SchUseStrongCrypto must be enabled.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-259577	SRG-APP-000014	EX19-ED-000006	SV-259577r960759_rule	2024-12-06	2

Description
Exchange Server 2019 is configured by default with TLS 1.2. However, SchUseStrongCrypto is not set by default and must be configured to meet the TLS requirement. The strong cryptography (configured by the SchUseStrongCrypto registry value) uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. SchUseStrongCrypto affects only client (outgoing) connections in the application.

Description

Exchange Server 2019 is configured by default with TLS 1.2. However, SchUseStrongCrypto is not set by default and must be configured to meet the TLS requirement. The strong cryptography (configured by the SchUseStrongCrypto registry value) uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. SchUseStrongCrypto affects only client (outgoing) connections in the application.

ℹ️ Check
In a PowerShell window, run the following commands: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319 If the value "SchUseStrongCrypto" is not present and set to 1, this is a finding.

✔️ Fix
In a PowerShell window with elevated privileges, run the following commands: reg add HKLM\SOFTWARE\Microsoft\.NetFramework\v4.0.30319 /v "SchUseStrongCrypto" /t REG_DWORD /d 1 reg add HKLM\SOFTWARE\WoW6432Node\Microsoft\.NetFramework\v4.0.30319 /v "SchUseStrongCrypto" /t REG_DWORD /d 1 This will create the value within the necessary key and set the data to 1.