SCHANNEL event logging

First, my thanks to Bhuvnesh Kumar for his help!


Time to figure out what's going on behind the curtain!



Are you seeing System Event Log, Event ID 36871 events?


Why does this matter?


Depending on OS versions and patches, the TLS Cipher Suites may not match on the various SCOM servers.

  1. If you're setting up TLS1.2, you need the SCOM servers to talk
  2. The bad part, is this isn't logged much on the GW but log more often on MS
  3. Sometimes the 36871 events come with 36874, but in my experience they occur after Event Logging is enabled.


The unanswered question is "why are we seeing the 36871 events?"


In my example, the events only happened once a day, roughly 24 hours


Event Viewer


Are events related to the Cipher Suite, or is it a MP trying to run the old SQLOLEDB method?


This article will focus on verifying Cipher Suite on a server

See this article for MP analysis for SQL methods




SCHANNEL event logging setup


From Holman's blog

Decimal Description
0 Do not log
1 Log Error messages
2 Log Warnings
3 Log Error and Warning messages
4 Log Informational and Success events
5 Log Error, Informational and Success events
6 Log Warnings, Informational and Success events
7 Log Everything (Warnings, Errors, Informational and Success events


I’d recommend setting it to 3 to see errors and warnings, or 7 to see everything.

Remember to set this back to 1 when done resolving any issues.



From Command Prompt or PowerShell (as administrator)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging" /t REG_DWORD /d 7 /f


reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging"


reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging"


PowerShell verification

RegEdit Verification

Time to reboot!



Verify SCHANNEL events

Look at the System Event log, and filter for 36880 and 36874 events for clues


36880 provides Cipher Suite details


Event ID 36874 definitely describes the scenario


The easy answer to solve the cipher suite is to ask - is this server patched with latest security and .NET patches?

After all this, in my example, we confirmed that simple step was assumed, and inaccurate.





36871 event
SChannel error codes
SChannel events
SSL errors
Troubleshooting /en-us/iis/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate