Hybrid Configuration Wizard & F12

A small tip for those running the Exchange Hybrid Configuration Wizard. As announced at Ignite yesterday, a convenient feature was added to the HCW and is available now. Pressing F12 in the HCW will now open up a panel with shortcuts to the following tools and locations:

  • Exchange Management Shell
  • Exchange Online PowerShell
  • (current) Hybrid Configuration Wizard Log File
  • Create Support Package (to zip HCW logs for support)
  • Open Logging folder (of HCW)
  • Open Process Folder (of the HCW app)

Here is how it looks:

image

This might save you an occasional click or two.

Exchange Announcements @ Ignite

Ex2013 LogoUpdate Sep27th: Added Outlook 2013 to list of supported clients.

During Ignite 2018, details are announced to the public on Exchange Server 2019, Exchange Online, as well as Office 365 and related technologies. In this article I’ll try to summarize all the details in a readable format for your reference. The list is probably inconclusive; if you think anything is missing, let me know to I can update the article.

Exchange Server 2019

  • Distributed through Volume licensing only
    • Implication is that there will be no “Hybrid Server Key”
  • Release planned for later this year
  • Windows Server 2019 required
    • Windows Server Core recommended (security, smaller attack surface and disk footprint)
    • Exchange supports in-place upgrading of underlying operating system per Windows Server 2019.
  • Support for co-existence with n-2
    • Exchange Server 2016 and Exchange Server 2013.
    • Outlook 2013-Outlook 2019, Outlook 2016/Max and Outlook for Mac for Office 365.
  • Forest Functionality Level 2012R2 or later
  • Support for up to 48 CPU cores (Exchange 2016: 24)
  • Recommended minimum memory for Mailbox server 128GB, and 64GB for Edge Transport. Maximum memory is 256GB (Exchange 2016: 192GB). The reason for 128GB recommendation is that the .NET scaling benefits (see below) only work from around 100GB and up.
  • Page file 25% of installed memory (Exchange 2016: Maximized at 32GB).
  • .NET Framework 4.7.2, Visual C++ Redistributable and UCMA (Mailbox only)
  • Uses Server GC instead of Workstation GC for some IIS application pools. Better .NET memory management and improves CPU/memory scaling.
  • Will only use TLS 1.2 (there’s a transition mode supporting lower TLS versions, but for that all existing Exchange versions need to support 1.2 as well)
  • No more UM, options:
    • Move all users and mailboxes to Office 365
    • Migrate to Skype for Business Server 2019
    • Remain on Exchange 2016 (EOL 2026)
    • 3rd party VoiceMail solution
  • MetaCache Database uses storage tiering
    • Leverages SSD’s
    • Use SSD to spinning disk ratio 1:3
    • Caches indexes, mailbox folder structures and small items
    • Improves UX: faster logons, searches and small items retrieval
    • Allows for higher mailbox density per server (+20%
    • Utilize larger disks
  • Client Access Rules
    • Restrict external access to EAC and PowerShell
    • Evaluated at server level, so external connections need to hit Exchange 2019.
  • Additional perks for administration and end users
    • Remove-CalendarEvents to remove meetings from a person (e.g. leaver)
    • Recurring meetings will receive a default end date
    • Meetings can be restricted to prevent forwarding
    • Setting Out of Office in OWA allows for blocking calendar for that period, as well as decline current meetings and future meeting invites during that period.
  • Calculator and additional guidance on its way
  • On the Roadmap
    • On-premises Modern Authentication
    • Extending Client Access Rules to other protocols
    • Mailbox Encryption using Customer Keys
    • Monitoring and Analytics tools
    • Blocking legacy authentication methods
    • Removal of RPC/HTTP support (Outlook Anywhere)
    • Simplified Calendar Sharing

The Exchange Server 2019 documentation went live here. Some additional details were included in this list.

On another note: Greg Taylor gave an interview to Phoummala Schmitt (aka @ExchangeGodess) for Channel 9 on Exchange 2019. That replay can be watched here. Also, Scott Schnoll and JeffMealiffe as well as Greg Taylor and Ross Smith were interviewed by TheCube; those recordings can be watched here and here respectively.

