Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.
When working on PowerShell scripts, there might come a point where a set of instructions is – in small or larger form – a repeat of code that occurs elsewhere in the script. Or it might be code you used in another script or sourced from other locations, and you want to incorporate it into your script to easily call the code.
In the second installment of the Practical PowerShell series, I will discuss how to leverage code’s reusability through functions and scripts.
Among the topics discussed are:
(Advanced) functions, including custom parameters, common parameters, and typing.
Adding helpful instructions so your script and functions become self-documenting.
Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling it is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for use in Exchange Transport Rules or Data Loss Prevention rules. More information is here.
Fixed Issues
Apart from security fixes, these Security Updates also correct the following issues:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.
On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, when it concerns security updates, it is not recommended to wait for regular maintenance cycles; follow a more agile approach instead. The ratings are an indication of the urgency.
“How do I start using scripting?” or “How do I turn this piece of code into a fully working script?” These are just some of the questions that reach me through mail or during events. Even 17 years after its introduction with Exchange Server 2007, there is still a gap regarding PowerShell. Not all administrators are natural developers, despite Microsoft expecting them to be in some ways. Some may need more help in this area.
To address this need, I am starting a series of PowerShell-related articles on Practical 365. I will be covering skills needed when going from a piece of code or concept to a script with all major bells and whistles. I will also throw in best practices and the occasional tip. The series aims to help this target audience improve their skills using practical examples. Note that practical is the keyword here, as I am not trying to start theoretical or aesthetic discussions on code layout or which style is better.
The Exchange Team released Exchange Server 2019 Cumulative Update H1 2024, or CU14. Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following changes:
.NET Framework 4.8.1 support on Windows Server 2022
Extended Protection will be enabled by default on the server where you installed CU14 (and later). You can override this behavior during setup or by specifying the /DoNotEnableEP or /DoNotEnableEP_FEEWS switch when running setup unattended. More info on these switches, as well as the Extended Protection requirements and how to configure it, can be found here.
Unfortunately, TLS 1.3 support has been moved to CU15.
CVE-2024-21410
Enabling Extended Protection also addresses the just released CVE-2024-21410. This also applies to Exchange 2016 and even Exchange 2013 when you deployed the August 2022 Security Update on those servers and enabled Extended Protection on them.
Download
The link to the update as well as a description of changes and fixes are below. The columns Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (/PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.
5035442 Exchange Mitigation Service does not log incremental updates
5035443 Read receipts are returned if ActiveSyncSuppressReadReceipt is “True” in Exchange Server 2019
5035444 System.argumentnullexception when you try to run an eDiscovery search
5035446 OAB shadow distribution fails if legacy authorization is blocked
5035448 MCDB fails and leads to lagged copy activation
5035450 Exchange 2019 setup installs an outdated JQuery library
5035452 Usernames are not displayed in Event ID 23 and 258
5035453 Issues in Exchange or Teams when you try to delegate information
5035455 MSExchangeIS stops responding and returns “System.NullReferenceExceptions” multiple times per day
5035456 “Deserialization blocked at location HaRpcError” error and Exchange replication stops responding
5035493 FIP-FS Proxy Customizations are disabled after a CU or an SU update
5035494 Modern attachment doesn’t work when web proxy is used in Exchange Server 2019
5035495 OWA displays junk operations even if junk mail reporting is disabled
5035497 Edit permissions option in the ECP can’t be edited
5035542 Remote equipment and room mailboxes can now be managed through EAC
5035616 Logon events failure after updating Windows Server
5035617 Transport rules aren’t applied to multipart or alternative messages
5035689 “High %Time in GC” and EWS doesn’t respond
Notes
If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This is to prevent installation failures due to the inability to validate script signatures.
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.
Caution
As with any update, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
Be advised that these updates will enable payload signing by default. Payload serialization signing signs PowerShell payloads to identify possible tampering. Support for certificate-based signing of PowerShell serialization payloads was added with the January security updates and is a per-server configuration. In other words, make sure you have deployed the January security updates before implementing these security updates, so your Exchange servers support payload signing before you enable it one server at a time.
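The execution policy note above only asks for Unrestricted during deployment, so the previous setting should come back afterwards. The wrapper below is an added example, not code from the original post; the function name and the usage path are hypothetical, and it assumes the policy is changed at the LocalMachine scope from an elevated session.

```powershell
function Invoke-WithUnrestrictedExecutionPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [scriptblock]$Deployment   # the update or setup command to run
    )

    # A policy set through Group Policy overrides LocalMachine, so changing
    # LocalMachine would have no effect; stop and report instead.
    $enforced = Get-ExecutionPolicy -List | Where-Object {
        $_.Scope -in 'MachinePolicy', 'UserPolicy' -and
        $_.ExecutionPolicy -ne 'Undefined'
    }
    if ($enforced) {
        $scopes = ($enforced.Scope -join ', ')
        throw "Execution policy is enforced by Group Policy ($scopes); adjust the GPO for the deployment window first."
    }

    # Remember the current value so it can be put back, even if setup fails
    $previous = Get-ExecutionPolicy -Scope LocalMachine
    try {
        Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force
        & $Deployment
    }
    finally {
        Set-ExecutionPolicy -ExecutionPolicy $previous -Scope LocalMachine -Force
        Write-Verbose "LocalMachine execution policy restored to $previous"
    }
}

# Usage (constructed path; supply your own setup arguments):
# Invoke-WithUnrestrictedExecutionPolicy -Verbose -Deployment {
#     Start-Process -FilePath 'D:\ExchangeCU\Setup.exe' -ArgumentList $setupArgs -Wait
# }
```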
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.
On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, when it concerns security updates, it is not recommended to wait for regular maintenance cycles; follow a more agile approach instead. The ratings are an indication of the urgency.
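Both security update notes above suggest tagging the downloaded file with its CU level when archiving it, because the download carries the same name for every CU. The function below is an added example, not code from the original posts; its name, the archive folder and the KB number in the usage line are hypothetical, and the file name pattern is inferred from the example name given in the text.

```powershell
function Save-ExchangeSecurityUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$Path,            # the downloaded update file

        [Parameter(Mandatory)]
        [ValidateRange(1, 99)]
        [int]$CULevel,            # CU the download was selected for

        [Parameter(Mandatory)]
        [string]$ArchiveFolder    # hypothetical archive location
    )

    $file = Get-Item -LiteralPath $Path
    # Pattern inferred from the post's example: Exchange2019-KBXXXXXX-x64-en.msp
    if ($file.Name -notmatch '^(?<product>Exchange\d{4})-(?<rest>KB\d+-.+\.msp)$') {
        throw "Unexpected file name '$($file.Name)'; refusing to guess product or CU."
    }
    $taggedName = '{0}-CU{1}-{2}' -f $Matches.product, $CULevel, $Matches.rest
    $target = Join-Path -Path $ArchiveFolder -ChildPath $taggedName

    # Never silently replace an archived update with a different download
    if (Test-Path -LiteralPath $target) {
        throw "'$target' already exists; not overwriting an archived update."
    }

    if ($PSCmdlet.ShouldProcess($target, 'Archive security update')) {
        if (-not (Test-Path -LiteralPath $ArchiveFolder)) {
            New-Item -ItemType Directory -Path $ArchiveFolder | Out-Null
        }
        Copy-Item -LiteralPath $file.FullName -Destination $target

        # Store the hash beside the file so the copy can be verified before install
        $hash = Get-FileHash -LiteralPath $target -Algorithm SHA256
        '{0}  {1}' -f $hash.Hash, $taggedName |
            Set-Content -LiteralPath "$target.sha256"

        [pscustomobject]@{ Path = $target; SHA256 = $hash.Hash }
    }
}

# Usage (constructed KB number and folder); add -WhatIf for a dry run:
# Save-ExchangeSecurityUpdate -Path .\Exchange2019-KB0000000-x64-en.msp `
#     -CULevel 13 -ArchiveFolder 'D:\Archive\ExchangeSU'
```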