Merge pull request #10636 from MicrosoftDocs/main

Cloud-Writer · web-flow · commit 2251065c645c · 2026-01-29T17:27:44.000-08:00
Updates by Sathyana to the self help diags for purview article
diff --git a/Exchange/ExchangeServer/administration/cannot-import-third-party-certificate.md b/Exchange/ExchangeServer/administration/cannot-import-third-party-certificate.md
@@ -10,7 +10,7 @@ ms.custom:
   - sap:OWA  And Exchange Admin Center\Virtual Directories configuration
   - Exchange Server
   - CSSTroubleshoot
-ms.reviewer: batre, skumarg, batre, v-six
+ms.reviewer: batre, skumarg, v-six
 appliesto: 
   - Exchange Server 2010 Enterprise
   - Exchange Server 2010 Standard
diff --git a/Exchange/ExchangeServer/administration/certificate-assignment-fails-invalid-characters.md b/Exchange/ExchangeServer/administration/certificate-assignment-fails-invalid-characters.md
@@ -0,0 +1,78 @@
+---
+title: Certificate assignment fails and returns error 0xe434352
+description: This article provides the resolution for error 0xe434352 that occurs during certificate assignment if unsupported characters are used in the domain name of Receive Connectors.
+#customer intent: As an Exchange Server administrator, I want to resolve SMTP (Simple Mail Transfer Protocol) certificate binding issues that are caused by invalid fully-qualified domain names (FQDNs) so that I can maintain system reliability.
+author: cloud-writer
+ms.author: meerak
+manager: dcscontentpm
+audience: ITPro
+ms.topic: troubleshooting
+ms.custom: 
+  - sap:Administrative Tasks
+  - Exchange Server
+  - CSSTroubleshoot
+ms.reviewer: igserr, batre, arindamt, v-kccross
+appliesto: 
+  - Exchange Server SE
+  - Exchange Server 2019
+  - Exchange Server 2016
+search.appverid: MET150
+ms.date: 01/28/2026
+---
+
+# Error 0xe434352 and SMTP certificate assignment fails
+
+## Summary
+
+When you assign certificates to Exchange services, you might encounter error 0xe0434352 during the certificate binding process. The error indicates that one or more Receive Connectors in Microsoft Exchange Server use FQDNs that contain characters not allowed by DNS standards.
+
+## Symptoms
+
+You run the `Enable-ExchangeCertificate` cmdlet to assign a certificate to the SMTP service. The operation fails and returns the following error message:
+
+> The Exchange Certificate operation has failed with an exception on server <*Server Name*>.
+>
+> The error message is: Unknown error (0xe0434352)
+
+## Cause
+
+This issue occurs if the FQDN of one or more Receive Connectors contains unsupported characters. The connector creation process allows underscores in the domain name. However, underscores violate DNS standards and cause failures during certificate binding.
+
+For more information about domain names, see the following articles:
+
+- [DNS host names](/troubleshoot/windows-server/active-directory/naming-conventions-for-computer-domain-site-ou#dns-host-names)
+- [Unsupported characters for Exchange 2013 object names](/exchange/unsupported-characters-for-exchange-2013-object-names-exchange-2013-help)
+
+## Resolution
+
+To resolve this issue, use the Exchange Management Shell to find connectors that have invalid FQDNs. Run the following PowerShell command:
+
+```powershell
+Get-ReceiveConnector | Select Identity, FQDN  
+```
+
+You can refine your search to look for specific unsupported characters. The following example searches for underscores in FQDNs:
+
+```powershell
+Get-ReceiveConnector | Where-Object { $_.FQDN -like "*_*" } | Select Identity, FQDN
+```
+
+After you identify the connector that contains unsupported characters, rename it by using supported characters:
+
+```powershell
+Set-ReceiveConnector -Identity "ServerName\ConnectorName" -FQDN ValidFQDN.domain.com
+```
+
+After you fix the domain name, retry the certificate assignment to verify that you no longer encounter the error:
+
+```powershell
+Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP
+```
+
+## References
+
+For more information about domain name formation and supported characters, see:
+
+- DoD Internet host table specification [RFC 952](https://www.rfc-editor.org/rfc/rfc952)
+- Domain names - Implementation and specification [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035)
+- Requirements for Internet hosts - Application and Support [RFC 1123](https://www.rfc-editor.org/rfc/rfc1123)
diff --git a/Exchange/ExchangeServer/servertoc/toc.yml b/Exchange/ExchangeServer/servertoc/toc.yml
@@ -54,6 +54,8 @@ items:
           href: ../administration/cannot-eac-add-remote-shared-mailbox-distribution-group.md
         - name: Certificate status couldn't be determined error
           href: ../administration/cannot-import-third-party-certificate.md
+        - name: Certificate assignment fails with error 0xe434352
+          href: ../administration/certificate-assignment-fails-invalid-characters.md
         - name: Cmdlet/parameter combinations not working
           href: ../administration/cmdlet-parameter-combinations-not-working.md
         - name: Connecting to the remote server failed
diff --git a/Microsoft365/purview/purview/diagnostics/purview-compliance-diagnostics.md b/Microsoft365/purview/purview/diagnostics/purview-compliance-diagnostics.md
@@ -15,23 +15,23 @@ ms.reviewer: shadans, sathyana, meerak, v-shorestris
 appliesto:
   - Microsoft Purview
 search.appverid: MET150
-ms.date: 01/20/2026
+ms.date: 01/29/2026
 ---
 
