Tag Archives: CU1

Exchange Updates – February 2019

Posted on by
10

Update: Added note that Exchange 2010 SP3 RU26 adds support for Windows Server 2012 R2.

Today, the Exchange Team released the overdue quarterly Cumulative Updates for Exchange Server 2013, Exchange 2016 and Exchange 2019, as well as a Rollup for Exchange Server 2010.

The KB articles that describe the fixes in each release and product downloads are available as follows:

Version Build KB Download UMLP Schema
Exchange 2019 CU1 15.2.330.5 KB4471391 VLSC N
Exchange 2016 CU12 15.1.1713.5 KB4471392 Download UMLP N
Exchange 2013 CU22 15.0.1473.3 KB4345836 Download UMLP N
Exchange 2010 SP3 RU26 14.3.442.0 KB4487052 Download N

This update contain the following important changes and notes:

  • Due to issue CVE-2018-8581, the EWS architecture was changed, in particular push notifications. Details on the change are described in KB4490060; while the change has been tested against EWS clients such as Outlook for Mac and Skype for Business, organizations may need to test any applications leveraging EWS to estimate potential impact of installing these Cumulative Updates or Rollup. In addition, organizations are advised to password reset Exchange computer accounts.
  • These Exchange builds introduces a change in the shared permissions model (this does not apply to Split Permissions Model). Result is that Exchange no longer requires fargoing permissions in Active Directory (e.g. WriteDACL on root of domain). To makes these changes become effective:
    • For Exchange 2013-2019 Cumulative Updates, run setup using /PrepareAD. In multi-forest environments, this needs to be done in every domain of the forest.
    • For Exchange 2010, go through the instructions mentioned in KB4490059.
  • Organizations considering moving to the Split Permissions because of CVE-2018-8581 should know Microsoft fully supports both models. Switching can have serious consequences and therefor should be fully evaluated.
  • This build of Exchange 2019 introduces cmdlets to block usage of legacy authentication protocols for users through policies, e.g. Basic Authentication.
  • Prior to deploying Exchange 2016 CU12 or Exchange 2013 CU22 on Edge Transport servers, install Visual C++ 2012 Runtime.
  • These Cumulative Updates will remove the DisableLoopbackCheck key when present; removing this key was a mitigation for CVE-2018-8581.
  • Exchange 2010 SP3 RU26 adds support for Windows Server 2012 R2, to accommodate for the Hybrid Agent.

Exchange 2019 CU1 fixes:

  • 4487596 Emails are blocked in moderator mailbox Outbox folder when you send large volumes of emails in Exchange Server 2019
  • 4487591 The recipient scope setting doesn’t work for sibling domains when including OUs in the scope in Exchange Server 2019
  • 4487602 Outlook for Mac users can still expand a distribution group when hideDLMembership is set to true in Exchange Server 2019
  • 4488076 Outlook on the Web can’t be loaded when users use an invalid Windows language in operating system in Exchange Server 2019
  • 4488079 Exchange Server 2016 allows adding Exchange Server 2019 mailbox server into a same DAG and vice versa
  • 4488263 X-MS-Exchange-Organization-BCC header isn’t encoded correctly in Exchange Server 2019
  • 4488080 New-MigrationBatch doesn’t honor RBAC management scope in Exchange Server 2019
  • 4488262 Delivery Reports exception when tracking a meeting request that’s sent with a room resource in Exchange Server 2019
  • 4488268 Disable the irrelevant Query logs that’re created in Exchange Server 2019
  • 4488267 Test-OAuthConnectivity always fails when Exchange Server uses proxy to connect to Internet in Exchange Server 2019
  • 4488266 Client application doesn’t honor EwsAllowList in Exchange Server 2019
  • 4488265 “There are problems with the signature” error occurs for digital signature message if attachment filtering is enabled in Exchange Server 2019
  • 4488398 “The Microsoft Exchange Replication service may not be running on server” error when you add a mailbox database copy in Exchange Server 2019
  • 4488264 Mailbox that has a bad move request can’t be cleaned up from destination mailbox database in Exchange Server 2019
  • 4488261 Event ID 1002 when the store worker process crashes in Exchange Server 2019
  • 4488260 New-MailboxExportRequest and New-MailboxImportRequest don’t honor RBAC management scope in Exchange Server 2019
  • 4488259 MailTip shows wrong number of users for a distribution group if the users are in different domains in Exchange Server 2019
  • 4488258 OAuth authentication is removed when saving MAPI virtual directory settings in EAC in Exchange Server 2019
  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2016 CU12 fixes:

