A Fatal Error Occurred While Creating a TLS Client Credential. The Internal Error State is 10013 Error Fix

I’ve created restrictions on our client devices so that they are only allowed to use TLS 1.2. Now in Event Viewer I see tons of error messages: “A fatal error occurred while creating a TLS client credential. The internal error state is 10013.”

✅ Recommended Fixes

1. Enable TLS Protocols in Internet Properties

Temporarily re-enabling TLS 1.0 and 1.1 can help isolate the issue:

  1. Run inetcpl.cpl

  2. Open the Advanced tab

  3. Under the Security section, enable:

    • TLS 1.0

    • TLS 1.1

    • TLS 1.2 and optionally TLS 1.3

  4. Apply changes and reboot.


2. Enable TLS 1.2 / 1.3 via Registry

Ensure the OS supports modern protocols correctly and disables obsolete ones:

  • Open regedit and navigate to:

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  • Make sure TLS 1.2 (and TLS 1.3, on systems that support it) has the following subkeys and values:

    [Protocol]\Client
    DisabledByDefault = DWORD 0
    Enabled = DWORD 1
    [Protocol]\Server (if relevant)
    DisabledByDefault = DWORD 0
    Enabled = DWORD 1

  • If not present, create the keys manually. Reboot afterwards.


3. Enable .NET to Use System Default TLS Versions

Many applications built on .NET still default to older protocols unless configured:

  • Add or update these registry keys:

    HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    SystemDefaultTlsVersions = DWORD 1
    SchUseStrongCrypto = DWORD 1
    HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
    SystemDefaultTlsVersions = DWORD 1
    SchUseStrongCrypto = DWORD 1

  • Also apply to .NET 2.0/3.5 if required. Reboot to apply.
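
The following read-only audit script is an added example, not part of the original article: it reads the Schannel protocol keys from step 2 and the .NET keys from step 3 and reports the effective state of each protocol version according to the Enabled/DisabledByDefault rules, so you can see at a glance which versions a client or server on this machine can actually use before and after a change.

```powershell
# Added example (not from the original article): read-only audit of the
# Schannel protocol keys and the .NET 4.x keys described above. It prints the
# effective state of each protocol version using the Enabled/DisabledByDefault
# semantics. Run in PowerShell 5.1 or later; it changes nothing.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the OS default applies
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-EffectiveState {
    param($Enabled, $DisabledByDefault)
    # Enabled=0 blocks the version even when an app requests it; Enabled<>0 with
    # DisabledByDefault=1 means "only if the app asks"; both undefined = OS default.
    if ($Enabled -eq 0)                                       { return 'Blocked' }
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'OS default' }
    if ($DisabledByDefault -eq 1)                             { return 'Only when explicitly requested' }
    return 'Available by default'
}

$schannel = foreach ($p in $protocols) {
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path $base "$p\$side"
        $en   = Get-RegDword -Path $path -Name 'Enabled'
        $dbd  = Get-RegDword -Path $path -Name 'DisabledByDefault'
        [pscustomobject]@{
            Protocol          = $p
            Side              = $side
            Enabled           = if ($null -eq $en)  { '(undefined)' } else { $en }
            DisabledByDefault = if ($null -eq $dbd) { '(undefined)' } else { $dbd }
            Effective         = Get-EffectiveState $en $dbd
        }
    }
}
$schannel | Format-Table -AutoSize

# .NET Framework 4.x: the 64-bit and the WOW6432Node hive should both be set
$dotnet = foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    [pscustomobject]@{
        Path                     = $net
        SystemDefaultTlsVersions = Get-RegDword -Path $net -Name 'SystemDefaultTlsVersions'
        SchUseStrongCrypto       = Get-RegDword -Path $net -Name 'SchUseStrongCrypto'
    }
}
$dotnet | Format-Table -AutoSize
```

A blank SystemDefaultTlsVersions or SchUseStrongCrypto column means the value is not defined in that hive, which is exactly the condition step 3 addresses.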


4. Use IIS Crypto Tool (GUI Alternative)

If you’re uncomfortable editing the registry:

  • Download and run IIS Crypto from Nartac Software.

  • Click Best Practices to configure TLS protocols and cipher suites automatically.

  • Reboot afterward.


5. Reset NTFS Permissions for MachineKeys (Advanced Issue)

On some Windows 11/10 systems, improper permissions or ghost profiles in:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

can cause TLS credentials to fail. Resetting permissions may resolve persistent errors:

icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /reset /t /c /l

6. Identify the Faulty Process (If Errors Persist)

  • Open Event Viewer, filter the System log for source Schannel and Event ID 36871, and read the PID from the event details.

  • Match the PID in Task Manager → Details to see which app triggered the error.

  • Some users resolved it by logging out of the Mail & Calendar app, which was the process triggering the error in their case.
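
The PID lookup described above can be automated. This script is an added example, not part of the original article: it pulls the last 24 hours of Schannel 36871 events from the System log and maps each one to a running process. It assumes the ProcessID recorded in the event's System/Execution element is the process that requested the credential, and, because Windows reuses PIDs, it only reports a match when that process was already running at the time the event was written.

```powershell
# Added example (not from the original article): list recent Schannel 36871
# events and map each to the process that raised it. Assumption: the PID in
# the event's System/Execution element is the caller.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36871
    StartTime    = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $procId = [int]$xml.Event.System.Execution.ProcessID
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $live   = $false
    if ($proc) {
        # StartTime is inaccessible for some protected processes; treat that as unknown.
        # A process started after the event means the PID has been reused.
        try { $live = $proc.StartTime -lt $_.TimeCreated } catch { $live = $false }
    }
    $state = if ($_.Message -match 'internal error state is (\d+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        PID        = $procId
        Process    = if ($live) { $proc.ProcessName } else { '(exited or PID reused)' }
        Path       = if ($live) { $proc.Path } else { $null }
        ErrorState = $state
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it elevated so that Path and StartTime can be read for services; a process that shows up repeatedly with state 10013 is the one whose TLS configuration (step 3 for .NET applications) needs attention.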

Enable TLS 1.2 for Schannel

All Windows Server versions

TLS protocols are enabled or disabled in Windows Schannel by editing the Windows Registry. Each protocol version can be enabled or disabled independently. You don’t need to enable or disable one protocol version to enable or disable another protocol version.

The Enabled DWORD registry value defines whether the protocol version can be used. If the value is set to 0, the protocol version cannot be used, even if it is enabled by default or if the application explicitly requests that protocol version. If the value is set to 1, the protocol version can be used if enabled by default or if the application explicitly requests that protocol version. If the value is not defined, the operating system’s default value will be used. We recommend configuring the value to have a consistent state across your servers.

The DisabledByDefault DWORD registry value defines whether the protocol version is used by default. This setting only applies when the application doesn’t explicitly request the protocol versions to be used. If the value is set to 0, the protocol version will be available for use by default. If the value is set to 1, the protocol version will not be available for use by default. If the value is not defined, the operating system’s default value will be used.


We recommend configuring the value to have a consistent state across your servers. For example, consider what would happen if TLS 1.2’s values were set to a combination of Enabled and DisabledByDefault both set to a value of 1. In this example an application could only use TLS 1.2 if the application specifically called for TLS 1.2. If the application did not specifically call for TLS 1.2, then it would not be able to use TLS 1.2: even though the protocol is enabled, it is not in the default list of available protocols. To enable TLS 1.2 for both server (inbound) and client (outbound) connections on an Exchange Server, perform the following.

  1. From Notepad.exe, create a text file named TLS12-Enable.reg.
  2. Copy and paste the following text into the file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

  3. Save TLS12-Enable.reg.
  4. Double-click the TLS12-Enable.reg file.
  5. Click Yes to update your Windows Registry with these changes.
  6. Restart the machine for the changes to take effect.

Enable TLS 1.2 for .NET 4.x

This step is only required for Exchange Server 2013 or later installations where .NET 4.x is relied upon. The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 4.x. If the value is set to 1, then .NET Framework 4.x will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0. By configuring .NET Framework 4.x to inherit its values from Schannel we gain the ability to use the latest versions of TLS supported by the OS, including TLS 1.2.

  1. From Notepad.exe, create a text file named NET4X-UseSchannelDefaults.reg.
  2. Copy, and then paste the following text.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

  3. Save the NET4X-UseSchannelDefaults.reg file.
  4. Double-click the NET4X-UseSchannelDefaults.reg file.
  5. Click Yes to update your Windows Registry with these changes.
  6. Restart your computer for the change to take effect.
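
After the reboot, the result of both procedures (the Schannel keys and the .NET SystemDefaultTlsVersions value) can be checked from a single .NET 4.x client. The script below is an added example, not part of the original article or of Microsoft's guidance: it opens a TLS connection with SslStream without naming a protocol version, so whatever is negotiated reflects the system defaults the registry now defines. The host name is a placeholder; replace it with the server you want to test.

```powershell
# Added example (not from the original article): verify what a .NET 4.x
# client negotiates under the current Schannel and .NET defaults.
# $target is a placeholder value; replace it with a real server.
$target = 'exchange.example.invalid'
$port   = 443

# The process-wide default this PowerShell (.NET 4.x) session will use.
# 'SystemDefault' means the process is deferring to the Schannel settings.
"Process default SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($target, $port)
    # Default certificate validation is kept: a certificate error fails the handshake
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    # No SslProtocols argument, so the system default protocol list is used
    $ssl.AuthenticateAsClient($target)
    [pscustomobject]@{
        Target          = "$target`:$port"
        Protocol        = $ssl.SslProtocol        # the version Schannel actually negotiated
        CipherAlgorithm = $ssl.CipherAlgorithm
        CipherStrength  = $ssl.CipherStrength
        Issuer          = $ssl.RemoteCertificate.Issuer
    }
    $ssl.Dispose()
} catch {
    "Handshake failed: $($_.Exception.GetBaseException().Message)"
} finally {
    $tcp.Dispose()
}
```

A handshake that fails here with the credential error from the title, while the audit of the registry keys looks correct, points at the MachineKeys permission problem described in fix 5 rather than at the protocol configuration.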