Exchange Hybrid

  • Organization Configuration Transfer (OCT) version 2
    • Planned for October 2018
    • Adds the following to OCT v1 (current)
      • ActiveSync Device Access Rules
      • ActiveSync Organization Settings
      • Address Lists
      • DLP Policies
      • Malware Filter Policies
      • Policy Tips
      • Organization Config
    • Introduces conflict handling with review mode
    • Generates a script to undo changes
  • Exchange Hybrid deployment
    • Microsoft Hybrid Agent
    • Installed using HCW (‘Modern Hybrid’); ‘Classic Hybrid’ still an option
    • Hybrid Agent leverages Azure Application Proxy technology
      • Hybrid Proxy Service in the service will proxy requests between Exchange Online and Exchange on-premises.
      • No changes required to URLs or certificates
      • Hybrid Agent uses outbound connection only (port 80/443) to obfuscated unique URL (https://{GUID}.resource.{flow}.his.msappproxy.net. This URL is configured as TargetSharingEpr on the OrganizationalRelationship in Office 365
      • Running multiple agents is supported for availability and scaling
      • Outbound connections means less arrangements to make on (inbound) firewall rules (but another agent, like PTA, ADConnect Health Agent, regular Azure Application Proxy, to bypass security blockades may introduce other concerns)
    • Version 1 will support Free/Busy and MRSProxy and is in Private Preview now

The Exchange team published a quick blog on OCT and Hybrid Agent here.

Exchange Sessions @ Ignite 2018

ignite2018Among all the announcements of upcoming products and changes in the service, more details will also be revealed of Exchange Server 2019 and related products at Ignite next week. To those who are not able to attend, like yours truly: do not despair as Microsoft will be live streaming all keynote, breakout and community theater sessions.

The place to view those streams is through the Tech Community portal, and likely the session info pages will be used to embed the streams or provide links as they become available.

For this purpose, I made a short list of Exchange Server related sessions scheduled at Ignite 2018 for reference and easy access next week:

Session When Title Speakers
THR3024 9/24 3:00PM How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less Jeff Guillet
BRK2176 9/24 16:00 PM Welcome to Exchange Server 2019! Greg Taylor, Brent Alinger
BRK3148 9/25 10:45 AM Securing Exchange Online from modern threats Brandon Koeller
BRK3375 9/25 2:15 PM Notes from the field: How a large global bank moved to Office 365 Erik Knoppert, Michael Van Horenbeeck
BRK2165 9/25 3:15 PM What’s new in Groups in Outlook Ravin Sachdeva, Sri Ramya Mallipudi
THR3123 9/25 4:00 PM Getting stuff done: Solving Office 365 problems with PowerShell Tony Redmond
BRK3128 9/25 4:00 PM Outlook on the web: What’s new and why you should care Joey Masterson, Charlie Chung, Gabriel Valdez Malpartida, Cindy Kwan
THR3076 9/25 11:05 PM Azure Information Protection and Exchange Online – better together Michael Van Horenbeeck
BRK3129 9/26 9:00 AM Turbo charge your Exchange on-premises and hybrid environment: Notes from the field Steve Goodman
BRK3143 9/26 10:00 AM Hybrid Exchange: Making it easier and faster to move to the cloud Jeff Kizner
THR2129 9/26 11:20 AM Office 365: Five important lessons learned during a one million mailbox migration J. Peter Bruzzese
BRK2177 9/26 12:00 PM Outlook mobile for the enterprise Tali Roth, Michael Palermiti, David Pearson
THR3025 9/26 15:00 PM Preparing to move (or remove) those public folders to the cloud Michael Van Horenbeeck
BRK3130 9/26 16:00 PM Email search in a flash! Accelerating Exchange 2019 with SSDs Tobias Klima, Damon Gilkerson
BRK3146 9/27 9:00 AM What’s amazing and new in calendaring in Outlook! Julia Foran, Jennifer Lu, Will Holmes
BRK3145 9/27 10:00 AM Deploying Outlook mobile securely in the enterprise Ross Smith IV
THR2044 9/27 10:45 AM The top six PowerShell commands you need to know to manage Office 365 Steve Goodman
THR2392 9/27 11:00 AM Executive impersonators & fraudsters be gone! Using active defense & predictive artificial intelligence to secure your Office 365 email environment Vidur Apparao
BRK3131 9/27 12:45 PM Office 365: Marriages, divorces, and adoptions Steve Goodman
BRK3258 9/27 2:00 PM Panel discussion: Microsoft Exchange/Calendar/OWA Damon Gilkerson, Brent Alinger, Julia Foran, Jeff Kizner, Brandon Koeller, Joey Masterson, Brian Day, Robin Thomas
THR3024R 9/27 15:00 PM How to add MFA to your Exchange on-premises or Exchange Online mailboxes in 20 minutes or less (REPEAT) Jeff Guillet
THR2145 9/27 16:00 PM Why do we need to keep an Exchange Server on-premises when we move to the cloud? Brian Reid
BRK3279 9/28 9:00AM So long and thanks for all the (email) phish Brian Reid
BRK3147 9/28 12:00 PM Scott Schnoll’s Exchange and Office 365 tips and tricks Scott Schnoll

