Microsoft security advisory: Updated support for Diffie-Hellman Key Exchange

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials


Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To learn more about the vulnerability, see

More Information

Included with this security update is a new default minimum RSA key size that the client will accept from the server. This new minimum is 1024 bits. This brings the versions of Windows that are listed in the "Applies To" section into parity with Windows 10 which already had this minimum RSA key size. Additionally, this key size minimum can now be increased or decreased through the system registry.

ImportantThis section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
You can add a DWORD value named ClientMinKeyBitLength which has a default value of 1024 (Decimal) to the following registry subkey:
To add this registry value, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey:
  3. On the Edit menu, point to New, and then click Key.
  4. Type PKCS for the name of the Key, and then press Enter. Select the PKCS key.
  5. On the Edit menu, point to New, and then click DWORD Value.
  6. Type ClientMinKeyBitLength for the name of the DWORD, and then press Enter.
  7. Right-click ClientMinKeyBitLength, and then click Modify.
  8. In the Value data box, type the new minimum key length (in bits), and then click OK.

    Note You do not have to restart the computer after you add or change this registry entry for the change to take effect. However, you do have to restart the computer if you delete the entry.
  • All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update
    2919355 to be installed. We recommend that you install update
    2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see
    Add language packs to Windows.

Known issues in this security update

How to obtain and install the update

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see
Get security updates automatically.

Note For Windows RT 8.1, this update is available through Windows Update only.

Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.