Microsoft removes August patch block on Win7/2008R2 systems running Norton, Symantec AV
Credit to Author: Woody Leonhard| Date: Wed, 28 Aug 2019 06:07:00 -0700
If you’re using Symantec Endpoint Protection or any Norton Antivirus product on a Windows 7 or Server 2008 R2 machine, you didn’t get the August patches. Shortly after the August Monthly Rollup and Security-only patches were released, Microsoft put a freeze on systems running Symantec or Norton antivirus products.
The conflict stemmed from a long-anticipated change in the way Microsoft signed the August patches: Starting in August, all patches are signed using the SHA-2 encryption method. Somehow, Symantec didn’t get the message back in November that the shift was underway, and missed the deadline.
Per Symantec (which owns the Norton brand):
This issue is specific to Windows 7 SP1 and Windows Server 2008 R2 SP1. All currently available versions of Symantec Endpoint Protection are affected. … Out of an abundance of caution, Symantec and Microsoft worked together to only allow the update to be visible to versions of Symantec Endpoint Protection that fully support SHA-2 signed Windows executables replaced by this and future updates to Windows 7 SP1 and Windows 2008 R2 SP1.
Yesterday, in a coordinated reveal, both Symantec and Microsoft say that all is now well. Symantec now says:
Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection. Microsoft KB4512506/KB4512486 and future updates can be safely installed and the soft block was removed on August 27th, 2019.
Microsoft has updated its Release Information Status page to say:
The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.
The change applies to
As best I can tell, there were no changes made to either the Symantec or the Microsoft products.
Only took ‘em two weeks.
AskWoody poster RDRGuy nails it by asking:
Now the real question is, was there ever any problem with Symantec Endpoint Protection not being able to properly handle the Windows 7 SHA-2 updated files?
Patch problems? We feel your pain on AskWoody.