Note that the table above was constructed using the Get-EventSession script. That script has been updated recently so it can also download on-demand sessions when downloadable video contents aren’t available (e.g. Inspire). I’ll be closely monitoring next week to check if the script can cope with the way Ignite contents will be published.

Security Updates for Exchange 2016, 2013 and 2010

Ex2013 LogoA quick heads-up as during my vacation Microsoft released security updates for supported releases of Exchange Server 2016 and 2013 as well as Exchange Server 2010.

The security updates patch issues as reported in the following Microsoft Common Vulnerabilities and Exposures:

  • CVE-2018-8302 Microsoft Exchange Memory Corruption Vulnerability
  • CVE-2018-8374 Microsoft Exchange Server Tampering Vulnerability (Exchange 2016 only)

You can download the security updates here:

Notes:

  • Be advised that Exchange 2010 SP3 Rollup 23, like recent Cumulative Updates of Exchange 2016 and 2013, requires Visual C++ Redistributable Packages for Visual Studio 2013 (download).
  • KB4340731 supersedes the previous security update KB4092041 for Exchange 2016 and Exchange 2013.

Be advised that for Exchange 2013 and 2016, Security Updates are Cumulative Update level specific. While the downloaded security updates may carry the same name, the files are different and you cannot apply the downloaded security update file for Exchange 2016 CU8 to Exchange 2016 CU9. I suggest adding some form of identification of the Cumulative Update to the file name when you archive it, e.g. Exchange2016-KB4340731-x64-en-CU10.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

Exchange Server 2019 Preview is here!

Ex2013 LogoToday, long after its announcement at Ignite 2017, finally Exchange Server 2019 Public Preview was released. The Product Groups’ post contains information on the changes and features introduced with this Exchange 2019 Public Preview version, some of which were already teased at at Ignite 2017, e.g. session BRK3222 (announcement) and BRK3249 (Modern Authentication on-premises).

The most noticeable changes included in this Public Preview are summarized below. But before continuing, you can start downloading the Exchange 2019 Public Preview bits here.

Deployment
No official statement on required Forest and Domain Functional Levels, so it’s the same for Exchange 2019 Preview as for Exchange 2016, which is Windows Server 2008 R2 minimum. That might change at release time though, as Windows Server 2008 R2 is already in extended support. With WS2012 going out of mainstream support in October, WS2012 R2 is the most likely FFL/DFL requirement.

The build number of the preview is 15.2.191.1; the schema version for Exchange 2019 Public Preview is the same as Exchange 2016 CU7 and later, 15332.

Operating Systems
Exchange 2019 Public Preview can be installed on Windows Server 2016 as well as Windows Server 2019 Preview, both Desktop Experience and Core editions. Yes, Exchange 2019 runs on Server Core! In fact, the Exchange team really want you to try running it on Server Core. Also, by running on Server Core, you are reducing the potential attack surface, which makes it more secure system.

Scaling
Exchange 2019 can take advantage of hardware developments, and will support a larger number of cores as well as memory. Where Exchange 2016 scaling support was limited to 24 cores and 192GB of memory, Exchange 2019 will happily support up to 48 CPU cores and 256GB of memory.

