Category Archives: Exchange Server

Security Updates Exchange 2016-2019 (Nov2024)

Posted on by
Reply

NOTICE (Nov27): The SUs have been re-released. The v2 adds additional control over the X-MS-Exchange-P2FromRegexMatch header, which is set for messages with a non-RFC5322 compliant P2 FROM header. Install these on your Exchange server, also if you already deployed the v1 SU to benefit from the additional control.

The Exchange product group released November 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2024-49040SpoofingImportantCVSS:3.1 7.5 / 6.7

The v2 Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU14 Download15.2.1544.14KB5044062
KB5049233		KB5036401
Exchange 2019 CU13Download15.2.1258.39KB5044062
KB5049233		KB5036402
Exchange 2016 CU23Download15.1.2507.44KB5044062
KB5049233		KB5036386

Added Features

Anti-Malware Scan Interface (AMSI) integration

The ability of products that use the Exchange Server AMSI integration to perform additional tasks on message bodies. The feature is disabled by default. You can enable it on a protocol base like Exchange Web Services or PowerShell. More information on this feature here.

Non-RFC5322 compliant header detection

Similar to the change in Exchange Online mentioned in MC886603, after installing this SU, messages with a non-compliant P2 FROM header (RFC5322) will be detected. Unlike Exchange Online, which will drop these messages, Exchange will add a header that can be used in transport rules as organizations see fit. To be compliant, organizations should ensure messages with multiple From addresses include a Sender header. More information here.

Elliptic Curve Cryptography (ECC) certificate support

ECC certificates can now be used on Edge Transport servers and bound to the POP and IMAP services. Note that unlike the previous implementation, which required enabling using New-SettingOverride, they are now configured through a registry key, i.e.

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics" -Name "EnableEccCertificateSupport" -Value 1 -Type String

More information here.

Microsoft Information Protection Client (MSIPC)

MSIPC will now ne enabled by default, replacing Microsoft Digital Rights Management (MSDRM) for information rights management.

Fixed Issues

Apart from security fixes and added features, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
Journal report decryption doesn’t decrypt attachment in journal mailboxYesYes
Error after adding support for AES256-CBC–encrypted content in August 2023 SUYesYes
Exchange can’t decrypt IRM messagesYes
Server with PowerShell_ISE doesn’t serialize when connecting to EMSYesYes
Email sent through Pickup folder displays admin versionYesYes
CSR created by Exchange are signed with outdated Encryption algorithmYesYes
OWA displays incorrect time zone for AmmanYesYes
Kazakhstan changes to single time zone in 2024YesYes
Moderated messages are marked as expired after they are approved or rejectedYes
Exchange Transport Rules and Data Loss Prevention rules don’t work after installing November 2024 SU V1YesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU14-KBXXXXXX-x64-en.msp.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management, it is recommended that you apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings indicate the level of urgency.

Hotfix for Exchange 2016 and 2019 (Apr2024)

Posted on by
Reply

Today, Microsoft released a hotfix for Exchange Server 2016 and 2016 that will not only fix some issues but, importantly, also add a much-welcomed functionality change: Hybrid Modern Authentication support OWA and ECP. You can deploy the hotfix directly on the Cumulative Update, similar to Security Updates. There is no need to deploy the March 2024 Security Update first.

The Hotfix for each supported Exchange Server build is linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU14 HU2Download15.2.1258.34KB5037224KB5036402
Exchange 2019 CU13 HU6Download15.2.1544.11KB5037224KB5036402
Exchange 2016 CU23 HU13Download15.1.2507.39KB5037224KB5036386

HMA support for OWA/ECP

This hotfix adds support for OWA and ECP when used in Hybrid Modern Authentication (HMA). This removes the need to deploy Azure Web Application Proxy for OWA and ECP when you want to deploy HMA. If you already deployed an Azure WebApp Proxy configuration for this purpose, you can choose to remove it after deploying the hotfix and configuring HMA on OWA/ECP. More information on enabling OWA and ECP for HMA support is here.

Caution: if you do not synchronize the identities of (Exchange) administrators to Entra, they will be unable to authenticate against Entra Identity and thus unable to manage Exchange on-premises using ECP. In those cases, they have the option to use Exchange Management Shell or synchronize their identities. Since Entra will be performing the authentication, you can add additional controls, such as location conditions or MFA, for those accounts.

ECC Certificate Support

The hotfix adds support for ECC certificates to Exchange, except for scenarios where Active Directory Federation Services (AD FS) is utilized. More information here.

Fixed Issues

The hotfix addresses the following issues, some of which were introduced after deploying the March 2024 SU:

IssueExchange 2016Exchange 2019
Download domains not working after installing the March 2024 SUYesYes
Search error in Outlook cached mode after installing March 2024 SUYesYes
OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SUYesYes
Edit permissions option in the ECP can’t be editedYesYes
Outlook doesn’t display unread message icon after installing Exchange Server March 2024 SUYesYes
My Templates add-in isn’t working after installing Microsoft Exchange Server March 2024 SUYesYes

Notes

  • The hotfix is Exchange build level specific. You cannot apply the hotfix for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name, and I would suggest tagging the file name with the Exchange version and CU when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.

