Microsoft changed the signing of update packages for Windows 7 and Windows Server 2008 R2 devices on the August 2019 Patch Day for the first time. The company signs packages only with SHA-2 since August 2019; it signed them with SHA-1 and SHA-2 previously but decided to drop SHA-1 because of known weaknesses.
Two updates need to be installed on Windows 7 and Windows Server 2008 R2 systems so that SHA-2 signed updates are installed correctly: