Exchange Health Checker v24.03.12.1700


Servers Overview

Server Name Generation Time Exchange Version Server Role OS Version Time Zone .NET Framework Hardware Type Number of Logical Cores Physical Memory Vulnerability Detected
exVM.corp.contoso.com 4/4/2024 12:42:15 PM Exchange 2019 CU14 Mailbox Windows Server 2019 Datacenter Coordinated Universal Time 4.8 HyperV 8 32 GB Warning: We recommend for the best performance to have a minimum of 128GB of RAM installed on the machine. True

Server Details

Server Name exVM.corp.contoso.com
Generation Time4/4/2024 12:42:15 PM
Exchange VersionExchange 2019 CU14
Build Number15.02.1544.004
Not on the latest SU. More Information: https://aka.ms/HC-ExBuilds
Server RoleMailbox
DAG NameStandalone Server
AD SiteDefault-First-Site-Name
MRS Proxy EnabledFalse
Internet Web ProxyNot Set
Common Services Not Running
MSComplianceAudit - Status: Stopped - StartType: Automatic
Extended Protection Enabled (Any VDir)True
Setting Overrides DetectedFalse
Exchange Server MaintenanceServer is not in Maintenance Mode
MAPI/HTTP EnabledTrue
Enable Download DomainsFalse
AD Split PermissionsFalse
Total AD Site Count1
OS VersionWindows Server 2019 Datacenter
System Up Time0 day(s) 2 hour(s) 38 minute(s) 15 second(s)
Time ZoneCoordinated Universal Time
Dynamic Daylight Time EnabledTrue
.NET Framework4.8
PageFileD:\pagefile.sys Size: 0MB
Error: On Exchange 2019, the recommended PageFile size is 25% (8192MB) of the total system memory (32768MB).
More information: https://aka.ms/HC-PageFile
Power PlanHigh performance
Http Proxy SettingNone
Visual C++ 2012 x64Redistributable (11.0.50727) is outdated
Visual C++ 2013 x64Redistributable (12.0.21005) is outdated
Note: For more information about the latest C++ Redistributable please visit: https://aka.ms/HC-LatestVC This is not a requirement to upgrade, only a notification to bring to your attention.
Server Pending RebootTrue --- Warning a reboot is pending and can cause issues on the server.
HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
More Information: https://aka.ms/HC-RebootPending
Hardware TypeHyperV
ProcessorIntel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz
Number of Processors1
Number of Physical Cores4
Number of Logical Cores8
Hyper-ThreadingEnabled --- Not Applicable
All Processor Cores VisiblePassed
Max Processor Speed2095
Physical Memory32 GB Warning: We recommend for the best performance to have a minimum of 128GB of RAM installed on the machine.
Interface DescriptionMicrosoft Hyper-V Network Adapter [Ethernet]
Driver Date2006-06-21
Driver Version10.0.17763.5122
MTU Size1500
Max Processors4
Max Processor Number6
Number of Receive Queues4
RSS EnabledTrue
Link Speed50000 Mbps --- This may not be accurate due to virtualized hardware
IPv6 EnabledTrue
IPv4 Address
Address10.0.0.5/24 Gateway: 10.0.0.1
IPv6 Address
DNS Server10.0.0.4
Registered In DNSTrue
Packets Received Discarded0
TCPKeepAliveNot Set Error: Without this value the KeepAliveTime defaults to two hours, which can cause connectivity and performance issues between network devices such as firewalls and load balancers depending on their configuration. More details: https://aka.ms/HC-TcpIpSettingsCheck
RPC Minimum Connection Timeout0 More Information: https://aka.ms/HC-RPCSetting
FipsAlgorithmPolicy-Enabled0
CtsProcessorAffinityPercentage0
Disable Async Notification0
Credential Guard EnabledFalse
EdgeTransport.exe.config PresentTrue
NodeRunner.exe memory limit0 MB
Open Relay Wild Card DomainNot Set
DisablePreservation
EXO Connector PresentFalse
TLS 1.0Disabled
TLS Settings 1.0
RegistryKeyLocationValue
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server0
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server1
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client0
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client1
TLS 1.1Disabled
TLS Settings 1.1
RegistryKeyLocationValue
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server0
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server1
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client0
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client1
TLS 1.2Enabled
TLS Settings 1.2
RegistryKeyLocationValue
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server1
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server0
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client1
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client0
TLS 1.3Disabled
TLS Settings 1.3
RegistryKeyLocationValue
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\ServerNULL
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\ServerNULL
EnabledSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\ClientNULL
DisabledByDefaultSYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\ClientNULL
TLS NET Settings
RegistryKeyLocationValue
SystemDefaultTlsVersionsSOFTWARE\Microsoft\.NETFramework\v4.0.303191
SchUseStrongCryptoSOFTWARE\Microsoft\.NETFramework\v4.0.30319NULL
SystemDefaultTlsVersionsSOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.303191
SchUseStrongCryptoSOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319NULL
SystemDefaultTlsVersionsSOFTWARE\Microsoft\.NETFramework\v2.0.50727NULL
SchUseStrongCryptoSOFTWARE\Microsoft\.NETFramework\v2.0.50727NULL
SystemDefaultTlsVersionsSOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727NULL
SchUseStrongCryptoSOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727NULL
v4.0.30319 SchUseStrongCryptoValueNULL --- Error: Value should be defined in registry for consistent results.
