Author Archives: Michel de Rooij

Unknown's avatar

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

Exchange 2019 CU15 (2025 H1)

Posted on by
Reply

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2025, or CU15, almost one year after CU14. CU15 will also be the last CU for Exchange 2019, which will become end-of-life in October this year. Customers staying on-premises are recommended to use the remaining time this year to upgrade to this CU level to have a smooth transition to Exchange Server Subscription Edition (SE) later this year. The official announcement can be found here.

Features
Apart from fixes and updates, including those from the security update of November (e.g. AMSI changes), this Cumulative Update for Exchange 2019 introduces some feature changes:

  • Exchange 2019 CU15 and CU14 are now supported on Windows Server 2025. This includes environments running domain controllers running Windows Server 2025. This allows organizations to consider using Windows Server 2025, not having to look at migrations because of the underlying operating system when Exchange SE. Note that Windows Server 2025 is not currently a supported Forest Functional Level.
  • As announced in the roadmap article, the CU15 setup contains an Exchange 2013 coexistence block, preventing it from being deployed in organizations running Exchange 2013. The consequence is that when you are still on Exchange 2013, you might need to migrate to CU14 first (it can be on WS2025). After that, you can upgrade those CU14 servers to CU15 after decommissioning Exchange 2013 servers.
  • Certificate Management has returned to the Exchange Admin Center.
  • Partial TLS 1.3 support on Windows Server 2022 and later. TLS 1.3 is supported for all protocols except SMTP; SMTP support is expected in a future update. Deploying CU15 on Windows Server 2022 or later will enable TLS 1.3 by default; disable it when needed per these instructions.
  • DocParser replaces Oracle Outside In Technology (OIT). This library extracts text from emails during transport for purposes of Data Loss Prevention and Exchange Transport Rules.
  • Feature Flighting is a server-side component allowing selected changes to be deployed and managed through deployment rings. This resembles how updates can be managed for other products, such as Microsoft Office or Windows. Note that CU15 just introduced the Feature Flighting engine with a PING feature for testing purposes. No features are being flighted until after Exchange SE, which aligns with the promise of Exchange 2019 CU15 running the same code as Exchange SE. Feature Flighting is optional and can be disabled when needed. When diagnostics data collection is enabled, additional data related to Feature Flighting will be included.
  • Exchange SE will support Exchange 2019 product keys. Previously, it was announced that CU15 would accept SE product keys. This dependency order was changed to ease the migration path. New keys are now only required per Exchange SE CU1.


Download
Below is the link to the update. The columns Schema and AD indicate whether the CU contains changes to Schema (/PrepareSchema) and Active Directory (PrepareAD) compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

VersionBuildKBDownloadSchemaAD
Exchange 2019 CU1515.2.1748.10KB5042461DownloadNY

Fixes

  • 5047359 Clean up old Exchange OWA files automatically to free up disk space
  • 5047361 Inline images and text attachments are not visible in OWA
  • 5047402 Online Archiving bypasses the InternetWebProxy setting in Exchange 2019
  • 5047995 MFNs are not sent to remote domains
  • 5047997 Wrong server version displayed in POP and IMAP logoff strings
  • 5048017 RecoverServer operation fails in Exchange Server 2019
  • 5048019 “NullReferenceException” error and Managed Store stops responding
  • 5048020 Calendar print doesn’t work in OWA from Exchange 2019 CU14 onwards
  • 5048021 HTML message is corrupted if <&quote;> is included
  • 5048072 “Enabled Extended Protection” message when you run setup with prepare*​​​​​​​ command
  • 5047994 German umlauts in the Subject are replaced by a question mark
  • 5047358 Group Metrics generation doesn’t finish in multidomain environment

Notes

  • If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Remember to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to the inability to validate script signatures.
  • To speed up the system update process without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM before installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution
As for any updates, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2016-2019 (Nov2024)

Posted on by
Reply

NOTICE (Nov27): The SUs have been re-released. The v2 adds additional control over the X-MS-Exchange-P2FromRegexMatch header, which is set for messages with a non-RFC5322 compliant P2 FROM header. Install these on your Exchange server, also if you already deployed the v1 SU to benefit from the additional control.

