Exchange Updates ‚Äď February 2019

Update: Added note that Exchange 2010 SP3 RU26 adds support for Windows Server 2012 R2.

Today, the Exchange Team released the overdue quarterly Cumulative Updates for Exchange Server 2013, Exchange 2016 and Exchange 2019, as well as a Rollup for Exchange Server 2010.

The KB articles that describe the fixes in each release and product downloads are available as follows:

Version Build KB Download UMLP Schema
Exchange 2019 CU1 15.2.330.5 KB4471391 VLSC N
Exchange 2016 CU12 15.1.1713.5 KB4471392 Download UMLP N
Exchange 2013 CU22 15.0.1473.3 KB4345836 Download UMLP N
Exchange 2010 SP3 RU26 14.3.442.0 KB4487052 Download N

This update contain the following important changes and notes:

  • Due to issue CVE-2018-8581, the EWS architecture was changed, in particular push notifications. Details on the change are described in KB4490060; while the change has been tested against EWS clients such as Outlook for Mac and Skype for Business, organizations may need to test any applications leveraging EWS to estimate potential impact of installing these Cumulative Updates or Rollup. In addition, organizations are advised to password reset Exchange computer accounts.
  • These Exchange builds introduces a change in the shared permissions model (this does not apply to Split Permissions Model). Result is that Exchange no longer requires fargoing permissions in Active Directory (e.g. WriteDACL on root of domain). To makes these changes become effective:
    • For Exchange 2013-2019 Cumulative Updates, run setup using /PrepareAD. In multi-forest environments, this needs to be done in every domain of the forest.
    • For Exchange 2010, go through the instructions mentioned in KB4490059.
  • Organizations considering moving to the Split Permissions because of CVE-2018-8581 should know Microsoft fully supports both models. Switching can have serious consequences and therefor should be fully evaluated.
  • This build of Exchange 2019 introduces cmdlets to block usage of legacy authentication protocols for users through policies, e.g. Basic Authentication.
  • Prior to deploying Exchange 2016 CU12 or Exchange 2013 CU22 on Edge Transport servers, install Visual C++ 2012 Runtime.
  • These Cumulative Updates will remove the DisableLoopbackCheck key when present; removing this key was a mitigation for CVE-2018-8581.
  • Exchange 2010 SP3 RU26 adds support for Windows Server 2012 R2, to accommodate for the Hybrid Agent.

Exchange 2019 CU1 fixes:

  • 4487596¬†Emails are blocked in moderator mailbox Outbox folder when you send large volumes of emails in Exchange Server 2019
  • 4487591¬†The recipient scope setting doesn’t work for sibling domains when including OUs in the scope in Exchange Server 2019
  • 4487602¬†Outlook for Mac users can still expand a distribution group when hideDLMembership is set to true in Exchange Server 2019
  • 4488076¬†Outlook on the Web can’t be loaded when users use an invalid Windows language in operating system in Exchange Server 2019
  • 4488079¬†Exchange Server 2016 allows adding Exchange Server 2019 mailbox server into a same DAG and vice versa
  • 4488263¬†X-MS-Exchange-Organization-BCC header isn’t encoded correctly in Exchange Server 2019
  • 4488080¬†New-MigrationBatch doesn’t honor RBAC management scope in Exchange Server 2019
  • 4488262¬†Delivery Reports exception when tracking a meeting request that’s sent with a room resource in Exchange Server 2019
  • 4488268¬†Disable the irrelevant Query logs that’re created in Exchange Server 2019
  • 4488267¬†Test-OAuthConnectivity always fails when Exchange Server uses proxy to connect to Internet in Exchange Server 2019
  • 4488266¬†Client application doesn’t honor EwsAllowList in Exchange Server 2019
  • 4488265¬†“There are problems with the signature” error occurs for digital signature message if attachment filtering is enabled in Exchange Server 2019
  • 4488398¬†“The Microsoft Exchange Replication service may not be running on server” error when you add a mailbox database copy in Exchange Server 2019
  • 4488264¬†Mailbox that has a bad move request can’t be cleaned up from destination mailbox database in Exchange Server 2019
  • 4488261¬†Event ID 1002 when the store worker process crashes in Exchange Server 2019
  • 4488260¬†New-MailboxExportRequest and New-MailboxImportRequest don’t honor RBAC management scope in Exchange Server 2019
  • 4488259¬†MailTip shows wrong number of users for a distribution group if the users are in different domains in Exchange Server 2019
  • 4488258¬†OAuth authentication is removed when saving MAPI virtual directory settings in EAC in Exchange Server 2019
  • 4490060¬†Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059¬†Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2016 CU12 fixes:

