SHA-1 deprecation and Symantec Endpoint Protection
Article ID: 150508
Products

  • Endpoint Protection
  • Endpoint Protection Small Business Edition (On-Premise)
  • Endpoint Security
  • Endpoint Security Complete
  • 90S SERVICES

Issue/Introduction

How does SHA-1 deprecation in Microsoft products affect Symantec Endpoint Protection?

In 2015, Microsoft began deprecating support for SHA-1 certificates in Windows and its browsers; enforcement was completed in February 2017. The following information covers how Symantec Endpoint Protection (SEP), Symantec Endpoint Protection Manager (SEPM), Symantec Endpoint Security (SES), and LiveUpdate Administrator (LUA) are affected by these changes.

Resolution

Does SEP, SEPM, SES or LUA utilize SHA-1 SSL certificates?

  • SEPM: No. In 14.0 and above, the default self-signed server certificate used for SSL is signed using the SHA-256 hash function.
  • SEP/SES: SEP no longer uses SHA-1 certificates. However, in 14.3 RU6 and prior, the cloud-managed SEP client (for SES or SESC) requires SHA-1 certificates to be enabled in order to use its FIPS functionality.
  • LUA: LUA uses SHA-2 certificates starting with version 2.3.5.

Does Symantec Endpoint Protection utilize SHA-2 certificates?

  • SEPM: Yes, already supported (the default self-signed certificate is SHA-256).
  • SEP/SES: Yes, SEP currently supports and uses SHA-2 certificates.
  • LUA: Yes, already supported (2.3.5 and later).

Are SHA-1 Authenticode signatures in use by the SEP client?

  • SEP Answer: No. SHA-1 certificates only need to be available for the cloud-managed SEP client (SES). If SHA-1 certificates are blocked at the network or domain level, those SEP clients will be unable to register to the cloud. This is planned to be addressed in a future version of Symantec Endpoint Security.

Can I continue to use an old SHA-1 SEPM certificate, or do I need to upgrade to SHA-2?

  • SEPM Answer: By default, the SEPM uses a self-signed certificate. Microsoft's SHA-1 enforcement applies to certificates that chain to a publicly trusted root, not to self-signed or private enterprise certificates, so if the SEPM is using a SHA-1 self-signed certificate you can continue using it until it expires. You can also generate a new SHA-256 certificate using the previously linked steps. Clients must be able to trust the new certificate before you switch it, or they will lose communication with the SEPM.
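The following PowerShell is an added example for the two checks raised above (which hash the SEPM's SSL certificate is signed with, and which hash the Authenticode signer certificates on SEP client binaries use). It is not code from the Broadcom article or from the SEP product. The hostname `sepm.example.local`, the port 8443 and the install path under `$env:ProgramFiles` are assumptions; adjust them to your environment.

```powershell
# Added example (not from the Broadcom article or the SEP product).
# Requires Windows PowerShell 5.1 or later. Hostname, port and path are assumptions.

# Retrieve the TLS server certificate a SEPM presents, without trusting it.
function Get-RemoteServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Assumption: 8443 is the SEPM web console port; use 443 if that is the
        # port your clients actually connect to.
        [int]$Port = 8443
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any certificate: we are inspecting it, not authenticating the server.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    }
    finally {
        $client.Close()
    }
}

# Summarise the signature hash of a certificate (e.g. sha1RSA vs sha256RSA).
function Get-CertificateHashInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $alg = $Certificate.SignatureAlgorithm.FriendlyName
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Issuer             = $Certificate.Issuer
        SelfSigned         = ($Certificate.Subject -eq $Certificate.Issuer)
        NotAfter           = $Certificate.NotAfter
        SignatureAlgorithm = $alg
        UsesSha1           = ($alg -match '^sha1')
    }
}

# Report the signer and timestamp certificate hash for each signed SEP binary.
function Get-SepAuthenticodeInfo {
    param(
        # Assumption: default 64-bit SEP client install directory.
        [string]$Path = "$env:ProgramFiles\Symantec\Symantec Endpoint Protection"
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate) {
                $tsAlg = 'none'
                if ($sig.TimeStamperCertificate) {
                    $tsAlg = $sig.TimeStamperCertificate.SignatureAlgorithm.FriendlyName
                }
                [pscustomobject]@{
                    File               = $_.FullName
                    Status             = $sig.Status
                    SignerAlgorithm    = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
                    TimestampAlgorithm = $tsAlg
                }
            }
        }
}

# Usage (hostname is an assumption):
$sepmCert = Get-RemoteServerCertificate -ComputerName 'sepm.example.local'
Get-CertificateHashInfo -Certificate $sepmCert | Format-List
Get-SepAuthenticodeInfo | Where-Object { $_.SignerAlgorithm -match '^sha1' } | Format-Table -AutoSize
```

Two caveats when reading the output. First, `SignatureAlgorithm` is the hash the issuer used to sign the certificate, which is what the questions above are about; it is not the file digest of the Authenticode signature itself. Second, `Get-AuthenticodeSignature` returns only the primary signature of a file, so a binary that is dual-signed (SHA-1 and SHA-256) shows just one of them; use `signtool verify /pa /all` from the Windows SDK to list every signature on a file.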

For more information, please see the following Microsoft TechNet article: Windows Enforcement of SHA1 Certificates.