The Exchange product group released November 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2024-49040SpoofingImportantCVSS:3.1 7.5 / 6.7

The v2 Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU14 Download15.2.1544.14KB5044062
KB5049233		KB5036401
Exchange 2019 CU13Download15.2.1258.39KB5044062
KB5049233		KB5036402
Exchange 2016 CU23Download15.1.2507.44KB5044062
KB5049233		KB5036386

Added Features

Anti-Malware Scan Interface (AMSI) integration

The ability of products that use the Exchange Server AMSI integration to perform additional tasks on message bodies. The feature is disabled by default. You can enable it on a protocol base like Exchange Web Services or PowerShell. More information on this feature here.

Non-RFC5322 compliant header detection

Similar to the change in Exchange Online mentioned in MC886603, after installing this SU, messages with a non-compliant P2 FROM header (RFC5322) will be detected. Unlike Exchange Online, which will drop these messages, Exchange will add a header that can be used in transport rules as organizations see fit. To be compliant, organizations should ensure messages with multiple From addresses include a Sender header. More information here.

Elliptic Curve Cryptography (ECC) certificate support

ECC certificates can now be used on Edge Transport servers and bound to the POP and IMAP services. Note that unlike the previous implementation, which required enabling using New-SettingOverride, they are now configured through a registry key, i.e.

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics" -Name "EnableEccCertificateSupport" -Value 1 -Type String

More information here.

Microsoft Information Protection Client (MSIPC)

MSIPC will now ne enabled by default, replacing Microsoft Digital Rights Management (MSDRM) for information rights management.

Fixed Issues

Apart from security fixes and added features, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
Journal report decryption doesn’t decrypt attachment in journal mailboxYesYes
Error after adding support for AES256-CBC–encrypted content in August 2023 SUYesYes
Exchange can’t decrypt IRM messagesYes
Server with PowerShell_ISE doesn’t serialize when connecting to EMSYesYes
Email sent through Pickup folder displays admin versionYesYes
CSR created by Exchange are signed with outdated Encryption algorithmYesYes
OWA displays incorrect time zone for AmmanYesYes
Kazakhstan changes to single time zone in 2024YesYes
Moderated messages are marked as expired after they are approved or rejectedYes
Exchange Transport Rules and Data Loss Prevention rules don’t work after installing November 2024 SU V1YesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU14-KBXXXXXX-x64-en.msp.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management, it is recommended that you apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings indicate the level of urgency.

Practical PowerShell Series: Part 7

Posted on by
Reply

Defining dynamic parameters in advanced functions or scripts significantly enhances user experience and functionality by making these functions or scripts more intuitive and user-friendly, primarily when used interactively. For instance, with tab completion, parameters are offered – or not – based on specified conditions, guiding users toward correct usage patterns. This reduces errors and improves overall script robustness by ensuring users are directed toward the appropriate options, making the script more flexible and easier to use.

The seventh part of the Practical PowerShell series covers using dynamic parameters to enhance advanced functions or scripts, discussing both Parameter Sets and DynamicParam script block.

Click here to read the full article on Practical 365.

Practical PowerShell Series: Part 6

Posted on by
Reply

The practicalities of producing PowerShell output and generating logging are other essential scripting elements. No administrator likes to stare at a blank screen, wondering if the command just entered is functioning or not. Also, when performing bulk operations against multiple objects, it could be wise to register the success or failure of this operation in a manner that is useful for reporting. Depending on your use case, it can also be beneficial to log these failures so that they can easily be re-used for consecutive retries after remediation of the cause.

The sixth part of the Practical PowerShell series covers these topics, talking about output streams and logging.

Click here to read the full article on Practical 365.

MVPs around the World (2024)

Posted on by
1

Update: Added Sankey diagram to display award relationships between 2023 to 2024.

Another year, another Microsoft MVP award cycle. Happy to report that yours truly received his 11th MVP Award

As every year, this is also a moment to have a quick peek at the MVP population. The numbers below are taken from the public MVP portal on July 11th. Comparing them to July of recent years should give an idea of trends and what award categories (and thus products) seem to have focus.

A few notes:

  • 3.187 public MVP profiles were processed.
  • The award categories Enterprise Mobility and M365 Development have ceased to exist and are now expertise areas. Most MVPs who used to be in these categories have moved to the Security and Developer Technologies categories.
  • More countries are now represented in the program compared to last year.