Search and Indexing
Search will leverage yet another a new engine, Big Funnel, which is already being used for Exchange Online. Result of this change is that indexes will no longer be a separate ecosystem of files per database copy, but will be stored within the mailbox database. The advantages of this are that indexes will leverage the existing replication mechanism and protection offered by the Database Availability Group, and as indexes replicate with the data, this also means no more rebuilding of unhealthy indexes or trailing content indexes. This is also beneficial for fail-over times.

Storage
Exchange 2019 will support tiering of storage using SSD’s at release time, but that is currently not enabled for the Public Preview release. SSD’s are going to be used to store (read/write) hot data in a sort of intelligent cache, lowering overall latency and in the end benefitting user experience.

Calendaring
imageThe new Calendar Sharing model from Office 365 will be ported to Exchange on-premises. More information on this feature in Exchange Online here.

Also in the ported functionality department, it will be possible for meeting organizers to set Do not Forward for meeting requests, preventing attendees from forwarding those meeting requests to others.

And last but not least, administrators will receive some convenient PowerShell cmdlets to manage Calendars, such as Remove-CalendarEvents for cancelling future meetings on attendee and resource calendars, and Add-MailboxFolderPermission gets the SharingPermissionFlags parameter to assign delegate permissions.

Unified Messaging
Exchange 2019 will no longer support Unified Messaging. If you’re using a 3rd party PBX or Skype for Business Server, that will no longer work with Exchange 2019. In those circumstances, apart from staying on or migrating to Exchange 2016 for the time being depending on your scenario, steps to take when you want to migrate to Exchange 2019 in those circumstances will be:

  • Migrate to Skype for Business Server 2019 using Cloud Voice-Mail.
  • Migrate to Office 365 with Cloud Voice-Mail.

Co-existence
No official statement yet, but if the policy set by Exchange 2016 and Exchange 2013 continues, only Exchange major version n-2 will be supported for co-existence, meaning Exchange 2013 and later for co-existence, and the need to leverage Exchange 2016 when migrating from Exchange 2010 (EOL April 2020).

.NET Framework
No word yet on supportability, so assume the same policy as for the latest Exchange 2013 and Exchange 2016 CU’s, which require .NET Framework 4.7.1. No information yet if .NET Framework 4.7.2 is or will be supported.

UCMA
The required UCMA for Server Core is provided with the ISO, and is located in the UCMAredist subfolder.

Concluding
Of course, with Ignite coming up end of September, it is expected a lot more will be disclosed on the new Exchange release, such as guidance on the deprecation of UM, deploying Modern Authentication, storage tiering and Core support.

Needless to say, this is a preview. It’s great to play with in a lab, but don’t install it in your production environment unless you are part of the TAP program. I repeat, this is not intended for your production deployment.

Apart from Exchange 2019 Preview, other previews of wave 2019 products were also released today (or earlier):

Finally, the update of the Hybrid Configuration Wizard app with integrated Licensing feature was released today as well. You can access it at http://aka.ms/HybridWizard.

Issues with July Updates of Windows

bandaidLast Update July 19th: Corrected Update information.

About a week ago, Microsoft released the July Updates for Windows systems. Unfortunately, something must have gone wrong in quality control, because people were reporting all sorts of issues, mostly related to IIS and Exchange servers.

The issue is created at the operating system level, probably due to changes in networking as mentioned in the July update notes. Therefor, symptoms can be experienced on systems running Exchange Server 2016 or even back to Exchange Server 2007.

Some of the symptoms are:

  • The World Wide Web Publishing Service – W3SVC – won’t come up, remains in a “stopping” state, but cannot fully stop or it cannot be restarted.
  • Exchange Transport and SMTP services becomes unresponsive or stops, causing mail flow issues (Source).

The issues were serious enough to have the Exchange PG publish a notice.

Meanwhile, Microsoft has released a superseding update for Windows Server 2016, and updates for older operating systems. However, looking at the information provided with updates for older operating systems, there are fixes for the original security updates, and (previews of) Monthly Rollups for the July updates. Replacements and updates may manifest themselves in Windows Update only after installing the original – faulty – update, meaning you might have to go through more than one Windows Update cycle (and possibly reboot) for the updates to become visible and installable. This applies to the Monthly Rollups as well.

