Exchange & .NET Framework 4.7.2

Posted on May 9, 2018 by Michel de Rooij

A quick blog on the recent release of .NET Framework 4.7.2. In the past I blogged about the tight relationship between Exchange versions and the .NET Framework, and the supported combinations of those two to deploy and run Exchange. Shortly after publishing that article, Microsoft revised its support statement:

“When upgrading Exchange from an unsupported CU to the current CU and no intermediate CUs are available, you should upgrade to the latest version of .NET that’s supported by Exchange first and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest, supported, CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services”.

Now while 4.7.2 is a minor release, it is not mentioned in the Exchange supportability matrix at this moment. As such, it is not a validated combination, and you will be in uncharted territory with an unsupported configuration. The revised support statement only mentions upgrading Cumulative Update directly to a recent release as many customers were faced with a two-step upgrade process coming from old Cumulative Updates, basically ignore the supportability matrix. However, it does not mention anything about upgrading to the latest .NET Framework version at this moment. So don’t.

To block (accidental) installation of .NET Framework 4.7.2, you can configure the following registry key on your current Exchange servers to block its installation:

HKLM\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework472= 1 (REG_DWORD)

or using PowerShell code:

$Version='472'
$RegKey= 'HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU' 
$RegName= ('BlockNetFramework{0}' -f $Key) 
If( -not (Test-Path $RegKey -ErrorAction SilentlyContinue)) { 
    New-Item -Path (Split-Path $RegKey -Parent) -Name (Split-Path $RegKey -Leaf) -ErrorAction SilentlyContinue | out-null 
} 
New-ItemProperty -Path $RegKey -Name $RegName -Value 1 -ErrorAction SilentlyContinue| out-null 
If( ( Get-ItemProperty -Path $RegKey -Name $RegName -ErrorAction SilentlyContinue)) { 
    Write-Output ('Installation blockade for .NET Framework {0} set' -f $Version) 
} 
Else { 
    Write-Error ('Unable to set registry entry {0}\{1}' -f $RegKey, $RegName) 
}

Exchange Updates – March 2018

Posted on March 21, 2018 by Michel de Rooij

The Exchange Team released the March updates for Exchange Server 2013 and 2016, and these Cumulative Updates contain a ton of fixes. Like the earlier Cumulative Updates for Exchange 2013 and Exchange 2016, and in addition to the fixes – see below – these Cumulative Updates contain the following important changes:

Support for .NET Framework 4.7.1. Be advised that .NET Framework 4.7.1 will be required for the next cycle of quarterly updates, which will be released in June 2018.
Full support for TLS 1.2. More information and guidance here.

On a smaller note, Exchange 2010 Service Pack 3 Rollup 20 was also released, which contains two security fixes CVE-2018-0924 and CVE-2018-0940, as well as DST changes.

Version	Build	KB Article	Download	UMLP	Schema Changes
Exchange 2016 CU9	15.1.1466.3	KB4055222	Download	UMLP	No
Exchange 2013 CU20	15.0.1367.3	KB4055221	Download	UMLP	No
Exchange 2010 SP3 RU20	14.3.389.1	KB4073537	Download

Exchange 2016 CU9 fixes:

4054513 Mailbox usage status bar in OWA displays incorrect mailbox usage
4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
4058373 “A parameter cannot be found” error when you run Install-AntiSpamAgents.ps1 in Exchange Server 2016 CU7
4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
4058383 Exchange Control Panel (ECP) redirection fails in Exchange Server 2016
4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
4058399 Disabling a mailbox can’t remove legacyExchangeDN from user’s properties in Exchange Server 2016
4073094 Emails outside a UID range are returned when you request for emails by using IMAP
4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
4073104 PIN can be reset on a Unified Messaging (UM)-enabled mailbox for a user outside a scoped OU
4073103 The Enable-Mailbox cmdlet doesn’t block migrated users from provisioning in Exchange Server 2016
4073107 Language can’t be changed when a user from a child domain tries to change language in OWA
4073111 Can’t access a CAS website such as OWA/ECP/Autodiscover in Exchange Server 2016
4073110 You can’t access OWA or ECP after you install Exchange Server 2016 CU8
4073109 Search-MailboxAuditLog -ShowDetails not showing all messages in Exchange Server 2016
4073114 “ADOperationException” error when OWA text verification fails in Exchange Server 2016
4073214 Can’t enable OWA offline access in Exchange Server 2016
4073531 CultureNotFoundException when selecting a LCID 4096 language in OWA for Exchange Server 2016
4076520 MatchSubdomains isn’t usable for Set-AcceptedDomain in Exchange Server 2016
4076741 Incorrect NDR when an administrator deletes a message from a queue in Exchange Server 2016
4077655 Event ID 258 “Unable to determine the installed file” after you uninstall Windows PowerShell 2.0
4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
4058372 Blank page in Exchange Admin Center Audit Log in Exchange Server 2016
4058382 Can’t retrieve time slot information about private calendar items as a delegate on another user’s account in Exchange Server 2016
4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
4073098 The ETS and EXS groups are incorrectly granted “SeDebugPrivilege” in Exchange Server 2016 on-premises
4073108 “There was a problem loading your options” error when a user accesses OWA Voice Mail options in Exchange Server 2016
4077924 Store Worker process crashes when you move, restore, or repair mailboxes that have issues with the logical index within the database in Exchange Server 2016
4091453 Update improves linguistics features and CJK handling for search in Exchange Server 2016
4073392 Description of the security update for Microsoft Exchange: March 13, 2018

