Security Updates Exchange 2013, 2016 & 2019

Posted on January 14, 2019 by Michel de Rooij

Update 14jan: Added Exchange 2010 SP3 RU25

A quick heads-up as during my vacation Microsoft released security updates for supported releases of Exchange Server 2013, 2016 as well as Exchange Server 2019. In addition, a new Rollup was released for Exchange 2010 as well, containing one of the security updates.

The security updates patch issues as reported in the following Microsoft Common Vulnerabilities and Exposures:

CVE-2019-0586: Microsoft Exchange Memory Corruption Vulnerability
CVE-2019-0588: Microsoft Exchange Information Disclosure Vulnerability

You can download the security updates here:

Security Update For Exchange Server 2013 CU21 (v15.0.1395.10, KB4471389)
Security Update For Exchange Server 2016 CU10 (v15.1.1531.10, KB4471389)
Security Update For Exchange Server 2016 CU11 (v15.1.1591.13, KB4471389)
Security Update For Exchange Server 2019 (v15.2.221.14, KB4471389)
Exchange Server 2010 SP3 Rollup 25 (v14.3.435.0, KB4468742)

Notes:

Exchange 2010 SP3 RU25 addresses CVE-2019-0588 only.
KB4471389 supersedes KB4468741 and KB4459266; KB4468742 supersedes KB4458321.

Be advised that the Security Updates for Exchange 2013 and 2016 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CU’s, and you cannot apply the update for Exchange 2016 CU10 to Exchange 2016 CU11. I would suggest tagging the Cumulative Update in the file name when you archive it, e.g. Exchange2016-KB4471389-x64-en-CU10.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

Exchange 2019 Preferred Architecture

Posted on December 14, 2018 by Michel de Rooij

Microsoft has been promoting Docs as the new home of product documentation for a while now. And now a long awaited piece of Exchange 2019 documentation has been published, the Exchange 2019 Preferred Architecture.

The Preferred Architecture – or PA – contains information on how to plan and deploy Exchange 2019 using commodity hardware. It also contains more guidelines on deploying Exchange 2019 using its new Metacache database (MCDB) feature; SSDs to store meta data to speed up storage access, improving overall performance and user experience.

Still missing in the planning instruments is an updated Exchange role requirements calculator for Exchange 2019, incorporating things like the metacache database etc. I’m pretty sure that is being worked on to be released at a future date.

Also quiet convenient is that GitHub being the platform allows the team to provide a feed on Exchange content updates. Really nice to quickly see latest additions and changes in documentation.

Security Updates for Exchange 2016

Posted on December 12, 2018 by Michel de Rooij

A quick heads-up as Microsoft released security update for supported releases of Exchange Server 2016.

The security updates patch issues as reported in the following Microsoft Common Vulnerabilities and Exposures:

CVE-2018-8604: Microsoft Exchange Server Tampering Vulnerability
A tampering vulnerability exists when Microsoft Exchange Server fails to properly handle profile data. An attacker who successfully exploited this vulnerability could modify a targeted user’s profile data.

You can download the security updates here:

Security Update for Exchange Server 2016 CU10 (v15.1.1531.8, KB4468741)
Security Update for Exchange Server 2016 CU11 (v15.1.1591.11, KB4468741)

Notes:

KB4468741 for Exchange Server 2016 CU10 supersedes KB4459266.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

Multi-Tenant Administration

Posted on November 4, 2018 by Michel de Rooij

Note: When writing this blog, the Azure portal received an update which allows for switching directories. Unfortunately, this feature hasn’t been ported to the other Office 365 admin UI’s at this moment.

Being a consultant, you often find yourself having to switch tenants, or having to keep multiple admin portals open to different Office 365 tenants. This may become a nuisance, as you can use only a single set of credentials per browser instance. In other words, if you connect to the Office 365 admin portal using credentials A, opening up the Azure portal will be in the same context.

A typical workaround for this situation would be to open up a new private browser session. From that private browser session, you need to provide credentials B. Any new tabs in that private window will also be in the same context. The whole private session is hosted in a new window.

A more neat solution for this scenario is leveraging browser containers, such as:

Notes:

This blog is written based on Firefox Multi-Account Containers, so your mileage may vary if you’re using Chrome or a 3rd party add-on.
Firefox also supports a basic version of context switching natively via about:config, setting privacy.userContext.enabled.
I’m not aware of similar features or 3rd party add-ons for other browsers.

Unlike the Chrome extension, FireFox’ Multi-Account Containers allows you to have multiple sessions from within the same browser. For this purpose, tabs are used to arrange sessions in what’s called containers. Each container shares the same set of site preferences, sessions, cookies etc. To identify containers, they can be assigned a (new) name, color and symbol.

