
Windows Event ID 36887 – Schannel: TLS Connection Error or Certificate Validation Failure

Event ID 36887 indicates TLS/SSL connection failures or certificate validation errors in the Schannel security provider, commonly affecting HTTPS connections and secure communications.

Emanuel DE ALMEIDA
17 March 2026 · 12 min read

What This Event Means

Event ID 36887 represents a critical security event generated by the Schannel security support provider when TLS/SSL handshake failures occur. The Schannel provider is Windows' native implementation of the SSL/TLS protocols and handles all secure socket layer communications for the operating system and applications.

When this event fires, it indicates that a secure connection attempt has been terminated due to various certificate or protocol-related issues. The event typically includes detailed information such as the remote server name, certificate thumbprint, error status codes, and the specific stage of the TLS handshake where the failure occurred.

Common scenarios triggering this event include expired SSL certificates on web servers, untrusted certificate authorities in the chain, certificate name mismatches, unsupported cipher suites, or protocol version incompatibilities. In domain environments, this event frequently appears when domain controllers have certificate issues affecting LDAPS connections or when Exchange servers encounter mail flow problems due to certificate validation failures.

The event's impact extends beyond simple web browsing issues, affecting critical enterprise services like Active Directory replication, Exchange mail routing, SQL Server connections, and third-party applications relying on Windows' native SSL/TLS implementation. Understanding and resolving Event ID 36887 is essential for maintaining secure communications in Windows environments.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Expired or invalid SSL/TLS certificates on target servers
  • Certificate chain validation failures due to missing intermediate certificates
  • Untrusted root certificate authorities not present in Windows certificate store
  • Certificate subject name or SAN mismatch with the requested hostname
  • Incompatible TLS protocol versions between client and server
  • Cipher suite negotiation failures due to security policy restrictions
  • Revoked certificates detected during OCSP or CRL checking
  • Self-signed certificates without proper trust configuration
  • Network connectivity issues preventing certificate validation
  • Group Policy restrictions blocking specific TLS versions or cipher suites

Troubleshooting Steps

Method 1: Check Event Viewer for Detailed Error Information

Start by examining the complete event details to identify the specific failure reason and target server.

  1. Open Event Viewer → Windows Logs → System
  2. Filter for Event ID 36887 using the filter option
  3. Double-click the most recent event to view full details
  4. Note the Remote Server, Certificate Thumbprint, and Error Code
  5. Use PowerShell to get detailed event information:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=36887} -MaxEvents 5 | Format-List TimeCreated, Id, LevelDisplayName, Message

Record the specific error details for further investigation. The error code will guide you to the appropriate resolution method.
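Once the messages are collected, the quickest triage is to group them by the TLS alert code they carry. The script below is an added example, not code from the original article; it assumes the standard Event ID 36887 message text ("... The TLS protocol defined fatal alert code is N."), which the article does not quote, and names the codes from the TLS alert registry (RFC 5246 / RFC 8446). The sample messages are constructed so the script runs offline.

```powershell
# Added example (not from the original article): summarise Event ID 36887 entries by TLS alert code.
# Assumes the standard 36887 message text ("... The TLS protocol defined fatal alert code is <N>.").
# The alert code states why the remote endpoint aborted the handshake (TLS alert registry, RFC 5246/8446).
$AlertNames = @{
    40  = 'handshake_failure (no acceptable cipher suite or parameters)'
    42  = 'bad_certificate (certificate corrupt or signature invalid)'
    44  = 'certificate_revoked'
    45  = 'certificate_expired'
    46  = 'certificate_unknown (certificate rejected for another reason)'
    48  = 'unknown_ca (issuing CA not trusted by the remote side)'
    70  = 'protocol_version (no common TLS version)'
    71  = 'insufficient_security'
    112 = 'unrecognized_name (SNI host name not served by the remote side)'
    116 = 'certificate_required (client certificate missing)'
}

function Get-SchannelAlertSummary {
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Messages)
    $parsed = foreach ($msg in $Messages) {
        if ($msg -match 'fatal alert code is (\d+)') {
            $code = [int]$Matches[1]
            $name = if ($AlertNames.ContainsKey($code)) { $AlertNames[$code] } else { 'unknown alert code' }
            [pscustomobject]@{ AlertCode = $code; AlertName = $name }
        }
    }
    # One row per alert code, most frequent first
    $parsed | Group-Object AlertCode | ForEach-Object {
        [pscustomobject]@{ AlertCode = [int]$_.Name; Count = $_.Count; AlertName = $_.Group[0].AlertName }
    } | Sort-Object Count -Descending
}

# Constructed sample messages standing in for Get-WinEvent output, so the script runs offline
$sampleMessages = @(
    'A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.',
    'A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.',
    'A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.',
    'A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.'
)
Get-SchannelAlertSummary -Messages $sampleMessages | Format-Table -AutoSize

# Same summary over the live System log for the past 7 days:
# $live = Get-WinEvent -FilterHashtable @{LogName='System'; Id=36887; StartTime=(Get-Date).AddDays(-7)} |
#     Select-Object -ExpandProperty Message
# Get-SchannelAlertSummary -Messages $live | Format-Table -AutoSize
```

A run dominated by code 48 points at a trust problem on the remote side, while 70 points at a protocol-version mismatch, which steers you to Method 4 or Method 3 respectively.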

Method 2: Verify Certificate Validity and Chain

Check the target server's certificate status and validation chain to identify certificate-related issues.

  1. Test the certificate using PowerShell:
# Replace with your target server
$serverName = "your-server.domain.com"
$port = 443

# Record the validation result instead of letting an untrusted certificate abort the handshake,
# so the certificate can still be inspected when Windows does not trust it
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcpClient = New-Object System.Net.Sockets.TcpClient
$tcpClient.Connect($serverName, $port)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, $callback)
try {
    $sslStream.AuthenticateAsClient($serverName)
    $certificate = $sslStream.RemoteCertificate
    Write-Output "Certificate Subject: $($certificate.Subject)"
    Write-Output "Valid From: $($certificate.GetEffectiveDateString())"
    Write-Output "Valid To: $($certificate.GetExpirationDateString())"
    Write-Output "Validation Result: $policyErrors"   # None means Windows trusts this certificate
} finally {
    $sslStream.Close()
    $tcpClient.Close()
}
  2. Check the Intermediate Certification Authorities store for the server certificate's issuer:
# The server certificate's Issuer must appear as a Subject here, otherwise the chain cannot be built
Get-ChildItem -Path Cert:\LocalMachine\CA | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
  3. Verify root certificate authorities:
Get-ChildItem -Path Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter

If certificates are expired or missing, contact your certificate authority or server administrator to resolve the certificate issues.
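To see exactly which link of the chain Windows objects to, let the same chain engine that Schannel relies on evaluate the certificate and print its status flags. This is an added example, not code from the original article; the server name and port are placeholders, and the exact-match host name check does not expand wildcard certificates.

```powershell
# Added example (not from the original article): fetch a server certificate and report what the Windows
# chain engine finds wrong with it. 'your-server.domain.com' is a placeholder.
function Test-ServerCertificateChain {
    param([Parameter(Mandatory)][string]$ServerName, [int]$Port = 443)

    # Accept any certificate during the handshake so an untrusted one can still be retrieved and diagnosed
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Output ("Negotiated {0} with cipher {1}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    # Build the chain from the local certificate stores with online revocation checking, as Schannel would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk = $chain.Build($leaf)

    Write-Output "Chain built successfully: $chainOk"
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        Write-Output ("  {0}  issued by  {1}  (valid until {2:yyyy-MM-dd})" -f $c.Subject, $c.Issuer, $c.NotAfter)
    }
    # Each status maps to a cause listed above: PartialChain = missing intermediate, UntrustedRoot = root
    # not in Cert:\LocalMachine\Root, NotTimeValid = expired, RevocationStatusUnknown = CRL/OCSP unreachable
    foreach ($status in $chain.ChainStatus) {
        Write-Output ("  Problem: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }

    # Name check: exact match against the CN or a Subject Alternative Name entry (wildcards not expanded)
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $dnsName = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = ($dnsName -eq $ServerName) -or ($sanText -match ('(^|[=, ])' + [regex]::Escape($ServerName) + '($|[, ])'))
    Write-Output "Host name matches certificate: $nameOk"
}

Test-ServerCertificateChain -ServerName 'your-server.domain.com' -Port 443
```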

Method 3: Configure TLS Protocol and Cipher Suite Settings

Adjust Windows TLS settings to ensure compatibility with the target server's security requirements.

  1. Check current TLS protocol configuration:
# Check TLS registry settings
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" -ErrorAction SilentlyContinue
  2. Enable TLS 1.2 if disabled (requires restart):
# Enable TLS 1.2 Client
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -Type DWORD
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -Type DWORD
  3. Check Group Policy for TLS restrictions:
gpresult /h c:\temp\gpresult.html
  4. Test connection after changes:
Test-NetConnection -ComputerName "your-server.domain.com" -Port 443 -InformationLevel Detailed

Warning: Modifying TLS settings requires a system restart and may affect other applications. Test in a non-production environment first.
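Checking one key at a time misses the common case where a server-side or legacy-protocol key is the odd one out. The audit below is an added example, not code from the original article; it walks every protocol key under the SCHANNEL\Protocols path used above for both the Client and Server roles, works out the effective state from Enabled and DisabledByDefault, and flags the two findings that matter most for this event.

```powershell
# Added example (not from the original article): audit the Schannel protocol keys for both roles and
# flag settings that turn TLS 1.2 off (a common 36887 cause) or explicitly re-enable legacy protocols.
function Get-SchannelProtocolAudit {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
    $legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

    foreach ($proto in $protocols) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $proto) $role
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { $null }
            $byDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { $null }

            # Enabled=0 switches the protocol off outright; DisabledByDefault=1 keeps it off unless an
            # application requests it explicitly; when neither value exists the OS default applies
            $state = if ($null -eq $enabled -and $null -eq $byDefault) { 'OS default' }
                     elseif ($enabled -eq 0) { 'Disabled' }
                     elseif ($byDefault -eq 1) { 'Disabled by default' }
                     else { 'Enabled' }

            $finding = ''
            if ($proto -in $legacy -and $state -eq 'Enabled') { $finding = 'Legacy protocol explicitly enabled' }
            if ($proto -eq 'TLS 1.2' -and $state -in 'Disabled', 'Disabled by default') {
                $finding = 'TLS 1.2 turned off: likely cause of Event ID 36887'
            }

            [pscustomobject]@{
                Protocol = $proto; Role = $role; Enabled = $enabled
                DisabledByDefault = $byDefault; EffectiveState = $state; Finding = $finding
            }
        }
    }
}

Get-SchannelProtocolAudit | Format-Table -AutoSize
```

Rows showing "OS default" are not wrong; they simply mean the protocol has never been pinned, so any change in behaviour there comes from Windows updates or Group Policy rather than local registry edits.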
Method 4: Import Missing Certificates and Configure Trust

Manually import required certificates or configure certificate trust to resolve validation failures.

  1. Download the server's certificate:
# Download the certificate from the server, even when Windows does not trust it
$serverName = "your-server.domain.com"
$port = 443
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcpClient = New-Object System.Net.Sockets.TcpClient($serverName, $port)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, $acceptAll)
try {
    $sslStream.AuthenticateAsClient($serverName)
    $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sslStream.RemoteCertificate)
    Write-Output "Certificate: $($cert2.Subject)"
    Write-Output "Thumbprint: $($cert2.Thumbprint)"
    Write-Output "Issuer: $($cert2.Issuer)"
    # Save the DER-encoded leaf certificate for inspection with certutil or certlm.msc
    New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null
    [IO.File]::WriteAllBytes("C:\temp\server-cert.cer", $cert2.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
} finally {
    $sslStream.Dispose()
    $tcpClient.Dispose()
}
  2. Import intermediate certificates if missing:
# Import certificate to Intermediate CA store
$certPath = "C:\temp\intermediate-cert.cer"
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\CA
  3. Add trusted root certificate if needed:
# Import to Trusted Root store (use with caution)
$rootCertPath = "C:\temp\root-cert.cer"
Import-Certificate -FilePath $rootCertPath -CertStoreLocation Cert:\LocalMachine\Root
  4. Verify certificate installation:
Get-ChildItem -Path Cert:\LocalMachine\CA | Where-Object {$_.Thumbprint -eq "YOUR_CERT_THUMBPRINT"}

Pro tip: Use certlm.msc to visually manage certificates and verify the complete certificate chain.
Method 5: Enable Detailed Schannel Logging and Advanced Troubleshooting

Enable comprehensive Schannel logging to capture detailed TLS handshake information for complex issues.

  1. Enable Schannel event logging:
# Enable Schannel logging (requires restart)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" -Name "EventLogging" -Value 7 -Type DWORD
  2. Configure advanced TLS logging:
# Enable TLS operational log
wevtutil set-log "Microsoft-Windows-Schannel/Operational" /enabled:true /retention:false /maxsize:102400000
  3. Restart the system to apply logging changes
  4. Reproduce the connection issue
  5. Analyze detailed Schannel logs:
# Get detailed Schannel events
Get-WinEvent -LogName "Microsoft-Windows-Schannel/Operational" -MaxEvents 50 | Where-Object {$_.Id -in @(36874, 36875, 36887, 36888)} | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  6. Use network capture for protocol analysis:
# Start network trace (Windows 10/11/Server 2019+)
netsh trace start capture=yes provider=Microsoft-Windows-Schannel tracefile=c:\temp\schannel.etl
# Reproduce issue, then stop trace
netsh trace stop
  7. Disable logging after troubleshooting:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" -Name "EventLogging" -Value 1 -Type DWORD
wevtutil set-log "Microsoft-Windows-Schannel/Operational" /enabled:false

Warning: Detailed Schannel logging generates significant log volume. Disable after troubleshooting to prevent disk space issues.

Overview

Event ID 36887 fires when the Schannel security provider encounters TLS/SSL connection failures or certificate validation errors. This event typically appears in the System log when Windows applications or services attempt to establish secure connections but encounter issues with certificate chains, protocol mismatches, or cipher suite negotiations.

The Schannel provider handles all TLS/SSL operations for Windows, including HTTPS connections, secure LDAP, SQL Server encrypted connections, and Exchange mail flow. When Event ID 36887 occurs, it indicates that a secure connection attempt has failed at the protocol level, often due to certificate trust issues, expired certificates, or incompatible security protocols between client and server.

This event is particularly common in enterprise environments where certificate authorities, domain controllers, or web services experience certificate-related problems. The event provides crucial diagnostic information including the target server, certificate details, and specific error codes that help identify the root cause of the connection failure.

Frequently Asked Questions

What does Event ID 36887 mean and when does it occur?

Event ID 36887 indicates that the Schannel security provider encountered a TLS/SSL connection failure or certificate validation error. It occurs when Windows applications or services attempt to establish secure connections but fail due to certificate issues, protocol mismatches, or cipher suite problems. The event provides detailed information about the failure, including the target server, certificate details, and specific error codes to help diagnose the root cause.

How can I identify which application or service is causing Event ID 36887?

To identify the source application, examine the event details in Event Viewer for process information, check the Application log for related errors around the same time, and use Process Monitor (ProcMon) to track network activity. You can also use PowerShell to correlate events: Get-WinEvent -FilterHashtable @{LogName='System'; Id=36887} | Select-Object TimeCreated, Message and look for application-specific details in the message field. Network monitoring tools can also help identify which processes are attempting the failed connections.

Can Event ID 36887 affect Active Directory and domain operations?

Yes, Event ID 36887 can significantly impact Active Directory operations, particularly LDAPS connections between domain controllers, certificate-based authentication, and secure replication. When domain controllers have certificate issues, you may experience authentication failures, replication problems, and Group Policy application issues. Exchange Server mail flow can also be affected if certificate validation fails. Monitor the Directory Service log alongside System logs and ensure domain controller certificates are valid and properly configured.

What's the difference between Event ID 36887 and other Schannel events like 36888?

Event ID 36887 specifically indicates TLS connection failures or certificate validation errors, while Event ID 36888 typically represents successful TLS connections or different types of Schannel operations. Event ID 36874 and 36875 relate to TLS handshake stages and cipher suite negotiations. Each event provides different diagnostic information: 36887 focuses on failures with detailed error codes, while others may indicate successful operations or different failure types. Always examine the complete event message to understand the specific scenario.

How do I prevent Event ID 36887 from recurring in my environment?

Prevent recurring Event ID 36887 by implementing proactive certificate management: monitor certificate expiration dates using PowerShell scripts or certificate management tools, ensure proper certificate chain installation including intermediate certificates, configure automatic certificate renewal where possible, and maintain updated root certificate stores. Establish TLS protocol standards across your environment, regularly audit certificate stores, and implement monitoring alerts for certificate-related events. Consider using enterprise certificate management solutions for large environments to automate certificate lifecycle management.
