Dear Microsoft Exchange team, LukasSMSFT. I'm a bit confused by your comments regarding possible transport and poison queue issues possibly caused by a missing or incomplete AES256-CBC configuration.
You mentioned that all steps in the article https://support.microsoft.com/en-us/topic/enable-support-for-aes256-cbc-encrypted-content-in-exchange-server-august-2023-su-add63652-ee17-4428-8928-ddc45339f99e should be completed, otherwise it might cause problems.
However, the step 2 registry key and Network Service access rights should already be in place after the August 2023 SU. At least from what I noticed, a new installation of 2019 CU14 does it already, so step 2 could therefore be skipped. Although it would not hurt to do it anyway, just in case. Step 3 cannot be done if RMS is not in use. Step 4 says that the November 2024 SU enables MSIPC by default, so manual configuration of the SettingOverride for decryption is not needed. Only the Encryption override needs to be set manually.
So my question is, how can the CBC configuration be missing or incomplete in such a way that it could crash transport and leave messages stuck in the poison queue? Can a missing override for Encryption be the reason? If yes, why isn't it built into the SU similarly to Decryption? I have understood that enabling CBC was originally optional, required basically only if RMS was in use.
I'm not confident, based on the existing information, that "enabling" CBC (step 2, steps 4-6) is a foolproof solution for transport issues.
Btw, in my test HealthChecker did not notice the missing rights of the Network Service.