After installing the add-in, you will get a button that will open the container selection window. In this example, I have set up 4 containers besides the default ones: one for every customer and one for my lab. Selecting Contoso will open a new blank tab. The right side of the address bar contains a visual reference to the active container, showing label and symbol in the configured color.

Keep Me Signed In Now, when you go to portal.office365.com, the Office 365 account picker may show up when connected before using this container. Pick one, or enter a new set of credentials. This account will be stored in this container. The question of wanting to stay signed in makes more sense now, as the token will be stored within the container, happily coexisting with other Keep-Me-Signed-In settings and sessions from other containers.

Now, when you open a different admin app in that tab, it will be in the same container and thus user context. You can also select to open a blank tab in that container, and navigate to portal.azure.com. You will notice it picks up the Contoso credentials provided earlier. This is because the session information is stored within the Contoso container.

Now click the container icon again, and select a different container, e.g. Fabrikam. Navigate to portal.office365.com, and you will notice you can provide new (or re-use) credentials which have a different context than Contoso. Also, opening the Azure portal after that in this container will be in the Fabrikam context.

Having set this up properly, you can easily switch between all admin portals from different tenants by selecting the different container tabs: no need to switch accounts or firing up separate private browser windows. This is a more elegant solution compared to private browsing sessions.

A final note that the above not only can be used to access the Office 365 admin portals of multiple tenants, but web-based applications such as Teams, Outlook Web Access or SharePoint as well.

Exchange 2019 released

Posted on October 22, 2018 by Michel de Rooij

Today will be a day long remembered, as it has seen the release of Exchange Server 2019. After the Ignite event in September, release of Exchange 2019 was more or less imminent. Well now it’s out there – on Volume License Center to be exact – and while most details were announced at Ignite as well, there have been some features which didn’t make it in part or entirely to RTM.

To start with formalities: The version number of Exchange 2019 RTM is 15.2.221.12. After preparing your Active Directory forest, the schema version is 17000, while the forest and domain versions will become 16751 and 13236 respectively.

Looking at the VL requirement as well as the dimensioning, it’s clear Exchange server 2019 is positioned as a product for enterprises; small to medium-sized business should aim for Office 365.

Highlights
A detailed summary of Ignite announcements on Exchange 2019 was published earlier here. To recap, some major highlights:

Volume Licensing only, and no “Hybrid Server key”.
FFL 2012R2 and later.
Exchange Server 2019 on-premises is permanently branched from Exchange Online.
MetaCache Database (MCDB) storage tiering with SSD’s for improved UX and mailbox density (+20%). Recommended ratio SSD:HDD is 1:3.
Dynamic Database Cache to dynamically balance memory over active and passive copies cache.
Big Funnel search technology leveraging mailbox database for availability.
Supports up to 48 cores, recommended memory 128GB Mailbox/64GB Edge server roles to benefit scaling improvements. Maximum supported memory is 256GB.
Requires Windows Server 2019, desktop or core.
Requires .NET Framework 4.7.2, VC++ redistributable and UCMA (Mailbox only).
Co-existence support with Exchange 2013 and 2016.
UM role is gone.

Documentation
The official documentation can be found online on Docs here. For an overview of the sessions presented at Ignite on Exchange and related topics like calendaring, see here.

Notes
If you get a message when trying to install saying (desktop and core):

Setup can’t continue with the upgrade because the taskhostw (<PID>) has open files. Close the process, and then restart Setup. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ProcessNeedsToBeClosedOnUpgrade.aspx”

You can close the process with taskkill /f /pid <PID>.

Other articles
Other articles on the release of Exchange Server 2019:

Exchange Server 2019 now available (Official announcement)
Exchange 2019 released & available on Volume License Center (Jaap Wesselius)
Exchange 2019 Server On-Premises Debuts (Tony Redmond)

Do make sure you read the release notes, which contains important information on potential issues.

In other news
The following products were also released today:

Exchange Updates – October 2018

Posted on October 16, 2018 by Michel de Rooij

The Exchange Team released the October update for Exchange Server 2016. You may notice the absence of Exchange 2013, which is now in extended support phase and thus won’t receive regular updates. This heads-up was also given together with the updates of June.

