Exchange 2010 - EWS and disabling TLS 1.0

  • Question

  • Hi all,

    Due to the POODLE vulnerability and TLS 1.0 showing as enabled on one of our external scans, we were informed that we would need to disable SSL 3.0 and TLS 1.0 on our Exchange server.

    Apparently, this wouldn't even be possible until Update Rollup 9 was released on 3/16/15:

    Rollup resolves:

    KB 3029667 SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2010 environment

    After installing this update, SSL 3.0 and TLS 1.0 were disabled and the servers rebooted (cross site, same domain, two Exchange servers).  After resolving some issues with certificates that apparently broke as a result of the changes, we found that EWS was not working - the log full of these errors:

    Process 5776: ProxyWebRequest CrossSite from S-1-5-21-3895483984-2032760896-3917300074-1259 to https://mail.exchange.com:443/ews/exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

    ------------------------------------------------------

    The EWS directory in IIS on both servers is set to use Anonymous and Windows Authentication.  The main issue observed outside of the above errors was that free/busy information could not be viewed.

    After rebuilding the EWS virtual directory and a couple reboots later, we tried enabling TLS 1.0 on both servers, rebooted, and there were no more EWS errors to be found - free/busy was also working.

    So it appears that although this rollup allows SMTP to use TLS 1.1 or 1.2, EWS is still attempting to use TLS 1.0, and I don't see that it is possible to change this.

    Friday, May 1, 2015 2:43 PM

All replies

  • Hi,

    Thank you for your post.

    This is a quick note to let you know that we are performing research on this issue.

    Best regards,

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Niko Cheng
    TechNet Community Support

    Monday, May 4, 2015 8:23 AM
    Moderator
  • Hi,

    How did you disable TLS 1.0 on the Exchange server?

    In addition, when you disable TLS 1.0 on the server, please try to disable TLS 1.0 on the client as well, and then check if the issue persists.

    I recommend you disable TLS 1.0 protocol by following these steps:

    • Browse to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\” key.
    • If there is not a key under there called “TLS 1.0”, create it.
    • Under “TLS 1.0”, create a key called “Client” and a key called “Server”.
    • For both “Client” and “Server”, add a DWORD value to each called “Enabled” and set it to “0” (This will disable TLS 1.0).

    Best regards,


    Niko Cheng
    TechNet Community Support

    Thursday, May 7, 2015 7:50 AM
    Moderator
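
The registry values described in the steps above can be inspected without changing anything. The following PowerShell is an added example, not part of the original reply: it reports `Enabled` for every protocol under both `Client` and `Server`, which matters here because an Exchange server also acts as a TLS client when it proxies EWS requests to another site. The function name `Get-SchannelProtocolState` is hypothetical, and `DisabledByDefault` is a further SCHANNEL value that the steps above do not mention.

```powershell
# Added example (not from the thread): read-only audit of the SCHANNEL protocol keys.
# Nothing is written to the registry.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Roles        = 'Client', 'Server'

function Get-SchannelProtocolState {
    foreach ($protocol in $Protocols) {
        foreach ($role in $Roles) {
            $path = Join-Path (Join-Path $SchannelBase $protocol) $role
            $enabled = $null
            $disabledByDefault = $null

            # A missing key or missing value means the OS default is in effect.
            if (Test-Path -LiteralPath $path) {
                $values = Get-ItemProperty -LiteralPath $path
                if ($null -ne $values) {
                    $enabled = $values.Enabled
                    $disabledByDefault = $values.DisabledByDefault
                }
            }

            if ($null -eq $enabled) {
                $state = 'not configured (OS default applies)'
            } elseif ($enabled -eq 0) {
                $state = 'disabled'
            } else {
                # Some tools write Enabled as 0xFFFFFFFF, which is read back as -1.
                $state = 'enabled'
            }

            New-Object PSObject -Property @{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            } | Select-Object Protocol, Role, Enabled, DisabledByDefault, State
        }
    }
}

# Run on each Exchange server and compare the Client and Server rows per protocol.
Get-SchannelProtocolState | Format-Table -AutoSize
```

SCHANNEL reads these values at startup, so a change to them only shows up in behaviour after a reboot, as the original poster did after each change.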
  • Just as an update to this, we eventually opened a ticket with Microsoft regarding this, who confirmed that this is now a known issue, and TLS 1.0 cannot be disabled without affecting Exchange Web Services in Exchange 2010.  They did not confirm if/when this would be resolved.
    • Marked as answer by 5801ptbac Wednesday, May 27, 2015 1:11 PM
    Wednesday, May 27, 2015 1:11 PM
  • Do you have a solution for this as yet? Have the same issue and you immediately FAIL PCI compliance if it's enabled
    Wednesday, June 3, 2015 9:24 AM
  • >Do you have a solution for this as yet? Have the same issue and you immediately FAIL PCI compliance if it's enabled

    Hello Cory,

    There is currently no solution to this yet, and apparently the same issue exists in Exchange 2013.  The following thread on Spiceworks was very helpful:

    http://community.spiceworks.com/topic/608560-exchange-2010-poodle-and-security?page=2#entry-4671767

    One poster initiated a dispute with the PCI compliance vendor and it was approved, so that is a good sign.  Our company will be undergoing a scan later this month, so we will likely do the same thing to avoid failing.  I will post an update once that has been done to let you know if they (Trustwave) have also accepted the dispute.  I imagine there are several other customers out there going through the same struggle.

    Wednesday, June 3, 2015 1:08 PM
  • Add me to the list on this; many customers failing PCI tests, and now I'm sitting on my hands waiting for Microsoft to fix this issue, as Out Of Office, my customer's main concern, is not available in Outlook, and they consider it quite a hassle to use OWA to set it. At least email is working! Sheesh. It is interesting to know that you can dispute TLS 1.0 and get approved; might have to do that.

    One question: I have disabled TLS 1.0 and SSL 3.0 on the servers in question, and I am wondering about running the Update Rollup 9. Do I need to do anything after applying this update to tell Exchange to use TLS 1.1 or 1.2, or will it automatically begin using one of these protocols? I can't seem to find anything about it when I search. Thanks for considering!


    Thursday, June 4, 2015 4:42 PM
  • >Add me to the list on this; many customers failing PCI tests, and now I'm sitting on my hands waiting for Microsoft to fix this issue, as Out Of Office, my customer's main concern, is not available in Outlook, and they consider it quite a hassle to use OWA to set it. At least email is working! Sheesh. It is interesting to know that you can dispute TLS 1.0 and get approved; might have to do that.

    >One question: I have disabled TLS 1.0 and SSL 3.0 on the servers in question, and I am wondering about running the Update Rollup 9. Do I need to do anything after applying this update to tell Exchange to use TLS 1.1 or 1.2, or will it automatically begin using one of these protocols? I can't seem to find anything about it when I search. Thanks for considering!


    Hi Kuptime,

    After installing Rollup 9 and ensuring 1.0 and SSL 3 are disabled, SMTP should begin using 1.1 or 1.2 without further changes.  As you mentioned, Exchange Web Services (Out of Office, Free/Busy) will not function correctly with this current implementation.

    Thursday, June 4, 2015 9:45 PM
  • Microsoft Exchange 2010 SP3 rollup 11

    Microsoft Server 2008 R2

    I see that the last time this was updated is June 2015. Can anyone tell me if the issue with Exchange Web Services (Out of Office and Free/Busy) has been resolved yet?

    Or is there any way to disable TLS 1.0 without this occurring, i.e. migrating to Windows 2012 R2 with Microsoft Exchange 2013 etc.?

    Monday, December 21, 2015 9:14 PM
  • >Microsoft Exchange 2010 SP3 rollup 11

    >Microsoft Server 2008 R2

    >I see that the last time this was updated is June 2015. Can anyone tell me if the issue with Exchange Web Services (Out of Office and Free/Busy) has been resolved yet?

    >Or is there any way to disable TLS 1.0 without this occurring, i.e. migrating to Windows 2012 R2 with Microsoft Exchange 2013 etc.?

    Hi AmerAcad,

    We were told that Microsoft would contact us when this has been fixed.  Unfortunately, we have never heard back on this.  And due to the havoc that disabling this caused in our environment originally, we are not exactly eager to test this until we have some feedback.

    Monday, December 21, 2015 9:24 PM
  • No need to test.  For Exchange 2010/Rollup 10, this is still an issue.
    Friday, February 12, 2016 6:58 PM
  • Just so I am clear.  Is it all EWS that fails when disabling TLS 1.0?

    Or is it just Out Of Office and Freebusy?

    Thanks

    Mike

    Wednesday, February 24, 2016 9:38 PM
  • >Just so I am clear.  Is it all EWS that fails when disabling TLS 1.0?

    >Or is it just Out Of Office and Freebusy?

    >Thanks

    >Mike

    Hi Mike,

    It has been a while since we went down this rocky road, but EWS failed altogether when we disabled TLS 1.0.  This not only affected Out of Office and Free Busy, but all of our Apple users that connect to our Exchange server were out of commission via EWS.

    Wednesday, February 24, 2016 10:40 PM
  • Since TLS 1.1 was defined in 2006 and TLS 1.2 in 2008, I would love to hear Microsoft's excuse for still not fully supporting them in Exchange and IIS products that were released well afterwards. What's worse is the empty void of information about what they are going to do about this. The last meaningful update that I've been able to find on the Exchange Team Blog is the 'best practices' entry last July that contains a surfeit of disingenuous disambiguation.

    Has anybody heard anything concrete from Redmond on when we'll be able to disable TLS 1.0 on Exchange 2010 or 2013 servers and IIS without losing EWS? Fortunately, it looks like the PCI SCC has extended the migration completion date for TLS 1.0 to June 2018. Looks like we'll all have to be on Exchange 2016 by then!

    Thursday, March 3, 2016 2:54 PM
  • >Fortunately, it looks like the PCI SCC has extended the migration completion date for TLS 1.0 to June 2018. Looks like we'll all have to be on Exchange 2016 by then!

    However we still have to provide extensive documentation and mitigation efforts in order to comply.

    It's a pain.

    Come on Microsoft.  Given the number of security patches I have to install monthly one would think this would be a higher priority.  TLS 1.0 has known vulnerabilities and Exchange 2010 is still very much in use.

    It's not always possible to de-scope Exchange as it is a highly connected piece of software.

    Thursday, March 3, 2016 3:12 PM
  • I've had a LOT of trouble getting my PCI Compliance company to accept the TLS 1.0 Mitigation. In fact, I finally gave up. The fact that Microsoft still hasn't fixed this is completely inexcusable.

    It would cost me thousands of dollars to upgrade to Exchange 2016 right now. And about a thousand a year to move to Office 365. Thanks for nothing, Microsoft!

    Thursday, March 3, 2016 3:20 PM
  • Microsoft - What's the status of this? Many of us have paid a lot of money for the Exch 2010 product, and would expect that this be resolved in short order? Would someone from Microsoft please respond and advise?
    Monday, March 21, 2016 3:47 PM
  • As the author of the blog, I can explain a little about what is going on. First of all, you must understand that supporting TLS 1.2 (we generally DO support TLS 1.2 across the board) is not the same thing as being able to disable TLS 1.0. The PCI and other entities have also reached this conclusion, and thus the delay in their mandates -- which by the way don't typically apply to the average Exchange deployment anyway. While TLS 1.0 is certainly less secure than TLS 1.2, it is not inherently insecure like SSL 3.0.  It is easy to mitigate POODLE and other known issues without disabling TLS 1.0.  This isn't a permanent thing, it's just the current state of affairs.

    The reasons why TLS 1.0 can't be completely disabled center around "client" implementations -- NOT server implementations.  That is, any application which is initiating a new secure socket connection.  In the Exchange case, this includes all clients, as well as any session between the "front end" and the "back end" roles, or even sessions between servers.  Most clients running on Windows rely on 3 or 4 underlying APIs -- all of which now implement TLS 1.2, but on older versions required recompiling in order to utilize TLS 1.2.  However, in newer versions of Windows, that is no longer the case.  So this entire story has really been about tracking down the underlying APIs and deciding which combinations would be backported to older versions of Windows and Exchange.  The story would be similar for any client running on any legacy Operating System, including Linux -- clients don't simply automatically start using TLS 1.2 just because the server does.  Code updates and backports are required.  On a side note, if one rewinds the clock to the earliest days of TLS 1.1 and 1.2, this choice was made because some early server implementations wouldn't negotiate the version properly (I won't point fingers) -- so if clients were updated before the servers were, it would have resulted in no connectivity whatsoever.  So early implementations required overrides so as to not introduce connectivity issues.

    At this time, we have made significant progress -- and there are certain configurations where we know disabling TLS 1.0 will work, in newer versions and/or with the right patches. But, as long as there is just one part of Exchange used by most of our customers which won't support disabling TLS 1.0 (or as long as significant client bases remain incompatible), it simply doesn't make sense to introduce confusion and change our support stance at this time -- as long as we believe TLS 1.0 remains secure.  Instead, we have focused on helping customers make sure their TLS implementations are as secure as possible.  Rest assured that if a client AND the server both support TLS 1.2 by default, then your connections are already happening using TLS 1.2.  By the way, this fix for Windows 7 and Server 2008 R2 shipped this week:

    https://support.microsoft.com/kb/3140245

    We will post updates on the blog at such time as we feel all of the pieces are in place.  This may also be coordinated with other Microsoft products.  That said, it is highly unlikely that it would be supported to disable TLS 1.0 on any product which is out of mainstream support.  If a customer has an extended support agreement in place, then certainly that would change matters.  I am simply setting expectations based on how the support lifecycle works.

    In the meantime, keep your machines patched, and follow best practice recommendations.

    Wednesday, April 20, 2016 2:37 PM
    Moderator
  • Hi.  Any updates on this?  Is it safe to disable TLS 1.0 on Exch 2010 yet without breaking anything?
    Wednesday, January 4, 2017 7:14 PM
  • >Hi.  Any updates on this?  Is it safe to disable TLS 1.0 on Exch 2010 yet without breaking anything?

    Dear All,

    Anyone disabled TLS 1.0 on Ex2010 / 2013 with no issues? 

    Cheers!

    Vicky

    Friday, January 6, 2017 2:09 PM
  • We disabled TLS 1.0 last week for compliance purposes. Exchange 2010 Win2008R2. Outlook failed afterwards.
    Monday, January 9, 2017 2:11 PM
  • After upgrading Exchange 2010 to SP3 rollup 16, we were able to disable TLS 1.0 but ActiveSync users will have to use the Outlook app for email, especially on older mobile devices. Outlook 2010 is working but we are getting a popup on the user's desktop about autodiscover.mydomain.com attempting to make changes to your account. Otherwise the server, OWA, and clients are fully functional. If anyone has suggestions to resolve this last hiccup please let me know; otherwise when we have a solution I will be happy to share.


    • Edited by dwolf17 Monday, February 6, 2017 5:46 PM
    Monday, February 6, 2017 5:45 PM
  • This is because some Outlook functionality uses WinHTTP, which by default only supports up to TLS 1.0 on Windows 7 SP1.

    It's likely your clients already support TLS 1.2 but you need the registry change in the article to activate the support.

    If the clients are Windows 7 you will probably need to add TLS 1.1 and TLS 1.2 to the default secure protocols.

    https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows

    If you do Windows Update (likely) you already have the support and just need the reg key.

    I did this on my Outlook 2010 clients on Windows 7 and it switched to TLS 1.2 from 1.0 after restarting Outlook.

    (no reboot required).

    I used GPO to deliver this Regkey.

    It is possible to disable TLS 1.0 and 1.1 on Exchange 2010 SP3 RU 16.

    Not recommended by Microsoft BTW.  It seems they would prefer you to buy a new licence of 2016.

    You will need to do it carefully.  One problem we had was old android phones that had to be replaced but they were very old.


    • Edited by Mike Surcouf Saturday, February 11, 2017 2:38 PM
    Saturday, February 11, 2017 2:33 PM
  • As of 2010 SP3 Rollup 16, I can confirm, TLS 1.0 cannot be disabled...

    When disabled, before and after UR16, the issue (invalid server configuration) manifests itself immediately if you try to delete an email from OWA.  Most, if not all, other OWA functionality seems to work without incident...

    Friday, March 10, 2017 2:12 PM
  • As of 2010 SP3 Rollup 18, I can confirm, TLS 1.0 cannot be disabled...

    We still experience the invalid server configuration error message in multiple browsers: Chrome, Firefox and IE.

    The only way we were able to avoid this error was to connect in the following way, which disables most features of OWA.

    Selecting the option to "Use the light version of the Outlook Web App"

    I caution this as it severely restricts what you can do in OWA.

    

    Thursday, July 20, 2017 8:02 PM
  • Hi all,

    Does anyone have an update on this? Does an Exchange 2010 SP3 rollup fix the TLS 1.0 disable issues?

    Regards,

    Sarfraz Aslam


    Regards, Sarfraz Aslam

    Monday, September 25, 2017 7:33 AM
  • I know this thread dates back some time but it's still a problem that needs to be addressed.

    I have a customer that is running Exchange 2010 (we don't want to upgrade just yet) that cannot send email to a remote vendor. Fiserv in all their wisdom has started refusing any SMTP with TLS 1.0 enabled. The Exchange 2010 has just had Roll-up 17 (https://www.microsoft.com/en-us/download/details.aspx?id=54934) installed and we just disabled TLS 1.0 completely and found that everything works, including email to Fiserv, with the exception of EWS services. It is my understanding that after update roll-up 9 that it "should" use TLS 1.2 over TLS 1.0 but that's not what we're seeing.

    Does anyone know of any way to leave TLS 1.0 enabled for inbound connections (to get EWS back working) but prioritize TLS 1.2 for SMTP outbound? This should not be this difficult to nail down.

    Friday, January 12, 2018 8:04 PM
  • I wish I could help!  It's my understanding that PCI requires all TLS to be disabled by June of 2018.  Will this issue with EWS still exist?  Or will there be a fix for it?  Does anyone know?
    Tuesday, February 6, 2018 3:50 PM
  • Hi,

    I think a Microsoft fix is near on this, as last week I was googling for a solution to disable it on our Exchange 2010 and found the article below.

    I have not implemented it yet but hope it helps.

    https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/


    Regards, Sarfraz Aslam

    Wednesday, February 7, 2018 4:42 AM
  • SP3 UR 20 has just been released for Exchange 2010, does that mean we can disable TLS1.0?
    Friday, March 23, 2018 10:17 AM
  • Please wait for part three of the above post

    https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, March 23, 2018 2:22 PM
  • I installed CU 20, on Exchange 2010 and disabled TLS 1.0.

    Issues:

    Autodiscovery not working over internet.

    If the mailbox is already configured, you must disable TLS 1.0 on the Win7 workstation in order for Outlook to connect to the Exchange server.

    Users from Win7 workstations cannot set Out Of Office replies.

    Sending SMS from Outlook not working anymore.

    Thursday, March 29, 2018 5:39 AM
  • Update: Out Of Office replies issue workaround,  after TLS 1.0 was disabled on exchange server :

    https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

    Thursday, March 29, 2018 8:32 AM
  • Update2: Setting DefaultSecureProtocols to 0x00000A80 in registry, also resolves autodiscovery issue on Windows 7 workstations.
    Thursday, March 29, 2018 1:14 PM
  • I deployed DefaultSecureProtocols  to windows 7 via GPO preferences.

    Also needed for Free/busy and OAB which now use https

    Works fine on outlook 2010 and all latest updates.

    Thursday, March 29, 2018 1:27 PM
  • Hi,

    What are the issues reported till now in RU20 exchange 2010 sp3? I am planning to go on RU20 so that TLS 1.0 can be disabled on my CAS servers.

    Anyone can please share, who have already updated.


    Regards, Sarfraz Aslam


    Thursday, April 19, 2018 11:21 AM
  • Hi.

    Issue in my system after install RU 20.

    System: Windows 2008 R2 SP1 (with all update) + Exchange 2010 SP3 R20.

    TLS 1.0 automatically was disable. I'm not approve any change for system or register.

    Depend.

    Stop working old certificate for assign services. Not available in list EMS/EMC.

    Stop working EWS/IIS and Test-WebServicesConnectivity.

    Stop working PF for RPC/HTTPS from Office 365. User receive request for password or can't read PF.  

    Open two ticket in MS. 


    MCITP, MCSE. Regards, Oleg

    Monday, April 30, 2018 1:38 PM
  • I have observed the following with Exchange 2010 SP3 RU20 & TLS 1.0 DISABLED:

    OWA: Unable to DELETE items
    OWA: Unable to MOVE items
    OWA: Unable to toggle Out Of Office On or Off

    I haven't found any caveats outside of OWA thus far and have had TLS 1.0 disabled for several days now.  Mobile clients seem fine (IOS and Android) as well as Outlook (All versions from 2007 to 2016) and we're also using eM Client on a few workstations with no issues.

    Monday, April 30, 2018 10:12 PM
  • Hello Oleg, really appreciate for sharing your experience over here. Is there any fix provided by MS or still you are having issues with RU20?

    Thanks and regards,


    Regards, Sarfraz Aslam

    Tuesday, May 1, 2018 9:30 AM
  • After RU20, do you manually disable TLS1.0 from registry or RU20 do it by itself? a little confusion is there as per Oleg comments. Did you find any fixes for OWA issues?

    Regards, Sarfraz Aslam

    Tuesday, May 1, 2018 9:32 AM
  • I have Exchange 2010 SP3 RU20 and don't see any of those issues.

    I only have TLS 1.2 enabled has been like this for at least 6 months.

    I would look elsewhere for issues.

    Tuesday, May 1, 2018 10:52 AM
  • Use IISCrypto
    Tuesday, May 1, 2018 10:53 AM
  • >I have observed the following with Exchange 2010 SP3 RU20 & TLS 1.0 DISABLED:

    >OWA: Unable to DELETE items
    >OWA: Unable to MOVE items
    >OWA: Unable to toggle Out Of Office On or Off

    >I haven't found any caveats outside of OWA thus far and have had TLS 1.0 disabled for several days now.  Mobile clients seem fine (IOS and Android) as well as Outlook (All versions from 2007 to 2016) and we're also using eM Client on a few workstations with no issues.

    I see the same problems with same patches applied.   Really need to find an alternative as it also stopped my users from being able to use SSL through outlook remotely.
    • Edited by MBA Admin Wednesday, May 2, 2018 8:42 PM
    Wednesday, May 2, 2018 8:41 PM
  • The post that never dies! lol

    As of 6/6/2018 owa is still broken (opens ok but deleting emails breaks it) and dag transfers work but sometimes give system.net.webexception warnings when switching over...that is fun..

    does rollup 21 fix anything?


    Wednesday, June 6, 2018 9:31 PM
  • ok it works now.  I missed the part about setting .net for exchange 2010...follow this article and you should be good.  Use IISCrypto to set your schannel settings.

    I can't insert the hyperlink so just search for this: Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It


    Thursday, June 7, 2018 3:28 PM
  • Were you able to find a way to get OWA to function correctly?  I have TLS 1.0 disabled also and users cannot delete or move emails in OWA.
    Monday, July 23, 2018 6:45 PM
  • I'm still looking for a solution to fix the OWA email delete issue.

    Trying the Part2 .Net 3.5 fix tonight.

    https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

    Wednesday, November 28, 2018 10:09 PM
  • One more thing. When TLS 1.0 is disabled in Exchange 2010 SP3 RU 24, in an Exchange hybrid environment, on-prem users cannot see free/busy information of cloud users. I also could not run Exchange hybrid setup on this server, got an error about certificates, but found a workaround for this.

    Added these registry keys:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "DefaultSecureProtocols"=dword:00000a80

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "DefaultSecureProtocols"=dword:00000a80

    I registered ticket for free busy issue on Premier Support

    Thursday, December 13, 2018 5:57 AM
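
The `DefaultSecureProtocols` value used in the replies above is a bitmask, and `0x00000A80` is `0x800` (TLS 1.2) + `0x200` (TLS 1.1) + `0x80` (TLS 1.0), so it adds TLS 1.1 and 1.2 to the WinHTTP defaults while still leaving TLS 1.0 in the set. The following PowerShell is an added example, not code from the thread: it decodes the value and reads it from both registry views. The function names are hypothetical; the bit values are those documented in KB 3140245.

```powershell
# Added example (not from the thread): decode WinHTTP DefaultSecureProtocols.
# Bit values as documented in Microsoft KB 3140245.
$ProtocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x00000008 },
    @{ Name = 'SSL 3.0'; Bit = 0x00000020 },
    @{ Name = 'TLS 1.0'; Bit = 0x00000080 },
    @{ Name = 'TLS 1.1'; Bit = 0x00000200 },
    @{ Name = 'TLS 1.2'; Bit = 0x00000800 }
)

function ConvertFrom-DefaultSecureProtocols {
    # Returns the protocol names whose bits are set in $Value.
    param([Parameter(Mandatory = $true)][int]$Value)
    $names = @()
    foreach ($entry in $ProtocolBits) {
        if ($Value -band $entry.Bit) { $names += $entry.Name }
    }
    return ($names -join ', ')
}

function Get-WinHttpDefaultSecureProtocols {
    # Read-only: checks the 64-bit and 32-bit (Wow6432Node) views used in the thread.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Key or value absent: WinHTTP falls back to the OS default set.
            $hex       = 'not set'
            $protocols = 'OS default applies'
            $hasTls10  = $null
        } else {
            $raw       = [int]$item.DefaultSecureProtocols
            $hex       = '0x{0:X8}' -f $raw
            $protocols = ConvertFrom-DefaultSecureProtocols -Value $raw
            $hasTls10  = [bool]($raw -band 0x00000080)
        }
        New-Object PSObject -Property @{
            Path          = $path
            Value         = $hex
            Protocols     = $protocols
            IncludesTls10 = $hasTls10
        } | Select-Object Path, Value, Protocols, IncludesTls10
    }
}

# Decode the value posted in the thread, then report what this machine has.
ConvertFrom-DefaultSecureProtocols -Value 0x00000A80
Get-WinHttpDefaultSecureProtocols | Format-List
```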
  • To keep this thread still alive...

    @Sallas you're a life saver!

    Since I updated Exchange with RollUp 26 last week and restarted our server, all Outlook clients (Windows 7) suddenly keep saying: "Mailtips could not be retrieved", as well as Autodiscover could not be found, Out of Office replies could not be managed, Free/Busy time unavailable while scheduling a meeting, etc.

    All of this, since we changed the default protocol on Exchange from SSL / TLS 1.0 to TLS 1.1 and TLS 1.2 some weeks ago (with instant effect on SMTP without restarting the server) and by not disabling TLS 1.0, but changing its DefaultProtocol value to 0.

    However, adding this entry

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "DefaultSecureProtocols"=dword:00000a80

    to the registry of our clients solved our Outlook problems.
    Thanx for the info by finding this thread.


    Thursday, March 14, 2019 4:41 PM