Updated April 26, 2017 5:10: https://blogs.windows.com/msedgedev/2016/11/18/coun

1. Updated April 26, 2017 5:10: https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/
2.  
3. Frequently asked questions
4. How can I disable SHA-1 today?
5.  
6. You can disable SHA-1 today test by running the following commands from an Administrator Command Prompt:
7.  
8. First, create a logging directory and grant universal access:
9.  
10. 1 set LogDir=C:\Log
11. 2 mkdir %LogDir%
12. 3 icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
13. 4 icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
14. 5 icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
15. 6 icacls %LogDir% /setintegritylevel L
16.  
17. Next, enable certificate logging and SHA-1 blocking:
18.  
19. 1 Certutil -setreg chain\WeakSignatureLogDir %LogDir%
20. 2 Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80040004
21.  
22. Important: Use the following commands to remove the settings after you have completed your testing.
23.  
24. 1 Certutil -delreg chain\WeakSha1ThirdPartyFlags
25. 2 Certutil -delreg chain\WeakSignatureLogDir
26. How will other Windows applications and older versions of Internet Explorer be impacted?
27.  
28. Third party Windows applications that use the Windows cryptographic API set and older versions of Internet Explorer will not be impacted by the mid-2017 changes by-default.
29. How will SHA-1 client authentication certificates be impacted?
30.  
31. The mid-2017 update will not prevent a client using a SHA-1 signed certificate from being used in client authentication.
32. What about cross-signed certificates?
33.  
34. Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. A certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root would not be impacted by the changes planned for mid-2017.
35.  
36. ? Alec Oot, Senior Program Manager
37. ? Jody Cloutier, Senior Program Manager