Released: August 2022 Exchange Server Security Updates

Hi LukasSMSFT Nino_Bilic 

We installed the Exchange 2019 CU12 SU update without issues this morning; however, I have a few questions:

1) healthchecker.ps1 flagged 4 Microsoft Exchange certificates that are expiring soon. If I try editing any of those certificates, the pen icon is greyed out. All 4 show 'Assigned to Services = NONE' Should I delete those 4 certificates before running EP script? I recall a few months ago, a SU will cause the host service not to start if there was any expired certificates. The Microsoft Exchange certificate that expires in 2025 has IIS and SMTP assigned. Also, our certificate (blank under name for security reasons) has IMAP, POP, IIS and SMPT services assigned to it.

2) healthchecker.ps1 produced the following results:

TLSVersion ServerEnabled ServerDbD ClientEnabled ClientDbD Configuration
---------- ------------- --------- ------------- --------- -------------
1.0 False True False True Disabled
1.1 False True False True Disabled
1.2 True False True False Enabled

FrameworkVersion SystemDefaultTlsVersionsWow6432NodeSystemDefaultTlsVersionsSchUseStrongCrypto Wow6432NodeSchUseStrongCrypto
---------------- ----------------------------------------------------------------------------- -----------------------------
NETv4 True True False False
NETv2 False False False False

v4.0.30319 SchUseStrongCryptoValue: NULL --- Error: Value should be defined in registry for consistent results.
v4.0.30319 WowSchUseStrongCryptoValue: NULL --- Error: Value should be defined in registry for consistent results.
SecurityProtocol: Tls12

is that mean I have to modify the registry by creating the file below as explained on https://docs.microsoft.com/en-us/Exchange/exchange-tls-configuration?view=exchserver-2019 ?

NET4X-UseSchannelDefaults.reg

is there anything else from that article that I must do before enabling EP?

Your help and guidance is greatly appreciated!