The case for sunsetting it was made clearer after researchers at Google and CWI Amsterdam in Februaryrevealed a technique for creating a SHA-1 collision, demonstrated with two PDFs containing different content that had the same SHA-1 hash. A secure hashing algorithm shouldn't output the same hash or digest for two different pieces of data.
Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.
Microsoft's broader plan to phase out SHA-1 certificates will eventually apply to self-signed SSL/TLS certificates used in the enterprise.
The current policy "will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1".
Microsoft notes in its advisory that self-signed SHA-1 TSL certificates will not be impacted, but it urged all customers to "quickly migrate" to SHA-2 based certificates.
The Windows 10 Creators Update also automatically blocks SHA-1 in the browser. Microsoft flagged these changes in a blogpost in April and offered admins instructions for immediately blocking SHA-1.