diff --git a/dlls/rsaenh/rsaenh.c b/dlls/rsaenh/rsaenh.c
index 5f67589f870..0acf4c7b143 100644
--- a/dlls/rsaenh/rsaenh.c
+++ b/dlls/rsaenh/rsaenh.c
@@ -3923,6 +3923,12 @@ BOOL WINAPI RSAENH_CPDeriveKey(HCRYPTPROV hProv, ALG_ID Algid, HCRYPTHASH hBaseD
             {
                 /* See RFC 2246, chapter 6.3 Key calculation */
                 case CALG_SCHANNEL_ENC_KEY:
+                    if (!pMasterKey->siSChannelInfo.saEncAlg.Algid ||
+                        !pMasterKey->siSChannelInfo.saEncAlg.cBits)
+                    {
+                        SetLastError(NTE_BAD_FLAGS);
+                        return FALSE;
+                    }
                     *phKey = new_key(hProv, pMasterKey->siSChannelInfo.saEncAlg.Algid, 
                                      MAKELONG(LOWORD(dwFlags),pMasterKey->siSChannelInfo.saEncAlg.cBits),
                                      &pCryptKey);
diff --git a/dlls/rsaenh/tests/rsaenh.c b/dlls/rsaenh/tests/rsaenh.c
index 0476275e4e0..6b0faebec45 100644
--- a/dlls/rsaenh/tests/rsaenh.c
+++ b/dlls/rsaenh/tests/rsaenh.c
@@ -2371,7 +2371,6 @@ static void test_schannel_provider(void)
      * succeed before the encryption key algorithm is set.
      */
     result = CryptDeriveKey(hProv, CALG_SCHANNEL_ENC_KEY, hMasterHash, CRYPT_SERVER, &hServerWriteKey);
-    todo_wine
     ok (!result && GetLastError() == NTE_BAD_FLAGS,
         "expected NTE_BAD_FLAGS, got %08x\n", GetLastError());