v4.0.30319 WowSchUseStrongCryptoValueNULL --- Error: Value should be defined in registry for consistent results.
Error: SystemDefaultTlsVersions or SchUseStrongCrypto is not set to the recommended value. Please visit on how to properly enable TLS 1.2 https://aka.ms/HC-TLSGuide
More Information: https://aka.ms/HC-TLSConfigDocs
SecurityProtocolTls, Tls11, Tls12
TLS Cipher Suite
TlsCipherSuiteNameCipherSuiteCipherCertificateProtocols
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38449196AESECDSATLS_1_2 & DTLS_1_1
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA25649195AESECDSATLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA38449200AESRSATLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25649199AESRSATLS_1_2 & DTLS_1_1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA38449188AESECDSATLS_1_2 & DTLS_1_1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA25649187AESECDSATLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA38449192AESRSATLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA25649191AESRSATLS_1_2 & DTLS_1_1
AllowInsecureRenegoClients Value0
AllowInsecureRenegoServers Value0
LmCompatibilityLevel Settings3
AES256-CBC Protected Content SupportTrue
SMB1 InstalledFalse
SMB1 BlockedTrue
Certificate
FriendlyNameLE_CERT_2024-03-22-0913
ThumbprintF7F97090DCB6A9E0E230963027D295ADCD8A3568
Lifetime in days76
Certificate has expiredFalse
Certificate statusValid
Key size2048
Signature Algorithmsha256RSA
Signature Hash Algorithmsha256
Bound to servicesIMAP, POP, IIS, SMTP
Internal Transport CertificateTrue
Current Auth CertificateFalse
Next Auth CertificateFalse
SAN CertificateFalse
Namespaces
exchserverdns.westus.cloudapp.azure.com
Certificate
FriendlyNameMicrosoft Exchange Server Auth Certificate
ThumbprintCA6D0BA854DD0B6926BFEE7A55836AC3C1C99C15
Lifetime in days1785
Certificate has expiredFalse
Certificate statusValid
Key size2048
Signature Algorithmsha256RSA
Signature Hash Algorithmsha256
Bound to servicesSMTP
Internal Transport CertificateFalse
Current Auth CertificateTrue
Next Auth CertificateFalse
SAN CertificateFalse
Namespaces
Microsoft Exchange Server Auth Certificate
Certificate
FriendlyNameMicrosoft Exchange
ThumbprintCCC5AB763449C5EC220F381F32CAC1305C1DA39C
Lifetime in days1811
Certificate has expiredFalse
Certificate statusValid
Key size2048
Signature Algorithmsha256RSA
Signature Hash Algorithmsha256
Bound to servicesIIS, SMTP
Internal Transport CertificateFalse
Current Auth CertificateFalse
Next Auth CertificateFalse
SAN CertificateTrue
Namespaces
exVM
exVM.corp.contoso.com
Certificate
FriendlyNameWMSVC-SHA2
Thumbprint8F76E8704755075187107ECAA226511BE99A884D
Lifetime in days3635
Certificate has expiredFalse
Certificate statusValid
Key size2048
Signature Algorithmsha256RSA
Signature Hash Algorithmsha256
Bound to servicesNone
Internal Transport CertificateFalse
Current Auth CertificateFalse
Next Auth CertificateFalse
SAN CertificateFalse
Namespaces
WMSvc-SHA2-exVM
Valid Internal Transport Certificate Found On ServerTrue
Valid Auth Certificate Found On ServerTrue
AMSI EnabledTrue
SerializedDataSigning EnabledTrue
Strict Mode disabledFalse
BaseTypeCheckForDeserialization disabledFalse
Exchange Emergency Mitigation ServiceEnabled
Windows serviceRunning
Pattern service200 - Reachable
Mitigation appliedPING1
Run: 'Get-Mitigations.ps1' from: 'C:\Program Files\Microsoft\Exchange Server\V15\scripts\' to learn more.
