The Exchange Team released Exchange Server 2019 Cumulative Update H1 2024, or CU14. Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following changes:
- .NET Framework 4.8.1 support on Windows Server 2022
- Extended Protection will be enabled by default on the server where you install CU14 (and later). You can override this behavior during setup, or by specifying the DoNotEnableEP or DoNotEnableEPFEEWS switch when running setup unattended. More info on these switches, as well as the Extended Protection requirements and how to configure it, can be found here.
Unfortunately, TLS 1.3 support has been moved to CU15.
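Since CU14 switches Extended Protection on for you, the first thing to verify after setup is what IIS actually ended up with. The following is an added example (not code from the original post or from Microsoft) that lists the Extended Protection `tokenChecking` value for every Exchange virtual directory on the local server. It assumes the default IIS site names ("Default Web Site" and "Exchange Back End") and the WebAdministration module that ships with IIS; which directories are expected to be "Require" versus "Allow" is documented by Microsoft and is not hard-coded here.

```powershell
# Added example: report Extended Protection (EP) token checking per Exchange vdir.
# Run in an elevated PowerShell on the Exchange server after CU14 setup completes.
# Assumption: default IIS site names; adjust $Sites if yours differ.
Import-Module WebAdministration

$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-TokenChecking {
    param([string]$PSPath)
    # Depending on the IIS version the cmdlet returns either a plain string or a
    # ConfigurationAttribute object, so normalise both to a string.
    $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $epFilter -Name tokenChecking
    if ($raw -is [string]) { return $raw }
    return [string]$raw.Value
}

function Get-ExchangeEPStatus {
    param([string[]]$Sites = @('Default Web Site', 'Exchange Back End'))

    foreach ($site in $Sites) {
        # Site-level setting: inherited by any vdir that does not override it.
        [pscustomobject]@{
            Site             = $site
            VirtualDirectory = '(site)'
            TokenChecking    = Get-TokenChecking -PSPath "IIS:\Sites\$site"
        }
        foreach ($app in Get-WebApplication -Site $site) {
            $path = $app.Path.TrimStart('/')
            [pscustomobject]@{
                Site             = $site
                VirtualDirectory = $path
                TokenChecking    = Get-TokenChecking -PSPath "IIS:\Sites\$site\$path"
            }
        }
    }
}

$status = Get-ExchangeEPStatus
$status | Format-Table -AutoSize

# Anything still at "None" is not protected by EP at all; compare the rest against
# Microsoft's per-directory Require/Allow table rather than assuming "Require" everywhere.
$status | Where-Object { $_.TokenChecking -eq 'None' } |
    ForEach-Object { Write-Warning "Extended Protection is not enabled on $($_.Site)/$($_.VirtualDirectory)" }
```

If you deliberately ran setup with DoNotEnableEP, expect every row to read "None"; the warnings then simply confirm that EP still has to be configured by hand before the server is exposed.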
CVE-2024-21410
Enabling Extended Protection also addresses the just released CVE-2024-21410. This also applies to Exchange 2016 and even Exchange 2013 when you deployed the August 2022 Security Update on those servers and enabled Extended Protection on them.
Vulnerability | Category | Severity | Rating |
---|---|---|---|
CVE-2024-21410 | Elevation of Privilege | Critical | CVSS:3.1 9.8 / 9.1 |
Download
Link to the update as well as a description of changes and fixes are below. The columns Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (/PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.
Exchange 2019 CU14 fixes:
- 5035442 Exchange Mitigation Service does not log incremental updates
- 5035443 Read receipts are returned if ActiveSyncSuppressReadReceipt is “True” in Exchange Server 2019
- 5035444 System.argumentnullexception when you try to run an eDiscovery search
- 5035446 OAB shadow distribution fails if legacy authorization is blocked
- 5035448 MCDB fails and leads to lagged copy activation
- 5035450 Exchange 2019 setup installs an outdated JQuery library
- 5035452 Usernames are not displayed in Event ID 23 and 258
- 5035453 Issues in Exchange or Teams when you try to delegate information
- 5035455 MSExchangeIS stops responding and returns “System.NullReferenceExceptions” multiple times per day
- 5035456 “Deserialization blocked at location HaRpcError” error and Exchange replication stops responding
- 5035493 FIP-FS Proxy Customizations are disabled after a CU or an SU update
- 5035494 Modern attachment doesn’t work when web proxy is used in Exchange Server 2019
- 5035495 OWA displays junk operations even if junk mail reporting is disabled
- 5035497 Edit permissions option in the ECP can’t be edited
- 5035542 Remote equipment and room mailboxes can now be managed through EAC
- 5035616 Logon events failure after updating Windows Server
- 5035617 Transport rules aren’t applied to multipart or alternative messages
- 5035689 “High %Time in GC” and EWS doesn’t respond
Notes
- If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
- When upgrading from an n-2 or earlier version of Exchange, or an earlier version of the .NET Framework, consult Upgrade Paths for CUs & .NET.
- Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
- When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
- Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This prevents installation failures caused by the inability to validate script signatures.
- If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
- Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
- Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
- The recommended upgrade order is internet-facing servers first, then non-internet-facing servers, followed by Edge Transport servers.
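The notes above (schema/AD preparation, execution policy, maintenance mode, unattended setup) are usually run as one sequence per server. The script below is an added example, not from the original post or from the Exchange product, that strings them together for a single DAG member. It assumes the CU is extracted to D:\CU14, that the server is a DAG member, and that $PeerServer (hypothetical name EXCH02, in the same DNS domain) can take over its transport queues; the Exchange version-tracking objects it reads are the ones referenced on the Exchange schema versions page.

```powershell
# Added example: pre-flight, maintenance mode, unattended CU setup, and post-check for
# one Mailbox server. Run in an elevated Exchange Management Shell on that server.
# Assumptions (not from the post): CU extracted to D:\CU14, DAG member, peer EXCH02.
param(
    [string]$SetupPath  = 'D:\CU14\Setup.exe',
    [string]$PeerServer = 'EXCH02',            # hypothetical peer DAG member
    [string]$Server     = $env:COMPUTERNAME
)
Import-Module ActiveDirectory

# 1. Record the schema and AD object versions so you can see afterwards whether
#    /PrepareSchema or /PrepareAD changed anything (compare with the schema versions page).
function Get-ExchangeVersionInfo {
    param([string]$Stage)
    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" -Properties rangeUpper
    $org     = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)" `
                   -Filter 'objectClass -eq "msExchOrganizationContainer"' -Properties objectVersion
    $domain  = Get-ADObject "CN=Microsoft Exchange System Objects,$($rootDse.defaultNamingContext)" -Properties objectVersion
    [pscustomobject]@{
        Stage               = $Stage
        SchemaRangeUpper    = $schema.rangeUpper
        OrgObjectVersion    = $org.objectVersion
        DomainObjectVersion = $domain.objectVersion
    }
}
$before = Get-ExchangeVersionInfo -Stage 'Before'

# 2. Execution policy: a policy enforced through Group Policy (MachinePolicy scope)
#    cannot be changed locally, so fail early instead of letting setup fail later.
if ((Get-ExecutionPolicy -Scope MachinePolicy) -ne 'Undefined') {
    throw 'Execution policy is enforced by Group Policy; adjust it there before running setup.'
}
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force

# 3. Maintenance mode (the documented DAG procedure, condensed): drain transport,
#    move active copies away, and take the server fully offline before setup starts.
Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
Redirect-Message -Server $Server -Target "$PeerServer.$env:USERDNSDOMAIN" -Confirm:$false
Suspend-ClusterNode -Name $Server | Out-Null
Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked
Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance

# 4. Unattended upgrade. Setup performs schema/AD preparation itself when the account has
#    the rights; otherwise run /PrepareSchema and /PrepareAD beforehand with one that does.
#    Append /DoNotEnableEP only if Extended Protection must not be switched on yet.
& $SetupPath /Mode:Upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
if ($LASTEXITCODE -ne 0) { throw "Setup failed with exit code $LASTEXITCODE; see ExchangeSetup.log" }

# 5. Leave maintenance mode (reverse of step 3) and show the version objects side by side.
Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
Resume-ClusterNode -Name $Server | Out-Null
Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Unrestricted
Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $false
Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance
Restart-Service MSExchangeTransport

$after = Get-ExchangeVersionInfo -Stage 'After'
@($before, $after) | Format-Table -AutoSize
```

Once the server is back in service, the execution policy can be returned to the value your baseline requires; Unrestricted is only needed while setup runs. If the "Before" and "After" rows differ, the CU did carry schema or AD changes and every other server in the organization will pick them up from the directory, not from its own setup run.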
Caution
As with any update, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.