Merge remote-tracking branch 'upstream/main' into pr/10533

Author: v-tappelgate

Exchange/ExchangeServer/administration/cannot-import-third-party-certificate.md

@@ -10,7 +10,7 @@ ms.custom:
   - sap:OWA  And Exchange Admin Center\Virtual Directories configuration
   - Exchange Server
   - CSSTroubleshoot
-ms.reviewer: batre, skumarg, batre, v-six
+ms.reviewer: batre, skumarg, v-six
 appliesto: 
   - Exchange Server 2010 Enterprise
   - Exchange Server 2010 Standard

Exchange/ExchangeServer/administration/certificate-assignment-fails-invalid-characters.md

@@ -0,0 +1,78 @@
+---
+title: Certificate assignment fails and returns error 0xe434352
+description: This article provides the resolution for error 0xe434352 that occurs during certificate assignment if unsupported characters are used in the domain name of Receive Connectors.
+#customer intent: As an Exchange Server administrator, I want to resolve SMTP (Simple Mail Transfer Protocol) certificate binding issues that are caused by invalid fully-qualified domain names (FQDNs) so that I can maintain system reliability.
+author: cloud-writer
+ms.author: meerak
+manager: dcscontentpm
+audience: ITPro
+ms.topic: troubleshooting
+ms.custom: 
+  - sap:Administrative Tasks
+  - Exchange Server
+  - CSSTroubleshoot
+ms.reviewer: igserr, batre, arindamt, v-kccross
+appliesto: 
+  - Exchange Server SE
+  - Exchange Server 2019
+  - Exchange Server 2016
+search.appverid: MET150
+ms.date: 01/28/2026
+---
+
+# Error 0xe434352 and SMTP certificate assignment fails
+
+## Summary
+
+When you assign certificates to Exchange services, you might encounter error 0xe0434352 during the certificate binding process. The error indicates that one or more Receive Connectors in Microsoft Exchange Server use FQDNs that contain characters not allowed by DNS standards.
+
+## Symptoms
+
+You run the `Enable-ExchangeCertificate` cmdlet to assign a certificate to the SMTP service. The operation fails and returns the following error message:
+
+> The Exchange Certificate operation has failed with an exception on server <*Server Name*>.
+>
+> The error message is: Unknown error (0xe0434352)
+
+## Cause
+
+This issue occurs if the FQDN of one or more Receive Connectors contains unsupported characters. The connector creation process allows underscores in the domain name. However, underscores violate DNS standards and cause failures during certificate binding.
+
+For more information about domain names, see the following articles:
+
+- [DNS host names](/troubleshoot/windows-server/active-directory/naming-conventions-for-computer-domain-site-ou#dns-host-names)
+- [Unsupported characters for Exchange 2013 object names](/exchange/unsupported-characters-for-exchange-2013-object-names-exchange-2013-help)
+
+## Resolution
+
+To resolve this issue, use the Exchange Management Shell to find connectors that have invalid FQDNs. Run the following PowerShell command:
+
+```powershell
+Get-ReceiveConnector | Select Identity, FQDN  
+```
+
+You can refine your search to look for specific unsupported characters. The following example searches for underscores in FQDNs:
+
+```powershell
+Get-ReceiveConnector | Where-Object { $_.FQDN -like "*_*" } | Select Identity, FQDN
+```
+
+After you identify the connector that contains unsupported characters, rename it by using supported characters:
+
+```powershell
+Set-ReceiveConnector -Identity "ServerName\ConnectorName" -FQDN ValidFQDN.domain.com
+```
+
+After you fix the domain name, retry the certificate assignment to verify that you no longer encounter the error:
+
+```powershell
+Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP
+```
+
+## References
+
+For more information about domain name formation and supported characters, see:
+
+- DoD Internet host table specification [RFC 952](https://www.rfc-editor.org/rfc/rfc952)
+- Domain names - Implementation and specification [RFC 1035](https://www.rfc-editor.org/rfc/rfc1035)
+- Requirements for Internet hosts - Application and Support [RFC 1123](https://www.rfc-editor.org/rfc/rfc1123)

Exchange/ExchangeServer/servertoc/toc.yml

@@ -54,6 +54,8 @@ items:
           href: ../administration/cannot-eac-add-remote-shared-mailbox-distribution-group.md
         - name: Certificate status couldn't be determined error
           href: ../administration/cannot-import-third-party-certificate.md
+        - name: Certificate assignment fails with error 0xe434352
+          href: ../administration/certificate-assignment-fails-invalid-characters.md
         - name: Cmdlet/parameter combinations not working
           href: ../administration/cmdlet-parameter-combinations-not-working.md
         - name: Connecting to the remote server failed

Microsoft365/purview/purview/data-loss-prevention/diagnose-dlp-policy-tip-display-issues.md