  • 4487596 Emails are blocked in moderator mailbox Outbox folder when you send large volumes of emails in Exchange Server 2016
  • 4456241 You receive a meeting request that has a “not supported calendar message.ics” attachment in Exchange Server 2016
  • 4456239 New-MailboxRepairRequest doesn’t honor RBAC RecipientWriteScope restrictions in Exchange Server 2016
  • 4487591 The recipient scope setting doesn’t work for sibling domains when including OUs in the scope in Exchange Server 2016
  • 4468363 MRM does not work for mailboxes that have an online archive mailbox in Exchange Server
  • 4487603 “The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2016
  • 4487602 Outlook for Mac users can still expand a distribution group when hideDLMembership is set to true in Exchange Server 2016
  • 4488076 Outlook on the Web can’t be loaded when users use an invalid Windows language in operating system in Exchange Server 2016
  • 4488079 Exchange Server 2016 allows adding Exchange Server 2019 mailbox server into a same DAG and vice versa
  • 4488077 Can’t configure voice mail options when user is in different domain in Exchange Server 2016
  • 4488263 X-MS-Exchange-Organization-BCC header isn’t encoded correctly in Exchange Server 2016
  • 4488080 New-MigrationBatch doesn’t honor RBAC management scope in Exchange Server 2016
  • 4488262 Delivery Reports exception when tracking a meeting request that’s sent with a room resource in Exchange Server 2016
  • 4488268 Disable the irrelevant Query logs that’re created in Exchange Server 2016
  • 4488267 Test-OAuthConnectivity always fails when Exchange Server uses proxy to connect to Internet in Exchange Server 2016
  • 4488266 Client application doesn’t honor EwsAllowList in Exchange Server 2016
  • 4488265 “There are problems with the signature” error occurs for digital signature message if attachment filtering is enabled in Exchange Server 2016
  • 4488264 Mailbox that has a bad move request can’t be cleaned up from destination mailbox database in Exchange Server 2016
  • 4488261 Event ID 1002 when the store worker process crashes in Exchange Server 2016
  • 4488260 New-MailboxExportRequest and New-MailboxImportRequest don’t honor RBAC management scope in Exchange Server 2016
  • 4488259 MailTip shows wrong number of users for a distribution group if the users are in different domains in Exchange Server 2016
  • 4488258 OAuth authentication is removed when saving MAPI virtual directory settings in EAC in Exchange Server 2016
  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2013 CU22 fixes:

  • 4487603 “The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2013
  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2010 SP3 RU26 fixes:

  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access

Notes:

  • These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update. However, due to changes in the permissions architecture, you need to run setup /PrepareAD to implement these changes as well as apply any RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to delay installing at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – March 2016

Posted on by
1

Ex2013 LogoToday, the Exchange Team released one big wave of Exchange updates for Exchange 2016 down to Exchange 2007.

Changes in contained in these updates:

  • Exchange 2016 CU1 is an uncompressed ISO file. If bandwidth is scarce where you will be deploying, be sure to download this 6GB file upfront.
  • Mailbox Anchoring, introduced with the previous CU for Exchange 2013 and Exchange 2016, is reverted.
  • Exchange 2010 supports stand-alone Exchange 2010 Hybrid wizard.
  • All updates will introduce updated OWA/Ootw S/MIME control.

For a list of fixes in these updates, see below.

Exchange 2016 Cumulative Update 1 15.1.396.30 KB3134844 Download UML
Exchange 2013 Cumulative Update 12 15.0.178.4 KB3108023 Download UML
Exchange 2010 Service Pack 3 Rollup 13 14.3.294.0 KB3141339 Download
Exchange 2007 Service Pack 3 Rollup 19 8.3.459.0 KB3141352 Download

Exchange 2016 CU1 fixes:

  • KB 3139730 Edge Transport service crashes when you view the properties of a poison message in Exchange Server 2016
  • KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
  • KB 3135688 Preserves the web.config file for Outlook Web App when you apply a cumulative update in Exchange Server 2016
  • KB 3135601 Cyrillic characters are displayed as question marks when you run the “Export-PublicFolderStatistics.ps1” script in an Exchange Server 2016 environment
  • KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016

Exchange 2013 CU12 fixes:

