Released: August 2022 Exchange Server Security Updates

turigor sorry for the delay. Even if Windows Authentication is not enabled, setting Extended Protection to prescribed value is highly recommended. Although when Windows authentication is disabled, Extended Protection will not be used (setting will be ignored). Configuring the Extended Protection setting in the vDir as described in the table ensures Extended Protection will be used just in case Windows Authentication is ever enabled in future.
Another important point to note is that, even for the vDirs where Windows Authentication is disabled by default, enabling Extended Protection is critical as there may be some sub vDirs that have Windows Authentication enabled which should requisite Extended Protection setting. OWA for example makes use of Basic Authentication for its default vDir and most of its sub vDirs. However, there is one OWA sub vDir called "Integrated" which has Windows Authentication enabled by default. Therefore, not enabling Extended Protection can make OWA vDir susceptible to MitM attacks.