Introduction
A SHA-1 deprecation coming to Windows will affect Configuration Manager, especially ConfigMgr 2007, which doesn’t support SHA-2 algorithms.
SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Microsoft, in collaboration with other members of the industry, is working to phase out the SHA-1 algorithm and to warn consumers of the possible risk when they encounter websites using the SHA-1 algorithm.
Official Statement from Microsoft
Microsoft has recently posted official statements on how this change affects all supported releases:
- ConfigMgr 2007: https://blogs.technet.microsoft.com/configurationmgr/2017/03/13/configuration-manager-2007-and-windows-enforcement-of-sha1-certs/
- ConfigMgr 2012: https://technet.microsoft.com/en-us/library/gg699362.aspx
- Current Branch: https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements
If you are running ConfigMgr 2007 + 3rd Party Trusted Root CA + Native Mode + SHA-1 certificates, then you will have problems and it’s time to consider upgrading (better late than never). Configuration Manager 2012 and onwards can handle SHA-2 no problem.
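To find out whether a site system or client holds SHA-1 signed certificates, the following added example (not part of the original post or of Microsoft's guidance) lists them from a certificate store. The function name `Get-Sha1SignedCertificate` is hypothetical, and scanning the local computer Personal store by default is an assumption about where the certificates in question are installed.

```powershell
# Added example: inventory certificates whose signature algorithm uses SHA-1.
# The function name and the default store path are assumptions, not from the post.
function Get-Sha1SignedCertificate {
    [CmdletBinding()]
    param(
        # Certificate store(s) to scan, e.g. 'Cert:\LocalMachine\My'.
        [string[]]$StorePath = @('Cert:\LocalMachine\My')
    )

    # Signature algorithm OIDs that hash with SHA-1.
    $sha1Oids = @{
        '1.2.840.113549.1.1.5' = 'sha1RSA'
        '1.3.14.3.2.29'        = 'sha1RSA (legacy OIW)'
        '1.2.840.10040.4.3'    = 'sha1DSA'
        '1.2.840.10045.4.1'    = 'sha1ECDSA'
    }

    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -Recurse |
            # -Recurse can also return store containers; keep certificates only.
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $sha1Oids.ContainsKey($_.SignatureAlgorithm.Value) } |
            ForEach-Object {
                [pscustomobject]@{
                    Store              = $path
                    Subject            = $_.Subject
                    Issuer             = $_.Issuer
                    # Self-signed entries are flagged so roots can be reviewed separately.
                    SelfSigned         = ($_.Subject -eq $_.Issuer)
                    NotAfter           = $_.NotAfter
                    SignatureAlgorithm = $sha1Oids[$_.SignatureAlgorithm.Value]
                    Thumbprint         = $_.Thumbprint
                }
            }
    }
}

# Report SHA-1 signed certificates in the computer's Personal store, soonest expiry first.
Get-Sha1SignedCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```

An empty result means no certificate in the scanned store carries a SHA-1 signature; pass other paths through `-StorePath` to cover additional stores.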
cheers and thanks to Adam for the insights and heads-up
niall