  • KB 3143710 “Failed Search or Export” error occurs when an eDiscovery search in the Exchange Admin Center finishes
  • KB 3138644 Messages are stuck in the Submission queue until NDRs are returned or the server is restarted
  • KB 3137585 OAuth authentication fails in a proxy scenario between Exchange Server 2013 hybrid on-premises and Office 365
  • KB 3137581 An eDiscovery search of all mailboxes or some Distribution Groups fails when you use the Exchange Administration Center
  • KB 3137390 “DeviceId cannot contain hyphens” warning occurs when you use the Exchange Management Shell or the Exchange Administration Center to remove the associations in Exchange Server
  • KB 3137384 Error occurs when you remove an ActiveSync device in the Exchange Management Shell or from the Exchange Administration Center
  • KB 3137383 CafeLocalProbe fails if the Health Mailbox UPN doesn’t match its Active Directory domain name
  • KB 3137380 Both read receipts and Non-read receipts are generated when an email is read through IMAP or POP in Exchange Server 2013
  • KB 3137377 MSExchange FrontEnd Transport service crashes when email messages are processed that contain a null “X-OriginatorOrg” message header
  • KB 3136694 Calendar items are not synced correctly when you use Exchange ActiveSync on a mobile device
  • KB 3136404 Searching by Furigana in Outlook’s address book is unsuccessful in an Exchange Server 2013 environment
  • KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
  • KB 3135334 Cannot set Title in Exchange Admin Center (ECP) if it contains more than 64 characters
  • KB 3135269 Event ID 4999 with MSExchangerepl.exe and MSExchangeDagMgmt.exe crash in Exchange Server 2013 environment
  • KB 3135018 Cannot remove devices when the DeviceType property includes a forward slash
  • KB 3134952 EdgeTransport.exe crashes when you view details of messages in the poison message queue
  • KB 3134918 An IRM-protected message sent to an external contact isn’t returned in a search or discovery results when journaling is implemented in an Exchange Server 2013 environment
  • KB 3134894 The “Search-Mailbox” cmdlet together with the “Attachment” property keyword lists all items that contain the query string of “attachment”
  • KB 3128706 HttpProxy overloads a downlevel Client Access Server in an Exchange Server 2013 co-existence environment
  • KB 3124248 Managed Availability responders fail because of invalid WindowsService names in an Exchange Server 2013 environment
  • KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016
  • KB 3124064 Event ID 1009 is logged and no Health Manager alerts on failed content indexes during migration in Exchange Server 2013
  • KB 3118902 Resource Booking Assistant doesn’t update the subject of a recurring meeting in Exchange Server 2013
  • KB 3109539 Exchange Management Shell doesn’t return the correct number of Exchange Server 2013 Enterprise CALs license
  • KB 3108415 Logon for POP3 client disconnects randomly in an Exchange Server 2013 environment
  • KB 3106236 The “Export-PublicFolderStatistics.ps1” cmdlet exports Russian (Cyrillic) characters as question marks
  • KB 3098561 “Error executing child request for /owa/auth/errorFE.aspx” when you browse to /ECP in Exchange Server 2013

Notes:

  • Exchange 2016 CU1 includes schema changes, and Exchange 2013 CU12 may introduce RBAC changes in your environment. When applicable, make sure you run PrepareSchema /PrepareAD before deploying. To verify this step has been performed, consult the Exchange schema overview.
  • If you have deployed KB3097966 on your Exchange server running on Windows Server 2012 R2, you may want to manually recompile the .NET assemblies before upgrading Exchange to significantly speed up the process. To accomplish this, run the following on every Exchange server on Windows Server 2012 R2:
    “%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update”
    Don’t get upset by the messy output and any error messages; if the result of this command shown in the output is ‘0’ you’re good to go.
  • Be advised .NET Framework 4.6.1 is still not supported; make sure you don’t install this .NET update on your Exchange servers.
  • The Windows Management Framework (WMF)/ PowerShell version 5 is not supported. Don’t install this on your Exchange servers.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.
  • Rollups are cumulative per service pack level, meaning you can apply the latest Rollup for Service Pack X to a Service Pack X installation.

Finally, as always for any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the original article or TechNet forum for any issues.

 

Rerelease of MS13-06/KB2874216 for Exchange 2013

Posted on by
1

Ex2013 LogoToday the rereleases of MS13-061 Security Fix for Exchange 2013 CU1 and Exchange 2013 CU2 saw daylight. This security update KB2874216 fixes the issue described in Microsoft Security Bulletin MS13-061 and supposedly fixes the issues found with the original release. After installing the v2 patch, the version will be upped 2 notches compared to the original patch.

As mentioned in an earlier article, security fixes are Cumulative Update level specific. In practice, this means there are two different versions of the security update patch file: one for CU1 and one for CU2.

