Upgrade Paths for CU’s & .NET

Ex2013 LogoUpdate 2/13/2018: Revised Microsoft upgrade guidance added.
Update 2/15/2018: Added missing CU14.

Microsoft keeps track of the current supported combinations of .NET Framework and Exchange Cumulative Updates at the Exchange Server Supportability Matrix. However, as time progresses, support information on older Cumulative Updates might be removed from the information presented, and you may need to resort to cached versions of this page or other sources to find this information.

This might be problematic for organizations that are not current, and need to find out which upgrade path they are required to follow to stay within the boundaries of supported Exchange deployment configurations. For example, you may need to upgrade to a specific Cumulative Update first, that is supported with a newer release of the .NET Framework, in order to be able to upgrade to a later Cumulative Update.

For these situations, the following tables contains the supportability matrix, enhanced with information regarding earlier Cumulative Updates and .NET Framework versions. These will provide you the supported upgrade paths for older versions of Exchange.

Exchange 2016

.NET RTM-CU1 CU2 CU3-CU4 CU5-CU7 CU8
4.5
4.5.1
4.5.2 X X X
4.6.11 X X
4.6.2 X X X
4.7.12 X

Exchange 2013

.NET RTM-CU3 CU4(SP1)-CU12 CU13-CU14 CU15 CU16-CU18 CU19
4.5 X X X
4.5.1 X X X
4.5.2 X X X
4.6.11 X X
4.6.2 X X X
4.7.12 X

Notes

  1. When possible, bypass .NET Framework 4.6.1, as it not only requires updating the CU level prior to updating the .NET Framework, but also requires an additional hotfix: kb3146715 (ws2012r2), kb3146714 (ws2012) or kb3146716 (ws2008r2).
  2. NET Framework 4.7.1 is recommended but not yet required for the indicated product versions.

Usage
Suppose your organization loves procrastinating, and you are running Exchange 2013 CU6. Luckily, you run it on .NET Framework 4.5.1, which was already a supported configuration back in 2014 – yes, it’s been that long. Looking at the table, to get current with a minimal number of updates in mind, you can derive the following path:

image

The upgrade path to CU19 would therefor be:

  1. Upgrade to Exchange 2013 Cumulative Update 15
  2. Upgrade .NET Framework to 4.6.2
  3. Upgrade to Exchange 2013 Cumulative Update 19
  4. Optionally, upgrade .NET Framework to 4.7.1

Note that in addition to information being refreshed on Microsoft pages, availability of older Cumulative Updates or .NET Framework updates might also change, so archive those files accordingly, if not for recovery of existing Exchange servers, then for this exact purpose.

Of course, you should stay current as possible from a support and security perspective, making the above a non-issue. Reality is, there are customers who have reasons, legitimate or not, to be trailing with updates in their environment, and at some point may need guidance on how to proceed in order to get current. I hope this information helps in those situations.

Thoughts and feedback is welcomed in the comments.

Update: Per February 13th, Microsoft updated upgrade guidance on the Exchange Supportability Matrix page, stating:

“When upgrading Exchange from an unsupported CU to the current CU and no intermediate CUs are available, you should upgrade to the latest version of .NET that’s supported by Exchange first and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest, supported, CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services”.

This means you will be supported when upgrading in the revised upgrade path, but the risk is still there. In the example above, when going from Exchange 2013 CU6 with .NET 4.5.1 to CU19, the support statement indicates you can upgrade to .NET Framework  4.7.1, when install CU19. However, things might break and you may need to contact support to get back in a supported, working situation. Therefor, I repeat my recommendation to download and archive CU’s and .NET Framework files, even when you are not planning on installing them (yet).

