MEC: Bringing your Exchange Scripts into the Modern Age

Posted on September 15, 2022 by Michel de Rooij

Yesterday, I had the pleasure of presenting at the Microsoft Exchange ~~Conference~~ Community Technical Airlift 2022. I talked about the challenges that organizations are facing that use Exchange scripts in their work processes or run them scheduled unattended.

Some of the challenges I mentioned, apart from the upcoming demise of Basic Authentication, and resources to methodically assess and make the necessary changes, are:

Get your code more secure leveraging Certificate Based Authentication, especially for scheduled tasks.
Get current with the most recent version of the Exchange Online Management Module for PowerShell.
The same exercise with regards to AzureAD when using MSOnline or AzureAD modules, and the inevitable move to the PowerShell Graph SDK.

In the end I also quickly demonstrated how much easier and secure things can be when utilizing Azure Automation, which might especially appeal to organizations that want to totally get rid of any infrastructure for running jobs.

You can watch the presentation below. All sessions are you published on YouTube, and its playlist can be accessed at aka.ms/MEC2022.

The presentation as well as the deck and script used in the live demonstration can be retrieved from GitHub. The Analyse-ExoScript used in the demo can be found on GitHub as well, or look at the accompanying blog I wrote a while ago here.

Note that during MEC, it was announced that the next GA release of the Exchange Online Management module will be version 3. This jump is likely to prevent any confusion with earlier GA and preview releases. It was said the next GA release might be as early as next week, which should be good news for organizations who’s policy it is to not run Preview software in production environments.

If you have any questions, ask them in the comments or send me a message via the contact form.

MEC Airlift 2022 #WeAreMEC

Posted on September 12, 2022 by Michel de Rooij

It seems ages ago – 8½ years to be exact – that the most recent Microsoft Exchange Conference took place in Austin in 2014. Much has happened since then, Exchange Online became a thing and there seemed to be no need for Microsoft to host an Exchange themed conference any longer. All this while events around products such as SharePoint did not slow down a single bit.

Then the pandemic happened, and we went to zero in-person conferences. It did not take long online/virtual/digital conferences took off. But alas, no Exchange conference. Until 2022 arrived, and Microsoft announced continued commitment to Exchange on-premises. Now, early in the FY22/23, a free 2-day online event will take place on September 13th & 14th, the Microsoft Exchange ~~Conference~~ Community Technical Airlift 2022. Target audience are IT professionals working with Exchange Online/On-Premises as well people developing solutions that integrate with Exchange. While nothing comes close to the experience and value of an in-person event, MEC 2022 will take place online. I am guessing that if this event is a success, and there is enough content to talk about as well as interest, that might switch to becoming at least a hybrid event, with a mix of an in-person and online audience, similar to Microsoft Ignite this year.

The agenda for MEC 2022 looks very promising, with sessions from both the Exchange product group as well as some very smart people from the Exchange community. Not totally surprising, there are sessions on the demise of Basic Authentication and how to deal with that, hosted by Greg Taylor. Also have a look at Scott Schnoll’s famous Exchange Tips & Tricks, or Jeff Mealiffe talking about connectivity. The event kicks off with a welcome keynote with Perry Clarke and Rajesh Jha. You can still submit questions for this “Geek Out with Perry!” here.

Yours truly will also present at MEC, presenting “Bringing your Exchange Scripts into the Modern Age” on September 14th, 9:00am PDT. Note that MEC sessions will be recorded, and will be made available for on-demand viewing after the event, which is great in case you cannot attend sessions as they happen. You can still register for MEC at https://aka.ms/MECAirlift.

If I do not “see” you at MEC, there is also an opportunity to have an in-person chat next week in Atlanta, where I will be attending – not presenting as I missed the submit deadline – The Experts Conference, or just TEC. It seems you can still register, but Anyway, it is good to see Exchange themed events pick-up and confereces in general returning to a certain level of pre-pandemic numbers, as there is enough to talk about, discuss and learn from others.

Security Updates Exchange 2013-2019 (Aug2022)

Posted on August 9, 2022 by Michel de Rooij

The Exchange product group released Augustus updates for Exchange Server 2013, 2016 and 2019.

