Exchange Updates (and more) – H1 2023

Posted on May 4, 2023 by Michel de Rooij

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2023, or CU13. This is Exchange 2019 only; no Exchange 2016 CU.

Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following functionality enhancements:

Modern Authentication On-Premises Support
After dropping support for Basic Authentication in Exchange Online, organizations that remained on-premises for various reasons, and could not deploy Exchange Hybrid, were left out in doubt how to proceed. Last year, Microsoft gave them some perspective, following a roadmap announcement.

This CU is a first step, allowing organizations running AD FS 2019 to deploy Exchange 2019 CU13, and configure AD FS as their authentication provider. Be advised that this also requires clients to support this change in authentication logic. First, Outlook for Windows will contain support for this in build 16327.20200 and later. Support for other Outlook clients has an ETA of end of year. Outlook on the Web already supports claims-based authentication using AD FS, which is a form of Modern Authentication.

Finally, organization running Exchange 2016 can deploy Exchange 2019 CU13 in front of those Exchange 2016 servers, allowing then to handle clients request, and thus authenticate them using AD FS. After deployment, organizations can enable Modern Authentication on the organization or at the mailbox level, using Exchange’s Authentication Policies.

For more information about deploying Modern Authentication with Exchange on-premises, see Enabling Modern Auth in Exchange On-Premises. The page also includes an insightful diagram on the authentication flow.

Configuration Backup/Restore
Administrators might tweak configuration files belonging to their Exchange deployment, e.g. web.config. Deploying CUs meant that those files were overwritten, and administrators had to re-apply changes. With CU13, setup will now preserve a fixed set of elements in those configuration files. For more information, see Exchange Server custom configuration preservation.

TLS 1.3
Unfortunately, nothing yet about TLS 1.3 support.

Earlier Exchange Versions
Exchange 2013 reached end of life early April. No Cumulative Update for Exchange 2016 CU23, which is in extended support, and will only receive security updates until October, 2025. Exchange 2016 is supported when you run CU23 with the March 2023 Security Update applied.

Download
Link to the update as well as a description of changes and fixes are below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, in order to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.

Version	Build	KB	Download	UMLP	Schema	AD
Exchange 2019 CU13	15.2.1258.12	KB5020999	Download		N	Y

Exchange 2019 CU13 fixes:

5027150 Enable Modern Auth for pure On-Premises Exchange users
5026134 “InvalidRecipientsException” when you try to run MRM
5026135 CertificateDeploymentServicelet failure in multiple domain forest Exchange deployments
5026136 Microsoft Exchange Transport doesn’t re-encrypt IRM messages
5026138 Users receive reminders although the meeting reminder is set to None
5026139 You can’t move the public folder mailbox
5026142 Journal message returns “ConversionFailedException”
5026143 OAB shadow distribution threshold must be reduced or made configurable
5026146 Expiry notification is sent to moderator and sender for approved and delivered messages
5026147 BlockLegacyAuthentication fail Organization Policy because of BackendRehydrationModule implementation
5026149 Group metrics generation doesn’t finish in multidomain environment
5026150 Edge server Filtering Agent removes journal attachments
5026151 Oab-Processing-Threshold is set to 0 for On-Premises
5026152 Microsoft Exchange ActiveSync or Current Requests counter inaccurately counts requests
5026153 Delivery Flow Control setting override is now available
5026154 On-premises Exchange has 35MB file size limit for online archiving
5026155 “No support for this operation” error on an Exchange 2019 DAG member server
5026156 Outlook search fails in a shared On-Premises mailbox if the primary user mailbox is migrated to Exchange Online
5026158 The body of recurring meeting is not clear if it has Chinese characters
5026159 IconIndex returns Default value when Server Assisted Search is used in Outlook
5026266 “Could not start MS Exchange Service Host service” error and Exchange stops responding
5026267 OWA stops responding in an Exchange 2019 and 2016 coexistence topology
5026268 Store Worker process crashes and returns “System.NullReferenceExceptions” multiple times per day
5026269 Block deserialization error when using eDiscovery
5026271 IIS URL Rewrite Module link is incorrect
5026273 Outlook configuration fails in Android or iOS
5026274 Hybrid Agent Validation fails after Extended Protection is enabled
5026277 Mail configuration fails on iOS device after Extended Protection is enabled
5026278 Mailbox migration fails after Extended Protection is enabled

Notes

If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to inability to validate script signatures.
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2013-2019 (Mar2023)

Posted on March 14, 2023 by Michel de Rooij

The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.