Exchange Updates – December 2017

Ex2013 LogoThe Exchange Team released the December updates for Exchange Server 2013 and 2016. Apart from the usual set of fixes, these Cumulative Updates also have the following enhancements:

  • Like announced earlier, these quartely updates introduce support for .NET Framework 4.7.1. Be advised that .NET Framework 4.7.1 will be required for the quarterly updates to be released in June 2018.
  • Upgrading an existing Exchange deployment with these Cumulative Updates will preserve TLS cryptography settings.
  • Support for Hybrid Modern Authentication (Info).
Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU8 15.1.1415.2 KB4035145 Download UMLP Yes
Exchange 2013 CU19 15.0.1365.1 KB4037224 Download UMLP No

Exchange 2016 CU8 fixes:

  • 4056329 Can’t access EWS from Outlook/OWA add-ins via makeEwsRequestAsync in Exchange Server 2016 and Exchange Server 2013
  • 4054516 “Your request can’t” error when accessing an archive mailbox via OWA in Exchange Server 2016
  • 4055953 The recipient scope setting doesn’t work for sibling domains in Exchange Server 2016
  • 4055435 No MAPI network interface is found after you install Exchange Server 2016 CU7
  • 4056609 Event ID 4999 and mailbox transport delivery service does not start after you install Exchange Server 2016 CU7
  • 4045655 Description of the security update for Microsoft Exchange: December 12, 2017
  • 4057248 Many Watson reports for StoragePermanentException in Exchange Server 2016

Exchange 2013 CU19 fixes:

  • 4046316 MAPI over HTTP can’t remove client sessions timely if using OAuth and the resource has a master account in Exchange Server 2013
  • 4046205 W3wp high CPU usage in Exchange Server 2013
  • 4046182 Event ID 4999 or 1007 if diagnostics service crashes repeatedly in Exchange Server 2013
  • 4056329 Can’t access EWS from Outlook/OWA add-ins via makeEwsRequestAsync in Exchange Server 2016 and Exchange Server 2013
  • 4045655 Description of the security update for Microsoft Exchange: December 12, 2017

Exchange 2010
In addition the Cumulative Updates, Exchange Server 2010 SP3 also received an important update, which fixes the issue described in KB4054456. You can download Rollup 19 here, which will raise the version number to 14.3.382.0. The related KB article is KB4035162.

Notes:
  • Exchange 2016 CU7 and later requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareSchema to manually update the schema, or use /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To see if you need to update the schema compared to your version or verify the update has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates for Exchange 2013 & 2016

Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.

This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.

You can download the security updates here:

Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.

Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.

Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

 

Exchange Certificate Reporting

powershellA quick tip on retrieving the expiration of certificates configured on your Exchange servers. While some certificate providers like DigiCert will proactively notify you when certificates are expiring in the near future, you may want to run such a report yourself. Or perhaps you want to verify configured certificates on all your Exchange servers are aligned.

To accomplish this, you could use readily available scripts, such as this one published by fellow MVP Paul Cunningham. But with some PowerShell you could easily construct yourself a one-liner which will perform the same task. We will first show the one-liner, after we will dissect and talk you through it. Note that being a lazy typist, I used several aliases to make the whole command a bit shorter, but not a lot.

Command
A command to retrieve basic certificate reporting for Exchange servers in your environment is as follows (wrapped for readability):

$D=(Get-Date).AddDays(30); Get-ExchangeServer | %{$S=$_.Identity;$R=$_.ServerRole; Get-ExchangeCertificate -Server $S |
Sort NotAfter | Select @{n='Server';e={'{0} ({1})' -f $S,$R}},
@{n='CertSubject';e={($_.Subject -split '( , )*..=')[1]}},
@{n='Expires';e={'{0:MM/dd/yyyy}' -f $_.NotAfter}},
@{n='IssuedBy';e={($_.Issuer -split '(, )*..=')[1]}},
@{n='Domains';e={$_.CertificateDomains -join ','}},
@{n='Alert';e={' !'[(Get-Date $_.NotAfter) -le $D]}},*} |
ft -a Alert, CertSubject, Status, Expires, IsSelfsigned, IssuedBy,
Services, Thumbprint, Domains -GroupBy Server | Out-String -Width 8192

Sample output
image

Dissection

$D=(Get-Date).AddDays(30) | Get-ExchangeServer

First, we want get a visual indication of certificates expiring in the coming 30 days. The command is followed by a semi-colon, which can be used to separate commands on the same line. The first cmdlet in our pipeline is Get-ExchangeServer, which returns all Exchange server objects.

