Forum Discussion
Problem with EMS console, Exchange Toolbox console and permission to serialize tokens
Seiun That article does not say you need to install Exchange Server 2019 first and then move to Exchange Server SE. If you were already running Exchange Server 2019 then an in-place upgrade would make sense. But for a fresh install, no that is the wrong path.
You cannot use multiple AV solutions at the same time. So, if you are using PAC, you need to disable Defender. And if you're happy with Defender, there's no reason to run PAC.
As Health Checkers runs in the EMS and you're not able to access the EMS, how did you run it?
Did you check to make sure the proper services and app pools are running on your server?
What's in your IIS logs and event logs? Any errors?
Have you enabled Certificate Signing in PowerShell - https://aka.ms/HC-SerializedDataSigning
Have you verified your environment can use Extended Protection, which is enabled by default?
- Defender disabled. Only one AV.
- Run PowerShell as Administrator. Launch Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn and you have access to all Exchange Powershell commands. A workaround that still works.
- I don't see IIS errors.
- Certificate Signing in PowerShell. Run script: MonitorExchangeAuthCertificate.ps1 - no errors. It is working.
[07/02/2026 08:01:42] : Current Auth Certificate thumbprint: 4A76D985BE7EC62B5917EAA65E2DB471DSDSD
[07/02/2026 08:01:42] : Current Auth Certificate is valid for 881 day(s)
[07/02/2026 08:01:42] : Test result: No renewal action is required
[07/02/2026 08:01:42] : Log file written to: C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuthCertificateMonitoring\AuthCertificateMonitoringLog_20260702080136.txt
[07/02/2026 08:01:42] : Do you have feedback regarding the script? Please email email address removed for privacy reasons.
[07/02/2026 08:01:42] : No errors occurred within the scripts
- Extended Protection: No errors.
.\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly
RegistryName Location Value
SchUseStrongCrypto SOFTWARE\Microsoft\.NETFramework\v2.0.50727 1
SystemDefaultTlsVersions SOFTWARE\Microsoft\.NETFramework\v2.0.50727 1
SchUseStrongCrypto SOFTWARE\Microsoft\.NETFramework\v4.0.30319 1
SystemDefaultTlsVersions SOFTWARE\Microsoft\.NETFramework\v4.0.30319 1
SchUseStrongCrypto SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727 1
SystemDefaultTlsVersions SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727 1
SchUseStrongCrypto SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 1
SystemDefaultTlsVersions SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 1
DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client 1
Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client 0
DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server 1
Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server 0
DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client 1
Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client 0
DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server 1
Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server 0
DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client 0
Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client 1
DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server 0
Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server 1
TLS prerequisites check successfully passed!
All servers that we are trying to currently configure for Extended Protection have RPC (Default Web Site) set to false for SSLOffloading.
Successfully passed the Prerequisites Check for the server: EX...