Exchange 2013 CU20 fixes:

4073392 Description of the security update for Microsoft Exchange: March 13, 2018
4073094 Emails outside a UID range are returned when you request for emails by using IMAP
4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
4073093 Save issues occur when you use the plain Text Editor in OWA of Exchange Server 2013
4073096 Emails sent from a shared mailbox aren’t saved in Sent Items when MessageCopyForSentAsEnabled is True

Notes:

Exchange 2016 CU7 and later requires Forest Functionality Level 2008R2 or later.
Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareSchema to manually update the schema, or use /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To see if you need to update the schema compared to your version or verify the update has been performed, consult the Exchange schema overview.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Mailboxes and Signatures

Posted on March 16, 2018 by Michel de Rooij

vote! One of the longest standing requests of the community regarding Exchange features is the request to have the ability to share e-mail signatures between Outlook for desktop, Outlook Web Access (OWA) and mobile clients like Outlook for iOS. Several 3rd party vendors have been filling this gap with solutions with the possibility of adding standardized signatures on the transport layer or through application add-ins for the WYSIWYG approach.

The Outlook products don’t share signatures; Outlook Web Access does store the signature in a so-called Folder Associated Item (FAI) in the mailbox, making the signature persist when moving the mailbox around. But that unfortunately is only for Outlook Web Access; Outlook for desktop signatures are stored in files in one’s user profile, and Outlook for iOS only allows you to configure a single line, which often is used to apologize for any typos in the message, more common when using mobile devices, by setting it to ‘Mail sent using mobile’ or text of similar nature.

However, after a recent discussion with the relevant product groups by Jeff Guillet, the product groups challenged MVPs that there is indeed a significant demand for this feature by getting people to vote on UserVoice. Jeff with the MVPs designed a functional specification for this feature, which will be shared with the product groups at a later date. There is no reason why we can’t expect this feature to work for both Exchange Online as well as Exchange on-premises. Part of the request will also be to be able to manage the signature through PowerShell, similar to how the Outlook Web Access signature can now be managed using Set-MailboxMessageConfiguration.

So, power to the community and get your voice heard if you want this feature. You can vote on UserVoice here. Thank you.

Comparing Sets of Cmdlets

Posted on March 12, 2018 by Michel de Rooij

powershell With the speed of development in Office 365, it is sometimes hard to track which changes have been made to your tenant. Of course, there is the roadmap and message board which you can use to keep up to date, but those are in general high level descriptions. Sometimes you may want to see what are the changes at the cmdlet level in your tenant, between tenants, or Azure Active Directory module. And there is also the occasional gem in the form of a yet undocumented cmdlet or parameter which could hint at upcoming features.

For this purpose I have created a simple script which has two purposes:

Export information on the current cmdlets available through Exchange Online or Azure Active Directory.
Compare two sets of exported information, and display changes in a readable way.

The script is in PowerShell (of course), and is called Compare-Cmdlets.ps1. To export information, you need to be already connected to either Exchange Online or Azure Active Directory (or both).

To export cmdlet information, use:

.\Compare-Cmdlets.ps1 –Export

For Exchange Online and Azure Active Directory, separate export files are created. The files are prefixed with a timestamp and postfixed with the Exchange Online build or Azure Active Directory module version, e.g. 201803121814-ExchangeOnline-15.20.548.21.xml or 201803121815-AzureAD-2.0.0.137.xml.

