14 June 2024

Exchange Server TLS configuration best practices - Enable TLS 1.2 with PowerShell

This documentation describes the required steps to properly configure (enable or disable) specific TLS versions on Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. The article also explains how to optimize the cipher suites and hashing algorithms used by TLS. If TLS isn't configured correctly, you may encounter various issues when interacting with Microsoft 365 or other systems that require a certain minimum TLS version.

Important

Read carefully as some of the steps described here can only be performed on specific operating systems or specific Exchange Server versions.
At the beginning of each section there is a matrix that shows whether a setting is supported or not and if it has already been pre-configured from a certain Exchange Server version.


Things to consider before disabling a TLS version

Tip

You can use the Exchange HealthChecker script to check the current TLS configuration of your Exchange server.

Please make sure that every application supports the TLS versions that remain enabled. Considerations include (but are not limited to):
  • Do your Domain Controllers and Global Catalog servers support, for example, a TLS 1.2 only configuration?
  • Do partner applications (such as, but not limited to, SharePoint, Lync, Skype for Business, etc.) support, for example, a TLS 1.2 only configuration?
  • Have you updated older Windows 7 desktops using Outlook to support TLS 1.2 over WinHTTP?
  • Do your load balancers support TLS 1.2 being used?
  • Do your desktop, mobile, and browser applications support TLS 1.2?
  • Do devices such as multi-function printers support TLS 1.2?
  • Do your third-party or custom in-house applications that integrate with Exchange Server or Microsoft 365 support a strong TLS implementation?

As such, we strongly recommend that any steps you take to transition to TLS 1.2 and away from older security protocols are first performed in a lab that simulates your production environment, before you slowly roll them out in production.

The steps used to disable a specific TLS version, as outlined below, apply to the following Exchange Server functionalities:
  • Simple Mail Transport Protocol (SMTP)
  • Outlook Client Connectivity (Outlook Anywhere / MAPI/HTTP)
  • Exchange Active Sync (EAS)
  • Outlook on the Web (OWA)
  • Exchange Admin Center (EAC) and Exchange Control Panel (ECP)
  • AutoDiscover
  • Exchange Web Services (EWS)
  • REST (Exchange Server 2016/2019)
  • Use of PowerShell by Exchange over HTTPS
  • POP and IMAP

Prerequisites

TLS 1.2 support was added with Exchange Server 2013 CU19 and Exchange Server 2016 CU8. Exchange Server 2019 supports TLS 1.2 by default.

Exchange Server cannot run without Windows Server and therefore it is important to have the latest operating system updates installed to run a stable and secure TLS implementation.

It's also required to have the latest version of the .NET Framework, and its associated patches, that is supported by your CU in place.

Based on your operating system, make sure that the following updates are also in place (they should be installed if your server is current on Windows Updates):

If your operating system is Windows Server 2012 or Windows Server 2012 R2, KB3161949 and KB2973337 must be installed before TLS 1.2 can be enabled.

Make sure to reboot the Exchange Server after the TLS configuration has been applied. The configuration only becomes active after the server has been restarted.

Preparing .NET Framework to inherit defaults from Schannel

The following table shows the Exchange Server/Windows Server combinations with the default .NET Framework Schannel inheritance configuration:

Exchange Server | Windows Server | Supported | Configured by default
Exchange Server 2019 CU14 or later | Any | Yes | Yes (new installations only)
Exchange Server 2019 | Any | Yes | Partially (SchUseStrongCrypto must be configured manually)
Exchange Server 2016 | Any | Yes | No (OS defaults will be used)
Exchange Server 2013 | Any | Yes | No (OS defaults will be used)

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 4.x. If the value is set to 1, then .NET Framework 4.x inherits its defaults from the Windows Secure Channel (Schannel) DisabledByDefault registry values. If the value is undefined, it behaves as if the value is set to 0.

The strong cryptography (configured by the SchUseStrongCrypto registry value) uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that are not secure. SchUseStrongCrypto affects only client (outgoing) connections in your application. By configuring .NET Framework 4.x to inherit its values from Schannel we gain the ability to use the latest versions of TLS supported by the OS, including TLS 1.2.

Enable .NET Framework 4.x Schannel inheritance

Run the following commands from an elevated PowerShell window to configure the .NET Framework 4.x Schannel inheritance:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord

Enable .NET Framework 3.5 Schannel inheritance

Note

Exchange Server 2013 and later do not need this setting. However, we recommend configuring it identically to the .NET 4.x settings to ensure a consistent configuration.

Run the following commands from an elevated PowerShell window to configure the .NET Framework 3.5 Schannel inheritance:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value 1 -Type DWord

Steps to configure TLS 1.2

The following table shows the Exchange Server/Windows Server combinations on which TLS 1.2 is supported. The table also shows the default configuration:
Exchange Server | Windows Server | Supported | Configured by default
Exchange Server 2019 | Any | Yes | Yes (enabled)
Exchange Server 2016 | Any | Yes | No
Exchange Server 2013 | Any | Yes | No


Enable TLS 1.2

Run the following commands from an elevated PowerShell window to enable TLS 1.2 for client and server connections:
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.2" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 1 -Type DWord

Disable TLS 1.2

Run the following commands from an elevated PowerShell window to disable TLS 1.2 for client and server connections:
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.2" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 0 -Type DWord

Steps to configure TLS 1.1

The following table shows the Exchange Server/Windows Server combinations on which TLS 1.1 is supported. The table also shows the default configuration:
Exchange Server | Windows Server | Supported | Configured by default
Exchange Server 2019 | Any | Yes | Yes (disabled)
Exchange Server 2016 | Any | Yes | No
Exchange Server 2013 | Any | Yes | No


Enable TLS 1.1

Note

The Microsoft TLS 1.1 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, it is recommended to carefully plan and disable TLS 1.1. Failure to plan carefully may cause clients to lose connectivity.

Run the following commands from an elevated PowerShell window to enable TLS 1.1 for client and server connections:
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.1" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 1 -Type DWord

Disable TLS 1.1

Run the following commands from an elevated PowerShell window to disable TLS 1.1 for client and server connections:
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.1" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 0 -Type DWord

Steps to configure TLS 1.0

The following table shows the Exchange Server/Windows Server combinations on which TLS 1.0 is supported. The table also shows the default configuration:
Exchange Server | Windows Server | Supported | Configured by default
Exchange Server 2019 | Any | Yes | Yes (disabled)
Exchange Server 2016 | Any | Yes | No
Exchange Server 2013 | Any | Yes | No


Enable TLS 1.0


Note

The Microsoft TLS 1.0 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, it is recommended to carefully plan and disable TLS 1.0. Failure to plan carefully may cause clients to lose connectivity.

Run the following commands from an elevated PowerShell window to enable TLS 1.0 for client and server connections:
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.0" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 1 -Type DWord

Disable TLS 1.0

Run the following commands from an elevated PowerShell window to disable TLS 1.0 for client and server connections:
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.0" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 0 -Type DWord
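As an added verification step (example code written for this page, not part of the original article or of Microsoft's tooling), the following read-only script reads back the Schannel protocol keys and the .NET Framework inheritance values configured in the sections above and reports the effective state against a TLS 1.2-only target. The Enabled/DisabledByDefault classification and the 'undefined behaves as 0' handling are this example's simplified reading of those values; run it from an elevated PowerShell window after the reboot.

```powershell
# Added audit script (not from the article): reads back, without modifying,
# the Schannel protocol keys and the .NET inheritance values configured above.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}
function Get-ProtocolState {
    param([string]$Protocol, [string]$Role)   # $Role is 'Client' or 'Server'
    $key = Join-Path $Schannel "$Protocol\$Role"
    $enabled   = Get-RegDword -Path $key -Name 'Enabled'
    $byDefault = Get-RegDword -Path $key -Name 'DisabledByDefault'
    # Simplified reading (assumption of this example): Enabled=0 switches the protocol
    # off, DisabledByDefault=1 stops it being offered unless an application asks for it.
    if ($null -eq $enabled -and $null -eq $byDefault) { return 'Not configured (OS default)' }
    if ($enabled -eq 0 -or $byDefault -eq 1) { return 'Disabled' }
    return 'Enabled'
}
function Get-ProtocolReport {
    # Target state for an Exchange server that should only speak TLS 1.2
    $target = [ordered]@{ 'TLS 1.2' = 'Enabled'; 'TLS 1.1' = 'Disabled'; 'TLS 1.0' = 'Disabled' }
    foreach ($protocol in $target.Keys) {
        foreach ($role in 'Client', 'Server') {
            $state = Get-ProtocolState -Protocol $protocol -Role $role
            [pscustomobject]@{ Protocol = $protocol; Role = $role; State = $state
                               MatchesTarget = ($state -eq $target[$protocol]) }
        }
    }
}
function Get-DotNetInheritance {
    # Per the article, an undefined SystemDefaultTlsVersions/SchUseStrongCrypto value behaves as 0
    $bases = 'HKLM:\SOFTWARE\Microsoft\.NETFramework', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    foreach ($base in $bases) {
        foreach ($version in 'v4.0.30319', 'v2.0.50727') {
            foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
                $value = Get-RegDword -Path (Join-Path $base $version) -Name $name
                $shown = if ($null -eq $value) { 'undefined' } else { $value }
                [pscustomobject]@{ Key = (Join-Path $base $version); Name = $name
                                   Value = $shown; Effective = [int]($value -eq 1) }
            }
        }
    }
}
Get-ProtocolReport    | Format-Table -AutoSize
Get-DotNetInheritance | Format-Table -AutoSize
```

Any row with MatchesTarget false, or any .NET row whose Effective column is 0, points at a key that still needs the corresponding commands from the sections above.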