The vulnerability addressed in these Security Updates for Exchange Server is:

Vulnerability	Category	Severity	Rating
CVE-2022-21978	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.26	KB5024296	KB5023038
Exchange 2019 CU11	Download	15.2.986.42	KB5024296	KB5023038
Exchange 2016 CU23	Download	15.1.2507.23	KB5024296	KB5023038
Exchange 2013 CU23	Download	15.0.1497.48	KB5024296	KB5023038

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue	Exchange 2013	Exchange 2016	Exchange 2019
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigning	Yes	Yes	Yes
EEMS stops responding after TLS endpoint certificate update	Yes	Yes	Yes
Get-App and GetAppManifests fail and return an exception	Yes	Yes	Yes
EWS does not respond and returns an exception	Yes	Yes	Yes
An exception is returned while opening a template in the Exchange Toolbox	Yes	Yes	Yes

Notes:

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Feb2023)

Posted on February 15, 2023 by Michel de Rooij

[20Feb] Added information regarding issues reported.

The Exchange product group released February updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

Vulnerability	Category	Severity	Rating
CVE-2023-21529	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2023-21706	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2023-21707	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2023-21710	Remote Code Execution	Important	CVSS:3.1 7.2 / 6.3

The Security Updates for each supported Exchange Server build are linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.25	KB5023038	KB5022193
Exchange 2019 CU11	Download	15.2.986.41	KB5023038	KB5022193
Exchange 2016 CU23	Download	15.1.2507.21	KB5023038	KB5022143
Exchange 2013 CU23	Download	15.0.1497.47	KB5023038	KB5022188

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue	Exchange 2013	Exchange 2016	Exchange 2019
Export-UMPrompt fails with InvalidResponseException	Yes	Yes	N/A
Edge Transport service returns an “EseNtOutOfSessions” Exception	Yes	Yes	Yes
Exchange services in automatic startup mode do not start automatically	Yes	Yes	Yes
Data source returns incorrect checkpoint depth	Yes	Yes	Yes
Serialization fails while tried accessing Mailbox Searches in ECP	Yes	Yes	Yes
Transport delivery service mishandles iCAL events	Yes	Yes	Yes

Notes:

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it’s EWS having problems, applications depending on this protocol also may stop to work, such as Teams.

Meanwhile, Microsoft acknowledged an issue with the initial publication, and published workaround. If experience issues and see the event 4999 in your Eventlog:

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

follow the instructions in the following KB article link:

On each Exchange server, create a registry key
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name 'DisableBaseTypeCheckForDeserialization' -Value 1 -Type String
Create a global override setting
New-SettingOverride -Name 'Adding learning location ClientExtensionCollectionFormatter' -Component Data -Section DeserializationBinderSettings -Parameters @('LearningLocations=ClientExtensionCollectionFormatter') -Reason 'Deserialization failed'
If you cannot wait until the override configuration kicks in (may take an one hour), refresh it manually:
- Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
- Restart IIS and the Windows Activation Proces on each server
  Restart-Service -Name W3SVC, WAS -Force

Be advised that event 4999 might still show up in your Eventlog, and it has been reported that this might not completely does away with the issues reported. Keep an eye on the original post and EHLO blog for any future updates.

