The fastest solution is to update Windows 8.1 to enable TLS 1.2 support and disable outdated SSL/TLS protocols. Run Windows Update, then configure TLS settings through the registry to resolve handshake failures with modern secure servers.
Fix Guide36887Schannel TLS
Fix Schannel TLS Error 36887 – Windows 8.1 2026
Schannel Event ID 36887 indicates a TLS fatal alert code 40 (handshake failure) on Windows 8.1, typically caused by outdated TLS protocols, certificate issues, or cipher suite mismatches.
Emanuel DE ALMEIDA 36887Schannel TLS 5 methods 12 min
Instant Solution
Understanding Schannel Event ID 36887
Schannel Event ID 36887 represents a critical TLS handshake failure that became particularly common on Windows 8.1 systems. This error occurs when the Secure Channel (Schannel) security support provider receives a fatal alert code 40 from a remote server, indicating a handshake failure during TLS negotiation.
The root cause typically stems from Windows 8.1's default configuration, which prioritizes older TLS 1.0 and 1.1 protocols while many modern servers have disabled these protocols in favor of TLS 1.2 and newer versions. When a Windows 8.1 client attempts to establish a secure connection using an outdated protocol, the server responds with a fatal alert, triggering Event ID 36887.
This issue became more prevalent after 2020 when major web services and security standards organizations deprecated TLS 1.0 and 1.1 due to security vulnerabilities. Windows 8.1 users began experiencing widespread connection failures to banking sites, cloud services, and other secure web applications. The problem is compounded by Windows 8.1's limited update support, which ended in January 2023, leaving many systems without automatic TLS protocol updates.
Related: Fix Windows Event Log Error 36887 – Windows 10/11 2026
Related: Fix Windows Update Error 0x80070005 – Windows 10/11 2026
Related: Fix Windows Error 0x8024000C – Windows 10, Windows 11 2026
Related: Fix Windows Error 0x80D03001 – Windows 10, Windows 11 2026
Diagnostic
Symptoms
- Event ID 36887 appears repeatedly in System Event Log
- Error message: "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40"
- Web browsers fail to connect to HTTPS websites
- Applications using secure connections experience intermittent failures
- SSL/TLS handshake timeouts when connecting to secure services
- Certificate validation errors in network applications
Analysis
Root Causes
- Windows 8.1 defaulting to outdated TLS 1.0/1.1 protocols while servers require TLS 1.2+
- Disabled or misconfigured TLS 1.2 support in the registry
- Cipher suite mismatches between client and server
- Outdated or corrupted certificate stores
- Third-party security software interfering with TLS handshakes
- Missing Windows updates that include TLS protocol improvements
- Incorrect system date/time causing certificate validation failures
Resolution Methods
Solutions
01
Enable TLS 1.2 Support via Registry
Windows 8.1 requires manual registry configuration to enable TLS 1.2 by default. This method updates the Schannel configuration to support modern TLS protocols.
Warning: Back up your registry before making changes. Incorrect modifications can cause system instability.
- Press Windows + R, type
regedit, and press Enter - Navigate to
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols - Right-click Protocols → New → Key, name it
TLS 1.2 - Right-click TLS 1.2 → New → Key, name it
Client - Right-click Client → New → DWORD (32-bit) Value, name it
Enabled - Double-click
Enabled, set Value data to1, click OK - Create another DWORD named
DisabledByDefault, set value to0 - Repeat steps 4-7 for a
Serverkey underTLS 1.2 - Restart the computer to apply changes
Verification: Run netsh winhttp show advproxy and check that TLS 1.2 connections work by testing HTTPS sites.
02
Install Windows 8.1 TLS Updates
Microsoft released specific updates for Windows 8.1 to improve TLS support and fix Schannel issues. Install these critical updates to resolve protocol compatibility problems.
