By default, it’s no longer possible to install updates on any version of Windows that is older than Windows 7 with Service Pack 1 and the SHA-2-signing servicing stack update installed. On this page, I’ll explain how I found this out, what causes this problem, and what options you have left to update old versions of Windows.
Background story: Re-installing Windows Vista
In August 2020, just a month after I’ve restored my VAIO UX, I was fixing another old computer and had to reinstall Windows Vista Home Premium on it. Yes, I know that’s old and unsupported since 3 years, but it’s not a computer that’s going to be used for any sensitive things online.
Like with the VAIO UX, I manually updated it with Service Pack 2, but this time I couldn’t get it to install any updates.
Normally, Windows Update would take almost forever to search at first, and I’ve frequently used the website http://wu.krelay.de/en/vista.htm to fix this issue. Afterwards, I could install the rest of the updates relatively easy.
Error 80072EFE or 80244019 when searching for updates
This time, however, Windows update kept giving me error 80244019. “Windows Update encountered an unknown error” was all it said. The help of Windows Vista contained nothing about this error and by Googling it, i couldn’t find much initially.
Then, I decided to check out C:\Windows\WindowsUpdate.log and noticed something interesting. In the log, there were dozens of message like this:
2020-08-17 11:34:55:310 1044 d80 PT + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://www.update.microsoft.com/v6/ClientWebService/client.asmx
2020-08-17 11:34:55:466 1044 d80 PT WARNING: GetConfig failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404
What interested me, was that the HTTP status code was 404. That’s something *very* usual for Windows Update, as it litteraly means that the webpage which Windows update tries to use no longer exists.
You need SHA-2 support!
After searching the error code on Google again, this time only showing results from last week, I finally found someone with the same issue in a discussion thread (https://answers.microsoft.com/en-us/windows/forum/all/vista32-home-premium-error-0x80244019/b90c631c-328a-44d5-89f0-cac285d5250e) . The answer given basically said that Microsoft disabled Windows Update on purpose, without having any user-friendely informative page available and without displaying a banner inside the control panel.
The discussion also linked me to a technical document about why Microsoft disabled Windows Update. This document is posted on https://support.microsoft.com/en-us/help/4569557/windows-update-sha-1-based-endpoints-discontinued.
The document states that: “In compliance with the Microsoft Secure Hash Algorithm (SHA)-1 deprecation policy, Windows Update is discontinuing its SHA-1 based endpoints in late July 2020. This means that older Windows devices that have not updated to SHA-2 will no longer receive updates through Windows Update. Your older Windows devices can continue to use Windows Update by manually installing specific SHA-2 enabling updates.”.
A few months later, Microsoft probably restored a bit of the service, thus resulting in a different error 80072EFE.
What now?
This problem occurs due to a security related change. The old SHA-1 code signing options are no longer supported. But hey, it seems like all you need to do is installing the “SHA-2 enabling update” and then you should be able to get Windows Update working again, right?
Nope, it’s not that simple. this update is only available for Windows 7 (with SP1) and newer. So if you have older Windows, you cannot install it. Thus this marks the end of official Windows updates for 2000, XP and Vista – for good.
What options do I have left?
Initially, when this article was written in 2020, there was no easy fix, other than an old copy of WSUS offline update that had all updates backed up.
Since then, the community has created Legacy Update, which is a free program that restores the update functionality on all mentioned operating systems. It is a very easy and reliable way to update your old computer, so I highly recommend installing this. It works by using a custom update server, which still has the old updates and is compatible with the older security mechanism used by 2000, XP and Vista.