange)", "Type 024" which is "RSA Full and AES"). For each Provider you will also see which dll implements it (rsaenh.dll, etc.) and its Provider Type (1, 24, etc.). For each Provider Type you will see the name of the default Provider for that type. On Vista, the default Provider for PROV_RSA_AES is "Microsoft Enhanced RSA and AES Cryptographic Provider", and on XP it is "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)".

Regarding SHA-224 support, SHA-224 offers less security than SHA-256 but takes the same amount of resources. Also SHA-224 is not generally used by protocols and applications. The NSA’s Suite B standards also do not include it. We have no plans to add it on future versions of our CSPs.

Fortunately, Microsoft’s CryptoAPI is based on a model which allows us to use any CSP which implements any algorithm. So we don’t and won’t implement SHA-224 in our own CSPs, but that doesn’t mean that we can’t use SHA-224 at all on Windows. We just need a third-party CSP which implements it, or create our own.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)
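As an added check (not code from the TechNet post or from Alex's reply), the following PowerShell script lists the CSPs registered under the registry path Alex gives, reports the default PROV_RSA_AES (Type 024) provider, and runs a SHA-256 known-answer test through the CAPI provider so you can tell whether a legacy host really has working SHA-2 support. It assumes PowerShell 2.0 and .NET 3.5 SP1 on the host under test; the function names are my own.

```powershell
# Added example, not code from the TechNet post or from Alex's reply.
# Requires PowerShell 2.0 or later; on XP SP3 the CAPI test also needs .NET 3.5 SP1,
# the first .NET version the compatibility tables list with SHA-2 support.

$Defaults = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults'   # path quoted in Alex's reply

# Enumerate registered CSPs with their provider type and implementing DLL.
# Type 24 is PROV_RSA_AES, the only type whose providers accept CALG_SHA_256/384/512.
function Get-CapiProvider {
    Get-ChildItem "$Defaults\Provider" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Name         = $_.PSChildName
            Type         = [int]$p.Type
            Dll          = $p.'Image Path'
            SupportsSha2 = ([int]$p.Type -eq 24)
        }
    }
}

# Name of the default PROV_RSA_AES provider, i.e. what CryptAcquireContext selects for
# type 24 when no provider name is given. Returns $null when type 24 is not registered.
function Get-DefaultRsaAesProvider {
    $key = Get-ItemProperty -Path "$Defaults\Provider Types\Type 024" -ErrorAction SilentlyContinue
    if ($key) { $key.Name } else { $null }
}

# Known-answer check through CAPI. SHA256CryptoServiceProvider wraps CryptCreateHash
# with CALG_SHA_256 on a PROV_RSA_AES CSP, so it fails exactly where the reply says
# CryptCreateHash fails. SHA256Managed would prove nothing: it is pure managed code and
# never touches a CSP. The input and digest are the FIPS 180 "abc" test vector.
function Test-CapiSha256 {
    $expected = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
    try {
        $csp    = New-Object System.Security.Cryptography.SHA256CryptoServiceProvider
        $digest = $csp.ComputeHash([Text.Encoding]::ASCII.GetBytes('abc'))
        $hex    = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
        New-Object PSObject -Property @{ Works = ($hex -eq $expected); Detail = $hex }
    } catch {
        # A CSP without SHA-2 (NTE_BAD_ALGID), or a .NET runtime without the type,
        # both surface here as an exception.
        New-Object PSObject -Property @{ Works = $false; Detail = $_.Exception.Message }
    }
}

Get-CapiProvider | Sort-Object Type, Name | Format-Table Type, SupportsSha2, Name, Dll -AutoSize

$default24 = Get-DefaultRsaAesProvider
if ($default24) { "Default PROV_RSA_AES provider: $default24" }
else { 'No Type 024 (PROV_RSA_AES) provider type registered: SHA-2 through CAPI will fail' }

$result = Test-CapiSha256
if ($result.Works) { 'SHA-256 via CAPI: OK (known-answer vector matched)' }
else { "SHA-256 via CAPI: FAILED ($($result.Detail))" }
```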

The need for SHA-256 support on client operating systems is covered in the most detail on this page and in our news item. Official information from Microsoft can be found here.

Which Windows versions are considered outdated and require the listed updates?

These are Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Why are Microsoft security updates necessary for Dr.Web software updates to work correctly?

The updates are required because of a Microsoft policy that no longer allows third-party certification authorities (DigiCert, COMODO and others) to issue certificates that can sign modules running in the Windows kernel. Only Microsoft can sign kernel modules, using its WHQL certificate, which exists only in a SHA256 version. More details are given in the Microsoft documentation.

Dr.Web continues to systematically support legacy Windows versions.

Which specific updates does my OS need?

If, during installation or updating of Dr.Web, a message appears saying that your operating system does not support the SHA-256 hashing algorithm, install the required update from the list below.

  • For Windows Vista, install service packs SP1 and SP2 in sequence, then install update KB4090450.*
  • For Windows 7, install SP1, then KB3033929, KB4474419 or KB4054518.
  • For Windows Server 2008, install SP2, then update KB4474419, KB4039648 or KB3033929.
  • For Windows Server 2008 R2, install SP1, then KB4474419.

Updates for SHA-256 support may also be included in other Windows updates.

I am not going to install updates for my OS and agree to receive only Dr.Web virus database updates. How do I turn off the notification?