- Press Windows + I to open PC Settings
- Click Update and recovery → Windows Update
- Click Check for updates and wait for the scan to complete
- Install all available updates, particularly security updates
- Download and install KB3140245 (Easy Fix for TLS 1.2) from Microsoft Update Catalog if not automatically installed
- Open Control Panel → Programs → View installed updates
- Verify that KB3140245 and other TLS-related updates are installed
- Restart the computer after all updates are installed
Alternative PowerShell method:
Get-WUInstall -AcceptAll -AutoReboot
Get-HotFix | Where-Object {$_.HotFixID -like "*3140245*"}Verification: Check Windows Update history and run systeminfo to confirm installed hotfixes include TLS improvements.
03
Reset Schannel Configuration
Corrupted Schannel settings can cause persistent TLS errors. This method resets the Schannel configuration to default values and rebuilds the certificate store.
- Open Command Prompt as Administrator
- Stop dependent services:
net stop http
net stop cryptsvc
net stop bits- Clear the Schannel event cache:
certlm.msc- In Certificate Manager, expand Personal → Certificates
- Delete any expired or invalid certificates
- Navigate to Trusted Root Certification Authorities → Certificates
- Right-click in the certificate list → All Tasks → Import
- Import the latest root certificates from Windows Update
- Reset Winsock and TCP/IP stack:
netsh winsock reset
netsh int ip reset
ipconfig /flushdns- Restart the services:
net start cryptsvc
net start bits
net start http- Reboot the system
Verification: Check Event Viewer for new Schannel errors and test HTTPS connections to verify TLS handshakes complete successfully.
04
Configure Cipher Suites and Protocols
Fine-tune the available cipher suites and disable insecure protocols to ensure compatibility with modern servers while maintaining security.
- Open Group Policy Editor by pressing Windows + R, typing
gpedit.msc - Navigate to Computer Configuration → Administrative Templates → Network → SSL Configuration Settings
- Double-click SSL Cipher Suite Order
- Select Enabled and configure the cipher suite list:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256- Click OK and close Group Policy Editor
- Open Registry Editor and navigate to:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols- Disable SSL 2.0 and SSL 3.0 by creating keys and setting
Enabledto0 - Ensure TLS 1.0, 1.1, and 1.2 are properly configured
- Apply Group Policy changes:
gpupdate /force- Restart the computer
Verification: Use nmap --script ssl-enum-ciphers -p 443 target.com to verify cipher suite configuration and test connections to various HTTPS endpoints.
05
Advanced Schannel Debugging and Repair
For persistent issues, enable detailed Schannel logging and perform comprehensive system repairs to identify and resolve underlying problems.
- Enable Schannel event logging in the registry:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL- Create DWORD
EventLoggingwith value7for maximum verbosity - Run System File Checker and DISM repairs:
sfc /scannow
Dism /Online /Cleanup-Image /CheckHealth
Dism /Online /Cleanup-Image /ScanHealth
Dism /Online /Cleanup-Image /RestoreHealth- Check for corrupted system files and repair them
- Reset Windows Update components:
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver- Rebuild the certificate store completely:
certlm.msc- Export important certificates, delete all certificates, then re-import from Windows Update
- Test with specific TLS versions using PowerShell:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://www.microsoft.com" -UseBasicParsing- Monitor Event Viewer for detailed Schannel logs to identify specific failure points
- If issues persist, consider upgrading to Windows 10/11 for better TLS support
Verification: Review detailed Schannel logs in Event Viewer and confirm that TLS 1.2 connections work consistently across multiple secure websites and applications.
Validation
Verification
To confirm the fix worked, perform these verification steps:
- Open Event Viewer and check the System log for new Schannel Event ID 36887 errors - they should stop appearing
- Test HTTPS connections using PowerShell:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://www.google.com" -UseBasicParsing- Verify TLS protocol support using the command:
netsh winhttp show advproxy- Check registry settings to confirm TLS 1.2 is enabled at
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client - Test secure connections in web browsers and verify no certificate errors occur
- Monitor system performance to ensure the changes haven't negatively impacted other network operations
If it still fails
Advanced Troubleshooting
If the above methods didn't resolve Event ID 36887, try these advanced troubleshooting steps:
Check for third-party interference: Temporarily disable antivirus software, firewalls, and VPN clients that might intercept TLS traffic. Some security software can interfere with Schannel operations.