Telemetry enabledTrue
IIS module anomalies detectedFalse
Security VulnerabilityADV24199947 See: https://portal.msrc.microsoft.com/security-guidance/advisory/ADV24199947 for more information.
Security VulnerabilitiesCVE-2024-26198 See: https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2024-26198 for more information.
Download Domains are not configured. You should configure them to be protected against CVE-2021-1730. Configuration instructions: https://aka.ms/HC-DownloadDomains
ADV24199947 See: https://portal.msrc.microsoft.com/security-guidance/advisory/ADV24199947 for more information.
IIS Sites Information
NameStateHSTS EnabledProtocol - Bindings - Certificate
Default Web SiteStartedFalsehttp - *:80: - NULL https - :443: - F7F97090DCB6A9E0E230963027D295ADCD8A3568 http - 127.0.0.1:80: - NULL https - 127.0.0.1:443: - F7F97090DCB6A9E0E230963027D295ADCD8A3568
Exchange Back EndStartedFalsehttp - *:81: - NULL https - *:444: - CCC5AB763449C5EC220F381F32CAC1305C1DA39C
Application Pool Information
AppPoolNameStateGCServerEnabledRestartConditionSet
MSExchangeMapiFrontEndAppPoolStartedTrueFalse
MSExchangeOWAAppPoolStartedFalseFalse
MSExchangeECPAppPoolStartedFalseFalse
MSExchangeRestAppPoolStartedFalseFalse
MSExchangeMapiAddressBookAppPoolStartedFalseFalse
MSExchangeRpcProxyFrontEndAppPoolStartedFalseFalse
MSExchangePowerShellAppPoolStartedFalseFalse
MSExchangePowerShellFrontEndAppPoolStartedFalseFalse
MSExchangeRestFrontEndAppPoolStartedFalseFalse
MSExchangeMapiMailboxAppPoolStartedFalseFalse
MSExchangeOABAppPoolStartedFalseFalse
MSExchangePushNotificationsAppPoolStartedFalseFalse
MSExchangeOWACalendarAppPoolStartedFalseFalse
MSExchangeAutodiscoverAppPoolStartedFalseFalse
MSExchangeServicesAppPoolStartedFalseFalse
MSExchangeSyncAppPoolStartedTrueFalse
MSExchangeRpcProxyAppPoolStartedFalseFalse
Virtual Directory Locations
NameExtendedProtectionSslFlagsIPFilteringEnabledURLRewriteAuthentication
Default Web SiteNoneFalseFalseanonymous (default setting)
Default Web Site/APIRequireTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting)
Default Web Site/AutodiscoverNoneTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting) basic
Default Web Site/ecpRequireTrue (128-bit)Falseanonymous (default setting) basic
Default Web Site/EWSAllowTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting)
Default Web Site/mapiRequireTrue (128-bit)FalseWindows (Negotiate,NTLM)
Default Web Site/Microsoft-Server-ActiveSyncAllowTrue (128-bit)Falsebasic
Default Web Site/Microsoft-Server-ActiveSync/ProxyAllowTrue (128-bit)FalseWindows (Negotiate,NTLM)
Default Web Site/OABAllowTrue (128-bit)FalseWindows (Negotiate,NTLM)
Default Web Site/owaRequireTrue (128-bit)Falsebasic
Default Web Site/PowerShellNoneFalse Cert(Accept)False
Default Web Site/RpcRequireTrue (128-bit)FalseWindows (Negotiate,NTLM) basic
Exchange Back EndNoneFalseFalseanonymous (default setting)
Exchange Back End/APIRequireTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/AutodiscoverNoneTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/ecpRequireTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/EWSRequireTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/mapi/emsmdbRequireTrueFalseWindows (Negotiate,NTLM)
Exchange Back End/mapi/nspiRequireTrueFalseWindows (Negotiate,NTLM)
Exchange Back End/Microsoft-Server-ActiveSyncRequireTrue (128-bit)Falsebasic
Exchange Back End/Microsoft-Server-ActiveSync/ProxyRequireTrue (128-bit)FalseWindows (Negotiate,NTLM)
Exchange Back End/OABRequireTrue (128-bit)FalseWindows (Negotiate,NTLM)
Exchange Back End/owaRequireTrue (128-bit)FalseWindows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/PowerShellRequireTrue (128-bit)FalseWindows (Negotiate,NTLM)
Exchange Back End/RpcRequireTrue (128-bit)FalseWindows (Negotiate,NTLM)
Exchange Back End/RpcWithCertRequireTrue (128-bit)FalseWindows (Negotiate,NTLM)