Microsoft is not sending updates to customers with Symantec software running on their machines. The company says it is withholding updates because Symantec’s software cannot manage SHA-2 certificates, causing issues in Windows 7 and Windows Server 2008 R2.

In February, Microsoft announced it would release SHA-2 signed standalone updates for Windows 7 and Windows Server 2008 in August. In other words, Symantec had plenty of time to get its software ready to handle SHA-2 signed updates.

However, Symantec’s antivirus software cannot manage SHA-2 signatures. Microsoft has reacted by halting updates on some hardware.

Microsoft updated a note for Windows 7 and Server 2008 R2, pointing out the problems. Specifically, on devices using Symantec or Norton antivirus solutions, SHA-2 signed updates will be blocked or deleted by the antivirus program.

“Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available,” Microsoft says.

“We recommend that you do not manually install affected updates until a solution is available.”

SHA-2 Adoption

Microsoft explained earlier this year that it decided to move to SHA-2 because of weaknesses in SHA-1.

“Unfortunately, the security of the SHA-1 hash algorithm has become less secure over time due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing,” Microsoft said at the time.

“Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not suffer from the same issues.”

Symantec has responded to the update pause, saying it is working on a version of Endpoint Protection that will handle SHA-2.