After a few days/week, or when connected to another tenant or using a new Azure Active Directory PowerShell module, run the export again. You will now have 2 sets of Exchange Online or Azure Active Directory cmdlets, which you can compare using the following sample syntax:

Compare-Cmdlets.ps1 -ReferenceCmds .\201801222108-ExchangeOnline-15.20.428.21.xml -DifferenceCmds .\201803120926-ExchangeOnline-15.20.548.21.xml

A progress bar is shown as comparison might take a minute. When the script has finished checking the two sets, you will see output indicating changes in cmdlets, parameters or switches, e.g.

Download
You can find the script on the TechNet Gallery or GitHub.

MVP’s around the world

Posted on January 11, 2018 by Michel de Rooij

Mid-2017, I had a look at the publicly available statistics on MVP’s around the world after Microsoft changed their MVP award renewal regime. This was to check if there was any impact noticeable. With the regime change, also came a change that MVP’s can be awarded on a monthly basis. This means people can be awarded every month; maybe not in every category, but overall yes.

For the start of 2018, let’s first have a look at the total population of MVP’s. The total number of MVP’s went down from 3410 in July last year, to 3695 now (-15%). The table below contains the number of awards per category, and the change from July 2017 to January 2018:

Competence	Jul2017	Jan2018	Change
Access	37	39	+5%
AI	1	20	+1900%
Business Solutions	193	214	+11%
Cloud and Datacenter Management	392	412	+5%
Data Platform	399	422	+6%
Enterprise Mobility	148	157	+6%
Excel	94	104	+11%
Microsoft Azure	311	350	+13%
Office Development	38	42	+11%
Office Servers and Services	449	480	+7%
OneNote	15	15	0%
Outlook	14	14	0%
PowerPoint	36	37	+3%
Visio	14	14	0%
Visual Studio and Development Technologies	901	1002	+11%
Windows and Devices for IT	148	136	-8%
Windows Development	277	266	-4%
Word	23	23	0%
Total	3490	3747	+7%

Note: The total number of MVP’s doesn’t equal the total number of competences, as people can be awarded in more than one category.

Overall, the numbers are up in most categories. However, as stated before, a big sanitation round is expected for Q3’2018, as this year the former October and January awardees will be up for the new yearly renewal cycle, which takes place mid-2018. The new category introduced last year, Artificial Intelligence, saw a significant number of folks being added.

When zooming in on the Office Servers and Services MVP’s category, the awards per country is shown in the following heath map and table. Note that anonymous MVP’s are not taken into account:

Country	Number	Country	Number	Country	Number
Argentina	2 (0%)	India	12 (0%)	Russia	9 (12%)
Australia	23 (-18%)	Ireland	1 (-50%)	Saudi Arabia	1 (100%)
Austria	2 (100%)	Israel	1 (0%)	Serbia	1 (0%)
Belarus	1 (100%)	Italy	10 (-10%)	Singapore	4 (0%)
Belgium	7 (0%)	Japan	18 (-6%)	Slovakia	1 (0%)
Bosnia-Herzegovina	2 (-34%)	Jordan	1 (100%)	Slovenia	2 (0%)
Brazil	4 (-56%)	Korea	7 (-37%)	South Africa	5 (0%)
Brunei Darussalam	1 (0%)	Kuwait	1 (0%)	Spain	6 (0%)
Bulgaria	1 (-50%)	Latvia	1 (0%)	Sri Lanka	5 (-38%)
Canada	38 (-14%)	Macedonia F.Y.R.O	1 (-50%)	Sweden	8 (-12%)
Chile	1 (-50%)	Malaysia	2 (-34%)	Switzerland	5 (-29%)
China	15 (-22%)	Mexico	4 (0%)	Thailand	1 (0%)
Colombia	2 (-34%)	Nepal	1 (100%)	The Netherlands	15 (25%)
Croatia	6 (20%)	New Caledonia	1 (100%)	Turkey	5 (25%)
Czech Republic	4 (100%)	New Zealand	5 (0%)	Ukraine	2 (0%)
Denmark	4 (0%)	Norway	6 (20%)	United Arab Emirates	3 (-40%)
Egypt	2 (0%)	Pakistan	2 (0%)	United Kingdom	25 (0%)
Finland	2 (0%)	Palestine	1 (0%)	United States	111 (5%)
France	16 (0%)	Peru	2 (100%)	Uruguay	1 (0%)
Germany	19 (26%)	Poland	3 (0%)	Vietnam	2 (-50%)
Greece	1 (0%)	Portugal	4 (-20%)	TOTAL	480 (-5%)
Hungary	4 (33%)	Romania	2 (0%)

When looking at the changes over the last year (January 2017 – January 2018), the total number went down from 505 to 480 (-5%). As the Office Servers and Services category contains quite a few long-standing, former October or January MVP awardees, I’m keeping my fingers crossed for this year’s renewal cycle.

