Hello Jane,

Your case is not related to Windows for Business or Windows 365 Enterprise. What you are dealing with is an application dependency issue around OpenSSL versions on Windows. Winget installs the latest OpenSSL binaries into a system path, but applications do not automatically switch to using them. Each program either links statically to its own bundled OpenSSL libraries or dynamically loads them from a specific path. That means even if you have the newest OpenSSL installed globally, older applications may still be calling their embedded or outdated DLLs.

To verify which version is actually being used, you need to inspect the binaries that the application loads. On Windows, the most reliable way is to use Process Explorer from Sysinternals. Launch the application, open Process Explorer, and check the loaded modules under the process. If you see libssl-1_1.dll or libcrypto-1_1.dll, note the file path. That path tells you whether the program is using the system-installed OpenSSL or its own copy. You can also run openssl version from the command line to confirm the version of the OpenSSL binary you installed via Winget, but that only confirms the global installation, not what each application is consuming.

There is no single command line that forces all applications to use the new OpenSSL. Each application must either be updated by its vendor to link against the newer libraries, or you must replace the older DLLs in the application’s directory with the updated ones though this is risky and not recommended unless the vendor explicitly supports it. The best practice is to update the applications themselves to versions that are compiled against the latest OpenSSL.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

Domic Vo.

Answer from Domic Vo on learn.microsoft.com
Top answer
1 of 2
1

Hello Jane,

Your case is not related to Windows for Business or Windows 365 Enterprise. What you are dealing with is an application dependency issue around OpenSSL versions on Windows. Winget installs the latest OpenSSL binaries into a system path, but applications do not automatically switch to using them. Each program either links statically to its own bundled OpenSSL libraries or dynamically loads them from a specific path. That means even if you have the newest OpenSSL installed globally, older applications may still be calling their embedded or outdated DLLs.

To verify which version is actually being used, you need to inspect the binaries that the application loads. On Windows, the most reliable way is to use Process Explorer from Sysinternals. Launch the application, open Process Explorer, and check the loaded modules under the process. If you see libssl-1_1.dll or libcrypto-1_1.dll, note the file path. That path tells you whether the program is using the system-installed OpenSSL or its own copy. You can also run openssl version from the command line to confirm the version of the OpenSSL binary you installed via Winget, but that only confirms the global installation, not what each application is consuming.

There is no single command line that forces all applications to use the new OpenSSL. Each application must either be updated by its vendor to link against the newer libraries, or you must replace the older DLLs in the application’s directory with the updated ones though this is risky and not recommended unless the vendor explicitly supports it. The best practice is to update the applications themselves to versions that are compiled against the latest OpenSSL.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

Domic Vo.

2 of 2
0

To ensure that your applications are using the new version of OpenSSL after updating, you can follow these steps:

  1. Check OpenSSL Version: You can verify the installed version of OpenSSL by running the following command in your command line:
       openssl version
    
    This command will display the version of OpenSSL currently in use.
  2. Verify Application Dependencies: For applications that depend on OpenSSL, you may need to check their documentation or use specific commands to see which version of OpenSSL they are linked against. This can vary by application, but many applications will have a command-line option to display version information.
  3. Check for Multiple Versions: If you suspect that multiple versions of OpenSSL are installed, you can check the paths of the OpenSSL binaries in your system. Use the following command to find all instances of OpenSSL:
       where openssl
    
    This will show you the locations of the OpenSSL executables, and you can verify if the correct version is being used.
  4. Update Environment Variables: Ensure that your system's PATH environment variable points to the directory of the new OpenSSL installation. This can help ensure that applications use the correct version.
  5. Testing Applications: After updating, test your applications to ensure they function correctly. If they fail or report issues related to OpenSSL, they may still be referencing an older version.

By following these steps, you can confirm that your applications are using the updated version of OpenSSL and mitigate any vulnerabilities associated with older versions.

🌐
Reddit
reddit.com › r/defenderatp › openssl updates for all of our devices but different versions of openssl/apps
r/DefenderATP on Reddit: OpenSSL Updates for all of our devices but different versions of OpenSSL/Apps
August 19, 2024 -

Hi there,

Is there a way to update OpenSSL for all devices that updates all of the different versions of OpenSSL that specific apps use?

