Preparing for Extended Protection

Exchange Server 15.0 = 2013, 15.1 = 2016, and 15.2 = 2019

Confirm if any of the registry values are present:

(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" | FL }}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" | FL }}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" | FL }}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" | FL }}

Check the Registry DWORDs (WhatIf):

(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "DWORD" -WhatIf}}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "DWORD" -WhatIf}}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "DWORD" -WhatIf}}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "DWORD" -WhatIf}}

Add the Registry DWORDs:

(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "DWORD"}}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "DWORD" }}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "DWORD"}}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {New-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "DWORD"}}

Confirm that the registry values are there:

(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" | FL }}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" | FL }}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" | FL }}
(Get-ExchangeServer | sort name | ?{$_.Admindisplayversion -like "*15.2*"}).name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" | FL }}

LINKS:

https://docs.microsoft.com/en-us/Exchange/exchange-tls-configuration?view=exchserver-2016#enable-tls-12-for-net-4x

https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

https://microsoft.github.io/CSS-Exchange/Security/ExchangeExtendedProtectionManagement/

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862

Action required if you have Public Folders in your environment:
https://support.microsoft.com/en-us/topic/extended-protection-doesn-t-support-public-folder-client-permissions-management-through-outlook-bd2037b5-40e0-413a-b368-746b3f5439ee

Share this: