This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Sha1 hotfix for Windows Serer 2016

Question
0

Sign in to vote

I found this article, but I can't see files for Windows Server 2016
https://support.microsoft.com/en-us/help/3123479/microsoft-security-advisory-deprecation-of-sha-1-hashing-algorithm-for

Maybe Windows Server 2016 already had it?
But Nessus scanner appear issue about it:

It appears KB3123479 has not been installed since the following registry value does not exist and/or does not contain the expected data :

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\default Name :
WeakSha1ThirdPartyAfterTime
Expected value : 0018df076244d101
Actual value : (does not exist)

Monday, February 4, 2019 11:03 AM

All replies

0

Sign in to vote

Hi,

Did you have a look at the following page?
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/3123479

There's a listed KB update for Windows Server 2016, you can find it here: https://www.catalog.update.microsoft.com/Search.aspx?q=kb3200970

Do note that this update has been replaced by Cumulative Update for Windows Server 2016 (check the list).

Best regards,
Leon
Blog: https://thesystemcenterblog.com LinkedIn:

Monday, February 4, 2019 11:41 AM
0

Sign in to vote

Hello SIDERMANN,

This issues is based on the security scanning mechanism of Nessus. I do not think removing or installing a specific update would fix it.

However, it is already safe enough to keep patching Windows Server with latest security updates. If you want to remove this warning message, just add above registry key value manually.

Here is an similar case for your reference.

https://social.technet.microsoft.com/Forums/en-US/3a3e34e7-b7e0-48de-a447-f3e9d76d4a91/weaksha1thirdpartyflags-and-weaksha1thirdpartyaftertime-registry-keys-removed-by-latest-windows?forum=winserverwsus

Hope my answer could help you and look forward to your feedback.

Best Regards,
Ray
Please remembers to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Monday, February 4, 2019 12:50 PM
0

Sign in to vote
https://www.catalog.update.microsoft.com/Search.aspx?q=kb3200970

I can't see 3123479 in list of replaced updated on link above

Maybe in any of cumulative updates?
- Edited by siderman1 Tuesday, February 5, 2019 11:45 AM
- Proposed as answer by siderman1 Tuesday, February 5, 2019 4:07 PM
- Unproposed as answer by siderman1 Tuesday, February 5, 2019 4:07 PM
Tuesday, February 5, 2019 11:45 AM
0

Sign in to vote
Hello,

KB3123479 is not applicable for Windows Server 2016, corresponding update for Windows 2016 is KB3200970 which is superseded by cumulative updates.

Best Regards,
Ray
Please remembers to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by siderman1 Tuesday, February 5, 2019 4:07 PM
Tuesday, February 5, 2019 1:29 PM
0

Sign in to vote
OK. thanks. the misunderstanding was that in the article about update KB3123479 there is no link to update KB3200970 for windows 2016.
- Edited by siderman1 Tuesday, February 5, 2019 4:08 PM
Tuesday, February 5, 2019 4:07 PM
0

Sign in to vote

My first link had a link and KB number for the patch for Windows Server 2016, sometimes it’s difficult to find these so it requires a bit more digging :-)
Blog: https://thesystemcenterblog.com LinkedIn:

Tuesday, February 5, 2019 4:11 PM