Error: "SCHANNEL 1203, EventID 36888" Errors Flooding System Event Logs

Version 5

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x, Endpoint Manager 2018.x


    SCHANNEL 1203 errors are filling the system event logs. AMT/vPro is not configured and there are no cert issues on your IEM core server.


    The following fatal alert was generated: 10. The internal error state is 1203.


    Some of the details are:

    - System
      - Provider
        [Name]  Schannel
        [Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
        EventID 36888


    There are additional details that are not relevant to this article.




    The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging value is set to "1" (0x0001), which is "Log Error Messages".


    The problem with this is that any non-SSL request coming into the IIS HTTPS site causes SCHANNEL to log an error. You can replicate this by connecting to port 443 on the core server with telnet and then typing some characters.




    Change the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging value to "0" (zero, 0x0000), which is "Do Not Log".


    Logging Registry Values

    0x0000 Do not log
    0x0001 Log error messages
    0x0002 Log warnings
    0x0004 Log informational and success events


    Schannel event logging is useful for troubleshooting certificate issues and 403 failures in your IIS logs, but leaving it on continuously creates unnecessary noise in the System Event Logs.
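
The check-then-change procedure described above, as an added PowerShell example (not from the original article): it decodes the current EventLogging bit flags, counts recent Schannel 36888 events so the noise is measured first, and writes 0 only when run with -Apply. The -Apply and -Hours parameters and the 24-hour default are this example's own assumptions.

```powershell
# Added example, not part of the original article. Run from an elevated session.
# -Apply and -Hours are this script's own parameters; without -Apply it only reports.
param([switch]$Apply, [int]$Hours = 24)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'EventLogging'

# Bit flags from the "Logging Registry Values" table in the article.
$flags = @(
    @{ Bit = 0x0001; Meaning = 'Log error messages' },
    @{ Bit = 0x0002; Meaning = 'Log warnings' },
    @{ Bit = 0x0004; Meaning = 'Log informational and success events' }
)

# Read and decode the current setting.
$current = $null
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output "$name is not set under $key"
} else {
    $current = [int]$prop.$name
    $active  = @($flags | Where-Object { $current -band $_.Bit } |
                 ForEach-Object { $_.Meaning })
    if ($active.Count -eq 0) { $active = @('Do not log') }
    Write-Output ('{0} = 0x{1:X4} ({2})' -f $name, $current, ($active -join ', '))
}

# Measure the noise: Schannel event 36888 in the System log, grouped by message
# text so the dominant alert code and error state are visible before logging
# is turned off.
$found = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36888
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue)
Write-Output "Event 36888 count in the last $Hours hour(s): $($found.Count)"
$found | Group-Object -Property Message | Sort-Object -Property Count -Descending |
    Select-Object -First 5 -Property Count, Name | Format-List

if ($Apply) {
    # Print the previous value so it can be restored for a later troubleshooting session.
    Write-Output "Previous value: $current. Setting $name to 0 (Do not log)."
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
}
```

Because the previous value is printed before the write, the same Set-ItemProperty call can restore it when certificate or 403 troubleshooting needs the events back.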


    How to enable SCHANNEL event logging:


    Windows System Event Log flooded with SCHANNEL 1203 events:

    Windows Server Logs Flooded with SChannel events | Tritone Consultants