UPDATE: SHA-1 signed content to be retired

Originally published: August 10, 2020
Updated: April 28, 2021

Please go here to search for your product's lifecycle.

As previously announced, Microsoft no longer uses Secure Hash Algorithm (SHA)-1 to authenticate updates due to the weaknesses in the algorithm.

For customers still reliant upon SHA-1, Microsoft recommends moving to stronger authentication alternatives, such as the SHA-2.

As a next step, Microsoft is removing SHA-1-signed content:

• On August 3, 2020, SHA-1 signed Windows content was retired and removed from the Microsoft Download Center. Go here to learn more.
• On April 26, 2021, Visual Studio 2015 and older web installer files were removed from the Microsoft Download Center. These products can be installed from ISO images available at Downloads - Visual Studio Subscriptions Portal.
• On May 9, 2021, Microsoft will allow the SHA-1 Trusted Root Certification Authority to expire^*. All major Microsoft processes and services—including TLS certificates, code signing and file hashing—will use the SHA-2 algorithm. Go here to learn more.
• On July 26, 2021, all bundles, installers, packages, and updates for .NET Framework 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5, and 4.5.1 will be removed from the Microsoft Download Center. Go here to learn more.
• On April 26, 2022, .NET Framework 4.5.2, 4.6, and 4.6.1 – versions digitally signed using SHA-1 and therefore no longer secure – will retire. Go here to learn more.

We will continue to update this article with additional changes and removals, as they are announced.

^*The Microsoft SHA-1 Trusted Root Certificate Authority expiration will impact SHA-1 certificates chained to the Microsoft SHA-1 Trusted Root Certificate Authority only. Manually installed enterprise or self-signed SHA-1 certificates will not be impacted. Go here to learn more.