Version	Build	KB	Download	UMLP	Schema?
Exchange 2016 CU11	15.1.1591.10	KB4134118	Download	UMLP	No

This update contain the following important changes and notes:

Exchange 2016 CU11 – as well as Exchange 2013 CU21 – are supported with .NET Framework 4.7.2; at least .NET Framework 4.7.1 is required for both.
Exchange 2016 CU13 (the June 2019 release, December will be skipped) will start requiring .NET Framework 4.7.2, similar to the release of Exchange 2019; Windows Server 2019 will contain .NET Framework 4.7.2.
Exchange 2016 requires installation of VC++ 2012 runtime prior to installation. Additionally, when installing the Mailbox role, VC++ 2013 runtime needs to be installed as well.

Exchange 2016 CU11 fixes:

4076516 Email message body is garbled when the Russian version of Outlook is used in Exchange Server 2016
4095967 CultureNotFoundException when you select an LCID 4096 language in Exchange Server 2016
4456225 The image in a signature that’s created in Outlook on the web isn’t visible to external users in Exchange Server 2016
4456226 Require SSL setting of MAPI virtual directory is reset after you install a cumulative update of Exchange Server 2016
4456227 ActiveSync clients cannot connect or synchronizing is delayed in an Exchange Server environment
4456228 Add an option to control UseAscReqNoToken through app configuration for Exchange Server 2016
4456229 Irrelevant management role entries without parameters are displayed in Exchange Server 2016
4456230 Component/protocol level bypass option for InternetWebProxy to avoid unnecessary proxy traffic within internal networks
4456231 AdvancedDataGovernanceLogs is created on the D drive after deploying Exchange Server 2016
4456232 Outlook on the web enters an authentication loop when you use device registration in Exchange Server 2016
4456234 Email can’t be delivered when the subject has an unknown character set in Exchange Server 2016
4456240 “CrimsonProbe has been poisoned repeatedly” error when migrating mailboxes to Exchange Server 2016
4456243 Hashed lines shown in scheduling assistant when Exchange Server 2016 tries to retrieve free/busy information across untrusted forests
4456244 Public folder forwards the new item that you create in Exchange Server 2016
4456245 Event ID 4999 and NullReferenceException when the New-MailboxRestoreRequest and New-MailboxExportRequest cmdlets fail in Exchange Server 2016
4456247 StoreDriver.config validation fails then meeting reminder can’t be set to “None” in Exchange Server 2016
4456249 Message tracking logs can’t be fully indexed in Exchange Server 2016
4456250 Users can download and view attachments that exceed the maximum attachment size setting in mobile device mailbox policy in Exchange Server 2016
4456259 Exchange Server 2016 user can’t access a shared calendar from Exchange Server 2013
4456233 UAPStatisticsLog and RecordReview are created on the D drive after you deploy Exchange Server 2016
4459847 Can’t send S/MIME encrypted mail or update the S/MIME control from Outlook on the web in Exchange Server 2016

Notes:

Exchange 2016 CU11 does not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Hybrid Configuration Wizard & F12

Posted on September 27, 2018 by Michel de Rooij

A small tip for those running the Exchange Hybrid Configuration Wizard. As announced at Ignite yesterday, a convenient feature was added to the HCW and is available now. Pressing F12 in the HCW will now open up a panel with shortcuts to the following tools and locations:

Exchange Management Shell
Exchange Online PowerShell
(current) Hybrid Configuration Wizard Log File
Create Support Package (to zip HCW logs for support)
Open Logging folder (of HCW)
Open Process Folder (of the HCW app)

Here is how it looks:

This might save you an occasional click or two.

Exchange Announcements @ Ignite

Posted on September 25, 2018 by Michel de Rooij

Update Sep27th: Added Outlook 2013 to list of supported clients.

During Ignite 2018, details are announced to the public on Exchange Server 2019, Exchange Online, as well as Office 365 and related technologies. In this article I’ll try to summarize all the details in a readable format for your reference. The list is probably inconclusive; if you think anything is missing, let me know to I can update the article.

