Exchange 2010-2016 Security Fixes

Microsoft released security updates to fix a remote code execution vulnerability in Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

MVPs around the World

In July 2017 the new annual award cycle regime was put into effect for Microsoft MVPs around the world. Earlier this year, to simplify the process and introduce new talent into the program more quickly, Microsoft switched to a monthly cycle for recognizing MVPs, and changed the award review from a quarterly to an annual cycle. This meant MVPs from April and July were going to be the first ones to be reviewed for June 2017; the January and October awardees got their review shifted to July 2018. That might look like dispensation, but it isn’t, as their contributions will be evaluated over a longer period of time.

Looking at the publicly available statistics on MVPs around the world could provide some insight into what the program – and thus Microsoft – has set its sights on. So with the introduction of the new cycle, I did a quick comparison of this and last month’s numbers. But first a small disclaimer: the numbers below are taken from a public source, the Microsoft Most Valuable Professional portal. Also, there is a small number of anonymous MVPs, which always puzzles me, as being an MVP usually means that this person is visible online. And finally, note that MVPs can be awarded in more than one category, which is the reason some numbers won’t add up.

To start with the total number of MVPs: that went down from 4017 in June to 3410 (-15%). The program also saw a new category being added: Artificial Intelligence, or AI. The table below contains the number of awards per category, and the change from June to July:

Competence                                  June-2017  July-2017  Change
Access                                      41         37         -10%
AI                                          0          1          100%
Business Solutions                          236        193        -18%
Cloud and Datacenter Management             455        392        -14%
Data Platform                               445        399        -10%
Enterprise Mobility                         170        148        -13%
Excel                                       116        94         -19%
Microsoft Azure                             342        311        -9%
Office Development                          39         38         -3%
Office Servers and Services                 532        449        -16%
OneNote                                     16         15         -6%
Outlook                                     14         14         0%
PowerPoint                                  36         36         0%
Visio                                       15         14         -7%
Visual Studio and Development Technologies  1100       901        -18%
Windows and Devices for IT                  201        148        -26%
Windows Development                         351        277        -21%
Word                                        25         23         -8%
Total                                       4134       3490       -16%

Overall, the numbers are down, except for the new AI category and the number of Outlook and PowerPoint MVPs.

Regarding the Office Servers and Services MVPs, the number of awards per country is depicted in the following heat map and table. Note that anonymous MVPs are not taken into account:


Country                 July-2017 (change vs June)
Argentina               2 (0%)
Australia               21 (-25%)
Austria                 1 (0%)
Belarus                 1 (0%)
Belgium                 7 (-13%)
Bosnia-Herzegovina      3 (0%)
Brazil                  4 (-50%)
Brunei Darussalam       1 (0%)
Bulgaria                2 (0%)
Canada                  38 (-18%)
Chile                   1 (-50%)
China                   15 (-25%)
Colombia                2 (-34%)
Croatia                 5 (0%)
Czech Republic          2 (0%)
Denmark                 4 (0%)
Egypt                   2 (0%)
Finland                 2 (0%)
France                  16 (-16%)
Germany                 17 (-6%)
Greece                  1 (0%)
Guatemala               0 (-100%)
Hungary                 4 (0%)
India                   12 (-8%)
Ireland                 1 (-50%)
Israel                  1 (-50%)
Italy                   10 (-10%)
Japan                   18 (-10%)
Korea                   9 (-25%)
Kuwait                  1 (0%)
Latvia                  1 (0%)
Macedonia F.Y.R.O       1 (-50%)
Malaysia                2 (-34%)
Mexico                  3 (-25%)
Myanmar                 0 (-100%)
Nepal                   1 (0%)
New Zealand             5 (-17%)
Norway                  5 (0%)
Pakistan                1 (-50%)
Palestine               1 (0%)
Peru                    2 (0%)
Poland                  3 (0%)
Portugal                4 (-20%)
Romania                 2 (0%)
Russia                  8 (-12%)
Serbia                  1 (0%)
Singapore               4 (0%)
Slovakia                1 (0%)
Slovenia                2 (0%)
South Africa            4 (-20%)
Spain                   6 (-15%)
Sri Lanka               6 (-15%)
Sweden                  8 (-20%)
Switzerland             5 (-29%)
Taiwan                  0 (-100%)
Thailand                1 (0%)
The Netherlands         13 (0%)
Turkey                  4 (0%)
Ukraine                 2 (0%)
United Arab Emirates    3 (-40%)
United Kingdom          21 (-20%)
United States           103 (-11%)
Uruguay                 1 (0%)
Vietnam                 2 (-34%)
Total                   429 (-16%)

Looking at the names that were no longer on the MVP portal as of July, one may notice that quite a number of long-standing MVPs were not re-awarded. Apart from being a big loss for the community, it is also an indication that Microsoft is looking further ahead to the Cloud First, Mobile First, On First™ world, indiscriminately coming clean with the MVP population in the process.

For those that were not re-awarded: thank you for all your past contributions, some of you for being an inspiration long before I became an MVP, and for your honest feedback to the program and other MVPs. Don’t forget: once an MVP, always an MVP!

Office 365 Engage 2017 Wrap-up

Last week the inaugural Office 365 Engage conference took place in the small but charming city of Haarlem, The Netherlands. With hotels for speakers and attendees close by, the event took place in the Philharmonie, a venue normally used for concerts and theater performances. This led to some amazing shots on social media of sessions being held in “Room A” (the theater), “Room B” (with bar) and “Room E” (the concert hall).


“Room A”

With Tony Redmond chairing this non-Microsoft event, one of the few big Microsoft-technology related events remaining in Europe, organizer BWW Media Group managed to attract an amazing line-up of speakers. Amongst them were quite a number of Microsoft MVPs, some, like Paul Robichaux or Chris Goosen, even flying in from overseas. Being sort of a home game for me, it was the other speakers’ turn to cope with jet lag.

Sessions presented were on all things Office 365 related, such as Azure AD, Exchange Online, SharePoint Online, Groups and Teams, and also more dev-oriented sessions on things like the Graph API. More generic topics were put on the table as well, like the roadmap and coping with continuous development, GDPR, or hybrid strategies.


“Room B”

On Monday, Jaap Wesselius and I held a full-day workshop on PowerShell for Office 365. The attendees came from all over Europe, which shows that there is a demand for a European event of this size on this topic. On Tuesday, I presented a session on Managing Exchange Online using PowerShell, Tips & Tricks. Pending feedback from evaluations, the workshop and session went very well. For those that attended our workshop on Monday, PowerShell for Office 365, or my session on Tuesday on Exchange Online and PowerShell Tips & Tricks, the slide decks will be made available later through the organizer. Sample code from the session is available from the TechNet Gallery here.

“Room E”

Finally, a big thank you to BWW’s Megan Keller, their CEO George Coll, and all the other staff as well, who made speakers and attendees feel welcome at this event, which was small and intimate, a different experience from more massive events like Microsoft Ignite. Also a big thank you to the folks of Quadro-Tech for sponsoring the post-conference drinks.

With everything within walking distance, and with pleasant summer weather, the after-conference hours for catching up with peers and attendees were very enjoyable. BWW was also so kind as to offer us speakers a boat trip, where we could experience Haarlem from the waterside, including the obligatory snapshots of windmills, fields and cows.

Note that the organizer is still looking for feedback on the event. Share with them what you like or didn’t like, so they can improve next year’s conference. I am really looking forward to next year’s event, to be held in June 2018, and would highly recommend it to anyone. Hope to see you there next year!

Exchange Updates – June 2017

Today, the Exchange Team released the June updates for Exchange Server 2013 and 2016. Like the previous Cumulative Updates for these Exchange versions, Exchange 2013 CU17 and Exchange 2016 CU6 require .NET Framework 4.6.2; .NET Framework 4.7 has been tested by the Exchange team, but is still unsupported until further notice.

Exchange 2016 CU6 contains much-awaited feature enhancements:

  • Sent Items Behavior Control. The implementation of Sent Items behavior in Exchange 2016 CU6 won’t be backported to earlier Exchange versions, as these have their own implementation.
  • Original Folder Item Recovery. This feature won’t be backported to previous versions of Exchange either.

Apart from DST changes, check the lists below for changes contained in these updates.

Version             Build         KB Article  Download  UMLP  Schema Changes
Exchange 2016 CU6   15.1.1034.26  KB4012108   Download  UMLP  Yes
Exchange 2013 CU17  15.0.1320.4   KB4012114   Download  UMLP  No

Exchange 2016 CU6 fixes:

  • KB4024658 FIX: The EAS web.config file is not updated on the CAFE server during a build-to-build upgrade
  • KB4024654 POP/IMAP clients can’t log on with NTLM when Alias and SamAccountName are different in Exchange Server 2016
  • KB4024653 Active Monitoring probes fail when you use a new accepted domain as the default domain in Exchange Server 2016
  • KB4024652 Repeated IMAP SEARCH BODY requests may not return newly delivered messages in Exchange Server
  • KB4024651 The “MessageRetrievalMimeFormat” setting isn’t honored for plain text-only email messages in IMAP in Exchange Server
  • KB4024650 Emoji is displayed as question marks in iOS clients in an Exchange Server environment
  • KB4024649 The Read or Unread flag isn’t synchronized correctly after you turn off an ActiveSync device overnight in Exchange Server
  • KB4024648 FIX: A new contact created in OWA may be merged into an existing contact on Exchange Server 2016

Exchange 2013 CU17 fixes:

  • KB4024652 Repeated IMAP SEARCH BODY requests may not return newly delivered messages in Exchange Server
  • KB4024651 The “MessageRetrievalMimeFormat” setting isn’t honored for plain text-only email messages in IMAP in Exchange Server
  • KB4024650 Emoji is displayed as question marks in iOS clients in an Exchange Server environment
  • KB4024647 “The property is too long” error when you update the “Department” field of user mailbox in Exchange Server 2013
  • KB4024646 “Insufficient access rights” error when you run setup.exe as member of “Delegated Setup” group in Exchange Server 2013

Notes:

  • Exchange 2016 CU6 includes schema changes, but Exchange 2013 CU17 does not. However, Exchange 2013 CU17 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • .NET Framework 4.7 is being tested by the Exchange Team, but is not supported until further notice.
  • Customers who have deployed Exchange in Hybrid or use Exchange Online Archiving need to stay current, or at least run the prior Cumulative Update version.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange and .NET Framework 4.7

A quick heads-up that .NET Framework 4.7 has recently been released and will be made available through Windows Update channels. The current versions of Exchange Server are not supported with this version of the .NET Framework, and you should not install or update to this version.

Similar to the situation with .NET Framework 4.6.1 around a year ago, you can prevent (accidental) upgrades of the .NET Framework by creating the following registry key on your Exchange servers:

HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework47 = 1 (REG_DWORD)

To report on the currently installed .NET Framework version on one or more computers, you can use this PowerShell script, Get-DotNetVersion.ps1. It will not only report the .NET Framework version information, but also if those registry entries to block .NET Framework 4.6.1 or .NET Framework 4.7 upgrades are present.

[PS] C:\> .\get-DotNetVersion.ps1 -ComputerName ex1,ex2 | ft -a

Computer Release NetFramework Net461Block Net47Block
-------- ------- ------------ ----------- ----------
ex1      461268  4.7          False       True
ex2      461268  4.7          False       False
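As an added example (not the author’s Get-DotNetVersion.ps1, nor the unattended installation script), the PowerShell below reports the same five columns for one or more servers, reading the local registry directly and remote servers through PowerShell remoting, and adds a second function that creates or removes the BlockNetFramework47 value from the post. It goes slightly beyond the text by also recognizing the 4.7.1, 4.7.2 and 4.8 Release values, so anything at or above the 4.7 threshold shows up as unsupported for the Exchange versions discussed here.

```powershell
# Added example, not code from the post. Release-to-version mapping uses the
# documented minimum 'Release' DWORD for each .NET Framework 4.x version.
$NetReleaseThresholds = [ordered]@{
    528040 = '4.8'
    461808 = '4.7.2'
    461308 = '4.7.1'
    460798 = '4.7'
    394802 = '4.6.2'
    394254 = '4.6.1'
    393295 = '4.6'
    379893 = '4.5.2'
}

function ConvertTo-NetFrameworkVersion {
    param([int]$Release)
    if (-not $Release) { return 'Not installed' }
    # Thresholds are ordered newest first, so the first one reached is the answer
    foreach ($entry in $NetReleaseThresholds.GetEnumerator()) {
        if ($Release -ge $entry.Key) { return $entry.Value }
    }
    return 'Older than 4.5.2'
}

function Get-NetFrameworkBlockStatus {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # Runs on each target and only reads raw registry values; mapping is done locally
    $reader = {
        $full = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        $wu   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU'
        $blk  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Computer    = $env:COMPUTERNAME
            Release     = (Get-ItemProperty -Path $full -ErrorAction SilentlyContinue).Release
            Net461Block = [bool]($blk.BlockNetFramework461 -eq 1)
            Net47Block  = [bool]($blk.BlockNetFramework47 -eq 1)
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -in $env:COMPUTERNAME, 'localhost', '.') {
            $raw = & $reader
        } else {
            $raw = Invoke-Command -ComputerName $computer -ScriptBlock $reader
        }
        [PSCustomObject]@{
            Computer     = $raw.Computer
            Release      = $raw.Release
            NetFramework = ConvertTo-NetFrameworkVersion -Release $raw.Release
            Net461Block  = $raw.Net461Block
            Net47Block   = $raw.Net47Block
        }
    }
}

function Set-NetFramework47Block {
    # Creates (or with -Remove deletes) the value from the post on the local server:
    # HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework47 = 1 (REG_DWORD)
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)
    $wu = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU'
    if ($Remove) {
        if ($PSCmdlet.ShouldProcess($wu, 'Remove BlockNetFramework47')) {
            Remove-ItemProperty -Path $wu -Name BlockNetFramework47 -ErrorAction SilentlyContinue
        }
    } elseif ($PSCmdlet.ShouldProcess($wu, 'Set BlockNetFramework47 = 1')) {
        if (-not (Test-Path $wu)) { New-Item -Path $wu -Force | Out-Null }
        New-ItemProperty -Path $wu -Name BlockNetFramework47 -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage, with the server names from the post's output as an illustration:
# Get-NetFrameworkBlockStatus -ComputerName ex1,ex2 | Format-Table -AutoSize
# Set-NetFramework47Block -WhatIf
```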

The related article by the Exchange Team on this topic contains steps on how to recover the situation in case you did upgrade. Of course, with all the dependencies of Exchange Server on the .NET Framework, you may prefer migrating contents to new Exchange servers with a supported .NET Framework, and decommissioning the servers from which you had to remove the unsupported .NET Framework.

More information can be found in KB4024204.

PS: The updated Unattended Exchange 2013 & 2016 Installation script will now also set the .NET Framework 4.7 blockade registry key.

The UC Architects Podcast Ep63

Episode 63 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by Steve Goodman and John Cook. Editing was done by Andrew Price.

Topics discussed in this episode are:

Exchange

  • Exchange 2007 was end of life on April 11th

Office 365

  • Microsoft Teams is GA
  • Microsoft Teams Bandwidth Calculator
  • Microsoft Advanced Threat Protection
  • Google Suite vs Office 365

Lync/Skype for Business

  • Skype for Business updates for Mac
  • Skype for Business Online Trusted Application API
  • Consult Transfer option
  • Lync 2013 CUs for March 2017
  • Skype for Business 2015 CUs
  • RUCT updated
  • Convert-SonusSBCConfigToWord

Events

  • MS Cloud UG
  • UC and Cloud Day UK
  • Office 365 Engage

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

Speaking at Office 365 Engage 2017

I am happy to announce I will be co-hosting a workshop, as well as present a session at the Office 365 Engage conference. The event will be held in the beautiful city of Haarlem, The Netherlands, from June 19 to June 22.

For an independent event in Europe, track chair Tony Redmond managed to come up with a pretty impressive line-up with lots of Microsoft MVPs, consisting of folks such as Michael van Horenbeeck, Jaap Wesselius, Ingo Gegenwarth, Siegfried Jagott, Brian Reid, Vasil Michev, Paul Robichaux, Chris Goosen, Alan Byrne, Brian Desmond, and last but not least Steve Goodman who I am finally going to meet in person after missing each other for several reasons for the last 5 years.

The single-day workshop will be hosted together with Jaap; we will discuss managing Office 365 and its workloads using PowerShell, and it is part of the Office 365 Administration track. The day after, I will be giving a session on Managing Exchange Online using PowerShell – Tips & Tricks, part of the Exchange Online track. If you would like to see something specific addressed, leave it in the comments section or pop me an e-mail.

For visitors, the city of Haarlem, a short distance from Amsterdam – well, everything in The Netherlands is near – is also a nice city to spend some leisure time. You can check out the Office 365 Engage schedule here. I hope to see you there!

PS: The people behind the conference gave me discount code which you can use when registering. Use code SPRMR467 to get 20% off. You can register here.


Exchange Updates – March 2017

Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.

As announced with the December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:

  • If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior to or after installing the latest Cumulative Update.
  • If you are on .NET 4.5.2, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the latest Cumulative Update.

The Cumulative Updates also include DST changes, which are also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Version                      Build        KB Article  Download  UMLP
Exchange 2016 CU5            15.1.845.34  KB4012106   Download  UMLP
Exchange 2013 CU16           15.0.1293.2  KB4012112   Download  UMLP
Exchange 2010 SP3 Rollup 17  14.3.352.0   KB4011326   Download
Exchange 2007 SP3 Rollup 23  8.3.517.0    KB4011325   Download

Exchange 2016 CU5 fixes:

  • KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
  • KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
  • KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
  • KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
  • KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
  • KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016

Exchange 2013 CU16 fixes:

  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013

Exchange 2010 SP3 RU17 fixes:

  • KB4014076 Migration ends and errors reported when you on-board or off-board a mailbox through Exchange Online in an Exchange Server 2010 hybrid environment
  • KB4014075 UNC path does not open in OWA when the path contains non-ASCII characters in an Exchange Server 2010 environment
  • KB4013917 You cannot search in a shared mailbox through OWA in an Exchange Server 2010 Service Pack 3 (Update Rollup 15 or 16) environment
  • KB4012911 Culture element is added in the wrong order when you use the ResolveNames operation in EWS in Exchange Server 2010

Notes:

  • Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that during an upgrade, setup will put the server in server-wide offline mode before installing the Exchange binaries.
  • Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to be at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
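The notes for both the June and the March updates say to verify that setup /PrepareSchema and /PrepareAD have been run by consulting the Exchange schema overview. As an added example (not code from the posts, and not part of Exchange setup), the PowerShell below reads the three Active Directory version markers that overview lists, so they can be captured before a Cumulative Update and compared afterwards. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the schema, configuration and domain partitions.

```powershell
# Added example, not code from the post. Reads the AD markers that Exchange
# setup /PrepareSchema, /PrepareAD and /PrepareDomain update.
function Get-ExchangeADVersionMarkers {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop

    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext
    $configNc = $rootDse.configurationNamingContext
    $domainNc = $rootDse.defaultNamingContext

    # Schema partition: rangeUpper of ms-Exch-Schema-Version-Pt only moves when a
    # CU that carries schema changes has been prepared (/PrepareSchema)
    $schemaAttr = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper

    # Configuration partition: objectVersion of the Exchange organization container
    # moves with /PrepareAD, which is also the step that applies RBAC changes
    $orgQuery = @{
        SearchBase = "CN=Microsoft Exchange,CN=Services,$configNc"
        LDAPFilter = '(objectClass=msExchOrganizationContainer)'
        Properties = 'objectVersion'
    }
    $org = Get-ADObject @orgQuery | Select-Object -First 1

    # Domain partition: objectVersion of Microsoft Exchange System Objects (/PrepareDomain)
    $meso = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$domainNc" -Properties objectVersion

    [PSCustomObject]@{
        Organization        = $org.Name
        SchemaRangeUpper    = $schemaAttr.rangeUpper
        OrganizationVersion = $org.objectVersion
        DomainVersion       = $meso.objectVersion
    }
}

# Usage: capture the markers before running setup, then compare afterwards
# $before = Get-ExchangeADVersionMarkers
# ... run setup /PrepareSchema and /PrepareAD ...
# Compare-Object $before (Get-ExchangeADVersionMarkers) -Property SchemaRangeUpper, OrganizationVersion, DomainVersion
```

If Compare-Object returns nothing for a CU the overview lists with new values, the preparation step has not reached this forest yet.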

MS17-015: Security Fix for Exchange 2013 SP1+CU14 & 2016 CU3

Microsoft published security fixes for the issue described in bulletin MS17-015. Fixes have been released for the following product levels:

You are reading it correctly: the later Cumulative Updates are not affected. Earlier builds will not receive a security fix, as support is provided up to N-2 generation builds. Reason for Exchange 2013 SP1 being in there is that Service Packs are on a different support scheme.

Note that this Rollup or security fix replaces MS16-108 (KB3184736) – you can install MS17-015 over installations containing this security fix (no need to uninstall it first).

Exchange admins & PowerShell

Many people I encounter in the field of Office 365 or Exchange have an infrastructure background. That is, they know a lot about their product(s): how to make it work (or why it doesn’t), how to manage, deploy or troubleshoot it, etcetera.

Then there is what we might call the reality check of the cloud era, with its roller coaster of cloud-originating developments. This requires a different management focus for these products, resulting in products architected for scale, and introducing configuration and management instruments primarily designed to be ready for automation and to operate at scale as well. PowerShell support in Microsoft products is such an instrument.

The introduction of PowerShell required folks with an infrastructure background to develop a new skill: instead of only clicking buttons in an interface, they should also become PowerShell practitioners. Not necessarily wizard level, but at least they need to know their way around when managing their environment using PowerShell, reading and interpreting scripts provided by Microsoft or other vendors prior to usage, or even changing those scripts to fit their own environment.

Writing scripts is another matter. This requires a somewhat different mindset, where you make repetitive tasks repeatable (time-saving), less prone to error (job-saving), and reusable by your coworkers or even the community who may need to perform the same task. Of course, everybody also expects your scripts to be generic (no hard-coded elements), robust and resilient, adding 90% more code (a bit exaggerated, but you get the idea).

What most administrators struggle with is making the connection between managing the product using PowerShell and starting to use PowerShell to develop their own set of scripts or tools to automate tasks in their environment. Administrators wanting to learn such skills will usually find great books about the product, and great books on learning (generic) PowerShell. Of course, existing scripts found using their favorite search engine can also be a great starting point, provided somebody already developed one for the task you are trying to accomplish.

With the Exchange Server 2016 administrator in mind, Exchange fellows Dave Stork and Damian Scoles tried to bridge that gap with their book, Practical PowerShell: Exchange Server 2016. It uses practical Exchange-themed examples to show how to approach a problem, and how to go from running a few cmdlets in sequence to developing small scripts which operate against one or multiple servers. Also, while this book aims at the on-premises Exchange administrator, the skills learned are not lost when the organization moves to Exchange Online, as these scripting skills carry over.

Knowing from my own experience how difficult it can be to transfer knowledge to paper, I think Dave & Damian did a respectable job. The timing of the book release is also interesting, as the product which introduced PowerShell to so many of us, Exchange Server 2007, is going End of Life soon, on April 11, 2017 to be exact. Realizing PowerShell has been around for so many years now, there is no excuse not to get your PowerShell skills going, unless you want to share the fate of the dinosaurs.

More information on the book, including a sample chapter, is available at https://www.practicalpowershell.com. You can also order the book from Amazon here.