Scan domain forest for TLS 1.0

Jon Mercer 1,011 Reputation points
2021-11-15T18:50:59.097+00:00

Is there a way to scan the domain forest to find servers that are still using TLS 1.0?

This is mostly tied to this email.

You are receiving this message because our reporting indicates that your organization is still connecting using SMTP Auth client submission via smtp.office365.com with TLS1.0 or TLS1.1 to connect to Exchange Online.

We don't have many servers, but from what I have been reading it doesn't look like there is an easy way, without 3rd party software, to find out if a server is still using TLS 1.0.

Why isn't there a tag for TLS?


2 answers

  1. Leon Laude 85,871 Reputation points
    2021-11-15T19:16:44.707+00:00

    Hi @Jon Mercer ,

    You could for example create a PowerShell script that checks the TLS registry entry mentioned in the following documentation:
    https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

    Then run the script against all of your servers.

    You'll also find the default TLS & SSL settings on different Windows operating systems over here:
    https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

    Another easy way to check these settings is by using the free tool from Nartac:
    https://www.nartac.com/Products/IISCrypto/

    Here's more information regarding the email you've received:

    There is also a document from Microsoft which presents guidance on rapidly identifying and removing TLS 1.0 dependencies in software built on top of Microsoft operating systems, you'll find the guidance over here: Solving the TLS 1.0 Problem

    ----------

    If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

    Best regards,
    Leon


  2. Limitless Technology 39,796 Reputation points
    2021-11-16T08:48:08.65+00:00

    Hello JonMercer,

    Should not be difficult to achieve.

    You start with the PowerShell cmdlet Get-TlsCipherSuite | ft name,certificate,cipherlength to prompt for the ciphers enabled on a machine; you will just need a CSV with a list of server hostnames in your forest and run a ForEach script against the list.


    --If the reply is helpful, please Upvote and Accept as answer--
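A script along the lines both answers describe, added here as an example and not part of either reply: it reads the Schannel Protocols registry keys from the TLS registry settings documentation on every host in a hostname CSV (assumed column name Hostname) over PowerShell Remoting and reports whether TLS 1.0 and 1.1 are explicitly disabled, enabled, or left at the OS default. The Client subkey for TLS 1.0 is the one that matters for the Exchange Online email, since that report is about outbound SMTP AUTH connections.

```powershell
# Added example, not code from the thread. Assumes a constructed servers.csv with a
# "Hostname" column and WinRM (PowerShell Remoting) reachable on each host.
$servers = Import-Csv -Path .\servers.csv | Select-Object -ExpandProperty Hostname

$check = {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path -Path $base -ChildPath "$proto\$role"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path -Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # No key or no values means the default for this Windows version applies
            # (see the "Protocols in TLS/SSL (Schannel SSP)" page linked above).
            $state = 'Enabled'
            if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'OS default (no override)' }
            elseif ($enabled -eq 0) { $state = 'Disabled' }
            elseif ($disabledByDefault -eq 1) { $state = 'Disabled by default' }
            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                OSVersion         = [System.Environment]::OSVersion.Version.ToString()
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Hosts that cannot be reached are collected in $unreachable instead of aborting the run.
$results = Invoke-Command -ComputerName $servers -ScriptBlock $check `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable
$results | Sort-Object Computer, Protocol, Role |
    Format-Table Computer, OSVersion, Protocol, Role, Enabled, DisabledByDefault, State -AutoSize

# Candidates for the Exchange Online report: TLS 1.0 client side not explicitly disabled.
$results | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Role -eq 'Client' -and $_.State -ne 'Disabled' } |
    Export-Csv -Path .\tls10-client-candidates.csv -NoTypeInformation

if ($unreachable) {
    Write-Warning ("Could not query: " + (($unreachable | ForEach-Object { $_.TargetObject }) -join ', '))
}
```

The registry only shows what Schannel will allow, not what an application actually negotiated; a host listed as a candidate still needs its SMTP client application checked, since .NET or custom software can pin its own protocol version.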