Hardware-related issues: Update network adapter drivers and check for firmware updates. Some older network hardware may have compatibility issues with modern TLS implementations.
Time synchronization: Ensure system time is accurate by running w32tm /resync. Certificate validation failures often occur when system time is incorrect.
Application-specific problems: If only certain applications trigger the error, check their TLS configuration settings. Some legacy applications may need specific compatibility settings.
Network infrastructure: Work with network administrators to verify that firewalls, proxies, and load balancers support TLS 1.2 and aren't blocking specific cipher suites.
Consider upgrading: Windows 8.1 reached end of support in January 2023. For the best TLS support and security, consider upgrading to Windows 10 or Windows 11, which have native TLS 1.3 support and better Schannel implementations.
Frequently Asked Questions
What does TLS fatal alert code 40 mean in Event ID 36887?+
TLS fatal alert code 40 indicates a handshake failure during the TLS negotiation process. This occurs when the client and server cannot agree on a mutually supported TLS version, cipher suite, or certificate validation fails. In Windows 8.1, this typically happens when the system attempts to use TLS 1.0 or 1.1 to connect to servers that only accept TLS 1.2 or higher. The server sends alert code 40 to terminate the connection, which Schannel logs as Event ID 36887.
Why does this error only appear on Windows 8.1 and not newer Windows versions?+
Windows 8.1 was released in 2013 when TLS 1.0 and 1.1 were still widely accepted. By default, Windows 8.1 prioritizes these older protocols and requires manual configuration to enable TLS 1.2. Windows 10 and later versions have TLS 1.2 enabled by default and include automatic updates for TLS protocol improvements. Additionally, Windows 8.1 reached end of support in January 2023, meaning it no longer receives security updates that would automatically resolve TLS compatibility issues.
Can I safely disable SSL 2.0 and SSL 3.0 to fix this error?+
Yes, disabling SSL 2.0 and SSL 3.0 is not only safe but recommended for security reasons. These protocols have known vulnerabilities and are no longer used by modern web services. Disabling them forces Windows 8.1 to use TLS protocols, which can help resolve Event ID 36887. However, you must also ensure TLS 1.2 is properly enabled, or you may experience connection failures to sites that have disabled TLS 1.0 and 1.1. The registry modifications in Method 4 show how to safely disable these obsolete protocols.
Will enabling TLS 1.2 affect the performance of my Windows 8.1 system?+
Enabling TLS 1.2 on Windows 8.1 may have a minimal impact on system performance due to the additional cryptographic processing required for stronger encryption algorithms. However, this impact is negligible on modern hardware and is outweighed by the security benefits and compatibility improvements. TLS 1.2 uses more efficient cipher suites than older protocols, which can actually improve performance in some scenarios. The main consideration is ensuring your system has sufficient processing power for the encryption overhead, which is rarely an issue on systems capable of running Windows 8.1.
What should I do if Event ID 36887 persists after trying all the solutions?+
If Event ID 36887 continues after implementing all solutions, the issue may be related to network infrastructure, third-party software interference, or hardware limitations. First, test connections from a different network to rule out firewall or proxy issues. Check if specific applications trigger the error and contact their vendors for Windows 8.1 compatibility updates. Consider using network monitoring tools like Wireshark to analyze the TLS handshake process and identify where it fails. Ultimately, upgrading to Windows 10 or 11 provides the most comprehensive solution, as these systems have native support for modern TLS protocols and ongoing security updates.
Written by
Emanuel DE ALMEIDA
Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
Further Intelligence
Deepen your knowledge with related resources
Discussion
Share your thoughts and insights
You must be logged in to comment.
Loading comments...