The table below contains information on the original rollups and updates, the update you need to apply, and the type of update.

Operating System Original Update Update Type Comments
Windows Server 2016 KB4338814 KB4345418 Monthly Rollup Replacement
Windows Server 2012 R2 KB4338815 KB4338831 Monthly Rollup Replacement
KB4338824 KB4345424 Security Update Update for v1
Windows Server 2012 KB4338830 KB4338816 Monthly Rollup Replacement
KB4338820 KB4345425 Security Update Update for v1
Windows Server 2008 R2 KB4338823 KB4345459 Security Update Update for v1
KB4338818 KB4338821 Monthly Rollup Replacement
Windows Server 2008 KB4295656 KB4345397 Security Update Update for v1

Finally, apart from adopting a less aggressive updating strategy, this again shows unfortunately that having a separate production environment next to your test environment is no frivolous luxury.

Exchange Updates – June 2018

Ex2013 LogoThe Exchange Team released the June updates for Exchange Server 2013 and 2016, and an additional Rollup 22 for Exchange Server 2010 Service Pack 3.

Apart from fixes and time zone changes, these updates contain the following important changes and notes:

  • As announced earlier, Exchange 2013 CU21 and Exchange 2016 CU10 require .NET Framework 4.7.1.
  • All three updates require the VC++ 2013 runtime library, because it is needed by a 3rd component in WebReady Document Viewing in Exchange 2010/2013 and Data Loss Prevention in Exchange 2013/2016. Exchange 2010 SP3 RU22 will force installation of this VC++ runtime.
  • Updates include a critical security patch for Oracle Outside In libraries. More about the issue in MSRC advisory ADV180010.
  • Exchange 2013 CU21 and Exchange 2016 CU10 introduce support for directly creating and enabling remote shared mailboxes, e.g.
    New-RemoteMailbox [-Shared] [-Name remoteMailboxName]
    Enable-RemoteMailbox [-Identity user] [-Shared] [-RemoteRoutingAddress user@domain]
    Set-RemoteMailbox [-Name user] [-Type Shared]

    You need to run setup /PrepareAD to see these changes. More information in KB4133605.

  • This is the last planned Cumulative Update for Exchange 2013 as it enters Extended Support.
  • Exchange 2010 SP3 RU22 adds support for Windows Server 2016 Domain Controllers.

 

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU10 15.1.1531.3 KB4099852 Download UMLP No
Exchange 2013 CU21 15.0.1395.4 KB4099855 Download UMLP No
Exchange 2010 SP3 RU22 14.3.411.0 KB4295699 Download

Exchange 2016 CU10 fixes:

  • 4056609 Event ID 4999 and mailbox transport delivery service won’t start with Exchange Server 2016 CU7 installed
  • 4133605 Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133620 “HTTP 500 due to ADReferralException” error when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4095974 “System.InvalidOperationException” occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4095973 Set-ServerComponentState cmdlet does not honor the write scope defined in the RBAC management scope in Exchange Server
  • 4095993 HTTP 500 error when an administrator tries to manage regional settings in ECP on Windows Server 2016
  • 4294209 Cannot clear the “Maximum message size” check box for Send messages or Receive messages in EAC in Exchange Server 2016
  • 4294208 “TooManyObjectsOpenedException” error when you run the “Get-PublicFolderMailboxDiagnostics” cmdlet in Exchange Server
  • 4294212 Cannot send VBScript-created messages in the Outlook 2016 client
  • 4294211 Cannot run “Set-CalendarProcessing” cmdlets after you apply CU8 or CU9 for Exchange Server 2016
  • 4294210 Cannot edit an email attachment in OWA in an Exchange Server 2016 environment
  • 4294204 Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment
  • 4092041 Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018

Exchange 2013 CU20 fixes:

  • 4133605 Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133604 User can’t log on to a POP/IMAP account by using NTLM authentication in Exchange Server 2013
  • 4133618 Unexpected error occurs when running the Get-DatabaseAvailabilityGroupNetwork cmdlet in Exchange Server 2013
  • 4133620 “HTTP 500 due to ADReferralException” when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4058473 An Office 365 primary mailbox user cannot be assigned full access permissions for an on-premises mailbox in Exchange Server
  • 4094167 The MSExchangeRPC service crashes with a System.NullReferenceException exception in Exchange Server 2013
  • 4095974 “System.InvalidOperationException” occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4092041 Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018
  • 4294205 POP3 services intermittently stop in an Exchange Server 2013 environment
  • 4294204 Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment

