How to Configure Extended Protection in Exchange Server 2019/2016

Enable Extended Protection on Exchange Server to prevent authentication relay and man-in-the-middle attacks using PowerShell scripts and manual configuration methods.

Emanuel DE ALMEIDA
March 17, 2026 · 18 min · 8 steps · exchange-server

Why Configure Extended Protection in Exchange Server?

Extended Protection is a critical security feature that prevents authentication relay and man-in-the-middle attacks against Exchange Server. It works by binding Windows Authentication (NTLM) to the TLS channel information in IIS, so that an NTLM exchange captured from one TLS session cannot be relayed to another service.

Since August 2022, Microsoft has made Extended Protection a requirement for Exchange Server security hardening. Servers without this protection remain persistently vulnerable to sophisticated authentication attacks. Exchange Server 2019 CU14 and later versions automatically enable Extended Protection during installation, but older supported versions require manual configuration.

What Authentication Attacks Does Extended Protection Prevent?

Extended Protection specifically mitigates NTLM relay attacks, in which an attacker intercepts an authentication exchange and relays it to another Exchange service. Without this protection, an attacker who can intercept NTLM authentication traffic can potentially access mailboxes, administrative interfaces, or other Exchange services as the relayed user.

The protection works by creating a cryptographic binding between the TLS channel and the authentication token, ensuring that an authentication exchange is only valid within the specific TLS session in which it was created. This makes relay attacks ineffective even if the attacker has a position on the network.


Which Exchange Server Versions Support Extended Protection?

Extended Protection is supported on Exchange Server 2013, 2016, and 2019, but requires specific minimum updates. Exchange 2016 and 2019 need at least the August 2022 Security Update, while Exchange 2013 requires the same minimum patch level. Exchange 2019 CU14 and later automatically enable Extended Protection during setup, making manual configuration unnecessary for new installations.

Implementation Guide

Full Procedure

01

Download and Prepare the Extended Protection Management Script

Microsoft provides an official PowerShell script to manage Extended Protection across Exchange servers. Download this script from the official GitHub repository.

# Create scripts directory
New-Item -Path "C:\Scripts" -ItemType Directory -Force

# Download the official script (use browser or PowerShell)
Invoke-WebRequest -Uri "https://github.com/microsoft/CSS-Exchange/raw/main/Security/ExchangeExtendedProtectionManagement/ExchangeExtendedProtectionManagement.ps1" -OutFile "C:\Scripts\ExchangeExtendedProtectionManagement.ps1"

# Set execution policy if needed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Navigate to the scripts directory and verify the download:

cd C:\Scripts
Get-ChildItem ExchangeExtendedProtectionManagement.ps1 | Select-Object Name, Length, LastWriteTime

Pro tip: Always download scripts from official Microsoft repositories to ensure authenticity and latest security patches.

02

Check Current Extended Protection Status

Before making changes, assess the current Extended Protection configuration across all Exchange servers and virtual directories.

# Open Exchange Management Shell as Administrator
# Run the status check command
.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

The script will display a comprehensive report showing:

  • Server names and their Extended Protection status
  • Virtual directories (OWA, ECP, EWS, ActiveSync, etc.)
  • TokenChecking values: None, Allow, or Require
  • ExtendedProtectionFlags: None or Proxy

Example output interpretation:

Server: EX01
  OWA: TokenChecking=None, Flags=None (VULNERABLE)
  ECP: TokenChecking=None, Flags=None (VULNERABLE)
  EWS: TokenChecking=Require, Flags=Proxy (PROTECTED)

Verification: Look for "VULNERABLE" or "None" values indicating unprotected directories.

Warning: Servers showing mixed protection states indicate incomplete configuration that could allow authentication bypass.

03

Verify Prerequisites and Server Compatibility

Extended Protection requires specific minimum versions and consistent configuration across your Exchange environment.

# Check Exchange version and cumulative updates
Get-ExchangeServer | Select-Object Name, Edition, AdminDisplayVersion

# Verify TLS configuration consistency
Get-ExchangeServer | ForEach-Object {
    $server = $_.Name
    Write-Host "Checking TLS on $server"
    Invoke-Command -ComputerName $server -ScriptBlock {
        Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -ErrorAction SilentlyContinue
    }
}

Check for Hybrid deployment considerations:

# Identify Hybrid Agent servers (if applicable)
Get-HybridConfiguration | Select-Object SendingTransportServers, ReceivingTransportServers

# Check for Modern Hybrid setup
Get-IntraOrganizationConnector | Select-Object Name, TargetAddressDomains

Requirements verification:

  • Exchange 2019: CU14 or later (auto-enables EP)
  • Exchange 2016: Minimum August 2022 Security Update
  • Exchange 2013: Minimum August 2022 Security Update
  • TLS versions: Must be identical across all servers

Verification: All servers should show compatible versions and consistent TLS settings.
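As an added example (not from the original article and not part of Microsoft's script), the following function gathers the SCHANNEL protocol settings and the .NET strong-crypto switch from every Exchange server and reports each value that differs from the first server, which is the consistency requirement listed above. It assumes an Exchange Management Shell session with WinRM access to each server; the function name Get-TlsSettingsReport is my own.

```powershell
# Added example: cross-server TLS consistency check for Extended Protection prerequisites.
# Assumes Exchange Management Shell and WinRM access to every server (not from the article).
function Get-TlsSettingsReport {
    param(
        [string[]]$ServerNames = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )
    $protocols = @("TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")
    $roles     = @("Server", "Client")

    # Collect the raw registry values from every server in one remoting call
    $settings = Invoke-Command -ComputerName $ServerNames -ScriptBlock {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
        $map  = @{}
        foreach ($p in $using:protocols) {
            foreach ($r in $using:roles) {
                $key = Get-ItemProperty -Path "$base\$p\$r" -ErrorAction SilentlyContinue
                # A missing key or value means the OS default applies; record that explicitly
                # so that "absent" on one server versus "Enabled=1" on another is flagged
                $enabled  = if ($null -eq $key.Enabled) { "default" } else { $key.Enabled }
                $disabled = if ($null -eq $key.DisabledByDefault) { "default" } else { $key.DisabledByDefault }
                $map["$p/$r"] = "Enabled=$enabled;DisabledByDefault=$disabled"
            }
        }
        # The .NET strong-crypto switch also decides which TLS versions Exchange negotiates
        $net = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -ErrorAction SilentlyContinue
        $map["NET/SchUseStrongCrypto"] = if ($null -eq $net.SchUseStrongCrypto) { "default" } else { "$($net.SchUseStrongCrypto)" }
        [PSCustomObject]@{ Server = $env:COMPUTERNAME; Settings = $map }
    }

    # Use the first server as the baseline and emit one row per server and setting
    $baseline = @($settings)[0]
    foreach ($s in $settings) {
        foreach ($name in ($baseline.Settings.Keys | Sort-Object)) {
            [PSCustomObject]@{
                Server   = $s.Server
                Setting  = $name
                Value    = "$($s.Settings[$name])"
                Baseline = "$($baseline.Settings[$name])"
                Match    = ("$($s.Settings[$name])" -eq "$($baseline.Settings[$name])")
            }
        }
    }
}

$report     = Get-TlsSettingsReport
$mismatches = $report | Where-Object { -not $_.Match }
if ($mismatches) {
    Write-Warning "TLS configuration differs between servers; align it before enabling Extended Protection"
    $mismatches | Format-Table Server, Setting, Value, Baseline -AutoSize
} else {
    $count = ($report | Select-Object -ExpandProperty Server -Unique).Count
    Write-Host "TLS settings are identical on all $count servers" -ForegroundColor Green
}
```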

04

Enable Extended Protection Using the Official Script

Use the Microsoft script to enable Extended Protection across all Exchange servers. The script handles prerequisites checking and applies consistent configuration.

For standard Exchange deployments:

# Enable Extended Protection on all servers
.\ExchangeExtendedProtectionManagement.ps1

# The script will:
# 1. Check prerequisites (CU/SU versions, TLS consistency)
# 2. Set ExtendedProtectionTokenChecking=Required
# 3. Set ExtendedProtectionFlags=Proxy on virtual directories
# 4. Apply changes to OWA, ECP, EWS, ActiveSync, PowerShell, Autodiscover, OAB, MAPI

For Hybrid deployments (exclude Front-End EWS):

# Modern Hybrid - exclude EWS Front-End to prevent authentication issues
.\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames "EX01","EX02" -ExcludeVirtualDirectories "EWSFrontEnd"

For specific servers only:

# Target specific servers (pass the names as a string array, not as one comma-separated string)
.\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames "EX01","EX02","EX03"

Monitor the script execution for any errors or warnings. The script provides detailed output showing each virtual directory being configured.

Verification: Run the status check again to confirm all directories show "Required" and "Proxy" settings:

.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

Pro tip: The script automatically creates backups of IIS configurations before making changes, allowing for easy rollback if needed.

05

Configure Extended Protection Manually via PowerShell

For granular control or troubleshooting, configure Extended Protection manually using Exchange Management Shell cmdlets.

Extended Protection is configured per virtual directory: Set-ClientAccessService has no Extended Protection parameters, so there is no single service-wide switch. Configure each virtual directory type individually:

# Valid ExtendedProtectionTokenChecking values are None, Allow and Require
# Web Services (EWS)
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExtendedProtectionTokenChecking Require -ExtendedProtectionFlags Proxy

# Outlook Web App (OWA)
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExtendedProtectionTokenChecking Require -ExtendedProtectionFlags Proxy

# Exchange Control Panel (ECP)
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExtendedProtectionTokenChecking Require -ExtendedProtectionFlags Proxy

# ActiveSync
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExtendedProtectionTokenChecking Require -ExtendedProtectionFlags Proxy

# PowerShell
Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExtendedProtectionTokenChecking Require -ExtendedProtectionFlags Proxy

# Autodiscover
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -ExtendedProtectionTokenChecking Require -ExtendedProtectionFlags Proxy

For advanced scenarios, write the settings directly into the IIS configuration with the WebAdministration module:

# Configure multiple virtual directories in bulk (run on each Exchange server)
Import-Module WebAdministration
$VirtualDirectories = @("Microsoft-Server-ActiveSync","OWA","ECP","EWS","OAB","PowerShell","Autodiscover","MAPI")
foreach ($VDir in $VirtualDirectories) {
    try {
        # IIS enum values: tokenChecking = None | Allow | Require, flags = None | Proxy | ...
        Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication" -Name "extendedProtection.tokenChecking" -Value "Require" -PSPath "IIS:\" -Location "Default Web Site/$VDir"
        Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication" -Name "extendedProtection.flags" -Value "Proxy" -PSPath "IIS:\" -Location "Default Web Site/$VDir"
        Write-Host "Configured Extended Protection for $VDir" -ForegroundColor Green
    }
    catch {
        Write-Warning "Failed to configure $VDir: $($_.Exception.Message)"
    }
}

Verification: Check individual virtual directory settings:

# Verify OWA configuration
Get-OwaVirtualDirectory | Select-Object Server, Name, ExtendedProtectionTokenChecking, ExtendedProtectionFlags

# Verify EWS configuration
Get-WebServicesVirtualDirectory | Select-Object Server, Name, ExtendedProtectionTokenChecking, ExtendedProtectionFlags

06

Configure Extended Protection via IIS Manager

Use IIS Manager for visual configuration and troubleshooting of Extended Protection settings on individual virtual directories.

Open IIS Manager and navigate to virtual directories:

# Open IIS Manager
inetmgr.exe

Manual configuration steps:

  1. Navigate to Sites → Default Web Site (or Exchange Back End)
  2. Select a virtual directory (e.g., OWA, ECP, EWS)
  3. Double-click Authentication in the Features View
  4. Select Windows Authentication → Advanced Settings
  5. Set Extended Protection to "Required"
  6. Set Extended Protection Flags to "Proxy" (if using load balancer) or "None" (direct connection)

Verify the configuration in web.config:

# Check web.config for Extended Protection settings
# Note: the windowsAuthentication section is locked at the server level by default, so IIS
# usually stores these values in applicationHost.config <location> entries rather than in the
# application's web.config; an empty result here is expected in that case (see the IIS check below)
$webConfigPath = "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config"
[xml]$webConfig = Get-Content $webConfigPath
$windowsAuth = $webConfig.configuration.'system.webServer'.security.authentication.windowsAuthentication
Write-Host "Extended Protection Token Checking: $($windowsAuth.extendedProtection.tokenChecking)"
Write-Host "Extended Protection Flags: $($windowsAuth.extendedProtection.flags)"

For multiple virtual directories, use PowerShell to verify IIS settings:

# Check IIS configuration for all Exchange virtual directories (run on each Exchange server)
Import-Module WebAdministration
$VDirs = @("OWA", "ECP", "EWS", "Microsoft-Server-ActiveSync", "PowerShell", "Autodiscover")
foreach ($VDir in $VDirs) {
    try {
        $tokenChecking = Get-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication" -Name "extendedProtection.tokenChecking" -PSPath "IIS:\" -Location "Default Web Site/$VDir"
        $flags = Get-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication" -Name "extendedProtection.flags" -PSPath "IIS:\" -Location "Default Web Site/$VDir"
        # IIS reports the enum value as "Require" (the IIS Manager UI labels it "Required")
        Write-Host "$VDir - TokenChecking: $($tokenChecking.Value), Flags: $($flags.Value)" -ForegroundColor $(if($tokenChecking.Value -eq "Require"){"Green"}else{"Red"})
    }
    catch {
        Write-Warning "Could not check $VDir configuration"
    }
}

Verification: All virtual directories should show "Required" for token checking and appropriate flags based on your infrastructure.

Warning: Manual IIS configuration changes require an IIS reset to take effect. Run iisreset /noforce after making changes.

07

Test and Verify Extended Protection Configuration

Comprehensive testing ensures Extended Protection is working correctly and not blocking legitimate authentication.

Create a comprehensive verification script:

# Comprehensive Extended Protection verification
$Report = @()
$VDirTypes = @(
    @{Cmdlet="Get-OwaVirtualDirectory"; Type="OWA"},
    @{Cmdlet="Get-EcpVirtualDirectory"; Type="ECP"},
    @{Cmdlet="Get-WebServicesVirtualDirectory"; Type="EWS"},
    @{Cmdlet="Get-ActiveSyncVirtualDirectory"; Type="ActiveSync"},
    @{Cmdlet="Get-PowerShellVirtualDirectory"; Type="PowerShell"},
    @{Cmdlet="Get-AutodiscoverVirtualDirectory"; Type="Autodiscover"}
)

foreach ($VDirType in $VDirTypes) {
    $VDirs = & $VDirType.Cmdlet
    foreach ($VDir in $VDirs) {
        $Report += [PSCustomObject]@{
            Server = $VDir.Server
            Type = $VDirType.Type
            Name = $VDir.Name
            TokenChecking = $VDir.ExtendedProtectionTokenChecking
            Flags = $VDir.ExtendedProtectionFlags
            # The cmdlets report the enum value "Require", not "Required"
            Status = if($VDir.ExtendedProtectionTokenChecking -eq "Require"){"PROTECTED"}else{"VULNERABLE"}
        }
    }
}

$Report | Format-Table -AutoSize
$Report | Where-Object {$_.Status -eq "VULNERABLE"} | Format-Table -AutoSize

Test client connectivity after enabling Extended Protection:

# Test OWA connectivity
Test-OwaConnectivity -ClientAccessServer EX01 -MailboxCredential (Get-Credential)

# Test EWS connectivity
Test-WebServicesConnectivity -ClientAccessServer EX01 -MailboxCredential (Get-Credential)

# Test ActiveSync connectivity
Test-ActiveSyncConnectivity -ClientAccessServer EX01 -MailboxCredential (Get-Credential)

Monitor Exchange logs for authentication issues:

# Check recent authentication events
Get-WinEvent -LogName "Microsoft-Exchange-HttpProxy/HttpProxy" -MaxEvents 50 | Where-Object {$_.LevelDisplayName -eq "Error" -or $_.LevelDisplayName -eq "Warning"} | Select-Object TimeCreated, LevelDisplayName, Message

Test from external clients (if applicable):

  • Outlook clients: Verify autodiscover and mailbox access
  • Mobile devices: Test ActiveSync connectivity
  • Web browsers: Access OWA from different networks
  • Third-party applications: Test EWS-based integrations

Verification: All tests should pass without authentication errors. Check that the Status column shows "PROTECTED" for all virtual directories.

Pro tip: Keep the verification script handy for regular security audits and after applying Exchange updates.

08

Handle Rollback and Troubleshooting

If Extended Protection causes connectivity issues, you can roll back the configuration or troubleshoot specific problems.

Rollback using the official script:

# Rollback Extended Protection to previous state
.\ExchangeExtendedProtectionManagement.ps1 -Rollback

# The script will:
# 1. Restore previous ExtendedProtectionTokenChecking values
# 2. Reset ExtendedProtectionFlags to None
# 3. Restore IIS configuration from backup

Manual rollback via PowerShell:

# Disable Extended Protection on all virtual directories
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExtendedProtectionTokenChecking None -ExtendedProtectionFlags None
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExtendedProtectionTokenChecking None -ExtendedProtectionFlags None
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExtendedProtectionTokenChecking None -ExtendedProtectionFlags None
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExtendedProtectionTokenChecking None -ExtendedProtectionFlags None
Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExtendedProtectionTokenChecking None -ExtendedProtectionFlags None
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -ExtendedProtectionTokenChecking None -ExtendedProtectionFlags None

Common troubleshooting scenarios:

# Check for TLS version mismatches
Get-ExchangeServer | ForEach-Object {
    $server = $_.Name
    Write-Host "Checking $server TLS configuration..."
    Invoke-Command -ComputerName $server -ScriptBlock {
        $tls12 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -ErrorAction SilentlyContinue
        $tls13 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Server = $env:COMPUTERNAME
            TLS12Enabled = $tls12.Enabled
            TLS13Enabled = $tls13.Enabled
        }
    }
}

# Check for certificate issues
Get-ExchangeCertificate | Where-Object {$_.Status -ne "Valid"} | Select-Object Thumbprint, Subject, Status, NotAfter

Hybrid-specific troubleshooting:

# For Hybrid deployments, ensure the front-end EWS virtual directory is excluded.
# The virtual directory names are "EWS (Default Web Site)" (front end) and "EWS (Exchange Back End)",
# so filter on the site name; a "*FrontEnd*" pattern would match nothing.
Get-WebServicesVirtualDirectory | Where-Object {$_.Name -like "*Default Web Site*"} | Select-Object Server, Name, ExtendedProtectionTokenChecking

# If the front-end EWS virtual directory shows "Require", disable it:
Get-WebServicesVirtualDirectory | Where-Object {$_.Name -like "*Default Web Site*"} | Set-WebServicesVirtualDirectory -ExtendedProtectionTokenChecking None

Load balancer troubleshooting:

  • SSL bridging: Ensure same certificate on all servers
  • Proxy flags: Verify "Proxy" flags are set correctly
  • Health checks: Update load balancer health check URLs if needed

Verification: After troubleshooting, re-run connectivity tests and verify client access is restored.

Warning: Rolling back Extended Protection removes important security protections. Only roll back temporarily while resolving issues, then re-enable it as soon as possible.

Frequently Asked Questions

Does Exchange Server 2019 CU14 automatically enable Extended Protection?

Yes, Exchange Server 2019 CU14 and later versions automatically enable Extended Protection during installation by default. However, you can opt out during setup using the /DoNotEnableEP parameter if needed. For Hybrid deployments, use /DoNotEnableEP_FEEWS to exclude only the Front-End EWS virtual directory while protecting other services.

What happens if I enable Extended Protection on Hybrid Exchange deployments?

In Hybrid deployments, you must exclude the Front-End EWS virtual directory from Extended Protection to prevent authentication failures with Office 365. Use the -ExcludeVirtualDirectories "EWSFrontEnd" parameter with the management script, or the /DoNotEnableEP_FEEWS setup parameter. All other virtual directories should have Extended Protection enabled for security.

Can I roll back Extended Protection if it causes connectivity issues?

Yes, you can roll back Extended Protection using the official ExchangeExtendedProtectionManagement.ps1 script with the -Rollback parameter. This restores the previous configuration from automatic backups. You can also manually disable it using PowerShell cmdlets, but a rollback should only be temporary while resolving issues, since it removes important security protections.

What are the minimum Exchange Server versions that support Extended Protection?

Extended Protection requires Exchange Server 2013, 2016, or 2019 with at least the August 2022 Security Update installed. Exchange 2016 and 2019 also need minimum September 2021 CU or 2022 H1 CU versions. Servers without these minimum updates cannot enable Extended Protection and remain vulnerable to authentication relay attacks.

How do I verify that Extended Protection is working correctly across all Exchange servers?

Use the ExchangeExtendedProtectionManagement.ps1 script with the -ShowExtendedProtection parameter to check status across all servers and virtual directories. All protected directories should show ExtendedProtectionTokenChecking=Require and ExtendedProtectionFlags=Proxy. Additionally, run Exchange connectivity tests such as Test-OwaConnectivity and Test-WebServicesConnectivity to ensure client access still works properly.
Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
