Today we are announcing the availability of the 2024 H1 Cumulative Update (CU) for Exchange Server 2019 (aka CU14). CU14 includes fixes for customer reported issues, a security change, and all previo...
Updated Feb 22, 2024
Version 11.0
Blog Post
LukasSMSFT
Microsoft
MicrosoftPankaj_Messaging_Specialist it's not necessary to disable cipher suites. The only thing you should care about is that the exact same TLS configuration (TLS versions, cipher suites etc.) is configured on all of your Exchange servers. SchUseStrongCypto affects outgoing connections from your Exchange server (e.g, Exchange server A connects to Exchange Server B to query data). The key ensures that we use strong cryptography (TLS 1.1 or 1.2, no weak ciphers) in this scenario. It should not affect clients that are connecting to your server.
SystemDefaultTlsVersions must be set to ensure that .Net framework inherits its defaults from the Windows Secure Channel (Schannel). So if you want to keep TLS 1.0 and 1.1 enabled, that's totally fine as long as you keep it enabled on all other Exchange servers as well.
Just follow the steps to explicitly enable TLS 1.1 and 1.0 and you're good: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-tls-configuration?view=exchserver-2019#enable-tls-11