Defender gives me vulnerabilities to file paths and it would be something like:

microsoft.windows.photos_2024.11070.31001.0_x64\libcrypto-3-x64.dll

Then I go to the Microsoft store to update the Windows Photos App but there is no update for it? This is the same issue for multiple applications. A lot points to libssl-3 or libcrypto but from different apps like git or azure CLI or visual studio 2022 even tho git and visual studio 2022 is updated.

I have been banging my head against this for months now. Could someone please share some insight on how to resolve this?

I would appreciate it so much! Thanks in advance.

Top answer
1 of 4
6
There is no resolution that will make it go away from the vulnerability dashboard that someone undoubtedly is pestering you about. What you are looking at is some dynamically linked libraries that contain some cryptographic functions that the applications in question make use of in some way or another. Building upon open source like this makes sense, since the alternative would be for everyone to spend time and resource on doing their own likely error-prone cryptographic implementation. Can you just compile your own OpenSSL dll files and use them to swap the allegedly vulnerable ones? Depends on the app. Sometimes it goes OK, sometimes it breaks the app. Someone is not very likely to stage a man-in-the-middle attack on microsoft windows photos. If the DLL is not in your systems PATH variable, then other applications on the system cannot make use of the DLL unless they address the exact path it is in. A better approach is to open a conversation with whoever is pestering you about the vulnerability scores. Explain that MS Defender will report on components on harddrive with CVE's, but it will NOT be able to determine for you which of these are exploitable. Thus, spending resources chasing a clean sheet in a vulnerability dashboard is a rather large waste of time. In fact, if you have a security team on your throat about CVE's in a dashboard, then ask them to help you prioritize the ones that are exploitable.
2 of 4
2
We are seeing the same thing and I have not yet found a solution, i was hoping the windows updates would take care of things that are Microsoft published but we have not seen the vulnerabilities decrease.
Discussions

How do I update OpenSSL on Windows 10 from 1.1.1h to 1.1.1o - Stack Overflow
I have been researching how to update OpenSSL on windows 10 and can't seem to find a clear answer. I currently have 1.1.1h and am looking to upgrade to 1.1.1o because of CVE-2021-3711. If anyone kn... More on stackoverflow.com
🌐 stackoverflow.com
How to update openssl?
Microsoft 365 and Office | Microsoft ... Other | Windows · An integrated threat protection solution designed to detect, investigate, and respond to cyber threats across Microsoft 365 services. ... Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. ... I’m Adeyemi and I’d be happy to help you with your question. Updating OpenSSL when it's ... More on learn.microsoft.com
🌐 learn.microsoft.com
1
8
November 29, 2023
OpenSSL was not installed separately from the Microsoft Windows 10 OS. Will Microsoft be incorporating an update to OpenSSL in September 2023's Cumulative Update? Patching separately is not the right answer.
My question is to address expectations that Microsoft will provide the update to OpenSSL as well as curl. August 2023 update did not include these updates. Windows for business | Windows Client for IT Pros | User experience | Other More on learn.microsoft.com
🌐 learn.microsoft.com
3
0
OpenSSL upgrade on windows servers
Upgrade to Microsoft Edge to take ... security updates, and technical support. Download Microsoft Edge More info about Internet Explorer and Microsoft Edge ... The version of OpenSSL installed on the remote host is prior to 3.0.14. It is, therefore, affected by a vulnerability as referenced in the 3.0.14 advisory. Windows for business ... More on learn.microsoft.com
🌐 learn.microsoft.com
2
0
People also ask