Upgrade Paths for CU’s & .NET

Posted on December 21, 2017 by Michel de Rooij

Update 2/13/2018: Revised Microsoft upgrade guidance added.
Update 2/15/2018: Added missing CU14.

Microsoft keeps track of the current supported combinations of .NET Framework and Exchange Cumulative Updates at the Exchange Server Supportability Matrix. However, as time progresses, support information on older Cumulative Updates might be removed from the information presented, and you may need to resort to cached versions of this page or other sources to find this information.

This might be problematic for organizations that are not current, and need to find out which upgrade path they are required to follow to stay within the boundaries of supported Exchange deployment configurations. For example, you may need to upgrade to a specific Cumulative Update first, that is supported with a newer release of the .NET Framework, in order to be able to upgrade to a later Cumulative Update.

For these situations, the following tables contains the supportability matrix, enhanced with information regarding earlier Cumulative Updates and .NET Framework versions. These will provide you the supported upgrade paths for older versions of Exchange.

Exchange 2016

.NET	RTM-CU1	CU2	CU3-CU4	CU5-CU7	CU8
4.5	–	–	–	–	–
4.5.1	–	–	–	–	–
4.5.2	X	X	X	–	–
4.6.1¹	–	X	X	–	–
4.6.2	–	–	X	X	X
4.7.1²	–	–	–	–	X

Exchange 2013

.NET	RTM-CU3	CU4(SP1)-CU12	CU13-CU14	CU15	CU16-CU18	CU19
4.5	X	X	X	–	–	–
4.5.1	–	X	X	X	–	–
4.5.2	–	X	X	X	–	–
4.6.1¹	–	–	X	X	–	–
4.6.2	–	–	–	X	X	X
4.7.1²	–	–	–	–	–	X

Notes

When possible, bypass .NET Framework 4.6.1, as it not only requires updating the CU level prior to updating the .NET Framework, but also requires an additional hotfix: kb3146715 (ws2012r2), kb3146714 (ws2012) or kb3146716 (ws2008r2).
NET Framework 4.7.1 is recommended but not yet required for the indicated product versions.

Usage
Suppose your organization loves procrastinating, and you are running Exchange 2013 CU6. Luckily, you run it on .NET Framework 4.5.1, which was already a supported configuration back in 2014 – yes, it’s been that long. Looking at the table, to get current with a minimal number of updates in mind, you can derive the following path:

The upgrade path to CU19 would therefor be:

Upgrade to Exchange 2013 Cumulative Update 15
Upgrade .NET Framework to 4.6.2
Upgrade to Exchange 2013 Cumulative Update 19
Optionally, upgrade .NET Framework to 4.7.1

Note that in addition to information being refreshed on Microsoft pages, availability of older Cumulative Updates or .NET Framework updates might also change, so archive those files accordingly, if not for recovery of existing Exchange servers, then for this exact purpose.

Of course, you should stay current as possible from a support and security perspective, making the above a non-issue. Reality is, there are customers who have reasons, legitimate or not, to be trailing with updates in their environment, and at some point may need guidance on how to proceed in order to get current. I hope this information helps in those situations.

Thoughts and feedback is welcomed in the comments.

Update: Per February 13th, Microsoft updated upgrade guidance on the Exchange Supportability Matrix page, stating:

This means you will be supported when upgrading in the revised upgrade path, but the risk is still there. In the example above, when going from Exchange 2013 CU6 with .NET 4.5.1 to CU19, the support statement indicates you can upgrade to .NET Framework 4.7.1, when install CU19. However, things might break and you may need to contact support to get back in a supported, working situation. Therefor, I repeat my recommendation to download and archive CU’s and .NET Framework files, even when you are not planning on installing them (yet).

