Rerelease of MS13-061/KB2874216 for Exchange 2013

Today the rereleases of the MS13-061 Security Fix for Exchange 2013 CU1 and Exchange 2013 CU2 saw daylight. This security update, KB2874216, fixes the issue described in Microsoft Security Bulletin MS13-061 and supposedly fixes the issues found with the original release. After installing the v2 patch, the version will be upped 2 notches compared to the original patch.

As mentioned in an earlier article, security fixes are Cumulative Update level specific. In practice, this means there are two different versions of the security update patch file: one for CU1 and one for CU2.

Be advised both files carry the same file name, Exchange2013-KB2874216-v2-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when you archive it, e.g. Exchange2013-KB2874216-v2-x64-en-CU2.msp.

As with any patch or update, I’d recommend thoroughly testing this in a test and acceptance environment first, prior to implementing it in production. If you don’t have the resources and risk management can agree, you might want to consider postponing implementation for a short period while monitoring for issues in the online.

You can download the security updates here:

Fix for MS13-061 breaking Exchange 2013 (Updated)

UPDATE: The MS13-061 security update for Exchange 2013 CU1 & CU2 has been pulled until further notice. Microsoft recommends not installing MS13-061 at the moment and disabling Data Loss Prevention and WebReady, as described in the “Oracle Outside In Contains Multiple Exploitable Vulnerabilities” section of the MS13-061 bulletin.

After some people reported issues after installing the MS13-061 (KB2874216) security update on Exchange 2013, it turns out MS13-061 breaks your installation of Exchange 2013 and you can experience the following symptoms:

  • The Microsoft Exchange Search Host Controller service is missing;
  • You see a new service named “Host Controller service for Exchange”;
  • Content index (CI) for mailbox databases shows Failed on affected server.

This is described in KB2879739, including the ‘workaround’, which consists of three steps:

  1. Set HKLM\SOFTWARE\Microsoft\Search Foundation for Exchange\Data Directory to $exinstall\Bin\Search\Ceres\HostController\Data (REG_SZ), where $exinstall is the installation folder of your Exchange 2013 installation, e.g. C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data;
  2. Set HKLM\SYSTEM\CurrentControlSet\Services\HostControllerService\DisplayName=”Microsoft Exchange Search Host Controller” (REG_SZ);
  3. Set HKLM\SYSTEM\CurrentControlSet\Services\HostControllerService\DependOnService=”http” (REG_MULTI_SZ);
  4. (Re)start the “Microsoft Exchange Search Host Controller” service.

For your convenience, I’ve created a small quick & dirty script as a potential time saver (as far as you can call a three-liner a script, and don’t expect extensive error handling either). This script, Workaround-KB2879739.ps1, performs the steps described in KB2879739 so you can run it right after deploying MS13-061 / KB2874216 on your Exchange 2013 server.

You can download the script here.
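The registry values from the steps above can be audited before anything is changed. The following PowerShell is an added example, not the Workaround-KB2879739.ps1 script offered for download and not Microsoft's code; it assumes the ExchangeInstallPath environment variable stands in for $exinstall, and it takes the key, value and service names exactly as they are written in the steps.

```powershell
# Added example: report drift from the KB2879739 workaround values and, with -Apply,
# write them and restart the service. Run elevated on the Exchange 2013 server.
[CmdletBinding()]
param(
    # Assumption: Exchange setup defined the ExchangeInstallPath environment variable.
    [string]$ExInstall = $env:ExchangeInstallPath,
    [switch]$Apply   # without -Apply nothing is modified
)
if (-not $ExInstall) { throw 'Exchange install path unknown; pass -ExInstall.' }

$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HostControllerService'
$expected = @(
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Search Foundation for Exchange'
       Name  = 'Data Directory'   # value name as written in step 1; confirm against KB2879739
       Type  = 'String'
       Value = Join-Path $ExInstall 'Bin\Search\Ceres\HostController\Data' },
    @{ Path  = $svcKey; Name = 'DisplayName'; Type = 'String'
       Value = 'Microsoft Exchange Search Host Controller' },
    @{ Path  = $svcKey; Name = 'DependOnService'; Type = 'MultiString'
       Value = [string[]]@('http') }
)

$drift = 0
foreach ($e in $expected) {
    if (-not (Test-Path $e.Path)) {
        # A missing key means this is not the situation the KB describes; do not create it.
        Write-Output "NOKEY  $($e.Path)"
        continue
    }
    $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    # -join flattens REG_MULTI_SZ arrays so strings and arrays compare the same way.
    if (($current -join "`n") -eq ($e.Value -join "`n")) {
        Write-Output "OK     $($e.Name)"
        continue
    }
    $drift++
    Write-Output "DRIFT  $($e.Name): found '$($current -join ',')', expected '$($e.Value -join ',')'"
    if ($Apply) {
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType $e.Type `
                         -Value $e.Value -Force | Out-Null
    }
}

# Step 4: (re)start the service only when something was actually changed.
if ($Apply -and $drift -gt 0) {
    Restart-Service -Name HostControllerService -Force
}
```

Running it once without -Apply gives a record of the pre-change state for the change log; a second run after -Apply should print only OK lines.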

MS13-061 Security Fix for Exchange 2013 (updated)

UPDATE: The MS13-061 security update for Exchange 2013 CU1 & CU2 has been pulled until further notice. If you have installed it, there are issues with it which can be fixed (link). Microsoft recommends not installing MS13-061 at the moment and disabling Data Loss Prevention and WebReady, as described in the “Oracle Outside In Contains Multiple Exploitable Vulnerabilities” section of the MS13-061 bulletin.

Today the Exchange Team released the first Security Update for Exchange 2013. This security update KB2874216 fixes the issue described in Microsoft Security Bulletin MS13-061.

As mentioned in an earlier article, security fixes are Cumulative Update level specific. How that would turn out in practice remained to be seen at the time of writing that article, but at the moment it means there are two different versions of the security update, one patch file for CU1 and one for CU2 (or the re-release of CU2 actually, version 15.0.712.24 – more information on that here). I assume the .MSP format limits the ability to merge the two and let it make an intelligent decision on what to install.

Be warned that both files carry the same file name. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2013-KB2874216-x64-en-CU2.msp.

As with any patch or update, I’d recommend thoroughly testing this in a test and acceptance environment first, prior to implementing it in production.

You can download the security updates here:

Exchange 2013 CU2 v2

Cumulative Update 2 for Exchange Server 2013 was re-released today. This re-release fixes a serious permission issue when moving modern public folder mailboxes around, as described by the Exchange team here. For more information on changes already incorporated in the original CU2, check the original post on CU2 here.

The part which might confuse some people is that they updated the version of the CU (like they did for some Rollups in the past) while keeping the knowledge base article KB2859928 and download link identical to the original CU2; only the version number has been increased a notch (15.0.712.24). When you download the file it will contain a v2 postfix, i.e. Exchange2013-KB2859928-x64-v2.exe, which is helpful for identification purposes.

Because of the “every server is an island” principle, you don’t need to stick to a certain order when implementing Exchange 2013 updates and in theory you can just update your Mailbox servers. However, be advised that Exchange 2013 security fixes – which are CU level bound as mentioned here and emphasized here – will be based on CU2v2, which means you ultimately must implement CU2v2 on all of your Exchange 2013 servers.

Note that CU2v2 is a full installation set. Before installing CU2v2, make sure to save customized OWA settings as the web.config files might get overwritten causing OWA to use default settings (see KB2871485).

As with any update, I’d recommend thoroughly testing this in a test and acceptance environment first (re-releases make a great business case), prior to implementing it in production.

You can download Exchange 2013 CU2 v2 here.

Exchange 2013 Cumulative Update 2

Cumulative Update 2 for Exchange Server 2013 was released today by the Exchange Team (KB2859928). This update raises Exchange 2013 version number to 15.0.712.22.

This CU contains the following major changes:

  • CU2 increases the maximum number of supported databases per server from 50 to 100 in the Enterprise Edition;
  • Enables silent redirection for Outlook Web App (OWA) to Exchange 2007 and Exchange 2013 when using multiple internet-facing AD sites or alternative ExternalURL settings (i.e. for legacy purposes);
  • Introduces the DAG Management Service which will offload monitoring and reporting from the Replication Service;
  • Shifting several responders from per-server throttling to per-group throttling;
  • Support for updating local help files using the cmdlet Update-ExchangeHelp;
  • Improvements in OWA Search to indicate search hit locations;
  • Introduction of *-MalwareFilterRule Cmdlets to apply custom malware policies to users, groups or domains.

The majority of the enhancements are in line with announcements at TechEd, on which I reported earlier here. The only exception is the Azure File Share Witness, which didn’t make it into CU2 but is expected to appear in a later build.

Unfortunately, the list of bug fixes in this CU is undisclosed. However, I was able to assemble the following (incomplete) list with things fixed in this CU:

  • KB2866064 Can’t load OWA Premium by using Internet Explorer 11 in an Exchange Server 2013, Exchange Server 2010 or Exchange Server 2007 environment
  • KB2846288 Information store worker process crashes when you export mailboxes in an Exchange Server 2013 environment
  • KB2842504 EAS users incorrectly throttled in an Exchange Server 2013 environment
  • KB2830765 “MAPI_E_FAILONEPROVIDER” error when you use a MAPI application in a mixed Exchange Server 2013 and Exchange Server 2007 or Exchange Server 2010 environment
  • KB2835562 You can’t disable Outlook Web App access for users in on-premises Exchange Server

This Cumulative Update includes schema and AD changes, so make sure you run PrepareSchema/PrepareAD. Note that Cumulative Updates can be installed directly, i.e. no need to install RTM then CU1 etc. and once installed, you can’t uninstall a CU nor any of the installed roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

As with any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend thoroughly testing this in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2013 Cumulative Update 2 here. More details about these changes, preparing Active Directory or installing this Cumulative Update can be found in the original announcement.