Security Updates Exchange 2013-2019 (Jan2023)

Posted on January 10, 2023 by Michel de Rooij

The Exchange product group released January updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

Vulnerability	Category	Severity	Rating
CVE-2023-21764	Elevation of Privilege	Important	CVSS:3.1 7.8 / 6.8
CVE-2023-21763	Elevation of Privilege	Important	CVSS:3.1 7.8 / 6.8
CVE-2023-21745	Spoofing	Important	CVSS:3.1 8.8 / 7.9
CVE-2023-21762	Spoofing	Important	CVSS:3.1 8.0 / 7.0
CVE-2023-21761	Information Disclosure	Important	CVSS:3.1 7.5 / 6.5

The Security Updates for each Exchange Server version are linked below. Note that only CVE-2023-21762 applies to Exchange Server 2013:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.21	KB5022193	KB5019758
Exchange 2019 CU11	Download	15.2.986.37	KB5022193	KB5019758
Exchange 2016 CU23	Download	15.1.2507.17	KB5022143	KB5019758
Exchange 2013 CU23	Download	15.0.1497.45	KB5022188	KB5019758

In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April, 2023, meaning it it will stop receiving security updates. Recommendation is to upgrade to a more recent version.

Payload Serialization Signing
Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TLDR; it allows for signing data to identify possible tampering. More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. In order to verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as each Exchange server needs to understand the signing.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue	Ex2013	Ex2016	Ex2019
Store Worker Process stops and returns “System.NullReferenceExceptions” multiple times per day		Yes	Yes
Can’t record or play in Exchange Unified Messaging	Yes	Yes
Exchange Application log is flooded with Event ID 6010		Yes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing. If you are running Exchange 2019 Management Tools-only (for recipient management), you do not need to deploy this SU.

Security Updates Exchange 2013-2019 (Nov2022)

Posted on November 8, 2022 by Michel de Rooij

The Exchange product group released November updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that were reported end of September. More on those in an earlier post.

Note: You can keep the current URLScan mitigations in-place, and remove them after installing these security updates at your convenience. The recommendation to disable Remote PowerShell for non-admins is upheld, but this is best practice regardless.

The vulnerabilities addressed in these Security Updates are:

Vulnerability	Category	Severity	Rating
CVE-2022-41040	Elevation of Privilege	Critical	CVSS:3.1 8.8 / 7.9
CVE-2022-41082	Elevation of Privilege	Important	CVSS:3.1 8.8 / 8.3
CVE-2022-41078	Elevation of Privilege	Important	CVSS:3.1 8.0 / 7.0
CVE-2022-41123	Elevation of Privilege	Important	CVSS:3.1 7.8 / 6.8
CVE-2022-41079	Elevation of Privilege	Important	CVSS:3.1 8.0 / 7.0
CVE-2022-41080	Elevation of Privilege	Critical	CVSS:3.1 8.8 / 7.7

The following Security Updates address these vulnerability for the Exchange builds mentioned, with the exception of CVE-2022-41123 which does not apply to Exchange Server 2013:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.20	KB5019758	KB5019077
Exchange 2019 CU11	Download	15.2.986.36	KB5019758	KB5019077
Exchange 2016 CU23	Download	15.1.2507.16	KB5019758	KB5019077
Exchange 2016 CU22	Download	15.1.2375.37	KB5019758	KB5019077
Exchange 2013 CU23	Download	15.0.1497.44	KB5019758	KB5019076

In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

Security Updates Exchange 2013-2019 (Oct2022)

Posted on October 11, 2022 by Michel de Rooij

The Exchange product group released October updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates do NOT address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that have been reported on since end of September. For now, mitigate those by follow the instructions mentioned an earlier post here.

The vulnerabilities addressed in these Security Updates are mostly the same as the ones addressed by the Security Updates of August, with the exception of CVE-2022-34692. Also, the CVSS rating of CVE-2022-30134 has been adjusted:

Vulnerability	Category	Severity	Rating
CVE-2022-21979	Information Disclosure	Important	CVSS:3.1 4.8 / 4.2
CVE-2022-21980	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24477	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24516	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-30134	Elevation of Privilege	Important	CVSS:3.1 6.5 / 5.7 (was CVSS:3.1 7.6 / 6.6)

The following Security Updates address these vulnerability for the Exchange builds mentioned:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.15	KB5019077	KB5015322
Exchange 2019 CU11	Download	15.2.986.30	KB5019077	KB5015322
Exchange 2016 CU23	Download	15.1.2507.13	KB5019077	KB5015322
Exchange 2016 CU22	Download	15.1.2375.32	KB5019077	KB5015322
Exchange 2013 CU23	Download	15.0.1497.42	KB5019076	KB5015321

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange 0-days: CVE-2022-41040 & CVE-2022-41082

Posted on October 3, 2022 by Michel de Rooij

Update (Oct10, 2022): Updated URL Rewrite Rule (again).