Exchange 2010 Rollup 22 fixes:

  • 4295751 EWS impersonation not working when accessing resource mailboxes in a different site in Exchange Server 2010 SP3

Notes:

  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they introduce RBAC changes in your environment. Use setup /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates for Exchange 2016, 2013 and 2010

Ex2013 LogoA quick heads-up for those that missed it that earlier this month, as Microsoft released security updates for supported releases of Exchange Server 2016 and 2013 as well as Exchange Server 2010.

The security updates patch issues as reported in the following Microsoft Common Vulnerabilities and Exposures:

  • CVE-2018-8151 – Microsoft Exchange Memory Corruption Vulnerability
  • CVE-2018-8154 – Microsoft Exchange Memory Corruption Vulnerability
  • CVE-2018-8159 – Microsoft Exchange Elevation of Privilege Vulnerability
  • CVE-2018-8153 – Microsoft Exchange Spoofing Vulnerability
  • CVE-2018-8152 – Microsoft Exchange Server Elevation of Privilege Vulnerability

You can download the security updates here:

You may notice that Exchange 2013 Service Pack 1 is still in there, but this is because Cumulative Updates and Service Packs are on a different servicing model. Every Cumulative Update is supported for three months after the release of the next Cumulative Update; Exchange 2013 SP1 entered extended support early April, and will only receive critical updates such as this one.

Be advised that for Exchange 2013 and 2016, Security Updates are Cumulative Update level specific. While the downloaded security updates may carry the same name, the files are different and you cannot apply the downloaded security update file for Exchange 2016 CU8 to Exchange 2016 CU9. I suggest adding some form of identification of the Cumulative Update to the file name when you save it, e.g. Exchange2016-KB4092041-x64-en-CU9.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

 

Exchange & .NET Framework 4.7.2

Ex2013 LogoA quick blog on the recent release of .NET Framework 4.7.2. In the past I blogged about the tight relationship between Exchange versions and the .NET Framework, and the supported combinations of those two to deploy and run Exchange. Shortly after publishing that article, Microsoft revised its support statement:

“When upgrading Exchange from an unsupported CU to the current CU and no intermediate CUs are available, you should upgrade to the latest version of .NET that’s supported by Exchange first and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest, supported, CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services”.

Now while 4.7.2 is a minor release, it is not mentioned in the Exchange supportability matrix at this moment. As such, it is not a validated combination, and you will be in uncharted territory with an unsupported configuration. The revised support statement only mentions upgrading Cumulative Update directly to a recent release as many customers were faced with a two-step upgrade process coming from old Cumulative Updates, basically ignore the supportability matrix. However, it does not mention anything about upgrading to the latest .NET Framework version at this moment. So don’t.

To block (accidental) installation of .NET Framework 4.7.2, you can configure the following registry key on your current Exchange servers to block its installation:

HKLM\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework472= 1 (REG_DWORD)

or using PowerShell code:

$Version='472'
$RegKey= 'HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU'
$RegName= ('BlockNetFramework{0}' -f $Version)
If( -not (Test-Path $RegKey -ErrorAction SilentlyContinue)) {
    New-Item -Path (Split-Path $RegKey -Parent) -Name (Split-Path $RegKey -Leaf) -ErrorAction SilentlyContinue | out-null
}
New-ItemProperty -Path $RegKey -Name $RegName -Value 1 -ErrorAction SilentlyContinue| out-null
If( ( Get-ItemProperty -Path $RegKey -Name $RegName -ErrorAction SilentlyContinue)) {
    Write-Output ('Installation blockade for .NET Framework {0} set' -f $Version)
}
Else {
    Write-Error ('Unable to set registry entry {0}\{1}' -f $RegKey, $RegName)
} 

Exchange Updates – March 2018

Ex2013 LogoThe Exchange Team released the March updates for Exchange Server 2013 and 2016, and these Cumulative Updates contain a ton of fixes. Like the earlier Cumulative Updates for Exchange 2013 and Exchange 2016, and in addition to the fixes – see below – these Cumulative Updates contain the following important changes:

  • Support for .NET Framework 4.7.1. Be advised that .NET Framework 4.7.1 will be required for the next cycle of quarterly updates, which will be released in June 2018.
  • Full support for TLS 1.2. More information and guidance here.