%{$S=$_.Identity;$R=$_.ServerRole; Get-ExchangeCertificate -Server $S | Sort NotAfter | Select @{n='Server';e={'{0} ({1})' -f $S,$R}}, @{n='CertSubject';e={($_.Subject -split '( , )*..=')[1]}}, @{n='Expires';e={'{0:MM/dd/yyyy}' -f $_.NotAfter}}, @{n='IssuedBy';e={($_.Issuer -split '(, )*..=')[1]}}, @{n='Domains';e={$_.CertificateDomains -join ','}},@{n='Alert';e={' !'[(Get-Date $_.NotAfter) -le $D]}},*}

We are passing every Exchange server object to ForEach (%). For each of these objects, we will perform the following tasks:

  • First, we store its current Identity ($S) and Serverrole ($R) property in variables for later usage. This, because if we create a calculated properties later on, we have no reference anymore to the Exchange object in the calculated field expression, as $_ will then contain the current object passed to Select (Select-Object).
  • Next, we retrieve all certificates from the Exchange server we are looking at using Get-ExchangeCertificate, and we pipe those certificate objects to sort to order them by expiration date.
  • We then create several calculated properties in the pipeline stream:
    • A property named Server will contain a formatted string consisting of the server Identity ($S) and its server roles ($R).
    • A property named CertSubject, containing the name of the subject, without the ‘CN=’ prefix.
    • A property expires with a formatted expiration string (NotAfter).
    • A property named Issues, containing the name of the issuer of the certificate, without the ‘CN=’ prefix.
    • A property Domains containing the SAN names of the certificate, separated by commas.
    • A property Alert, showing an exclamation mark when certificate expires (NotAfter) before the date determined earlier ($D).
    • All other certificate properties are also retained by finally selecting all properties (*).
ft -a Alert, CertSubject, Status, Expires, IsSelfsigned, IssuedBy, Services, Thumbprint, Domains -GroupBy Server | Out-String -Width 8192


Finally, we format the output by selecting and ordering properties using Format-Table (ft), auto-sizing (-a) columns. In addition to the previously added calculated properties, we also return the SelfSigned, Services and Thumbprint properties. Using the GroupBy parameter, we make Format-Table group the objects on a specific property, in this case Server. Because the output can be very wide we use Out-String, specifying a large width to generate output larger than the host session without wrapping or truncating output.

Exchange Updates – September 2017

Ex2013 LogoHoneymoon caused some backlog, and one of the things to post was that the Exchange Team released the September updates for Exchange Server 2013 and 2016. Like the previous Cumulative Updates for these Exchange versions, Exchange 2013 CU18 and Exchange 2016 CU7 require .NET Framework 4.6.2; NET Framework 4.7.1 is currently being tested (4.7 will be skipped), and support for 4.7.1 is expected for the December updates.

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU7 15.1.1261.35 KB4018115 Download UMLP Yes
Exchange 2013 CU18 15.0.1347.2 KB4022631 Download UMLP No
  • KB 4040754 “Update UseDatabaseQuotaDefaults to false” error occurs when you change settings of user mailbox in Exchange Server 2016
  • KB 4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
  • KB4036108 Security update for Microsoft Exchange: September 12, 2017

Exchange 2013 CU18 fixes:

  • KB4040755 New health monitoring mailbox for databases is created when Health Manager Service is restarted in Exchange Server 2013
  • KB4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
  • KB4040120 Synchronization may fail when you use the OAuth protocol for authorization through EAS in Exchange Server 2013
  • KB4036108 Security update for Microsoft Exchange: September 12, 2017

Notes:

  • Exchange 2016 CU7 requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU7 includes schema changes, but Exchange 2013 CU18 does not. However, Exchange 2013 CU17 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • NET Framework 4.7.1 is being tested by the Exchange Team, but .NET Framework 4.7.1 nor .NET Framework 4.7 are supported.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

The UC Architects Podcast Ep64

iTunes-Podcast-logo[1]Episode 64 and last episode of The UC Architects podcast is now available. Contrary to the belief of some, people’s agendas rather than lack of contents made it more and more difficult to get sufficient people together for recording. Thanks for the great 5 year ride, people!

This episode is hosted by Pat Richard, who is joined by Tom Arbuthnot, Stale Hansen and John Cook. Editing was done by Andrew Price.