How is AutoInstall SSL™ different from Let’s Encrypt or Certbot?
The key differences are warranty coverage (up to $500,000), a CA-issued site seal, 24/7 support, and a managed agent that requires no ongoing maintenance. The full side-by-side breakdown is in the comparison section above. SSL Dragon’s ACME SSL Certificates page covers the alternative protocol-based approach.
🌐
ssldragon.com
ssldragon.com › home › tutorials › openssl tutorials › how to check the openssl version on linux, windows, and mac?
How to Check the OpenSSL Version on Linux, Windows, and Mac? - ...
What is AutoInstall SSL™?
A server agent that automates your entire SSL certificate lifecycle. You set it up once, and it takes care of every step from there. At SSL Dragon, it is sold as a bundle with domain validated (DV) certificates from RapidSSL or GeoTrust.
🌐
ssldragon.com
ssldragon.com › home › tutorials › openssl tutorials › how to check the openssl version on linux, windows, and mac?
How to Check the OpenSSL Version on Linux, Windows, and Mac? - ...
Are wildcard certificates supported?
Yes. Both the RapidSSL Wildcard + AutoInstall and GeoTrust QuickSSL Premium Wildcard + AutoInstall bundles cover unlimited subdomains on a single level (for example, shop.example.com, mail.example.com, app.example.com). Wildcard certificates require DNS-based validation, which the agent handles automatically for supported DNS hosts.
🌐
ssldragon.com
ssldragon.com › home › tutorials › openssl tutorials › how to check the openssl version on linux, windows, and mac?
How to Check the OpenSSL Version on Linux, Windows, and Mac? - ...
🌐
Shining Light Productions
slproweb.com › products › Win32OpenSSL.html
Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
Businesses Secure Cloud Load Balancing (See the Donations section on this page to get your business here)
🌐
Serverpronto
serverpronto.com › kb › page.php
Update OpenSSL
Go to openssl-1.0.1g directory # make clean # ./config shared –prefix=/usr –openssldir=/usr/local/openssl # make && make test # make install 4. Done 5. Check the if you you have the latest version. Thus the openssl is updated to the latest one, and if not reboot your machine and check again.
🌐
Openssl-windows
openssl-windows.github.io › update-openssl-windows.html
How to Update OpenSSL on Windows 10 / 11 — Step-by-Step Guide
May 20, 2026 - How to update OpenSSL to the latest version on Windows 10 and 11. Check current version, download new installer, upgrade in place. Settings preserved.
🌐
Stack Overflow
stackoverflow.com › questions › 72266514 › how-do-i-update-openssl-on-windows-10-from-1-1-1h-to-1-1-1o
How do I update OpenSSL on Windows 10 from 1.1.1h to 1.1.1o - Stack Overflow
Since we're talking about Windows, I think each application that uses OpenSSL probably comes with its own copy, which could be in a DLL file or directly linked into an EXE. Which specific applications are you concerned about? How do you know you have 1.1.1h and how did you install that? ... @DavidGrayson: historically native Windows apps did that, but Win10 up has WSL where the library handling and update methods are the same as a selected Unix distro, and all versions of Win (at least NT up) have had other Unix-like schemes such as gnuwin32 and cygwin/mingw/mingw64 each with their own library scheme.
Find elsewhere
🌐
Cloudzy
cloudzy.com › home › blog › security & networking › how to install openssl on windows 10 & 11
How to Install OpenSSL on Windows 10 & 11 · Cloudzy Blog
September 21, 2025 - For users managing multiple OpenSSL ... approach involves uninstalling the current version through Windows Add/Remove Programs, then downloading and installing the latest version from the official sources....
🌐
OpenSSL
openssl.org
OpenSSL
“We believe everyone should have access to security and privacy tools, whoever they are, wherever they are or whatever their personal beliefs are, as a fundamental human right.”
🌐
SSL Dragon
ssldragon.com › home › tutorials › openssl tutorials › how to check the openssl version on linux, windows, and mac?
How to Check the OpenSSL Version on Linux, Windows, and Mac? - SSL Dragon
2 weeks ago - Need to check the OpenSSL version on your system? Discover the command line steps for Linux, Windows, and macOS, plus how to upgrade unsupported versions.
Top answer
1 of 1
4

Hello

I’m Adeyemi and I’d be happy to help you with your question.

Updating OpenSSL when it's integrated within applications can be a bit tricky, but it's not impossible. Here are some general steps you can follow:

  1. Identify the Applications: Determine which applications on your system are using OpenSSL. This might require checking the documentation or contacting the software vendor.
  2. Check for Updates: Many applications bundle OpenSSL and will provide updates that include updated versions of OpenSSL when they become available. Check the software vendor's website or contact them directly to see if they have released an update.
  3. Recompile the Application: If the application's source code is available, and it's feasible, you could recompile the application with the updated OpenSSL library. This is a more technical approach and requires some knowledge of programming and compilation.
  4. Use a Package Manager: If you're using a package manager like vcpkg, you can update just OpenSSL and nothing else. This might not be applicable in all scenarios, especially if the application statically links OpenSSL.

If none of the above options are viable, your best bet would be to contact the vendor of the software and inquire about their plans for addressing the OpenSSL vulnerability.

Remember, it's crucial to test all changes in a safe and reversible manner, ideally in a non-production environment first. Always backup your data before making such updates.