Be advised both files carry the same file name, Exchange2013-KB2874216-v2-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when you archive it, e.g. Exchange2013-KB2874216-v2-x64-en-CU2.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. If you don’t have the resources and risk management can agree, you might want to consider postponing implementation for a short period while monitoring for issues in the online.

You can download the security updates here:

Fix for MS13-061 breaking Exchange 2013 (Updated)

Posted on by
14

Ex2013 LogoUPDATE: The MS13-061 security update for Exchange 2013 CU1 & CU2 has been pulled until further notice. Microsoft recommends not installing MSI13-061 at the moment and disable Data Loss Prevention and WebReady as described in the Oracle Outside In Contains Multiple Exploitable Vulnerabilities section in the MS13-061 bulletin.

After some people reported issues after installing the MS13-061 (KB2874216) security update on Exchange 2013, it turns out MS13-061 breaks your installation of Exchange 2013 and you can experience the following symptoms:

  • The Microsoft Exchange Search Host Controller service is missing;
  • You see a new service named “Host Controller service for Exchange”;
  • Content index (CI) for mailbox databases shows Failed on affected server.

This is described in KB2879739 including the ‘workaround’, which is consists of three steps:

  1. Set HKLM\SOFTWARE\Microsoft\Search Foundation for Exchange\Data Directory to $exinstall\Bin\Search\Ceres\HostController\Data (REG_SZ), where $exinstall is the installation folder of your Exchange 2013 installation folder, e.g. C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data;
  2. Set HKLM\SYSTEM\CurrentControlSet\Services\HostControllerService\DisplayName=”Microsoft Exchange Search Host Controller” (REG_SZ);
  3. Set HKLM\SYSTEM\CurrentControlSet\Services\HostControllerService\DependOnService=”http” (REG_MULTI_SZ);
  4. (Re)start the “Microsoft Exchange Search Host Controller” service.

For your convenience, I’ve create a small quick & dirty script as a potential time saver (as far as you can call a three-liner a script and don’t expect extensive error handling as well). This script Workaround-KB2879739.ps1 performs the steps described in the KB2879739 so you can run it right after deploying MS13-061 / KB2874216 on your Exchange 2013 server.

You can download the script here.

MS13-061 Security Fix for Exchange 2013 (updated)

Posted on by
2

Ex2013 LogoUPDATE: The MS13-061 security update for Exchange 2013 CU1 & CU2 has been pulled until further notice.If you have installed it, there are issues with it which can be fixed (link). Microsoft recommends not installing MSI13-061 at the moment and disable Data Loss Prevention and WebReady as described in the Oracle Outside In Contains Multiple Exploitable Vulnerabilities section in the MS13-061 bulletin.

Today the Exchange Team released the first Security Update for Exchange 2013. This security update KB2874216 fixes the issue described in Microsoft Security Bulletin MS13-061.

As mentioned in an earlier article, security fixes are Cumulative Update level specific. How that would turn out in practice remained to be seen at the time of writing that article, but at the moment it means there are two different versions of the security update, one patch file for CU1 and one for CU2 (or the re-release of CU2 actually, version 15.0.712.24 – more information on that here). I assume the .MSP format limits the ability to merge the two and let it make an intelligent decision on what to install.

Be warned that both files carry the same file name, I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2013-KB2874216-x64-en-CU2.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

You can download the security updates here:

Exchange 2013 CU1 ETA: April 2nd

Posted on by
3

Ex2013 LogoToday the Exchange Team announced postponing the release of Exchange 2013 Cumulative Update 1 for a few more days. Originally, CU1 was scheduled for Q1 2013, but the date has been set now at April 2nd, 2013.

While it may sound disappointing when you’re waiting for Exchange 2013 RTM CU1, it makes sense to postpone it a bit. As the team indicated,the time is used to add functionality required for coexistence scenarios with Exchange Server 2010 which otherwise had to be put in an update for Exchange 2010 Client Access servers. I expect people to be less happy as Exchange 2010 Service Pack 3 was heralded as the Exchange 2010 product level for coexistence support with Exchange 2013 (running CU1).

Also, looking at time frames involved with testing and accepting updates in production environments, I personally applaud this decision as putting that code in Exchange 2013 at the cost of a few days may in the end be faster than adding that code to Exchange Server 2010, requiring customers to initiate test an acceptance tracks for production updates.

So, until further notice we’ll have to wait just a few more additional days to see what Cumulative Update 1 will bring us.