Exchange Updates – December 2017

Posted on December 19, 2017 by Michel de Rooij

The Exchange Team released the December updates for Exchange Server 2013 and 2016. Apart from the usual set of fixes, these Cumulative Updates also have the following enhancements:

Like announced earlier, these quartely updates introduce support for .NET Framework 4.7.1. Be advised that .NET Framework 4.7.1 will be required for the quarterly updates to be released in June 2018.
Upgrading an existing Exchange deployment with these Cumulative Updates will preserve TLS cryptography settings.
Support for Hybrid Modern Authentication (Info).

Version	Build	KB Article	Download	UMLP	Schema Changes
Exchange 2016 CU8	15.1.1415.2	KB4035145	Download	UMLP	Yes
Exchange 2013 CU19	15.0.1365.1	KB4037224	Download	UMLP	No

Exchange 2016 CU8 fixes:

4056329 Can’t access EWS from Outlook/OWA add-ins via makeEwsRequestAsync in Exchange Server 2016 and Exchange Server 2013
4054516 “Your request can’t” error when accessing an archive mailbox via OWA in Exchange Server 2016
4055953 The recipient scope setting doesn’t work for sibling domains in Exchange Server 2016
4055435 No MAPI network interface is found after you install Exchange Server 2016 CU7
4056609 Event ID 4999 and mailbox transport delivery service does not start after you install Exchange Server 2016 CU7
4045655 Description of the security update for Microsoft Exchange: December 12, 2017
4057248 Many Watson reports for StoragePermanentException in Exchange Server 2016

Exchange 2013 CU19 fixes:

4046316 MAPI over HTTP can’t remove client sessions timely if using OAuth and the resource has a master account in Exchange Server 2013
4046205 W3wp high CPU usage in Exchange Server 2013
4046182 Event ID 4999 or 1007 if diagnostics service crashes repeatedly in Exchange Server 2013
4056329 Can’t access EWS from Outlook/OWA add-ins via makeEwsRequestAsync in Exchange Server 2016 and Exchange Server 2013
4045655 Description of the security update for Microsoft Exchange: December 12, 2017

Exchange 2010
In addition the Cumulative Updates, Exchange Server 2010 SP3 also received an important update, which fixes the issue described in KB4054456. You can download Rollup 19 here, which will raise the version number to 14.3.382.0. The related KB article is KB4035162.

Notes:

Exchange 2016 CU7 and later requires Forest Functionality Level 2008R2 or later.
Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareSchema to manually update the schema, or use /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To see if you need to update the schema compared to your version or verify the update has been performed, consult the Exchange schema overview.
When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates for Exchange 2013 & 2016

Posted on December 13, 2017 by Michel de Rooij

Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.

This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.

You can download the security updates here:

Exchange Server 2016 CU7 (v15.1.1261.37)
Exchange Server 2016 CU6 (v15.1.1034.33)
Exchange Server 2013 CU18 (v15.0.1347.3)
Exchange Server 2013 CU17 (v15.0.1320.7)

Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.

Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.

Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

Exchange Certificate Reporting

Posted on October 19, 2017 by Michel de Rooij

powershell A quick tip on retrieving the expiration of certificates configured on your Exchange servers. While some certificate providers like DigiCert will proactively notify you when certificates are expiring in the near future, you may want to run such a report yourself. Or perhaps you want to verify configured certificates on all your Exchange servers are aligned.

To accomplish this, you could use readily available scripts, such as this one published by fellow MVP Paul Cunningham. But with some PowerShell you could easily construct yourself a one-liner which will perform the same task. We will first show the one-liner, after we will dissect and talk you through it. Note that being a lazy typist, I used several aliases to make the whole command a bit shorter, but not a lot.

Command
A command to retrieve basic certificate reporting for Exchange servers in your environment is as follows (wrapped for readability):

$D=(Get-Date).AddDays(30); Get-ExchangeServer | %{$S=$_.Identity;$R=$_.ServerRole; Get-ExchangeCertificate -Server $S |
Sort NotAfter | Select @{n='Server';e={'{0} ({1})' -f $S,$R}},
@{n='CertSubject';e={($_.Subject -split '( , )*..=')[1]}},
@{n='Expires';e={'{0:MM/dd/yyyy}' -f $_.NotAfter}},
@{n='IssuedBy';e={($_.Issuer -split '(, )*..=')[1]}},
@{n='Domains';e={$_.CertificateDomains -join ','}},
@{n='Alert';e={' !'[(Get-Date $_.NotAfter) -le $D]}},*} |
ft -a Alert, CertSubject, Status, Expires, IsSelfsigned, IssuedBy,
Services, Thumbprint, Domains -GroupBy Server | Out-String -Width 8192

Sample output

Dissection

$D=(Get-Date).AddDays(30) | Get-ExchangeServer

First, we want get a visual indication of certificates expiring in the coming 30 days. The command is followed by a semi-colon, which can be used to separate commands on the same line. The first cmdlet in our pipeline is Get-ExchangeServer, which returns all Exchange server objects.