End of last week, the Exchange world was made aware of a 0-day vulnerability and exploit through the following tweet by security researcher Kevin Beaumont. The tweet referenced a write-up by GTSC Cyber Security, which published their discovery on a what looked like a variation on ProxyShell, allowing for Remote code execution. The vulnerabilities have been registered by the Common Vulnerabilities and Exposures program as CVE-2022-41040 (ZDI-CAN-18333 at Zero Day Initiative) and CVE-2022-41082 (ZDI-CAN-18802).

The 0-day impacts current versions of Exchange Server 2019, Exchange Server 2016 as well as Exchange Server 2013 when published externally. If you have Exchange Hybrid deployed only for recipient management or mail-flow (i.e. no inbound traffic for https/443), you should be OK. Similar to ProxyShell, the vulnerability consists of sending manufactured requests to Exchange server, e.g.

Read the full of this article on ENow here.

Update (Oct10): The (original) filter to mitigate the situation, as specified originally by the GTSC as well as various websites, is too specific. The filter can easily be circumvented by – but effectively identical – variations on the manufactured request. The latest rule to filter requests is:

(?=.*autodiscover)(?=.*powershell)

Update any existing mitigation IIS URL Rewrite Rules with this Regular Expressions filter for {UrlDecode:{REQUEST_URI}} blocking (Abort Request) any matching request. When using EEMS, this rule will also be deployed in the most recent update (1.0.9). Microsoft rather silently updated the filter in their published EEMS rules during the weekend.

Microsoft added to their advisory, recommending organizations to disable Remote PowerShell for non-administrators roles (instructions here). For those wanting to hunt for indicators of compromise, check the end of the Security blog.

Vendors are also offering solutions to filter these requests using their network devices:

At the time of writing, Microsoft has not publish a security fix yet.

Security Updates Exchange 2013-2019 (Aug2022)

Posted on August 9, 2022 by Michel de Rooij

The Exchange product group released Augustus updates for Exchange Server 2013, 2016 and 2019.

Note that per the previous May cycle, Security Updates will be packaged in an executable wrapper. This should trigger the running elevated prompt, thus preventing any potential issues when admins simply double-click the .MSP file. More about the new package format, options for logging and command-line switches are mentioned in an article dedicated to the change of distribution method here.

Windows Extended Protection
Special attention in this cycle for Windows Extended Protection, which needs to be enabled to address certain vulnerabilities. WEP is ONLY supported for specific versions of Exchange server – see the documentation for details regarding requirements and known issues. TLDR; – list might change over time, consult the pages linked earlier:

Requirements
- Supported on Exchange 2013 CU23, Exchange 2016 CU22 and Exchange Server 2019 CU11 or later, with the August 2022 Security Updates installed.
- Cannot be enabled on Exchange Server 2013 servers hosting Public Folders in co-existence with Exchange 2016/2019.
- Cannot be enabled on Exchange 2016 CU22 or Exchange 2019 CU11 or older hosting a Public Folder Hierarchy.
- Does not work with hybrid servers using Modern Hybrid configuration.
- SSL Offloading scenarios are currently not supported.
- Consistent TLS configuration is required across all Exchange servers.
Known Issues
- Retention Policies using action Move to Archive stops working.
- In Exchange 2013, the MAPI over HTTP probe OutlookMapiHttpCtpProbe might show FAILED.

To perform prerequisite checks and implement WEP, a supporting script ExchangeExtendedProtectionManagement.ps1 has been published. Since enabling WEP impacts how clients and Exchange server communicates, it is highly recommended to test this first on your specific configuration, especially with 3rd party products, before enabling it in production.