On a final note, as with any patch or update, it is recommended to apply this update in a test environment first, prior to implementing it in production.

Security Updates Exchange 2016-2019 (Mar2024)

Posted on by
5

The Exchange product group released March 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2024-26198Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU14Download15.2.1544.9KB5036401KB5032146
Exchange 2019 CU13Download15.2.1258.32KB5036402KB5032146
Exchange 2016 CU23Download15.1.2507.37KB5036386KB5032147

OutsideInModule

Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling these is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for usage in Exchange Transport Rules or Data Loss Prevention rules. More information is here.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
EWS search request displays inaccurate resultsYesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Exchange 2019 CU14 (2024 H1)

Posted on by
Reply

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2024, or CU14. Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following changes:

  • .NET Framework 4.8.1 support on Windows Server 2022
  • Extended Protection will be enabled by default on the server where you installed CU14 (and later). You can override this behavior during setup or by specifying the DoNotEnableEP or DoNotEnableEPFEEWS when running setup unattended. More info on these switches, as well as the Extended Protection requirements and how to configure it, can be found here.

Unfortunately, TLS 1.3 support has been moved to CU15.

CVE-2024-21410
Enabling Extended Protection also addresses the just released CVE-2024-21410. This also applies to Exchange 2016 and even Exchange 2013 when you deployed the August 2022 Security Update on those servers and enabled Extended Protection on them.

VulnerabilityCategorySeverityRating
CVE-2024-21410Elevation of PrivilegeCriticalCVSS:3.1 9.8 / 9.1

Download
Link to the update as well as a description of changes and fixes are below. The columns Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1415.2.1544.4KB5035606Download NY

Exchange 2019 CU14 fixes:

  • 5035442 Exchange Mitigation Service does not log incremental updates
  • 5035443 Read receipts are returned if ActiveSyncSuppressReadReceipt is “True” in Exchange Server 2019
  • 5035444 System.argumentnullexception when you try to run an eDiscovery search
  • 5035446 OAB shadow distribution fails if legacy authorization is blocked
  • 5035448 MCDB fails and leads to lagged copy activation
  • 5035450 Exchange 2019 setup installs an outdated JQuery library
  • 5035452 Usernames are not displayed in Event ID 23 and 258 
  • 5035453 Issues in Exchange or Teams when you try to delegate information
  • 5035455 MSExchangeIS stops responding and returns “System.NullReferenceExceptions” multiple times per day
  • 5035456 “Deserialization blocked at location HaRpcError” error and Exchange replication stops responding
  • 5035493 FIP-FS Proxy Customizations are disabled after a CU or an SU update
  • 5035494 Modern attachment doesn’t work when web proxy is used in Exchange Server 2019
  • 5035495 OWA displays junk operations even if junk mail reporting is disabled
  • 5035497 Edit permissions option in the ECP can’t be edited
  • 5035542 Remote equipment and room mailboxes can now be managed through EAC 
  • 5035616 Logon events failure after updating Windows Server
  • 5035617 Transport rules aren’t applied to multipart or alternative messages
  • 5035689 “High %Time in GC” and EWS doesn’t respond

Notes

  • If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to the inability to validate script signatures.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution
As for any updates, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2016-2019 (Nov2023)

Posted on by
Reply

The Exchange product group released November updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-36439Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0
CVE-2023-36050Spoofing ImportantCVSS:3.1 8.0 / 7.0
CVE-2023-36039Spoofing ImportantCVSS:3.1 8.0 / 7.0
CVE-2023-36035SpoofingImportantCVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.28KB5032146KB5030877
Exchange 2019 CU12Download15.2.1118.40KB5032146KB5030877
Exchange 2016 CU23Download15.1.2507.35KB5032147KB5030877

Payload Serialization Signing

Be advised that these updates will enable payload signing by default. Payload serialization signing signs PowerShell payloads to identify possible tampering. Support for certificate-based signing of PowerShell serialization payloads got added with January security updates and is a per-server configuration. In other words, make sure you have deployed the January security updates before implementing these security updates, so your Exchange servers support payload signing before you can enable it one server at a time.

More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. To verify or configure signing, use the script published here or follow the manual steps. Signing leverages the organization-wide available Exchange Auth Certificate, which needs to be present and valid; the MonitorExchangeAuthCertificate.ps1 script can help you verify this.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
Signing of the serialisation payload fails to run the few cmdletsYesYes
Unable to migrate mailbox as communication error parameter exception occursYesYes
InvalidResponseException when you try to run Export-UMPromptYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.