SEC_E_BUFFER_TOO_SMALL (0x80090321) Fix for Windows
Quick fix: reset SSL/TLS registry keys. This error means Windows can't read security certificates—common after a failed Windows update or antivirus block.
Quick answer for advanced users: Delete HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel and HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0 keys, then reboot. If that's too risky for you, follow the numbered steps below.
This error shows up when Windows can't read certificate buffers—usually after a recent Windows update that partially corrupted the Schannel (Secure Channel) registry keys. I've seen this most often on Windows 10 version 1809 and Server 2019 right after the KB4489886 update. The system still boots, but apps like IIS, SQL Server, or even Windows Update itself throw this error when trying to use SSL/TLS. The error code 0x80090321 translates to "the buffers supplied to a function was too small," but that's misleading. The real problem is that Windows can't even read the certificate store to know how big the buffer should be. You're not going to fix this by increasing buffer sizes—that's a dead end.
Step 1: Back up your registry (just in case)
- Press Windows Key + R, type regedit, hit Enter.
- In the Registry Editor, click File > Export.
- Choose a safe spot like your Desktop, name it RegistryBackup, and under Export range select All. Click Save.
- After saving, you should see the file appear on your Desktop. Don't skip this step—I've seen people delete the wrong keys and cause a boot loop. The backup gives you a rollback point.
Step 2: Delete the corrupted Schannel key
- In regedit, go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
- Right-click the Schannel folder on the left pane, select Delete. Confirm with Yes.
- After you delete it, that key should vanish from the tree. If it doesn't delete or gives an error, you're not running as Administrator—close regedit, right-click it, and choose Run as administrator.
Step 3: Delete the corrupted OID Encoding Type key
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
- Right-click the EncodingType 0 folder and choose Delete. Confirm with Yes.
- After this, that key should be gone too. If you see multiple EncodingType keys (like EncodingType 1), leave those alone—just delete the one with the 0.
Step 4: Reboot your computer
- Close Registry Editor.
- Click the Start menu, then the power icon, and choose Restart. Don't use Shut Down and turn it back on manually—Restart fully clears the system state.
- After the reboot, you should be able to use SSL/TLS without the error. Try accessing a secure website or running your affected app to confirm.
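A scripted version of the Step 1 backup, limited to the two keys deleted in Steps 2 and 3, which also records any TLS protocol settings stored under Schannel\Protocols so that hardening removed with the key can be re-applied after the reboot. This is an added example, not part of the original article; the backup folder name and the protocols.csv file name are assumptions, and it is meant to run from an elevated PowerShell prompt before Step 2.

```powershell
# Added example (not from the original article). Run elevated, before Step 2.
# Assumed output location: a SchannelBackup folder on the current user's Desktop.
$BackupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'SchannelBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The two keys the article deletes in Steps 2 and 3.
$Keys = [ordered]@{
    Schannel      = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
    EncodingType0 = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0'
}

foreach ($name in $Keys.Keys) {
    $key = $Keys[$name]
    if (-not (Test-Path -LiteralPath "Registry::$key")) {
        Write-Warning "Key not found, nothing to export: $key"
        continue
    }
    $file = Join-Path $BackupDir "$name.reg"
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key" }
    Write-Host "Exported $key -> $file"
}

# Record the per-protocol Enabled / DisabledByDefault values (for example a
# disabled SSL 3.0 or TLS 1.0) so they can be compared and restored later.
$protoRoot = "Registry::$($Keys.Schannel)\Protocols"
$settings = @()
if (Test-Path -LiteralPath $protoRoot) {
    $settings = @(Get-ChildItem -LiteralPath $protoRoot -Recurse |
        Where-Object { $_.PSChildName -in 'Client', 'Server' } |
        ForEach-Object {
            [pscustomobject]@{
                Protocol          = ($_.Name -split '\\')[-2]
                Role              = $_.PSChildName
                Enabled           = $_.GetValue('Enabled')
                DisabledByDefault = $_.GetValue('DisabledByDefault')
            }
        })
}
if ($settings.Count -gt 0) {
    $settings | Export-Csv -Path (Join-Path $BackupDir 'protocols.csv') -NoTypeInformation
    $settings | Format-Table -AutoSize
} else {
    Write-Host 'No explicit protocol settings under Schannel\Protocols (OS defaults in use).'
}
```

To roll back, run reg import against the exported .reg file from the same elevated prompt and reboot.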
Alternative fixes if the above doesn't work
Fix 1: Run System File Checker (SFC) and DISM
- Open Command Prompt as Administrator: press Windows Key + X, choose Command Prompt (Admin) or Windows PowerShell (Admin).
- Type: sfc /scannow and press Enter. This checks system files. It can take 15–30 minutes. When it finishes, you'll see a message saying either no issues found, or that it repaired files.
- After SFC completes, type: DISM /Online /Cleanup-Image /RestoreHealth and press Enter. DISM can take longer—sometimes up to an hour. Let it finish completely.
- Once both finish, reboot. I've had cases where the registry keys were fine but the underlying system files were busted, and this fixed it.
Fix 2: Uninstall the problematic Windows update
- Go to Settings > Update & Security > Windows Update > View update history > Uninstall updates.
- Look for KB4489886 (or any update installed right before the error started appearing). Select it and click Uninstall.
- Reboot after uninstalling. This isn't a permanent fix—Windows might reinstall the update later—but it gets you running again. You can then hide the update using the Show or hide updates troubleshooter from Microsoft if needed.
Fix 3: Check for antivirus interference
- Temporarily disable your antivirus (not just pause it). The exact steps depend on your software: for example, in Norton you right-click the icon and select Disable Auto-Protect; in McAfee you open the console and turn off real-time scanning.
- Once disabled, try your SSL connection again. If it works, you've found the culprit. Add an exception for your Windows system folders or consider switching to a different AV.
- Re-enable your antivirus after testing.
Prevention tips
- Before installing Windows updates, create a system restore point. Go to Control Panel > System > System Protection > Create. This gives you a quick rollback if an update breaks things.
- Don't use registry cleaners. They often strip out valid certificate entries and cause this exact error. Windows manages its own registry fine.
- If you are using self-signed certificates for internal apps, make sure they are in the Trusted Root Certification Authorities store, not just the Intermediate store. Double-click the .cer file, select Install Certificate, choose Place all certificates in the following store, browse to Trusted Root Certification Authorities, and finish the wizard.
Real-world trigger: This error hits hardest after a failed Windows cumulative update, especially on domain-joined servers where Group Policy tries to push certificate settings. I've also seen it when users ran a registry cleaner after installing antivirus software.