An update is available that improves management of weak certificate cryptographic algorithms in Windows

Introduction

An update is available that improves management of weak certificate cryptographic algorithms in Windows. The 2862966 update provides a framework to help improve management of certificates that use specific cryptographic and hashing algorithms in Microsoft Windows. This update does not restrict the use of certificates by itself, but may be a prerequisite for later updates that do restrict the use of certificates.

Notice
You must install this update before you install security update 2862973. For more information, click the following article number to go to the article in the Microsoft Knowledge Base:
2862973 Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013

More Information

This update provides functionality that can be used to monitor the usage of weak cryptography and to block its use in enterprise environments. This update gives administrators logging capabilities and controls for the way that hashing algorithms and asymmetric cryptography are used in a managed environment. This functionality includes setting minimum key sizes for asymmetric algorithms such as RSA, DSA, and ECDSA, and blocking the use of weak hashing algorithms such as MD5.

After this update is applied, administrators can do the following: 
  • Define policies that selectively block cryptographic algorithms and that override settings provided by the operating system
  • Opt in to or opt out of each policy independently
  • Enable logging for each policy
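
Before a blocking policy of this kind is enabled, an inventory of the certificates it would affect is useful. The following PowerShell script is an added example and is not part of the original article or of the update. The function name Test-CertificateStrength, the thresholds, and the list of stores are assumptions. It requires Windows PowerShell 5.1 with .NET Framework 4.6.2 or later.

```powershell
# Added example, not part of update 2862966. Thresholds are assumed values for illustration.
$MinKeyBits = @{ RSA = 1024; DSA = 1024; ECDSA = 256 }
# Signature algorithm OIDs to flag. 1.2.840.113549.1.1.4 is md5WithRSAEncryption.
$WeakSignatureOids = @('1.2.840.113549.1.1.4')
# Public-key algorithm OIDs: rsaEncryption, id-dsa, id-ecPublicKey.
$KeyFamilies = @{ '1.2.840.113549.1.1.1' = 'RSA'; '1.2.840.10040.4.1' = 'DSA'; '1.2.840.10045.2.1' = 'ECDSA' }

function Test-CertificateStrength {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        $findings = @()
        # A self-signed root is trusted by its presence in the store, not by its
        # signature, so the hash check applies only to certificates issued by another CA.
        $selfSigned = $Cert.Subject -eq $Cert.Issuer
        if (-not $selfSigned -and $WeakSignatureOids -contains $Cert.SignatureAlgorithm.Value) {
            $findings += "weak signature hash ($($Cert.SignatureAlgorithm.FriendlyName))"
        }
        $family = $bits = $null
        try {
            $family = $KeyFamilies[$Cert.PublicKey.Oid.Value]
            $key = switch ($family) {
                'RSA'   { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert) }
                'DSA'   { [System.Security.Cryptography.X509Certificates.DSACertificateExtensions]::GetDSAPublicKey($Cert) }
                'ECDSA' { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert) }
            }
            if ($key) { $bits = $key.KeySize; $key.Dispose() }
        } catch {
            $findings += "key size unreadable: $($_.Exception.Message)"
        }
        if ($bits -and $bits -lt $MinKeyBits[$family]) {
            $findings += "$family key of $bits bits is below the $($MinKeyBits[$family])-bit minimum"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Store = $Cert.PSParentPath -replace '^.*::', ''
                Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
                Findings = $findings -join '; '
            }
        }
    }
}

# Report only the certificates that would fall under the assumed policy.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA, Cert:\LocalMachine\My |
    Test-CertificateStrength | Format-List
```

The script only reads the certificate stores. It changes no policy and does not depend on the update being installed.
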
For more information, go to the following Microsoft TechNet webpage:

Known issues with this security update

  • Windows Update will not offer this security update to Windows RT-based computers until update 2808380 is installed. For more information, click the following article number to go to the article in the Microsoft Knowledge Base:
    2808380 Windows RT-based device cannot download software updates or Windows Store apps
Notice
On December 16, 2013, a detection change was made to correct an offering issue for Windows RT. The detection change helped to make sure that Windows Update correctly offers this security update (2835361) to Windows RT-based computers after update 2808380 is installed or after a later update rollup (that includes the 2808380 update) is installed. This was a detection change only. No changes were made to the update files. Customers who have successfully installed the update do not have to take any action. 

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows Vista and Windows Server 2008 file information
Windows 7 and Windows Server 2008 R2 file information
Windows 8 and Windows Server 2012 file information


Properties

Article ID: 2862966 - Last Review: Dec 18, 2013 - Revision: 1

Windows RT, Windows 8, Windows 8 Enterprise, Windows 8 Pro, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard, Windows 7 Service Pack 1, Windows 7 Enterprise, Windows 7 Professional, Windows 7 Ultimate, Windows 7 Home Premium, Windows 7 Home Basic, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Service Pack 2, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Vista Service Pack 2, Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter, Windows Vista Ultimate, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Vista Business 64-bit Edition