Security Updates
So, on with the security updates. The vulnerabilities addressed in the Security Updates for August are:

Vulnerability	Category	Severity	Rating
CVE-2022-21979	Information Disclosure	Important	CVSS:3.1 4.8 / 4.2
CVE-2022-21980	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24477	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24516	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-30134	Elevation of Privilege	Important	CVSS:3.1 7.6 / 6.6
CVE-2022-34692	Information Disclosure	Important	CVSS:3.1 5.3 / 4.6

The following Security Updates address this vulnerability:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.12	KB5015322	KB5014261
Exchange 2019 CU11	Download	15.2.986.29	KB5015322	KB5014261
Exchange 2016 CU23	Download	15.1.2507.12	KB5015322	KB5014261
Exchange 2016 CU22	Download	15.1.2375.31	KB5015322	KB5014261
Exchange 2013 CU23	Download	15.0.1497.40	KB5015321	KB5014260

These Security Updates also fix the following issues:

KB5017261 Start-DatabaseAvailabilityGroup fails with BlockedDeserializeTypeException
KB5017430 E-Discovery search fails in Exchange Online

Exchange Announcements

Posted on June 4, 2022 by Michel de Rooij

Few days ago, the Exchange Product made several announcements related to Exchange Server and its future. The overall message throughout these announcements can be interpreted as that Microsoft is publicly declaring to be committed to developing and supporting the Exchange Server product. This is especially of interest to those customers running it as part of their on-premises infrastructure. It is also assuring those that believe the road ahead was a dead end, eventually forcing them to move to Exchange Online, or look for alternatives.

The announcements made were in the area of:

Lifecycle policies remain intact for current versions of Exchange Server.
The next version of Exchange Server, also known as Exchange vNext, will move to a continuous support model, but comes with requirements.
Upgrade path for Exchange vNext.
Modern Authentication support for non-hybrid Exchange 2019 deployments.
Exchange 2019 support for TLS 1.3.
Possibility to receive pre-release builds of Exchange server through Microsoft’s TAP program.
Exchange Admin Center will receive overview section for Exchange servers update status in Exchange hybrid deployments.
HCW will allow admins to skip configuration steps.
Script to remove obsolete mitigations from EEMS.
Microsoft Exchange ~~Conference~~ Community Virtual Airlift (MEC) for September 13-14! (register)
Feedback forums for Exchange Online and Exchange Server.

More details on these announcements can be found in the full article on the announcements, and can be found here at the ENow Solutions blog.

Security Updates Exchange 2013-2019 (May2022)

Posted on May 10, 2022 by Michel de Rooij

The Exchange PG released May updates for Exchange Server 2013, 2016 and 2019.

Note that per this cycle, Security Updates will be packaged in an executable wrapper. This should trigger the running elevated prompt, thus preventing any potential issues from simply double-clicking the .MSP file. More about the new package format, options for logging and command-line switches are mentioned in an article dedicated to the change of distribution method here.

The vulnerability addressed in the Security Updates for May is:

Vulnerability	Category	Severity	Rating
CVE-2022-21978	Elevation of Privilege	Important	CVSS:3.1 8.2 / 7.1

The following Security Updates address this vulnerability:

Exchange	Download	Build	KB
Exchange 2019 CU12	Download	15.2.1118.9	KB5014261
Exchange 2019 CU11	Download	15.2.986.26	KB5014261
Exchange 2016 CU23	Download	15.1.2507.9	KB5014261
Exchange 2016 CU22	Download	15.1.2375.28	KB5014261
Exchange 2013 CU23	Download	15.0.1497.36	KB5014260

The SU also fix the following issue:

KB5013118 Exchange Service Host service fails after installing March 2022 security update

Important: As mentioned in the announcement, you must run /PrepareAllDomains after deploying the SU because of hardening measures. Exception is when you have multiple domains and some of them are never prepped; in that case prepare the individual domains required. Using your currently deployed binaries, run the following command, where the /IAccept switch you need to use depends on the Exchange version deployed and whether you provide diagnostics information:

& $exbin\setup.exe /PrepareAllDomains /[IAcceptExchangeServerLicenseTerms|IAcceptExchangeServerLicenseTerms_DiagnosticDataON|IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF]