Exchange Health Checker v25.03.04.1611

Servers Overview

Server Name Generation Time Exchange Version Server Role OS Version Time Zone .NET Framework Hardware Type Number of Logical Cores Physical Memory Vulnerability Detected

exVM.corp.contoso.com 3/11/2025 10:31:37 AM Exchange 2019 CU15 Mailbox Windows Server 2019 Datacenter Coordinated Universal Time 4.8 HyperV 8 32 GB Warning: We recommend for the best performance to have a minimum of 128GB of RAM installed on the machine. True

Server Name	Generation Time	Exchange Version	Server Role	OS Version	Time Zone	.NET Framework	Hardware Type	Number of Logical Cores	Physical Memory	Vulnerability Detected
exVM.corp.contoso.com	3/11/2025 10:31:37 AM	Exchange 2019 CU15	Mailbox	Windows Server 2019 Datacenter	Coordinated Universal Time	4.8	HyperV	8	32 GB Warning: We recommend for the best performance to have a minimum of 128GB of RAM installed on the machine.	True

Server Details

Server Name

exVM.corp.contoso.com

Generation Time

3/11/2025 10:31:37 AM

Exchange Version

Exchange 2019 CU15

Build Number

15.02.1748.010

Latest Install Time (SU/CU)

3/11/2025 8:05:53 AM

Server Role

Mailbox

Edition

Warning - StandardEvaluation

Remaining Trial Period

Error - 00:00:00

DAG Name

Standalone Server

AD Site

Default-First-Site-Name

MRS Proxy Enabled

False

Exchange Server Membership

Passed

Internet Web Proxy

Not Set

Extended Protection Enabled (Any VDir)

True

Feature Flighting

Ring Level

Endpoint Service Status

200 - Reachable

Last Service Run Time

3/11/2025 9:53:56 AM

Features Enabled

PING.1.0

Setting Overrides Detected

False

Monitoring Overrides Detected

False

Exchange Server Maintenance

Server is not in Maintenance Mode

MAPI/HTTP Enabled

True

Enable Download Domains

False

AD Split Permissions

False

Total AD Site Count

OS Version

Windows Server 2019 Datacenter

System Up Time

0 day(s) 0 hour(s) 47 minute(s) 41 second(s)

Time Zone

Coordinated Universal Time

Dynamic Daylight Time Enabled

True

.NET Framework

4.8

PageFile

D:\pagefile.sys Size: 0MB

Error: On Exchange 2019, the recommended PageFile size is 25% (8192MB) of the total system memory (32768MB).

More information: https://aka.ms/HC-PageFile

Power Plan

High performance

Http Proxy Setting

None

Visual C++ 2012 x64

Redistributable (11.0.50727) is outdated

Visual C++ 2013 x64

Redistributable (12.0.21005) is outdated

Note: For more information about the latest C++ Redistributable please visit: https://aka.ms/HC-LatestVC This is not a requirement to upgrade, only a notification to bring to your attention.

Server Pending Reboot

False

Hardware Type

HyperV

Processor

Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz

Current Total Processor Usage

0.64

Number of Processors

Number of Physical Cores

Number of Logical Cores

Hyper-Threading

Enabled --- Not Applicable

All Processor Cores Visible

Passed

Max Processor Speed

2095

Physical Memory

32 GB Warning: We recommend for the best performance to have a minimum of 128GB of RAM installed on the machine.

Dynamic Memory Detected

False

Interface Description

Microsoft Hyper-V Network Adapter [Ethernet]

Driver Date

2006-06-21

Driver Version

10.0.17763.6054

MTU Size

1500

Max Processors

Max Processor Number

Number of Receive Queues

RSS Enabled

True

Link Speed

50000 Mbps --- This may not be accurate due to virtualized hardware

IPv6 Enabled

True

IPv4 Address

Address

10.0.0.5/24 Gateway: 10.0.0.1

IPv6 Address

DNS Server

10.0.0.4

Registered In DNS

True

Packets Received Discarded

TCPKeepAlive

Not Set Error: Without this value the KeepAliveTime defaults to two hours, which can cause connectivity and performance issues between network devices such as firewalls and load balancers depending on their configuration. More details: https://aka.ms/HC-TcpIpSettingsCheck

RPC Minimum Connection Timeout

0 More Information: https://aka.ms/HC-RPCSetting

FipsAlgorithmPolicy-Enabled

EnableEccCertificateSupport Registry Value

CtsProcessorAffinityPercentage

Disable Async Notification

Credential Guard Enabled

False

EdgeTransport.exe.config Present

True

NodeRunner.exe memory limit

0 MB

Open Relay Wild Card Domain

Not Set

DisablePreservation

EXO Connector Present

False

UnifiedContent Auto Cleanup Configured

True

TLS 1.0

Disabled

TLS Settings 1.0

RegistryKey	Location	Value
Enabled	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server	0
DisabledByDefault	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server	1
Enabled	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client	0
DisabledByDefault	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client	1