Note that per the previous May cycle, Security Updates will be packaged in an executable wrapper. This should trigger the running elevated prompt, thus preventing any potential issues when admins simply double-click the .MSP file. More about the new package format, options for logging and command-line switches are mentioned in an article dedicated to the change of distribution method here.

Windows Extended Protection
Special attention in this cycle for Windows Extended Protection, which needs to be enabled to address certain vulnerabilities. WEP is ONLY supported for specific versions of Exchange server – see the documentation for details regarding requirements and known issues. TLDR; – list might change over time, consult the pages linked earlier:

Requirements
- Supported on Exchange 2013 CU23, Exchange 2016 CU22 and Exchange Server 2019 CU11 or later, with the August 2022 Security Updates installed.
- Cannot be enabled on Exchange Server 2013 servers hosting Public Folders in co-existence with Exchange 2016/2019.
- Cannot be enabled on Exchange 2016 CU22 or Exchange 2019 CU11 or older hosting a Public Folder Hierarchy.
- Does not work with hybrid servers using Modern Hybrid configuration.
- SSL Offloading scenarios are currently not supported.
- Consistent TLS configuration is required across all Exchange servers.
Known Issues
- Retention Policies using action Move to Archive stops working.
- In Exchange 2013, the MAPI over HTTP probe OutlookMapiHttpCtpProbe might show FAILED.

To perform prerequisite checks and implement WEP, a supporting script ExchangeExtendedProtectionManagement.ps1 has been published. Since enabling WEP impacts how clients and Exchange server communicates, it is highly recommended to test this first on your specific configuration, especially with 3rd party products, before enabling it in production.

Security Updates
So, on with the security updates. The vulnerabilities addressed in the Security Updates for August are:

Vulnerability	Category	Severity	Rating
CVE-2022-21979	Information Disclosure	Important	CVSS:3.1 4.8 / 4.2
CVE-2022-21980	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24477	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-24516	Elevation of Privilege	Critical	CVSS:3.1 8.0 / 7.0
CVE-2022-30134	Elevation of Privilege	Important	CVSS:3.1 7.6 / 6.6
CVE-2022-34692	Information Disclosure	Important	CVSS:3.1 5.3 / 4.6

The following Security Updates address this vulnerability:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU12	Download	15.2.1118.12	KB5015322	KB5014261
Exchange 2019 CU11	Download	15.2.986.29	KB5015322	KB5014261
Exchange 2016 CU23	Download	15.1.2507.12	KB5015322	KB5014261
Exchange 2016 CU22	Download	15.1.2375.31	KB5015322	KB5014261
Exchange 2013 CU23	Download	15.0.1497.40	KB5015321	KB5014260

These Security Updates also fix the following issues:

KB5017261 Start-DatabaseAvailabilityGroup fails with BlockedDeserializeTypeException
KB5017430 E-Discovery search fails in Exchange Online

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

MVP’s around the World (2022)

Posted on July 8, 2022 by Michel de Rooij

A new Microsoft MVP award cycle, a new moment to have a look at the MVP statistics. Below numbers are taken from the public MVP site. July 1st is normally the day of the award cycle, but this year got delayed for a few days due to unknown circumstances. Because people get awarded every month, the comparison to July of every year should give an idea of the yearly trend.

Few points of attention:

Apparently, during the award cycle MVP’s located in Russia or Belarus were removed, including MVP’s that were awarded in the first half of 2022 and thus not up for renewal.
19 anonymous MVP awardees do not disclose location. Those are not represented in below numbers.
The Office Development category was rebranded M365 Development.
The Office Apps & Services category was rebranded M365 Apps & Services.

Awardees per Category

The following table contains the awardees per award category from July of 2019 up to 2022, plus change percentage. It therefor does not reflect on changes during the year (people newly awarded or moving to Microsoft). I will leave the interpretation up to you.