Exchange Server 2019

Distributed through Volume licensing only
- Implication is that there will be no “Hybrid Server Key”
Release planned for later this year
Windows Server 2019 required
- Windows Server Core recommended (security, smaller attack surface and disk footprint)
- Exchange supports in-place upgrading of underlying operating system per Windows Server 2019.
Support for co-existence with n-2
- Exchange Server 2016 and Exchange Server 2013.
- Outlook 2013-Outlook 2019, Outlook 2016/Max and Outlook for Mac for Office 365.
Forest Functionality Level 2012R2 or later
Support for up to 48 CPU cores (Exchange 2016: 24)
Recommended minimum memory for Mailbox server 128GB, and 64GB for Edge Transport. Maximum memory is 256GB (Exchange 2016: 192GB). The reason for 128GB recommendation is that the .NET scaling benefits (see below) only work from around 100GB and up.
Page file 25% of installed memory (Exchange 2016: Maximized at 32GB).
.NET Framework 4.7.2, Visual C++ Redistributable and UCMA (Mailbox only)
Uses Server GC instead of Workstation GC for some IIS application pools. Better .NET memory management and improves CPU/memory scaling.
Will only use TLS 1.2 (there’s a transition mode supporting lower TLS versions, but for that all existing Exchange versions need to support 1.2 as well)
No more UM, options:
- Move all users and mailboxes to Office 365
- Migrate to Skype for Business Server 2019
- Remain on Exchange 2016 (EOL 2026)
- 3rd party VoiceMail solution
MetaCache Database uses storage tiering
- Leverages SSD’s
- Use SSD to spinning disk ratio 1:3
- Caches indexes, mailbox folder structures and small items
- Improves UX: faster logons, searches and small items retrieval
- Allows for higher mailbox density per server (+20%
- Utilize larger disks
Client Access Rules
- Restrict external access to EAC and PowerShell
- Evaluated at server level, so external connections need to hit Exchange 2019.
Additional perks for administration and end users
- Remove-CalendarEvents to remove meetings from a person (e.g. leaver)
- Recurring meetings will receive a default end date
- Meetings can be restricted to prevent forwarding
- Setting Out of Office in OWA allows for blocking calendar for that period, as well as decline current meetings and future meeting invites during that period.
Calculator and additional guidance on its way
On the Roadmap
- On-premises Modern Authentication
- Extending Client Access Rules to other protocols
- Mailbox Encryption using Customer Keys
- Monitoring and Analytics tools
- Blocking legacy authentication methods
- Removal of RPC/HTTP support (Outlook Anywhere)
- Simplified Calendar Sharing

The Exchange Server 2019 documentation went live here. Some additional details were included in this list.

On another note: Greg Taylor gave an interview to Phoummala Schmitt (aka @ExchangeGodess) for Channel 9 on Exchange 2019. That replay can be watched here. Also, Scott Schnoll and JeffMealiffe as well as Greg Taylor and Ross Smith were interviewed by TheCube; those recordings can be watched here and here respectively.

Exchange Hybrid

Organization Configuration Transfer (OCT) version 2
- Planned for October 2018
- Adds the following to OCT v1 (current)
  - ActiveSync Device Access Rules
  - ActiveSync Organization Settings
  - Address Lists
  - DLP Policies
  - Malware Filter Policies
  - Policy Tips
  - Organization Config
- Introduces conflict handling with review mode
- Generates a script to undo changes
Exchange Hybrid deployment
- Microsoft Hybrid Agent
- Installed using HCW (‘Modern Hybrid’); ‘Classic Hybrid’ still an option
- Hybrid Agent leverages Azure Application Proxy technology
  - Hybrid Proxy Service in the service will proxy requests between Exchange Online and Exchange on-premises.
  - No changes required to URLs or certificates
  - Hybrid Agent uses outbound connection only (port 80/443) to obfuscated unique URL (https://{GUID}.resource.{flow}.his.msappproxy.net. This URL is configured as TargetSharingEpr on the OrganizationalRelationship in Office 365
  - Running multiple agents is supported for availability and scaling
  - Outbound connections means less arrangements to make on (inbound) firewall rules (but another agent, like PTA, ADConnect Health Agent, regular Azure Application Proxy, to bypass security blockades may introduce other concerns)
- Version 1 will support Free/Busy and MRSProxy and is in Private Preview now

The Exchange team published a quick blog on OCT and Hybrid Agent here.

Exchange Sessions @ Ignite 2018

Posted on September 20, 2018 by Michel de Rooij

ignite2018 Among all the announcements of upcoming products and changes in the service, more details will also be revealed of Exchange Server 2019 and related products at Ignite next week. To those who are not able to attend, like yours truly: do not despair as Microsoft will be live streaming all keynote, breakout and community theater sessions.

The place to view those streams is through the Tech Community portal, and likely the session info pages will be used to embed the streams or provide links as they become available.