TLS 1.1

Disabled

TLS Settings 1.1

RegistryKey	Location	Value
Enabled	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server	0
DisabledByDefault	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server	1
Enabled	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client	0
DisabledByDefault	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client	1

TLS 1.2

Enabled

TLS Settings 1.2

RegistryKey	Location	Value
Enabled	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server	1
DisabledByDefault	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server	0
Enabled	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client	1
DisabledByDefault	SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client	0

TLS NET Settings

RegistryKey	Location	Value
SystemDefaultTlsVersions	SOFTWARE\Microsoft\.NETFramework\v4.0.30319	1
SchUseStrongCrypto	SOFTWARE\Microsoft\.NETFramework\v4.0.30319	NULL
SystemDefaultTlsVersions	SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319	1
SchUseStrongCrypto	SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319	NULL
SystemDefaultTlsVersions	SOFTWARE\Microsoft\.NETFramework\v2.0.50727	NULL
SchUseStrongCrypto	SOFTWARE\Microsoft\.NETFramework\v2.0.50727	NULL
SystemDefaultTlsVersions	SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727	NULL
SchUseStrongCrypto	SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727	NULL

v4.0.30319 SchUseStrongCryptoValue

NULL --- Error: Value should be defined in registry for consistent results.

v4.0.30319 WowSchUseStrongCryptoValue

NULL --- Error: Value should be defined in registry for consistent results.

Error: SystemDefaultTlsVersions or SchUseStrongCrypto is not set to the recommended value. Please visit on how to properly enable TLS 1.2 https://aka.ms/HC-TLSGuide

More Information: https://aka.ms/HC-TLSConfigDocs

SecurityProtocol

Tls, Tls11, Tls12

TLS Cipher Suite

TlsCipherSuiteName	CipherSuite	Cipher	Certificate	Protocols
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	49196	AES	ECDSA	TLS_1_2 & DTLS_1_1
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	49195	AES	ECDSA	TLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	49200	AES	RSA	TLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	49199	AES	RSA	TLS_1_2 & DTLS_1_1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	49188	AES	ECDSA	TLS_1_2 & DTLS_1_1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	49187	AES	ECDSA	TLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	49192	AES	RSA	TLS_1_2 & DTLS_1_1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	49191	AES	RSA	TLS_1_2 & DTLS_1_1

