
Fix available for Root Certificate Update issue on Windows Server

Hi, all, Christa Anderson here. We want to make you aware of an issue that might affect your Windows Server deployments, and tell you how we’re addressing it with the help of our awesome Customer Technical Support team.

As explained in KB 931125, a package that was intended only for client operating systems was also made available to servers through WSUS and Windows Update. This package is designed to update the store of trusted root certificates, and adds a large number of certificates to the store. Windows Vista and later automatically update their own stores, but Windows XP requires regular updates.

The issue is this: the SChannel security package used to send trusted certificates to clients has a limit of 16KB. Therefore, having too many certificates in the store can prevent TLS servers from sending needed certificate information; they start sending but have to stop when they reach 16KB. If clients don’t have the right certificate information, they cannot use services requiring TLS for authentication. Because the root certificate update package available in KB 931125 manually adds a large number of certificates to the store, applying it to servers results in the store exceeding the 16KB limit and the potential for failed TLS authentication.

Here’s what we’re doing to resolve this. First, in December we pulled the package from Windows Update and WSUS, so it’s no longer available to servers. If you update your WSUS servers, the package will be gone (although it will remain on any servers to which you already deployed it). Second, to help with servers that already installed the update, we’re providing a Fixit solution in KB 2801679. If you’re experiencing any outages of TLS-dependent services, we recommend that you use the Fixit solution in KB 2801679. If you have further questions, please call Customer Support Services (information at the link).
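
One way to check a server against the 16KB limit described above, as an added example that is not part of the original post or of either KB article. It assumes the list sent to clients is built from the DER-encoded subject names in the Local Machine Trusted Root store, each carried with a 2-byte length prefix as in the TLS CertificateRequest message; the function name `Get-IssuerListEstimate` is hypothetical.

```powershell
# Added example: estimate how large the trusted issuer list would be if it
# were built from every certificate in the Local Machine Trusted Root store,
# and compare that with the 16KB limit stated in the post.
$LimitBytes = 16KB   # 16384 bytes

function Get-IssuerListEstimate {
    param(
        # Store to measure; the default is the machine-wide Trusted Root store.
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    $certs = @(Get-ChildItem -Path $StorePath)

    $perCertBytes  = 2        # 2-byte length field for the whole list
    $distinctBytes = 2
    $seen = @{}

    foreach ($cert in $certs) {
        # DER encoding of the subject name, as it would appear on the wire.
        $raw = $cert.SubjectName.RawData
        $entryBytes = 2 + $raw.Length      # 2-byte length prefix per name

        # Upper estimate: one entry per certificate.
        $perCertBytes += $entryBytes

        # Lower estimate (assumption): identical subject names sent once.
        $key = [System.Convert]::ToBase64String($raw)
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $distinctBytes += $entryBytes
        }
    }

    [pscustomobject]@{
        StorePath             = $StorePath
        Certificates          = $certs.Count
        DistinctSubjects      = $seen.Count
        BytesPerCertificate   = $perCertBytes
        BytesDistinctSubjects = $distinctBytes
        LimitBytes            = $LimitBytes
        OverLimit             = ($distinctBytes -gt $LimitBytes)
    }
}

Get-IssuerListEstimate | Format-List
```

A result with `OverLimit` set to `True` on a server that received the KB 931125 package is consistent with the condition the post describes; the figures are estimates, not the exact bytes SChannel would send.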