Expertise	Jul’19	Jul’20	%	Jul’21	%	Jul’22	%
Cloud and Datacenter Management	232	209	-10%	219	5%	164	-25%
Microsoft Azure	409	463	13%	534	15%	546	2%
M365 Apps & Services	491	512	4%	556	9%	492	-12%
Business Applications	166	240	45%	323	35%	351	9%
Data Platform	332	358	8%	392	9%	364	-7%
Developer Technologies	644	697	8%	770	10%	715	-7%
Enterprise Mobility	106	103	7%	133	18%	149	12%
AI	84	122	45%	138	13%	128	-7%
M365 Development	47	64	36%	69	8%	59	-14%
Windows Development	119	110	-8%	120	9%	92	-23%
Windows and Devices for IT	57	43	-25%	42	-2%	45	7%
Total no. of Awards	2687	2931	9%	3296	12%	3105	-6%
Total no. of MVP’s	2634	2850	8%	3224	13%	3024	-6%

Note: The difference between total number of awards and total number of MVP’s is caused by MVP’s awarded in multiple categories. A total of 124 MVP’s were awarded in two or more categories.

M365 Apps & Services per Country

When zooming in on the M365 Apps & Services category, the awards per country are shown below, including the % change compared to last year. As you might notice, there are quiet a number of countries without MVP’s compared to last year.

Country	Number	Country	Number	Country	Number	Country	Number
AUS	26 (-4%)	FRA	16 (-34%)	NZL	6 (0%)	ESP	10 (-34%)
AUT	3 (-25%)	DEU	30 (-4%)	NGA	4 (0%)	LKA	0 (-100%)
BEL	5 (0%)	GHA	1 (0%)	NOR	5 (-29%)	SWE	8 (-20%)
BIH	1 (0%)	GRC	1 (0%)	PAK	1 (0%)	CHE	2 (-50%)
BRA	12 (-15%)	HUN	1 (-50%)	PER	1 (0%)	TWN	4 (0%)
BGR	3 (0%)	IND	10 (-29%)	POL	5 (-38%)	THA	2 (0%)
KHM	1 (0%)	IRL	1 (-75%)	PRT	3 (0%)	NLD	22 (4%)
CAN	34 (-15%)	ISR	3 (0%)	RUS	0 (-100%)	TUR	2 (0%)
CHN	19 (0%)	ITA	4 (0%)	SAU	1 (-50%)	UKR	2 (0%)
COL	5 (-29%)	JPN	17 (-15%)	SEN	1 (0%)	ARE	1 (-50%)
HRV	5 (0%)	KOR	14 (-18%)	SRB	0 (-100%)	GBR	37 (-16%)
CZE	2 (0%)	MKD	2 (0%)	SGP	4 (0%)	USA	112 (-16%)
DNK	5 (-29%)	MYS	1 (0%)	SVK	1 (0%)	URY	1 (0%)
EGY	1 (0%)	MEX	8 (0%)	SVN	2 (0%)	VNM	1 (0%)
SLV	1 (0%)	MMR	1 (0%)	ZAF	4 (0%)
FIN	5 (-17%)	NPL	0 (-100%)

If you have questions or comments, please leave them in the comments below.

Exchange Announcements

Posted on June 4, 2022 by Michel de Rooij

Few days ago, the Exchange Product made several announcements related to Exchange Server and its future. The overall message throughout these announcements can be interpreted as that Microsoft is publicly declaring to be committed to developing and supporting the Exchange Server product. This is especially of interest to those customers running it as part of their on-premises infrastructure. It is also assuring those that believe the road ahead was a dead end, eventually forcing them to move to Exchange Online, or look for alternatives.

The announcements made were in the area of:

Lifecycle policies remain intact for current versions of Exchange Server.
The next version of Exchange Server, also known as Exchange vNext, will move to a continuous support model, but comes with requirements.
Upgrade path for Exchange vNext.
Modern Authentication support for non-hybrid Exchange 2019 deployments.
Exchange 2019 support for TLS 1.3.
Possibility to receive pre-release builds of Exchange server through Microsoft’s TAP program.
Exchange Admin Center will receive overview section for Exchange servers update status in Exchange hybrid deployments.
HCW will allow admins to skip configuration steps.
Script to remove obsolete mitigations from EEMS.
Microsoft Exchange ~~Conference~~ Community Virtual Airlift (MEC) for September 13-14! (register)
Feedback forums for Exchange Online and Exchange Server.