Hello! We installed update Exchange 2019 CU11 on Windows 2019 in our environment. In our environment we have send connectors with required TLS on number of remote domains. After CU11 was installed edge servers cannot make tls connections to some of these required tls remote domains (IronPorts ESA Cisco mail gate). We made investigation ExchangeSetupLog.txt and found out that setup change step in install process
from
ConfigureCryptoDefaults.ps1 -Transition (contains RSA + TLS 1.0, 1.1)
to
ConfigureCryptoDefaults.ps1 -Secure (contains only ellipse curve crypto suite)
May be that info would be helpful for somebody who installed CU10 and CU11.
We would like to disable tls 1.0 and 1.1 but not RSA.
Our message team is very surprised that Microsoft didn't mention about it in release notes for CU10 and CU11.