Recently I did a reinstallation of my laptop, and chose to get the latest and greatest Windows 11. While trying to install a Sitecore 9.1 environment using SIF, I ran into an issue where the Marketing Automation Service wouldn’t start, and where I couldn’t open XConnect using my browsers. This issue apparently also occurs on later Sitecore versions, however I advise you to run Sitecore in containers when that is supported for your Sitecore version.
The errors
You might see one or more of the following errors when opening XConnect or IdentityServer in your browser:
- SEC_ERROR_INADEQUATE_KEY_USAGE
- SEC_ERROR_BAD_SIGNATURE
In your Sitecore logs you might see the following error:
- Sitecore.XConnect.XdbCollectionUnavailableException: An error occurred while sending the request.
The solution
Windows 11 with IIS introduces TLS 1.3, which apparently breaks functionality with XConnect, causing installations to fail and XConnect to be unreachable. To solve this, you can disable TLS 1.3 on the binding of your XConnect website in IIS as follows:
- Open IIS Manager
- Go to your XConnect website
- Click on Bindings
- Open the SSL (https) binding
- Check the checkbox that states “Disable TLS 1.3 over TCP”

Make sure when your installation through SIF is running, that you refresh IIS, and as soon as you see XConnect and the HTTPS binding that you disable the TLS 1.3 option. This has to be done at least before SIF tries to start the Marketing Automation Service.
Execute the same change for your IdentityServer and other apps, as otherwise you may get issues when opening them in your browser.
Disable TLS 1.3 for IIS system wide
If you want to disable TLS 1.3 for your entire system, execute the following powershell. The steps as shown above are no longer needed.
New-Item ` 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' ` -Force | Out-Null New-ItemProperty ` -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' ` -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null New-ItemProperty ` -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' ` -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
My man! I was running into this issue for a while but now I’m able to do a clean install. Thanks mate!
Faced this issue too and this fixed it. Thanks for the clear diagnosis and explanation.
I’m new to the world of Sitecore and lost about a day with this issue. Thank you for publishing the solution, Maarten! I didn’t consider that Windows 11 might be the problem!