SHA-2 support in Microsoft Windows for installing Kaspersky business solutions

This article concerns:

• Kaspersky Security 11.0.1 for Windows Server (version 11.0.1.897)
• Kaspersky Endpoint Agent 3.10 MR3 and later
• Kaspersky Industrial CyberSecurity for Nodes 3.0 and later
• Kaspersky Embedded Systems Security 3.1 and later

Microsoft stops the support of root certificates that allow signing the code of the drivers that works on the operating system kernel level. Now drivers are signed with the WHQL (Windows Hardware Quality Lab) signature which is based on the SHA-2 (SHA-256) algorithm. Verification of such a signature requires SHA-2 support in the operating system.

Before installing a Kaspersky business solution on a protected device with an operating system from the list below, please make sure that the system has updates that bring SHA-2 support. If SHA-2 is not supported, installation will be interrupted.

If the installation is performed:

• When installing using the Installation Wizard, a notification about the lack of SHA-2 support is displayed, allowing you to abort or continue the installation.
• When installing from the command line or remotely, you can ignore the verification by specifying the SKIP_SHA2_KB = 1 parameter.

Skip the check only if you are sure that the operating system on the protected device supports SHA-2.

If the OS on the protected device lacks SHA-2 support, the correct installation of the application modules and their operation cannot be guaranteed. The operating system might not work correctly.

The table below contains a list of supported Microsoft Windows OS versions that require updates for SHA-2 support:

This table does not include the operating system updates with SHA-2 support that were published after the release of Kaspersky business solutions mentioned in this article.