@@ -0,0 +1,150 @@
+---
+title: Diagnose DLP policy tip issues by using the HAR diagnostic
+description: Describes the process to troubleshoot the issue when the confiured DLP policy tips don't appear.
+author: cloud-writer
+ms.author: meerak
+manager: dcscontentpm
+search.appverid: 
+  - MET150
+audience: ITPro
+ms.topic: troubleshooting
+ms.reviewer: pramkum, meerak
+ms.custom: 
+  - sap:Data loss prevention (DLP)
+  - CSSTroubleshoot
+  - CI 8652
+appliesto: 
+  - Microsoft Purview Data Loss Prevention
+ms.date: 01/29/2026
+---
+
+# Diagnose DLP policy tip issues by using the HAR diagnostic
+
+## Summary
+
+This article describes how to diagnose an issue that occurs if the DLP policy tips that you configure either appear sporadically or never appear, or if incorrect tips appear in Outlook on the web. The article discusses how you can use the HTTP Archive (HAR) diagnostic to extract relevant information from a HAR trace and identify further checks that can help resolve the issue.
+
+## The HAR diagnostic
+
+When you compose or edit an email message, Outlook on the web calls the GetDlpPolicyTips service. This service checks the following information, and returns the results to Outlook on the web to display the appropriate policy tips:
+
+- The text that you typed
+- The recipients of the email message
+- The DLP policies that apply to the email message
+
+If the expected policy tips don’t appear, run the [HAR diagnostic](https://purview.microsoft.com/datalossprevention/diagnostics) that’s available in the Microsoft Purview portal.
+
+The diagnostic helps you identify and resolve the issue by determining whether the issue occurs because:
+
+- Policy tips aren’t enabled in DLP policy settings.
+- The content in the email message in Outlook on the web doesn’t have any of the Sensitive Information Types (SITs) that are configured in DLP policies.
+- Outlook on the web didn’t send a request to the GetDlpPolicyTips service to evaluate the content of the email message against the configured DLP policies.
+
+### Collect a HAR trace
+
+To run the HAR diagnostic, use your browser’s developer tools to collect an HAR trace. Run the trace while the issue that affects the policy tip display is occurring in Outlook on the web. For information about how to collect the trace, see [How to collect a network trace](/azure/azure-web-pubsub/howto-troubleshoot-network-trace?utm_source=chatgpt.com#microsoft-edge-chromium).
+
+> [!IMPORTANT]
+>
+>- Before you try to trigger the policy tip, start recording the HAR trace.
+>- The size of the HAR trace must be less than 100 MB. This is the maximum file size that the HAR diagnostic accepts.
+
+## Output of the HAR diagnostic
+
+After you upload the HAR trace, the diagnostic checks for calls to the GetDlpPolicyTips service to extract the following information:
+
+- **Sender and Recipient Info**<br/>
+  Confirms whether the email participants are within the policy’s scope.
+
+- **Policy Evaluation Result**<br/>
+  Indicates whether the policy check succeeded or failed.
+
+- **Detected Sensitive Information Types (SITs)**<br/>
+  Lists the SITs in the email message, the number of their occurrences, and the confidence level of the SITs that matched DLP policy rules.
+
+- **Evaluated Policies and Rules**<br/>
+  Lists the DLP rules that were checked, and whether they matched.
+
+The diagnostic provides an explanation of the results, and guidance for what to check next.
+
+Here’s an example of the HAR diagnostic results.
+
+Policy tip evaluation for the OWA client completed successfully
+
+**There were 2 GetDlpPolicyTips calls found in the HAR trace. Please find the details of each call below.**
+
+**Sender:** `[email protected]`
+
+**Recipients:** `[email protected]`
+
+**Evaluation Result:** Success*
+
+**Detected SIT:**
+
+**Summary:**<br/> None of the rules defined in the policy matched.
+
+| Policy Name/Rule Name  | Is Rule Matched  |
+|----|----|
+| External sharing-Sensitive Information DLP policy|False |
+| Default Endpoint DLP Policy Rule-Low Volume-Default policy for devices | False  |
+
+**Sender:** `[email protected]`
+
+**Recipients:** `[email protected]`, `[email protected]`
+
+**Evaluation Result:** Success*
+
+**Detected SIT:** Credit Card Number (Unique Count: 1 Total Count: 1 Confidence: 65)
+
+**Summary:** Expected Policy Tip to be shown: 'Your email message conflicts with a policy in your organization.' from the rule 'External sharing-Sensitive Information DLP policy'.
+
+|Policy Name/Rule Name| Is Rule Matched |
+|----|----|
+| External sharing-Sensitive Information DLP policy  | True  |
+| Adaptive Protection audit rule for Teams and Exchange DLP-Adaptive Protection policy for Teams and Exchange DLP | True  |
+
+## Interpret the HAR diagnostic results
+
+The following examples explain the summary information that’s provided by the HAR diagnostic, and the steps that you can take to continue diagnosing the issue.
+
+### Scenario 1: No DLP evaluation request found
+
+**Summary:** The input file does not contain any GetDlpPolicyTips API calls.
+
+**Explanation**:
+Outlook on the web didn’t send a request to evaluate the content of the email message against the configured DLP policies.
+
+**Next steps**:
+Recapture the HAR trace, and contact Microsoft Support for help to resolve the issue.
+
+### Scenario 2: Service error during evaluation
+
+**Summary**: The GetDlpPolicyTips API returned evaluation result 8.
+
+**Explanation**:
+The back-end service encountered an error when it processed the DLP request.
+
+**Next steps**:
+
+Contact Microsoft Support for help to resolve the issue.
+
+### Scenario 3: No DLP rules were triggered or a policy tip was expected but not shown
+
+**Summary**: No matching rules found.
+
+**Explanation:**
+The content doesn’t meet the conditions of any active DLP policy. It might be close to matching, but it doesn’t meet one or more rule requirements.
+
+**Check the settings for all applicable DLP policies:**
+
+- To check the settings, go to [Microsoft Purview portal](https://purview.microsoft.com/) > **Data Loss Prevention** > **Policies** > **Edit Policy**.
+
+    - Check whether the SITs that are used in the policy match any that are used in the draft email message.
+    - Check whether the confidence levels that are set for the rules in the policy are strict. If yes, then update them, as appropriate.
+    - Check whether the threshold for a match is set to a high value. If yes, then lower it, as appropriate.
+
+- Verify that the policy is correctly published and assigned.
+
+**Next steps**:
+
+Check whether the issue still occurs. If it does, contact Microsoft Support for help to resolve the issue.