Today, Microsoft released a hotfix for Exchange Server 2016 and 2016 that will not only fix some issues but, importantly, also add a much-welcomed functionality change: Hybrid Modern Authentication support OWA and ECP. You can deploy the hotfix directly on the Cumulative Update, similar to Security Updates. There is no need to deploy the March 2024 Security Update first.
The Hotfix for each supported Exchange Server build is linked below:
This hotfix adds support for OWA and ECP when used in Hybrid Modern Authentication (HMA). This removes the need to deploy Azure Web Application Proxy for OWA and ECP when you want to deploy HMA. If you already deployed an Azure WebApp Proxy configuration for this purpose, you can choose to remove it after deploying the hotfix and configuring HMA on OWA/ECP. More information on enabling OWA and ECP for HMA support is here.
Caution: if you do not synchronize the identities of (Exchange) administrators to Entra, they will be unable to authenticate against Entra Identity and thus unable to manage Exchange on-premises using ECP. In those cases, they have the option to use Exchange Management Shell or synchronize their identities. Since Entra will be performing the authentication, you can add additional controls, such as location conditions or MFA, for those accounts.
ECC Certificate Support
The hotfix adds support for ECC certificates to Exchange, except for scenarios where Active Directory Federation Services (AD FS) is utilized. More information here.
Fixed Issues
The hotfix addresses the following issues, some of which were introduced after deploying the March 2024 SU:
The hotfix is Exchange build level specific. You cannot apply the hotfix for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name, and I would suggest tagging the file name with the Exchange version and CU when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
On a final note, as with any patch or update, it is recommended to apply this update in a test environment first, prior to implementing it in production.
Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling these is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for usage in Exchange Transport Rules or Data Loss Prevention rules. More information is here.
Fixed Issues
Apart from security fixes, these Security Updates also correct the following issues:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.
On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.
Be advised that these updates will enable payload signing by default. Payload serialization signing signs PowerShell payloads to identify possible tampering. Support for certificate-based signing of PowerShell serialization payloads got added with January security updates and is a per-server configuration. In other words, make sure you have deployed the January security updates before implementing these security updates, so your Exchange servers support payload signing before you can enable it one server at a time.
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.
On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.
If you are looking for a way to automate and simplify your Microsoft 365 administration tasks, PowerShell is a great option. However, PowerShell scripting is not without its challenges. Not proactively maintaining code can quickly become an issue because of the changes made to dependencies such as modules, as well as the cmdlets you use.
In an article I wrote for Practical 365, related to the presentation of the same name held at the The Experts Conference 2023 in Atlanta this year, I discuss some of the challenges administrators might encounter with PowerShell scripts. Also, I provide some guidance and point out a few tools that can assist with rewriting or refactoring code, i.e., updating code while keeping its external functionality.
The recommendation for the August updates was to disable the TokenCacheModule in IIS to mitigate an Elevation of Privilege issue in IIS. That issue is fixed with a Windows update for CVE-2023-36434. Thus, after installing this update for IIS, it is no longer recommended to disable TokenCacheModule. When you have disabled it after installing the August 2023 updates, you can enable it again using New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll", or use the CVE-2023-21709.ps1 script specifying the -Rollback switch to (re-)enable it on all of your Exchange servers.
Fixed Issues
Apart from security fixes, these Security Updates also correct the following issues:
Extended Protection causes Outlook for Mac to fail to download the OAB (use updated Extended Protection script)
Yes
Yes
Notes
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.
CVE-2023-21709 requires additional steps, which need to be performed after installing the August updates. These steps will remove the TokenCacheModule from IIS, preventing IIS (thus implicitly Exchange) from caching security tokens for password-authenticated sessions (Anonymous, BasicAuth, and Client Certificates) at a performance penalty as every request needs to get re-authenticated. Documentation on these steps, as well as a script to implement or undo these changes, can be found here.
Update October 10: Removal of TokenCacheModule is no longer recommended, as the vulnerability has been addressed in a Windows patch, CVE-2023-36434.
AES256 in Cipher Block Chaining mode
After installing these August updates, AES256-CBC will be the default encryption mode. In order to allow decrypting of Microsoft Purview Information Protection or Active Directory Rights Management Services, additional configuration is required. If you utilize RMS with Exchange on-premises, consult the steps in this KB article.
Issue with Non-English Operating Systems
The issue with the initial release of the August 2023 SU’s has been fixed in the V2 versions. Take note of the What-if table in the August SU V2 publication on how to proceed if you already installed V1 using the workaround. TLDR;:
If you installed V1 successfully (English OS), no action is needed, and installing V2 is optional (will only increase Exchange build numbers).
If you installed V1 on a non-English OS with the workaround, uninstall August SU V1, restart, install August SU V2, and clean up the workaround (dummy ‘Network Service’ account)
If you did not install V1 on a non-English OS or tried installing without success and re-enabled services using ServiceControl.ps1 -AfterPatch, install the August SU V2 update.
Right after the release of the Security Update, reports came in from customers with failed deployments for non-English operating systems. Installing the SU failed, leaving their Exchange server in a non-functional state as Exchange-related services were disabled. After Microsoft investigated the issue, it was found the SU installer uses the textual “Network Service” security principal during configuration. This does not work in other languages, where it needs to be the localized name, e.g. Netzwerkdienst (German) or SERVICE LOCAL (French). Using the well-known SID for this service principal (S-1-5-20), or using this to look up the actual name, would be the way to address this. This is also what the workaround in the support article is basically doing:
Restore the startup state of Echange services using $exscripts\ServiceControl.ps1 AfterPatch.
Creating a dummy “Network Service” account.
Manually add Full Control on the ACL of HKLM:\SOFTWARE\Microsoft\MSIPC\Server for the ‘real’ Network Service security principal, which is what the SU should be doing. Under this key is where licenses used for Azure Information Protection are stored.
While having a workaround helps, it is not very maintainable, which is why I expect Microsoft to publish an update for the Security Update. Also, the whole situation gives to think about the mindset of developers who apparently only test using English operating systems. With still significant on-premises Exchange presence in countries such as Germany and France, making code OS language-independent and having it tested could use improvement.
Fixed Issues
Apart from security fixes, these Security Updates also correct the following issues:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, I’d recommend applying this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.
The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.
The vulnerability addressed in these Security Updates for Exchange Server is:
Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.
Other Issues Apart from security fixes, these SUs also fix the following:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.
Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.
Other Issues Apart from security fixes, these SUs also fix the following:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.
[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it’s EWS having problems, applications depending on this protocol also may stop to work, such as Teams.
Meanwhile, Microsoft acknowledged an issue with the initial publication, and published workaround. If experience issues and see the event 4999 in your Eventlog:
Restart IIS and the Windows Activation Proces on each server Restart-Service -Name W3SVC, WAS -Force
Be advised that event 4999 might still show up in your Eventlog, and it has been reported that this might not completely does away with the issues reported. Keep an eye on the original post and EHLO blog for any future updates.
In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April, 2023, meaning it it will stop receiving security updates. Recommendation is to upgrade to a more recent version.
Payload Serialization Signing Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TLDR; it allows for signing data to identify possible tampering. More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. In order to verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as each Exchange server needs to understand the signing.
Other Issues Apart from security fixes, these SUs also fix the following:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing. If you are running Exchange 2019 Management Tools-only (for recipient management), you do not need to deploy this SU.
On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.