Introduction

A SHA-1 deprecation coming to Windows will affect Configuration Manager, especially 2007 which doesn’t support SHA-2 algorithms.

SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Microsoft, in collaboration with other members of the industry, is working to phase out the SHA-1 protocol and to warn consumers of the possible risk when they encounter websites using the SHA-1 protocol.

Official Statement from Microsoft

Microsoft has recently posted official statements on how this change affects all supported releases:

• ConfigMgr 2007
• ConfigMgr 2012
• Current Branch

ConfigMgr 2007: https://blogs.technet.microsoft.com/configurationmgr/2017/03/13/configuration-manager-2007-and-windows-enforcement-of-sha1-certs/

ConfigMgr 2012: https://technet.microsoft.com/en-us/library/gg699362.aspx

Current Branch: https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements

If you are running ConfigMgr 2007 + 3^rd Party Trusted Root CA + Native Mode + SHA-1 certificates, then you will have problems and it’s time to consider upgrading (better late than never). Configuration Manager 2012 and onwards can handle SHA-2 no problem

cheers and thanks to Adam for the insights and heads-up

niall