AllowInsecureRenegoClients Value

AllowInsecureRenegoServers Value

LmCompatibilityLevel Settings

AES256-CBC Protected Content Support

True

SMB1 Installed

False

SMB1 Blocked

True

Certificate

FriendlyName

LE_CERT_2025-01-15-1241

Thumbprint

66A0C4AFE308B7DAEF75FEC4A08A60168171FF4F

Lifetime in days

Certificate has expired

False

Certificate status

Valid

Key size

2048

ECC Certificate

False

Signature Algorithm

sha256RSA

Signature Hash Algorithm

sha256

Bound to services

IMAP, POP, IIS, SMTP

Internal Transport Certificate

True

Current Auth Certificate

False

Next Auth Certificate

False

SAN Certificate

False

Namespaces

exchserverdns.westus.cloudapp.azure.com

Certificate

FriendlyName

Microsoft Exchange Server Auth Certificate

Thumbprint

CA6D0BA854DD0B6926BFEE7A55836AC3C1C99C15

Lifetime in days

1444

Certificate has expired

False

Certificate status

Valid

Key size

2048

ECC Certificate

False

Signature Algorithm

sha256RSA

Signature Hash Algorithm

sha256

Bound to services

SMTP

Internal Transport Certificate

False

Current Auth Certificate

True

Next Auth Certificate

False

SAN Certificate

False

Namespaces

Microsoft Exchange Server Auth Certificate

Certificate

FriendlyName

Microsoft Exchange

Thumbprint

CCC5AB763449C5EC220F381F32CAC1305C1DA39C

Lifetime in days

1470

Certificate has expired

False

Certificate status

Valid

Key size

2048

ECC Certificate

False

Signature Algorithm

sha256RSA

Signature Hash Algorithm

sha256

Bound to services

IIS, SMTP

Internal Transport Certificate

False

Current Auth Certificate

False

Next Auth Certificate

False

SAN Certificate

True

Namespaces

exVM

exVM.corp.contoso.com

Certificate

FriendlyName

WMSVC-SHA2

Thumbprint

8F76E8704755075187107ECAA226511BE99A884D

Lifetime in days

3294

Certificate has expired

False

Certificate status

Valid

Key size

2048

ECC Certificate

False

Signature Algorithm

sha256RSA

Signature Hash Algorithm

sha256

Bound to services

None

Internal Transport Certificate

False

Current Auth Certificate

False

Next Auth Certificate

False

SAN Certificate

False

Namespaces

WMSvc-SHA2-exVM

Valid Internal Transport Certificate Found On Server

True

Valid Auth Certificate Found On Server

True

AMSI Enabled

True

AMSI Request Body Scanning

False

AMSI Request Body Size Block

False

SerializedDataSigning Enabled

True

Strict Mode disabled

False

BaseTypeCheckForDeserialization disabled

False

Exchange Emergency Mitigation Service

Enabled

Windows service

Running

Pattern service

200 - Reachable

Mitigation applied

PING1

Run: 'Get-Mitigations.ps1' from: 'C:\Program Files\Microsoft\Exchange Server\V15\scripts\' to learn more.

Telemetry enabled

False

IIS module anomalies detected

False

Security Vulnerabilities

Download Domains are not configured. You should configure them to be protected against CVE-2021-1730. Configuration instructions: https://aka.ms/HC-DownloadDomains

IIS Sites Information

Name	State	HSTS Enabled	Protocol - Bindings - Certificate
Default Web Site	Started	False	https - :443: - 66A0C4AFE308B7DAEF75FEC4A08A60168171FF4F https - 127.0.0.1:443: - 66A0C4AFE308B7DAEF75FEC4A08A60168171FF4F http - :80: - NULL
Exchange Back End	Started	False	http - :81: - NULL https - :444: - CCC5AB763449C5EC220F381F32CAC1305C1DA39C

Application Pool Information

AppPoolName	State	GCServerEnabled	RestartConditionSet
MSExchangeMapiFrontEndAppPool	Started	True	False
MSExchangeOWAAppPool	Started	False	False
MSExchangeECPAppPool	Started	False	False
MSExchangeRestAppPool	Started	False	False
MSExchangeMapiAddressBookAppPool	Started	False	False
MSExchangeRpcProxyFrontEndAppPool	Started	False	False
MSExchangePowerShellAppPool	Started	False	False
MSExchangePowerShellFrontEndAppPool	Started	False	False
MSExchangeRestFrontEndAppPool	Started	False	False
MSExchangeMapiMailboxAppPool	Started	False	False
MSExchangeOABAppPool	Started	False	False
MSExchangePushNotificationsAppPool	Started	False	False
MSExchangeOWACalendarAppPool	Started	False	False
MSExchangeAutodiscoverAppPool	Started	False	False
MSExchangeServicesAppPool	Started	False	False
MSExchangeSyncAppPool	Started	True	False
MSExchangeRpcProxyAppPool	Started	False	False

Virtual Directory Locations

Name	ExtendedProtection	SslFlags	IPFilteringEnabled	Authentication
Default Web Site	None	False	False	anonymous (default setting)
Default Web Site/API	Require	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting)
Default Web Site/Autodiscover	None	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting) basic
Default Web Site/ecp	Require	True (128-bit)	False	anonymous (default setting) basic
Default Web Site/EWS	Allow	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting)
Default Web Site/mapi	Require	True (128-bit)	False	Windows (Negotiate,NTLM)
Default Web Site/Microsoft-Server-ActiveSync	Allow	True (128-bit)	False	basic
Default Web Site/Microsoft-Server-ActiveSync/Proxy	Allow	True (128-bit)	False	Windows (Negotiate,NTLM)
Default Web Site/OAB	Allow	True (128-bit)	False	Windows (Negotiate,NTLM)
Default Web Site/owa	Require	True (128-bit)	False	basic
Default Web Site/PowerShell	None	False Cert(Accept)	False
Default Web Site/Rpc	Require	True (128-bit)	False	Windows (Negotiate,NTLM) basic
Exchange Back End	None	False	False	anonymous (default setting)
Exchange Back End/API	Require	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/Autodiscover	None	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/ecp	Require	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/EWS	Require	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/mapi/emsmdb	Require	True	False	Windows (Negotiate,NTLM)
Exchange Back End/mapi/nspi	Require	True	False	Windows (Negotiate,NTLM)
Exchange Back End/Microsoft-Server-ActiveSync	Require	True (128-bit)	False	basic
Exchange Back End/Microsoft-Server-ActiveSync/Proxy	Require	True (128-bit)	False	Windows (Negotiate,NTLM)
Exchange Back End/OAB	Require	True (128-bit)	False	Windows (Negotiate,NTLM)
Exchange Back End/owa	Require	True (128-bit)	False	Windows (Negotiate,NTLM) anonymous (default setting)
Exchange Back End/PowerShell	Require	True (128-bit)	False	Windows (Negotiate,NTLM)
Exchange Back End/Rpc	Require	True (128-bit)	False	Windows (Negotiate,NTLM)
Exchange Back End/RpcWithCert	Require	True (128-bit)	False	Windows (Negotiate,NTLM)