[English]Microsoft plans soonto switch off the encryption methods TLS 1.0 and 1.1 still used by default in the Schannel protocol (starts in September 2023 with Windows 11 Insider Builds). Therefore, a quick note for administrators in enterprise environments: It might be helpful to enable Schannel event logging for monitoring. If not known, Microsoft has published a separate support post on this topic.
Advertising
Enable Schannel Event Logging for Monitoring
I became aware of the issue the other day on Twitter via the following post by Thorsten. Microsoft has already documented the whole thing in March 2022 in the support article Enable Schannel event logging in Windows and Windows Server.
It states: If you enable Schannel event logging on a computer that is running one of the Windows versions listed in the "Applies to" section of this article, detailed information from Schannel events can be written to the Event Viewer logs, specifically the System Event Log. This article describes how to enable and configure Schannel event logging.
The whole thing is supposed to apply to Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, but I assume it also covers Windows 11 and Windows Server 2022. To enable logging navigate to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
and add the 32-bit DWORD value EventLogging. Then the following values can be assigned to the new EventLogging entry:
Advertising
der 32-Bit-DWORD-Wert EventLogging einzutragen. Dann lassen sich dem neuen Eintrag EventLogging folgende Werte zuweisen:
- 0x0000: Do not log
- 0x0001: Log error messages
- 0x0002: Log warnings
- 0x0003: Log warnings and error messages
- 0x0004: Log informational and success events
- 0x0005: Log informational, success events and error messages
- 0x0006: Log informational, success events and warnings
- 0x0007: Log informational, success events, warnings, and error messages (all log levels)
Microsoft points out in the article that manipulating the registry is at your own risk – but that should not be a problem for experienced administrators. The question of why you might want to enable event logging for Schannel comes indirectly from the blog post Windows: Microsoft intends to disable TLS 1.0 and 1.1 soon by default in Schannel protocol. Event logging can be used to see if there are issues with applications when TLS 1.0/1.1 is disabled (can also be done via tool or registry).
Advertising