 # Self-help diagnostics for Microsoft Purview
 
-You can run diagnostics to identify and resolve issues in Microsoft Purview. The diagnostics offer insights into known issues and provide instructions to fix them. Although the diagnostics can fix some configuration issues, they don't make changes to your tenant without your consent.
+You can run diagnostics to identify and resolve issues in Microsoft Purview. The diagnostics offer insights into known issues, and provide instructions to fix the issues. Although the diagnostics can fix some configuration issues, they don't make changes to your tenant without your consent.
 
 Self-help diagnostics that relate to Microsoft Purview are available in the following locations:
 
 - [Microsoft Purview portal](https://purview.microsoft.com/)
 
    - On **Solutions** pages
-   - On the **Help** pane
+   - In the **Help** pane
 
 - [Microsoft 365 admin center](https://admin.microsoft.com/)
 
-   - On the **Help** pane
+   - In the **Help** pane
 
 ## Diagnostics on Solutions pages
 
@@ -53,22 +53,28 @@ You can find these diagnostics on the following portal pages:
 
 The following table lists the available diagnostics on **Solutions** pages. You can access the diagnostics by selecting the associated link in the fourth column. When you're prompted, sign in to the Microsoft Purview portal.
 
-**Note**: To run these diagnostics, the minimum requirement is that you're an administrator with the Organization Configuration role assigned to you.
+> [!NOTE]
+> To run these diagnostics, you must meet the minimum requirements:
+> - Be an administrator
+> - Have the Organization Configuration role assigned to you
 
-When you select a diagnostic on a Solutions page, it begins by running the [Check-PurviewConfig](/powershell/module/exchangepowershell/check-purviewconfig) cmdlet to check your organization's configuration settings in Microsoft Purview. Then the diagnostic calls the appropriate cmdlet listed in the following table to perform checks that are specific to your issue. 
+When you select a diagnostic on a Solutions page, the diagnostic runs the [Check-PurviewConfig](/powershell/module/exchangepowershell/check-purviewconfig) cmdlet to check your organization's configuration settings in Microsoft Purview. Then, the diagnostic calls the appropriate cmdlet that's listed in the following table to perform checks that are specific to your issue. 
 