For this purpose, I made a short list of Exchange Server related sessions scheduled at Ignite 2018 for reference and easy access next week:

Session	When	Title	Speakers
THR3024	9/24 3:00PM	How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less	Jeff Guillet
BRK2176	9/24 16:00 PM	Welcome to Exchange Server 2019!	Greg Taylor, Brent Alinger
BRK3148	9/25 10:45 AM	Securing Exchange Online from modern threats	Brandon Koeller
BRK3375	9/25 2:15 PM	Notes from the field: How a large global bank moved to Office 365	Erik Knoppert, Michael Van Horenbeeck
BRK2165	9/25 3:15 PM	What’s new in Groups in Outlook	Ravin Sachdeva, Sri Ramya Mallipudi
THR3123	9/25 4:00 PM	Getting stuff done: Solving Office 365 problems with PowerShell	Tony Redmond
BRK3128	9/25 4:00 PM	Outlook on the web: What’s new and why you should care	Joey Masterson, Charlie Chung, Gabriel Valdez Malpartida, Cindy Kwan
THR3076	9/25 11:05 PM	Azure Information Protection and Exchange Online – better together	Michael Van Horenbeeck
BRK3129	9/26 9:00 AM	Turbo charge your Exchange on-premises and hybrid environment: Notes from the field	Steve Goodman
BRK3143	9/26 10:00 AM	Hybrid Exchange: Making it easier and faster to move to the cloud	Jeff Kizner
THR2129	9/26 11:20 AM	Office 365: Five important lessons learned during a one million mailbox migration	J. Peter Bruzzese
BRK2177	9/26 12:00 PM	Outlook mobile for the enterprise	Tali Roth, Michael Palermiti, David Pearson
THR3025	9/26 15:00 PM	Preparing to move (or remove) those public folders to the cloud	Michael Van Horenbeeck
BRK3130	9/26 16:00 PM	Email search in a flash! Accelerating Exchange 2019 with SSDs	Tobias Klima, Damon Gilkerson
BRK3146	9/27 9:00 AM	What’s amazing and new in calendaring in Outlook!	Julia Foran, Jennifer Lu, Will Holmes
BRK3145	9/27 10:00 AM	Deploying Outlook mobile securely in the enterprise	Ross Smith IV
THR2044	9/27 10:45 AM	The top six PowerShell commands you need to know to manage Office 365	Steve Goodman
THR2392	9/27 11:00 AM	Executive impersonators & fraudsters be gone! Using active defense & predictive artificial intelligence to secure your Office 365 email environment	Vidur Apparao
BRK3131	9/27 12:45 PM	Office 365: Marriages, divorces, and adoptions	Steve Goodman
BRK3258	9/27 2:00 PM	Panel discussion: Microsoft Exchange/Calendar/OWA	Damon Gilkerson, Brent Alinger, Julia Foran, Jeff Kizner, Brandon Koeller, Joey Masterson, Brian Day, Robin Thomas
THR3024R	9/27 15:00 PM	How to add MFA to your Exchange on-premises or Exchange Online mailboxes in 20 minutes or less (REPEAT)	Jeff Guillet
THR2145	9/27 16:00 PM	Why do we need to keep an Exchange Server on-premises when we move to the cloud?	Brian Reid
BRK3279	9/28 9:00AM	So long and thanks for all the (email) phish	Brian Reid
BRK3147	9/28 12:00 PM	Scott Schnoll’s Exchange and Office 365 tips and tricks	Scott Schnoll

Note that the table above was constructed using the Get-EventSession script. That script has been updated recently so it can also download on-demand sessions when downloadable video contents aren’t available (e.g. Inspire). I’ll be closely monitoring next week to check if the script can cope with the way Ignite contents will be published.

Support Lifecycle changes for Office ProPlus & 2016 (a.o.)

Posted on September 7, 2018 by Michel de Rooij

Outlook 2013 Icon In a surprise – but welcomed – move, Microsoft announced yesterday that the office support lifecycle for Office 365 ProPlus on Windows 8.1 and Windows Server 2016 are extended to January 2023 (EOL of Windows 8.1) and October 2025 respectively. In addition, Office 2016 connectivity support for Office 365 services will be extended to October 2023 (was 2020).

Other announced changes in product support lifecycles were extending Windows 10 Enterprise & Education support from 18 to 30 months. Also, for Windows 7 Professional & Enterprise, paid security updates (Extended Security Updates) will be offered, and those Windows 7 ESU devices will be supported through January 2023 – parallel to Windows 8.1 – with Office 365 ProPlus.

The intention of these changes is to provide customers more flexibility in adopting modern desktops on the client end (i.e. Windows 10) and upgrade their Office suite, preferably to the susbscription-based ProPlus. The release cadence of the cloud has significant impact on organizations, which were told in February to keep in line with product releases as a lot of product support lifecycles were going to end in 2020.

Extending those dates not only gives them more flexibility to plan and upgrade, but also might prevent organizations to do only to the minimum, which is likely the reason many organizations are still on Windows 7 and why it took many organizations a long time to get rid of Windows XP.