Update: The issue mentioned in this article has been resolved in October 2022 SU (or later). Please see this document for known issues with Extended Protection.
We’ve released an update to the scri...
Updated Feb 15, 2024
Version 3.0
Blog Post
1 MIN READ
An update to the Exchange Server Extended Protection script is now available
3. You can find additional documentation here regarding the registry values:
https://aka.ms/ExchangeEPDoc (as Nino_Bilic mentioned)
"If you experience password prompts on your clients once Extended Protection is enabled, you should check the following registry key and value on client and Exchange server side"
One could use this PowerShell command to see if the DWORD is set/exists on computers/servers with 2019 in their name. (red result = does not exist)
You can also use this to look at clients by adjusting the filter.
(Get-ADComputer -Filter 'Name -like "*2019*"').name | %{$_;Invoke-Command -ComputerName $_ {Get-ItemProperty -Path "HKLM:System\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" | FL }}
Your question of a registry template for the keys: It is recommended to use Group Policy (see link in my comment). But, if one would want to look into updating using the registry it would look like this (Example sets value to 3. Remove -WhatIf after testing). Keep in mind that Group Policy, if set, will change it back to the Group Policy value.
(Get-ADComputer -Filter 'Name -like "*2019*"').name | %{$_;Invoke-Command -ComputerName $_ {Set-ItemProperty -Path "HKLM:System\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value "3" -Type "DWORD" -WhatIf}}