  • 4487596¬†Emails are blocked in moderator mailbox Outbox folder when you send large volumes of emails in Exchange Server 2016
  • 4456241¬†You receive a meeting request that has a “not supported calendar message.ics” attachment in Exchange Server 2016
  • 4456239¬†New-MailboxRepairRequest doesn’t honor RBAC RecipientWriteScope restrictions in Exchange Server 2016
  • 4487591¬†The recipient scope setting doesn’t work for sibling domains when including OUs in the scope in Exchange Server 2016
  • 4468363¬†MRM does not work for mailboxes that have an online archive mailbox in Exchange Server
  • 4487603¬†“The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2016
  • 4487602¬†Outlook for Mac users can still expand a distribution group when hideDLMembership is set to true in Exchange Server 2016
  • 4488076¬†Outlook on the Web can’t be loaded when users use an invalid Windows language in operating system in Exchange Server 2016
  • 4488079¬†Exchange Server 2016 allows adding Exchange Server 2019 mailbox server into a same DAG and vice versa
  • 4488077¬†Can’t configure voice mail options when user is in different domain in Exchange Server 2016
  • 4488263¬†X-MS-Exchange-Organization-BCC header isn’t encoded correctly in Exchange Server 2016
  • 4488080¬†New-MigrationBatch doesn’t honor RBAC management scope in Exchange Server 2016
  • 4488262¬†Delivery Reports exception when tracking a meeting request that’s sent with a room resource in Exchange Server 2016
  • 4488268¬†Disable the irrelevant Query logs that’re created in Exchange Server 2016
  • 4488267¬†Test-OAuthConnectivity always fails when Exchange Server uses proxy to connect to Internet in Exchange Server 2016
  • 4488266¬†Client application doesn’t honor EwsAllowList in Exchange Server 2016
  • 4488265¬†“There are problems with the signature” error occurs for digital signature message if attachment filtering is enabled in Exchange Server 2016
  • 4488264¬†Mailbox that has a bad move request can’t be cleaned up from destination mailbox database in Exchange Server 2016
  • 4488261¬†Event ID 1002 when the store worker process crashes in Exchange Server 2016
  • 4488260¬†New-MailboxExportRequest and New-MailboxImportRequest don’t honor RBAC management scope in Exchange Server 2016
  • 4488259¬†MailTip shows wrong number of users for a distribution group if the users are in different domains in Exchange Server 2016
  • 4488258¬†OAuth authentication is removed when saving MAPI virtual directory settings in EAC in Exchange Server 2016
  • 4490060¬†Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059¬†Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2013 CU22 fixes:

  • 4487603¬†“The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2013
  • 4490060¬†Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059¬†Reducing permissions required to run Exchange Server using Shared Permissions Model

Exchange 2010 SP3 RU26 fixes:

  • 4490060¬†Exchange Web Services Push Notifications can be used to gain unauthorized access

Notes:

  • These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update. However, due to changes in the permissions architecture, you need to run setup /PrepareAD to implement these changes as well as apply any RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU‚Äôs & .NET.
  • Don‚Äôt forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to delay installing at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher‚Äôs certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can‚Äôt uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates ‚Äď June 2018

Ex2013 LogoThe Exchange Team released the June updates for Exchange Server 2013 and 2016, and an additional Rollup 22 for Exchange Server 2010 Service Pack 3.