%{$S=$_.Identity;$R=$_.ServerRole; Get-ExchangeCertificate -Server $S | Sort NotAfter | Select @{n='Server';e={'{0} ({1})' -f $S,$R}}, @{n='CertSubject';e={($_.Subject -split '( , )*..=')[1]}}, @{n='Expires';e={'{0:MM/dd/yyyy}' -f $_.NotAfter}}, @{n='IssuedBy';e={($_.Issuer -split '(, )*..=')[1]}}, @{n='Domains';e={$_.CertificateDomains -join ','}},@{n='Alert';e={' !'[(Get-Date $_.NotAfter) -le $D]}},*}

We are passing every Exchange server object to ForEach (%). For each of these objects, we will perform the following tasks:

First, we store its current Identity ($S) and Serverrole ($R) property in variables for later usage. This, because if we create a calculated properties later on, we have no reference anymore to the Exchange object in the calculated field expression, as $_ will then contain the current object passed to Select (Select-Object).
Next, we retrieve all certificates from the Exchange server we are looking at using Get-ExchangeCertificate, and we pipe those certificate objects to sort to order them by expiration date.
We then create several calculated properties in the pipeline stream:
- A property named Server will contain a formatted string consisting of the server Identity ($S) and its server roles ($R).
- A property named CertSubject, containing the name of the subject, without the ‘CN=’ prefix.
- A property expires with a formatted expiration string (NotAfter).
- A property named Issues, containing the name of the issuer of the certificate, without the ‘CN=’ prefix.
- A property Domains containing the SAN names of the certificate, separated by commas.
- A property Alert, showing an exclamation mark when certificate expires (NotAfter) before the date determined earlier ($D).
- All other certificate properties are also retained by finally selecting all properties (*).

ft -a Alert, CertSubject, Status, Expires, IsSelfsigned, IssuedBy, Services, Thumbprint, Domains -GroupBy Server | Out-String -Width 8192

Finally, we format the output by selecting and ordering properties using Format-Table (ft), auto-sizing (-a) columns. In addition to the previously added calculated properties, we also return the SelfSigned, Services and Thumbprint properties. Using the GroupBy parameter, we make Format-Table group the objects on a specific property, in this case Server. Because the output can be very wide we use Out-String, specifying a large width to generate output larger than the host session without wrapping or truncating output.

Exchange Updates – September 2017

Posted on October 5, 2017 by Michel de Rooij

Honeymoon caused some backlog, and one of the things to post was that the Exchange Team released the September updates for Exchange Server 2013 and 2016. Like the previous Cumulative Updates for these Exchange versions, Exchange 2013 CU18 and Exchange 2016 CU7 require .NET Framework 4.6.2; NET Framework 4.7.1 is currently being tested (4.7 will be skipped), and support for 4.7.1 is expected for the December updates.

Version	Build	KB Article	Download	UMLP	Schema Changes
Exchange 2016 CU7	15.1.1261.35	KB4018115	Download	UMLP	Yes
Exchange 2013 CU18	15.0.1347.2	KB4022631	Download	UMLP	No

Exchange 2016 CU7 fixes:

KB 4040754 “Update UseDatabaseQuotaDefaults to false” error occurs when you change settings of user mailbox in Exchange Server 2016
KB 4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
KB4036108 Security update for Microsoft Exchange: September 12, 2017

Exchange 2013 CU18 fixes:

KB4040755 New health monitoring mailbox for databases is created when Health Manager Service is restarted in Exchange Server 2013
KB4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
KB4040120 Synchronization may fail when you use the OAuth protocol for authorization through EAS in Exchange Server 2013
KB4036108 Security update for Microsoft Exchange: September 12, 2017

Notes:

Exchange 2016 CU7 requires Forest Functionality Level 2008R2 or later.
Exchange 2016 CU7 includes schema changes, but Exchange 2013 CU18 does not. However, Exchange 2013 CU17 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
NET Framework 4.7.1 is being tested by the Exchange Team, but .NET Framework 4.7.1 nor .NET Framework 4.7 are supported.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order in which you upgrade servers with Cumulative Updates is irrelevant.