Windows Update: Breaking News August 2019

Microsoft no longer dual signs windows updates with SHA1/SHA2

https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus

Timeline
May 14, 2019 Stand Alone security update KB4474419 released to introduce SHA-2 code sign support.
June 11, 2019 Stand Alone security update KB4474419 re-released to add missing MSI SHA-2 code sign support.
June 18, 2019 Windows 10 updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only.
June 18, 2019 Required: For those customers using WSUS 3.0 SP2, KB4484071 must be manually installed by this date to support SHA-2 updates.
July 9, 2019 Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in April and May (KB4493730 and KB4474419) will be required in order to continue to receive updates on these versions of Windows.
Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only at this time.
July 16, 2019 Windows 10 updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.
August 13, 2019 Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March (KB4474419 and KB4490628) will be required in order to continue to receive updates on these versions of Windows.
Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only at this time.
September 10, 2019 Legacy Windows updates signatures  changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action required.

So what does this mean to me. Third Party Antivirus companies have decided to also check windows updates and block unsigned or improperly signed updates. The problem is that they only checked the SHA1 and the newest updates that don't have SHA1 were blocked. 

Shame on you Norton/Symantec. The Operating system already won't install unsigned or improperly signed updates. This is a belt and suspenders approach.

Affected Systems: Windows 7 and Windows Server 2008R2

“Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.” -- “Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available. Guidance for Symantec customers can be found in the Symantec support article. 

https://support.symantec.com/us/en/article.tech255857.html

This issue is specific to Windows 7 SP1 and Windows Server 2008 R2 SP1. All currently available versions of Symantec Endpoint Protection are affected. Newer Operating Systems (Windows 8, Windows Server 2012, Windows Server 2016, Windows 10, etc) are unaffected as they load a different Symantec component that already contains SHA-2 support.

VBScript Blocked in IE and causes other problems

The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13^th, 2019. VBScript will be disabled by default for Internet Explorer 11 and WebOCs for Internet and Untrusted zones on all platforms running Internet Explorer 11. This change is effective for Internet Explorer 11 on Windows 10 as of the July 9^th, 2019 cumulative updates.

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an "invalid procedure call error. This issue is resolved in KB4517297, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).”

• KB4517297 for Windows 7 and Windows Server 2008 R2,
• KB4517301 for Windows Server 2008 SP2,
• KB4517298 for Windows 8.1 and Windows Server 2012 R2
• KB4512494 for Windows 10 V1709

For other Windows 10 builds (1809, 1903) Microsoft has partially released new updates on August 17, 2019 with VBA fixes.

• KB4512534 for Windows 10 Version 1809
• KB4512495 for Windows 10 Version 1607
• KB4517276 for Windows 10 Version 1507

Addendum: On August 19 2019 Microsoft also released an update for Windows 10, that fixed the VB6, VBA and VBScript issue.

• KB4512509 for Windows 10 Version 1803

Note: Windows 10 Version 1903 is conspicuously absent