Apart from fixes and time zone changes, these updates contain the following important changes and notes:

  • As announced earlier, Exchange 2013 CU21 and Exchange 2016 CU10 require .NET Framework 4.7.1.
  • All three updates require the VC++ 2013 runtime library, because it is needed by a 3rd component in¬†WebReady Document Viewing in Exchange 2010/2013 and Data Loss Prevention in Exchange 2013/2016. Exchange 2010 SP3 RU22 will force installation of this VC++ runtime.
  • Updates include a critical security patch for Oracle Outside In libraries. More about the issue in MSRC advisory ADV180010.
  • Exchange 2013 CU21 and Exchange 2016 CU10 introduce support for directly creating and enabling remote shared mailboxes, e.g.
    New-RemoteMailbox [-Shared] [-Name remoteMailboxName]
    Enable-RemoteMailbox [-Identity user] [-Shared] [-RemoteRoutingAddress user@domain]
    Set-RemoteMailbox [-Name user] [-Type Shared]

    You need to run setup /PrepareAD to see these changes. More information in KB4133605.

  • This is the last planned Cumulative Update for Exchange 2013 as it enters Extended Support.
  • Exchange 2010 SP3 RU22 adds support for Windows Server 2016 Domain Controllers.

 

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU10 15.1.1531.3 KB4099852 Download UMLP No
Exchange 2013 CU21 15.0.1395.4 KB4099855 Download UMLP No
Exchange 2010 SP3 RU22 14.3.411.0 KB4295699 Download

Exchange 2016 CU10 fixes:

  • 4056609¬†Event ID 4999 and mailbox transport delivery service won’t start with Exchange Server 2016 CU7 installed
  • 4133605¬†Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133620¬†“HTTP 500 due to ADReferralException”¬†error when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4095974¬†“System.InvalidOperationException”¬†occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4095973¬†Set-ServerComponentState cmdlet does not honor the write scope defined in the RBAC management scope in Exchange Server
  • 4095993¬†HTTP 500 error when an administrator tries to manage regional settings in ECP on Windows Server 2016
  • 4294209¬†Cannot clear the ‚ÄúMaximum message size‚ÄĚ check box for Send messages or Receive messages in EAC in Exchange Server 2016
  • 4294208¬†“TooManyObjectsOpenedException” error when you run the “Get-PublicFolderMailboxDiagnostics” cmdlet in Exchange Server
  • 4294212¬†Cannot send VBScript-created messages in the Outlook 2016 client
  • 4294211¬†Cannot run ‚ÄúSet-CalendarProcessing‚ÄĚ cmdlets after you apply CU8 or CU9 for Exchange Server 2016
  • 4294210¬†Cannot edit an email attachment in OWA in an Exchange Server 2016 environment
  • 4294204¬†Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment
  • 4092041¬†Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018

Exchange 2013 CU20 fixes:

  • 4133605¬†Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133604¬†User can’t log on to a POP/IMAP account by using NTLM authentication in Exchange Server 2013
  • 4133618¬†Unexpected error occurs when running the Get-DatabaseAvailabilityGroupNetwork cmdlet in Exchange Server 2013
  • 4133620¬†‚ÄúHTTP 500 due to ADReferralException‚ÄĚ when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4058473¬†An Office 365 primary mailbox user cannot be assigned full access permissions for an on-premises mailbox in Exchange Server
  • 4094167¬†The MSExchangeRPC service crashes with a System.NullReferenceException exception in Exchange Server 2013
  • 4095974¬†‚ÄúSystem.InvalidOperationException‚ÄĚ occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4092041¬†Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018
  • 4294205¬†POP3 services intermittently stop in an Exchange Server 2013 environment
  • 4294204¬†Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment

Exchange 2010 Rollup 22 fixes:

  • 4295751 EWS impersonation not working when accessing resource mailboxes in a different site in Exchange Server 2010 SP3

Notes:

  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they introduce RBAC changes in your environment. Use setup /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU‚Äôs & .NET.
  • When upgrading your Exchange 2013 or 2016 installation, don‚Äôt forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher‚Äôs certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can‚Äôt uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.