On a smaller note, Exchange 2010 Service Pack 3 Rollup 20 was also released, which contains two security fixes CVE-2018-0924 and CVE-2018-0940, as well as DST changes.

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU9 15.1.1466.3 KB4055222 Download UMLP No
Exchange 2013 CU20 15.0.1367.3 KB4055221 Download UMLP No
Exchange 2010 SP3 RU20 14.3.389.1 KB4073537 Download

Exchange 2016 CU9 fixes:

  • 4054513 Mailbox usage status bar in OWA displays incorrect mailbox usage
  • 4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
  • 4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
  • 4058373 “A parameter cannot be found” error when you run Install-AntiSpamAgents.ps1 in Exchange Server 2016 CU7
  • 4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
  • 4058383 Exchange Control Panel (ECP) redirection fails in Exchange Server 2016
  • 4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
  • 4058399 Disabling a mailbox can’t remove legacyExchangeDN from user’s properties in Exchange Server 2016
  • 4073094 Emails outside a UID range are returned when you request for emails by using IMAP
  • 4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
  • 4073104 PIN can be reset on a Unified Messaging (UM)-enabled mailbox for a user outside a scoped OU
  • 4073103 The Enable-Mailbox cmdlet doesn’t block migrated users from provisioning in Exchange Server 2016
  • 4073107 Language can’t be changed when a user from a child domain tries to change language in OWA
  • 4073111 Can’t access a CAS website such as OWA/ECP/Autodiscover in Exchange Server 2016
  • 4073110 You can’t access OWA or ECP after you install Exchange Server 2016 CU8
  • 4073109 Search-MailboxAuditLog -ShowDetails not showing all messages in Exchange Server 2016
  • 4073114 “ADOperationException” error when OWA text verification fails in Exchange Server 2016
  • 4073214 Can’t enable OWA offline access in Exchange Server 2016
  • 4073531 CultureNotFoundException when selecting a LCID 4096 language in OWA for Exchange Server 2016
  • 4076520 MatchSubdomains isn’t usable for Set-AcceptedDomain in Exchange Server 2016
  • 4076741 Incorrect NDR when an administrator deletes a message from a queue in Exchange Server 2016
  • 4077655 Event ID 258 “Unable to determine the installed file” after you uninstall Windows PowerShell 2.0
  • 4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
  • 4058372 Blank page in Exchange Admin Center Audit Log in Exchange Server 2016
  • 4058382 Can’t retrieve time slot information about private calendar items as a delegate on another user’s account in Exchange Server 2016
  • 4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
  • 4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
  • 4073098 The ETS and EXS groups are incorrectly granted “SeDebugPrivilege” in Exchange Server 2016 on-premises
  • 4073108 “There was a problem loading your options” error when a user accesses OWA Voice Mail options in Exchange Server 2016
  • 4077924 Store Worker process crashes when you move, restore, or repair mailboxes that have issues with the logical index within the database in Exchange Server 2016
  • 4091453 Update improves linguistics features and CJK handling for search in Exchange Server 2016
  • 4073392 Description of the security update for Microsoft Exchange: March 13, 2018

Exchange 2013 CU20 fixes:

  • 4073392 Description of the security update for Microsoft Exchange: March 13, 2018
  • 4073094 Emails outside a UID range are returned when you request for emails by using IMAP
  • 4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
  • 4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
  • 4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
  • 4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
  • 4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
  • 4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
  • 4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
  • 4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
  • 4073093 Save issues occur when you use the plain Text Editor in OWA of Exchange Server 2013
  • 4073096 Emails sent from a shared mailbox aren’t saved in Sent Items when MessageCopyForSentAsEnabled is True

Notes:

  • Exchange 2016 CU7 and later requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareSchema to manually update the schema, or use /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To see if you need to update the schema compared to your version or verify the update has been performed, consult the Exchange schema overview.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.