MVP Awardees per Category

The following chart and table display the awardees per award category from July 2019 to 2024, plus change percentages compared to previous years. Former Enterprise Mobility and M365 Developer awardees have mostly moved to Security and Developer Technologies.

Award Category Jul2020Jul2021%Jul2022%Jul2023%Jul2024%
AI Platform12213813%128-7%105-18%269156%
Business Applications24032335%3519%44226%4747%
Cloud and Datacenter Management2092195%164-25%136-17%111-18%
Data Platform3583929%364-7%335-8%307-8%
Developer Technologies69777010%715-7%7474%7612%
Enterprise Mobility11313318%14912%100-33%0-100%
Internet of Things000%00%430%430%
M3655125569%492-12%54110%64319%
M365 Development64698%59-14%7019%0-100%
Microsoft Azure46353415%5462%526-4%5270%
Mixed Reality000%00%450%35-22%
Security000%00%1710%30578%
Windows and Devices4342-2%457%6136%10267%
Windows Development1101209%92-23%37-60%30-19%
Total2931329612%3105-6%33598%36077%
Count2849322313%3023-6%31755%31870%

Note: The difference between total awards and total MVPs is caused by MVPs that are awarded in more than one category.

MVP Awardees per Country

The following chart and table display the awardees per country, plus change percentages compared to July last year.

CountryNo.(change)CountryNo.(change)CountryNo.(change)CountryNo.(change)
ALB1 (0%)SLV2 (0%)MKD5 (0%)SVK4 (100%)
AGO1 (100%)EST4 (300%)MYS7 (16%)SVN7 (16%)
ARG17 (30%)FIN33 (6%)MLT1 (100%)ZAF11 (0%)
AUS106 (-3%)FRA117 (-2%)MUS1 (100%)ESP100 (12%)
AUT31 (-7%)GEO1 (100%)MEX18 (5%)LKA10 (11%)
AZE4 (100%)DEU138 (6%)MAR4 (100%)SWE77 (1%)
BHR1 (0%)GHA6 (-15%)MMR1 (-50%)CHE52 (4%)
BGD3 (-25%)GRC11 (120%)NPL3 (-25%)TWN44 (-5%)
BEL58 (-2%)GTM1 (0%)NLD174 (4%)TZA1 (100%)
BOL5 (66%)HND1 (0%)NZL32 (-20%)THA16 (45%)
BIH6 (-15%)HKG6 (0%)NIC3 (200%)TUN1 (0%)
BRA124 (0%)HUN8 (-12%)NGA25 (38%)TUR20 (-5%)
BGR7 (-30%)ISL4 (0%)NOR39 (-12%)TGO0 (-100%)
CMR1 (0%)IND114 (40%)PAK9 (80%)UKR13 (44%)
CAN113 (-7%)IDN7 (-13%)PAN3 (200%)ARE3 (50%)
CHL4 (0%)IRL31 (-9%)PRY1 (0%)GBR272 (5%)
CHN132 (0%)ISR12 (-15%)PER13 (0%)USA481 (1%)
COL16 (14%)ITA68 (3%)PHL6 (-15%)URY2 (100%)
COD4 (100%)JPN146 (-12%)POL65 (8%)UZB2 (0%)
CRI2 (0%)JOR1 (100%)PRT22 (4%)VEN1 (0%)
CIV1 (0%)KAZ0 (-100%)PRI0 (-100%)VNM5 (0%)
HRV13 (-14%)KEN7 (133%)REU1 (100%)UZB2 (0%)
CZE24 (-20%)KOR54 (-17%)ROU11 (-43%)VEN1 (0%)
DNK47 (4%)LVA1 (-67%)SAU4 (-20%)VNM5 (0%)
DOM3 (-50%)LBN1 (100%)SEN0 (-100%)YEM1 (100%)
ECU4 (0%)LTU6 (200%)SRB7 (40%)
EGY8 (100%)LUX1 (0%)SGP19 (35%)

MVP Awards from 2023 to 2024

The Sankey diagram below displays the number of awarded categories moving from 2023 to 2024 (click to zoom). New awardees are categorized as “New,” and those who are no longer present on the MVP portal (e.g., no longer MVP) are categorized as “Out.” Note that new awardees getting awarded in multiple categories are counted as new for each category; in other words, there are not 632 new MVPs awarded this cycle.

If you have questions or comments, please leave them in the comments below.