Microsoft has announcedthat the next Exchange CU will enable Extended Protection (EP) for Exchange Server 2019 as the default setting. Extended Protection was introduced for Exchange 2016 and Exchange 2019 in August 2022 and previously had to be activated manually. However, anyone who has not yet activated Extended Protection may need to take care when installing CU14 for Exchange 2019.
For Exchange 2019, the CU14 will activate Extended Protection. If there are multiple Exchange servers and load balancers or web application firewalls, all of these components must be accessed. the same certificate must be used. It is not enough for the certificate to contain the same names; the identical certificate must be used on all Exchange servers, load balancers and WAFs, otherwise Outlook will not be able to establish a connection with Exchange.
If Extended Protection is not to be used, it must be deactivated manually after installation for Exchange 2019. The script for activating and deactivating Extended Protection can be found here:
There are other cases in which Extended Protection cannot be used:
- There are still Exchange 2013 servers with public folders in the Exchange organization
- Extended Protection does not work on servers used for Modern Hybrid configuration
- SSL Offloading is not supported (SSL Briding only with identical certificate)
It is best to test and activate Extended Protection before installing CU14 for Exchange 2019, otherwise troubleshooting may be time-consuming. Microsoft also provides a few tips on implementation in the article linked above:
Exchange 2016 is not affected by this change, as there will no longer be a new CU for Exchange 2016. However, HSTS is now officially supported for Exchange 2016 (and Exchange 2019), but I will write about this in a separate article.