I hope this helps.

Give back to the community. Help the next person who has this issue by indicating if this reply solved your problem. Click Yes or No below.

Kind regards, Adeyemi

🌐
Hostnoc
hostnoc.com › home › guide › how to install openssl on windows? [complete 64-bit and 32-bit guide]
How To Install OpenSSL On Windows? 64-bit And 32-bit Guide
June 24, 2024 - OpenSSL Windows download guide: how to install openssl on Windows 11, 10, or server. Step-by-step tutorial with 64-bit & 32-bit support.
🌐
Microsoft Learn
learn.microsoft.com › en-us › answers › questions › 1345660 › openssl-was-not-installed-separately-from-the-micr
OpenSSL was not installed separately from the Microsoft Windows 10 OS. Will Microsoft be incorporating an update to OpenSSL in September 2023's Cumulative Update? Patching separately is not the right answer. - Microsoft Q&A
It appears that OpenSSL comes bundled (a run time version?) with other software products. The only reference to Windows\System32 has iclsclient in the name. An internet search says that that is related to the Intel Trusted Connect Service Client. I would expect these dll's to get updated as part of an update to the individual software products, like VMWare Player, not via Windows itself.
🌐
CloudInsidr
cloudinsidr.com › content › how-to-install-the-most-recent-version-of-openssl-on-windows-10-in-64-bit
How to install the most recent version of OpenSSL on Windows 10 in 64 Bit - CloudInsidr
October 24, 2024 - Never mind.) If you want to run it, you need a Windows binary, and unless you are willing to compile it yourself, you have to to rely on someone else. Here is how you can set up OpenSSL on Windows without having to deal with the code.
🌐
Microsoft Learn
learn.microsoft.com › en-us › answers › questions › 1656766 › openssl-upgrade-on-windows-servers
OpenSSL upgrade on windows servers - Microsoft Q&A
Windows for business | Windows Server | User experience | PowerShell ... Still not a PowerShell question . . . I'd expect the way to update the version of OpenSSL is to download the version of the software from the same place you got the version you're currently running and then distribute the update to your servers using whatever software distribution method you use for any other 3rd-party applications.
🌐
Anaplan
support.anaplan.com › openssl-installation-steps-windows-os-6280772c-b8e3-4aa8-a49c-0d9d88640388
OpenSSL installation steps (Windows OS) | Anaplan Support
April 3, 2025 - It's best to install this program outside the Windows Directory. Install to "C:\" folder. 3. Once install is complete, navigate to "C: \OpenSSL-Win64\bin" and right-click on "openssl.exe" and select "Run as Administrator". 4. This will initiate a Command Prompt instance with OpenSSL. ... We ...
🌐
Stack Overflow
stackoverflow.com › questions › 76333019 › how-to-update-openssl-from-1-0-0-to-1-0-1-in-windows-10
updating - How to update OpenSSL from 1.0.0 to 1.0.1 in Windows 10? - Stack Overflow
You need a newer Python build that was compiled with OpenSSL 1.1.1, thus necessarily after Sept. 2018 unlike yours in March 2018 -- or alternatively a lower urllib3 and maybe requests. 'cryptography' and 'pyOpenSSL' -- only -- use a separate OpenSSL that may be in site-packages or equivalent, and you probably broke them by replacing 3.1 with 1.1.1.
🌐
Stack Overflow
stackoverflow.com › questions › 79268054 › updating-an-old-version-of-the-openssl-library-for-windows
ssl - Updating an old version of the OpenSSL library for Windows - Stack Overflow
On a Windows 32-bit program written in Delphi 7 and not updated since 2015 by its author, an error is returned after enabling an option to establish an SSL encrypted connection. In the root folder of the program there are the files libeay32.dll, libssl32.dll and ssleay32.dll dating back to 2007 and 2008, belonging to the “OpenSSL Shared Library” version 0.9.8.5, product name “The OpenSSL Toolkit” version 0.9.8e.
🌐
Atlassian Community
community.atlassian.com › q&a › confluence › questions › how to upgrade openssl to 3.1.4
How to upgrade OpenSSL to 3.1.4
January 4, 2024 - Download the new version as a zip (instead of .exe) from https://kb.firedaemon.com/support/solutions/articles/4000121705-openssl-3-1-3-0-and-1-1-1-binary-distributions-for-microsoft-windows