Topics discussed in this episode are:

  • 5 years of The UC Architects podcast.
  • What made it fun, the friendships, the guests, the topics, and how social media has changed how info gets disseminated about Skype for Business, Exchange, Office 365, Teams, and more.
  • We talk about what the crew are up to these days, and their involvement/sessions at Ignite.
  • Skype for Business v.Next and Teams.
  • Some of the issues that arise when deploying Skype for Business when there is no Exchange in the org.
  • The upcoming Ignite and UCDay events.

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

Exchange 2010-2016 Security Fixes

Ex2013 LogoMicrosoft released security updates to fix a remote code execution vulnerability in Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

Exchange and .NET Framework 4.7

Ex2013 Logo A quick heads-up on that .NET Framework 4.7 has recently been released and will be made available through Windows Update channels. The current versions of Exchange Server are not supported with this version of the .NET Framework, and you should not install or update to this version.

Similar to the situation with .NET Framework 4.61 around a year ago, you can prevent  (accidental) upgrades of the .NET Framework by creating the following registry key on your Exchange servers:

HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework47 = 1 (REG_DWORD)

To report on the currently installed .NET Framework version on one or more computers, you can use this PowerShell script, Get-DotNetVersion.ps1. It will not only report the .NET Framework version information, but also if those registry entries to block .NET Framework 4.6.1 or .NET Framework 4.7 upgrades are present.

[PS] C:\> .\get-DotNetVersion.ps1 -ComputerName ex1,ex2 | ft -a

Computer Release NetFramework Net461Block Net47Block
-------- ------- ------------ ----------- ----------
ex1      461268  4.7          False       True
ex2      461268  4.7          False       False

The related article by the Exchange Team on this topic contains steps on how to recover the situation, in case you did upgrade. Of course, with all the dependencies on the .NET Framework by Exchange Server, you may prefer migrating contents to a new Exchange servers with a supported .NET Framework, and decommission servers where you had to remove the unsupported .NET Framework from.

More information can be found in KB4024204.

PS: The updated Unattended Exchange 2013 & 2016 Installation script will now also set the .NET Framework 4.7 blockade registry key.

The UC Architects Podcast Ep63

iTunes-Podcast-logo[1]Episode 63 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by Steve Goodman who’s joined by John Cook. Editing was done by Andrew Price.

Topics discussed in this episode are:

Exchange

  • Exchange 2007 was end of life on April 11th

Office 365

  • Microsoft Teams is GA
  • Microsoft Teams Bandwidth Calculator
  • Microsoft Advanced Threat Protection
  • Google Suite vs Office 365

Lync/Skype for Business

  • Skype for Business updates for Mac
  • Skype for Business Online Trusted Application API
  • Consult Transfer option
  • Lync 2013 CUs for March 2017
  • Skype for Business 2015 CUs
  • RUCT updated
  • Convert-SonusSBCConfigToWord

Events

  • MS Cloud UG
  • UC and Cloud Day UK
  • Office 365 Engage

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

Exchange Updates – March 2017

Ex2013 LogoToday, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.

As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:

  • If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior of after installing the latest Cumulative Update.
  • If you are on .NET 4.52, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the the latest Cumulative Update.

The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU5 15.1.845.34 KB4012106 Download UMLP
Exchange 2013 CU16 15.0.1293.2 KB4012112 Download UMLP
Exchange 2010 SP3 Rollup 17 14.3.352.0 KB4011326 Download
Exchange 2007 SP3 Rollup 23 8.3.517.0 KB4011325 Download
  • KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
  • KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
  • KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
  • KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
  • KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
  • KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016

Exchange 2013 CU16 fixes:

  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013

Exchange 2010 SP3 RU17 fixes:

  • KB4014076 Migration ends and errors reported when you on-board or off-board a mailbox through Exchange Online in an Exchange Server 2010 hybrid environment
  • KB4014075 UNC path does not open in OWA when the path contains non-ASCII characters in an Exchange Server 2010 environment
  • KB4013917 You cannot search in a shared mailbox through OWA in an Exchange Server 2010 Service Pack 3 (Update Rollup 15 or 16) environment
  • KB4012911 Culture element is added in the wrong order when you use the ResolveNames operation in EWS in Exchange Server 2010

Notes:

  • Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.
  • Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.