 | **Issue** | **Checks performed** | **Commandlet Used** | **Solutions page** |
 |-|-|-|-|
-| Email encryption isn't working as expected. Are there any issues with my licenses or settings? | Checks license availability for sensitivity labels. Also checks information protection settings for your tenant, including Information Rights Management (IRM) and transport rule settings. Validates encryption settings. | [Test-IrmConfiguration](/powershell/module/exchangepowershell/test-irmconfiguration)| [Information Protection diagnostics](https://purview.microsoft.com/informationprotection/diagnostics) |
+| Email encryption isn't working as expected. Are there any issues that affect my licenses or settings? | Checks license availability for sensitivity labels. Also checks information protection settings for your tenant, including Information Rights Management (IRM) and transport rule settings. Verifies encryption settings. | [Test-IrmConfiguration](/powershell/module/exchangepowershell/test-irmconfiguration)| [Information Protection diagnostics](https://purview.microsoft.com/informationprotection/diagnostics) |
 | A user can't find the sensitivity label they need. Does the label policy apply to them? | Checks which sensitivity labels are available to the user. Diagnostic results include information such as the label names, settings, and where the labels are available. | [Get-label](/powershell/module/exchangepowershell/get-label) <br> [Get-LabelPolicy](/powershell/module/exchangepowershell/get-labelpolicy) | [Information Protection diagnostics](https://purview.microsoft.com/informationprotection/diagnostics) |
+| Autolabeling isn’t applied to a SharePoint or OneDrive file. Was the file evaluated correctly, and did it meet the autolabeling conditions? | Checks a file’s properties and classification to determine whether autolabeling was applied. When entering the file path, make sure that you provide the full file path, not a sharing link. <br> <br> Tips for finding the correct path: <br> - In SharePoint or OneDrive, select the file, open **Details**, and copy the **Path** (if available). <br> - If **Path** isn’t shown, open the file, go to **File** > **Info**, then select **Copy path**. | [Test-DlpPolices](/purview/dlp-test-dlp-policies) | [Information Protection diagnostics](https://purview.microsoft.com/informationprotection/diagnostics) |
 | A DLP rule isn't enforced for a particular user. Is this user included in the DLP policy? | Checks which DLP policies apply to a user. Diagnostic results include the policy names and where the policies apply.| [Get-DlpCompliancePolicy](/powershell/module/exchangepowershell/get-dlpcompliancepolicy) <br> [Get-DlpComplianceRule](/powershell/module/exchangepowershell/get-dlpcompliancerule) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
-| Endpoint DLP isn’t working as expected. Are there any issues with policy sync on the device? | Check for policy sync issues and provide recommendations on how to resolve them. |[Get-DlpCompliancePolicy](/powershell/module/exchangepowershell/get-dlpcompliancepolicy) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
-| Alerts not working for a DLP rule. Are there any issues with the DLP rule configuration? | Check for alerts and identify whether there are issues with the DLP rule configuration.| [Get-DlpCompliancePolicy](/powershell/module/exchangepowershell/get-dlpcompliancepolicy) <br> [Get-DlpComplianceRule](/powershell/module/exchangepowershell/get-dlpcompliancerule) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) | 
-| Can't find an alert for an activity or an audit event ? | Check for the alert related to an activity or audit event and investigate why the alert could be missing | [Get-DlpCompliancePolicy](/powershell/module/exchangepowershell/get-dlpcompliancepolicy) <br> [Get-DlpComplianceRule](/powershell/module/exchangepowershell/get-dlpcompliancerule) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
+| Endpoint DLP isn’t working as expected. Are there any issues that affect policy sync on the device? | Check for policy sync issues, and provide recommendations for how to resolve them. |[Get-DlpCompliancePolicy](/powershell/module/exchangepowershell/get-dlpcompliancepolicy) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
+| Alerts aren't working for a DLP rule. Are there any issues that affect the DLP rule configuration? | Check for alerts, and determine whether any issues affect the DLP rule configuration.| [Get-DlpCompliancePolicy](/powershell/module/exchangepowershell/get-dlpcompliancepolicy) <br> [Get-DlpComplianceRule](/powershell/module/exchangepowershell/get-dlpcompliancerule) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
+| Can't find an alert for an activity or an audit event. | Check for the alert related to an activity or audit event, and investigate why the alert could be missing. | [Get-DlpCompliancePolicy](/powershell/module/exchangepowershell/get-dlpcompliancepolicy) <br> [Get-DlpComplianceRule](/powershell/module/exchangepowershell/get-dlpcompliancerule) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
+| A DLP rule isn’t triggering for a file stored in SharePoint or OneDrive. Is the file evaluated by DLP, and is it in scope for the policy? | Check a file's properties and classification to review whether a DLP rule matched or didn't match. When entering the file path, make sure that you provide the full file path, not a sharing link. <br> <br> Tips for finding the correct path: <br> - In SharePoint or OneDrive, select the file, open Details, and copy the Path (if available). <br> - If **Path** isn’t shown, open the file, go to File > Info, then select **Copy path**. | [Test-DlpPolices](/purview/dlp-test-dlp-policies) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
+| Policy tips don't appear in Outlook on the web. Are there issues that affect the DLP policy tips configuration? | [Analyzes the HTTP Archive (HAR) file](../data-loss-prevention/diagnose-dlp-policy-tip-display-issues.md) to investigate why policy tips don't appear in Outlook on the web. <br> <br> Steps for finding and exporting the HAR file: <br> - Open Outlook on the web, and press F12 to open Developer Tools. <br> - Select the **Network** tab, select **Preserve log**, reproduce the issue, and export the HAR file. | [Test-DlpPolices](/purview/dlp-test-dlp-policies) | [DLP diagnostics](https://purview.microsoft.com/datalossprevention/diagnostics) |
 
 ## Diagnostics on the Help pane
 
-The diagnostics on the **Help** pane cover the following areas in Microsoft Purview:
+The diagnostics in the **Help** pane cover the following areas in Microsoft Purview:
 
 - Archive mailboxes
 - Mailbox retention
@@ -79,7 +85,7 @@ The diagnostics on the **Help** pane cover the following areas in Microsoft Purv
 - DLP policies
 
 > [!NOTE]
-> Diagnostics on the **Help** pane aren't available in the following environments: GCC High, DoD, and Microsoft 365 operated by 21Vianet.
+> Diagnostics in the **Help** pane aren't available in the following environments: GCC High, DoD, and Microsoft 365 operated by 21Vianet.
 
 ### Find diagnostics through the Help menu
 
@@ -101,9 +107,9 @@ You can search for diagnostics by using the **Help** menu in the Microsoft Purvi
 
 1. Sign in to the [Microsoft Purview portal](https://purview.microsoft.com/) as an administrator.
 
-2. Select the **Help** icon in the upper-right corner of the portal to open the **Help and support** pane.
+2. Open the **Help and support** pane: Select the **Help** icon in the upper-right corner of the portal.
 
-3. In the **Help and support** pane, select **Ask a question** to open the **Help** pane.
+3. Open the **Help** pane: In the **Help and support** pane, select **Ask a question**.
 
 4. In the search box, enter a brief description of the issue that you want to resolve.
 
