On February 15, Microsoft issued a warning that Windows 7 and Windows Server 2008 users need to have SHA-2 support enabled, in order to receive monthly Windows Updates.
The previous Windows Updates were dual-signed (SHA-1 and SHA-2) to prove authenticity. Going forward, the software updates from Microsoft will be using the more secure SHA-2 exclusively and not the weak SHA-1.
The August 2019 monthly updates for Windows 7 are SHA-2 exclusive and the update is blocked on devices with software that cannot handle SHA-2 code-signing support.
Today, Microsoft confirmed that it is blocking the update on PCs with Symantec Antivirus and Norton Antivirus because Symantec software cannot handle SHA-2 certificates. Microsoft says it has placed a temporarily safeguard hold on devices with incompatible versions of Symantec software.
“Updates that are only SHA-2 signed are not visible as an available download when certain versions of Symantec Endpoint Protection are installed,” Symantec documented the problem.
Microsoft is recommending Windows 7 customers to not manually install affected updates until a solution is available. If the update is forced, Windows updates could be blocked or deleted incorrectly by antivirus program during installation. This could break the installation of Windows or the system may fail to boot.
“Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available,” Microsoft said.