Server 2022 SChannel and Cipher suites not sticking

Dave K 0 Reputation points
2025-04-17T03:15:39.1366667+00:00

I have two machines that I just upgraded from Server 2012R2 to 2019 and then to 2022. They only run IIS and a handful of web sites, so nothing complicated.

One server is behaving perfectly - after the upgrade, I ran IISCrypto to apply best practices, everything worked fine and we haven't seen any issues with that server.

The other one was upgraded in EXACTLY the same way, no issues seemed to crop up, but then we found out one of the apps wasn't working right. Tracked it down to what seemed to be a cipher issue, where it couldn't agree with another server on a cipher. Came to find out that when we ran IISCrypto on it to apply best practices, on reboot, those changes would revert. After some more digging, it seems that when group policies refresh, it reverts (make change with IISCrypto, then run gpupdate /force and the changes are reverted). After even more research, I found that when the machine can't contact the domain, the changes stick, but as soon as the machine boots up and applies GPOs, the settings are reverted. We also did test the functionality that is broken on the affected server on the one that is behaving and it worked fine there.

The real head scratcher here is both machines are in the same AD container (Computers), so the same exact group policies apply to both. So I can't see how one machine (Well, actually two, as a third web server was upgraded in the same manner but isn't in live use) is behaving as expected, while another, that is in the same container with the same policies applied to it is reverting these changes, apparently with GPO refreshes.

There are no GPOs in place that affect the registry or SChannel/Ciphers, and even if there was one, it would affect all three the same, not just one of them.

At this point, unless I can find an actual answer, we'll probably end up moving the sites over to the server that's not in production use and make it live, retiring the 'problem child', but this one really has me scratching my head.

Does anyone have any thoughts as to why this one machine is misbehaving in this manner?


1 answer

  1. Hoang Phan0701 75 Reputation points Independent Advisor
    2025-08-11T07:36:02.8133333+00:00

    Dear Dave K,

    My name is Hoang Phan, and I understand that you have a query concerning SChannel and cipher suites.

    From my understanding, you have identified that the issue may be related to Group Policy. Below are my suggestions for investigating further:

    1. Compare GPReport
      • On both a working and a non-working machine, open cmd as administrator
      • Run gpresult /h report.html
      • Review and compare the reports to check for any Group Policy Objects (GPOs) related to cipher suites
    2. Check local group policy settings
      • Open Group Policy Editor (gpedit.msc)
      • Navigate to Computer Configuration\Administrative Templates\Network\SSL Configuration Settings
      • Review the SSL Cipher Suite Order setting and confirm whether it is configured
    3. Check Registry Key
      • Open Registry Editor (regedit)
      • Navigate to this key: HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
      • In some cases, the setting may be configured locally, or the registry key may exist even when no GPO is applied.
      • If this is the case, remove the local GPO and/or delete the registry key, then perform a clean boot of the server.
    4. If the Issue Persists

    I hope this information proves helpful. Please don’t hesitate to reach out if you need further clarification—I’ll be happy to assist 🙂

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Best regards,

    Hoang Phan

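To make the comparison in steps 1 to 3 of the answer above repeatable, here is an added PowerShell snapshot script (it is not part of the original answer and not a Microsoft or IIS Crypto tool). It reads the cipher suite order from the Group Policy location the answer names (`HKLM\SOFTWARE\Policies\...\SSL\00010002`) and from the equivalent local location, dumps the SCHANNEL protocol and cipher keys, and records the cipher suites the host actually offers. Run it on the working and the misbehaving server, then diff the two JSON files; a `Functions` value under the `Policies` hive is the kind of value that Group Policy rewrites on refresh, whereas the local key and the SCHANNEL keys are not policy-managed. The key paths are the standard Windows locations; `Get-TlsCipherSuite` requires Windows Server 2016 or later, and the output file name is an assumed example.

```powershell
# Added example (not from the original answer): snapshot where this host's
# TLS cipher suite order and SCHANNEL settings come from, for side-by-side
# comparison of two servers. Run in an elevated PowerShell session.

# Policy-managed location (written by the "SSL Cipher Suite Order" GPO setting
# and rewritten on every Group Policy refresh if a GPO defines it).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Local, non-policy location for the same setting.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# Per-protocol / per-cipher enable-disable switches.
$Schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-CipherOrderSource {
    # Returns the configured cipher suite list from each location, or $null
    # when the key or its Functions value is absent.
    $sources = [ordered]@{ Policy = $PolicyKey; Local = $LocalKey }
    $result  = [ordered]@{}
    foreach ($name in $sources.Keys) {
        $item = Get-ItemProperty -Path $sources[$name] -Name Functions -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            # The policy value is a comma-separated REG_SZ; the local value is a
            # REG_MULTI_SZ. Splitting on commas normalises both to one array.
            $result[$name] = @($item.Functions -split ',' | Where-Object { $_ -ne '' })
        } else {
            $result[$name] = $null
        }
    }
    return $result
}

function Get-SchannelState {
    # Enumerates Enabled / DisabledByDefault under Protocols, Ciphers, Hashes
    # and KeyExchangeAlgorithms so the two hosts can be compared key by key.
    foreach ($section in 'Protocols', 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms') {
        $base = Join-Path $Schannel $section
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base -Recurse | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Section           = $section
                Key               = ($_.PSPath -replace '^.*SCHANNEL\\', '')
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

function Get-TlsSnapshot {
    # Bundles everything into one object; the effective list comes from the
    # OS itself, so it reflects whichever source actually won.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Collected         = (Get-Date).ToString('o')
        CipherOrderSource = Get-CipherOrderSource
        SchannelKeys      = @(Get-SchannelState)
        EffectiveSuites   = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    }
}

# Write the snapshot; the file name is an assumed example.
$snapshot = Get-TlsSnapshot
$outFile  = "tls-snapshot-$($env:COMPUTERNAME).json"
$snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding UTF8

# Quick on-screen summary of which location defines the order.
$src = $snapshot.CipherOrderSource
Write-Host "Policy key Functions present : $($null -ne $src.Policy)"
Write-Host "Local key Functions present  : $($null -ne $src.Local)"
Write-Host "Effective suites offered     : $($snapshot.EffectiveSuites.Count)"
Write-Host "Snapshot written to          : $outFile"

# On a workstation with both files, compare the effective suite lists:
#   $a = Get-Content tls-snapshot-GOOD.json | ConvertFrom-Json
#   $b = Get-Content tls-snapshot-BAD.json  | ConvertFrom-Json
#   Compare-Object $a.EffectiveSuites $b.EffectiveSuites
```

If the misbehaving server shows a `Functions` value under the `Policies` key while the working one does not, the next place to look is the `gpresult /h` report from step 1, since only Group Policy processing normally populates that hive; a value that reappears after `gpupdate /force` has, by definition, a policy source that `gpresult` should name.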
