In November 2018, Microsoft communicated upcoming changes to Windows 7 security, moving to the SHA-2 algorithm exclusively. We now know the timeline for these changes.
The company will deploy the changes methodically, but start the process with March 2019 updates and finishing up in July 2019.
Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services (WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.
Starting in early 2019, the migration process to SHA-2 support will occur in stages, and support will be delivered in standalone updates.
For full information, including the full timeline for the rollout, see: 2019 SHA-2 Code Signing Support requirement for Windows and WSUS