Tag Archives: Exchange

Hotfix for Exchange 2016 and 2019 (Apr2024)

Posted on by
Reply

Today, Microsoft released a hotfix for Exchange Server 2016 and 2016 that will not only fix some issues but, importantly, also add a much-welcomed functionality change: Hybrid Modern Authentication support OWA and ECP. You can deploy the hotfix directly on the Cumulative Update, similar to Security Updates. There is no need to deploy the March 2024 Security Update first.

The Hotfix for each supported Exchange Server build is linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU14 HU2Download15.2.1258.34KB5037224KB5036402
Exchange 2019 CU13 HU6Download15.2.1544.11KB5037224KB5036402
Exchange 2016 CU23 HU13Download15.1.2507.39KB5037224KB5036386

HMA support for OWA/ECP

This hotfix adds support for OWA and ECP when used in Hybrid Modern Authentication (HMA). This removes the need to deploy Azure Web Application Proxy for OWA and ECP when you want to deploy HMA. If you already deployed an Azure WebApp Proxy configuration for this purpose, you can choose to remove it after deploying the hotfix and configuring HMA on OWA/ECP. More information on enabling OWA and ECP for HMA support is here.

Caution: if you do not synchronize the identities of (Exchange) administrators to Entra, they will be unable to authenticate against Entra Identity and thus unable to manage Exchange on-premises using ECP. In those cases, they have the option to use Exchange Management Shell or synchronize their identities. Since Entra will be performing the authentication, you can add additional controls, such as location conditions or MFA, for those accounts.

ECC Certificate Support

The hotfix adds support for ECC certificates to Exchange, except for scenarios where Active Directory Federation Services (AD FS) is utilized. More information here.

Fixed Issues

The hotfix addresses the following issues, some of which were introduced after deploying the March 2024 SU:

IssueExchange 2016Exchange 2019
Download domains not working after installing the March 2024 SUYesYes
Search error in Outlook cached mode after installing March 2024 SUYesYes
OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SUYesYes
Edit permissions option in the ECP can’t be editedYesYes
Outlook doesn’t display unread message icon after installing Exchange Server March 2024 SUYesYes
My Templates add-in isn’t working after installing Microsoft Exchange Server March 2024 SUYesYes

Notes

  • The hotfix is Exchange build level specific. You cannot apply the hotfix for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name, and I would suggest tagging the file name with the Exchange version and CU when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.

On a final note, as with any patch or update, it is recommended to apply this update in a test environment first, prior to implementing it in production.

Security Updates Exchange 2016-2019 (Mar2024)

Posted on by
5

The Exchange product group released March 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2024-26198Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU14Download15.2.1544.9KB5036401KB5032146
Exchange 2019 CU13Download15.2.1258.32KB5036402KB5032146
Exchange 2016 CU23Download15.1.2507.37KB5036386KB5032147

OutsideInModule

Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling these is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for usage in Exchange Transport Rules or Data Loss Prevention rules. More information is here.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
EWS search request displays inaccurate resultsYesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Exchange 2019 CU14 (2024 H1)

Posted on by
Reply

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2024, or CU14. Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following changes:

  • .NET Framework 4.8.1 support on Windows Server 2022
  • Extended Protection will be enabled by default on the server where you installed CU14 (and later). You can override this behavior during setup or by specifying the DoNotEnableEP or DoNotEnableEPFEEWS when running setup unattended. More info on these switches, as well as the Extended Protection requirements and how to configure it, can be found here.

Unfortunately, TLS 1.3 support has been moved to CU15.

CVE-2024-21410
Enabling Extended Protection also addresses the just released CVE-2024-21410. This also applies to Exchange 2016 and even Exchange 2013 when you deployed the August 2022 Security Update on those servers and enabled Extended Protection on them.

VulnerabilityCategorySeverityRating
CVE-2024-21410Elevation of PrivilegeCriticalCVSS:3.1 9.8 / 9.1

Download
Link to the update as well as a description of changes and fixes are below. The columns Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1415.2.1544.4KB5035606Download NY

Exchange 2019 CU14 fixes:

  • 5035442 Exchange Mitigation Service does not log incremental updates
  • 5035443 Read receipts are returned if ActiveSyncSuppressReadReceipt is “True” in Exchange Server 2019
  • 5035444 System.argumentnullexception when you try to run an eDiscovery search
  • 5035446 OAB shadow distribution fails if legacy authorization is blocked
  • 5035448 MCDB fails and leads to lagged copy activation
  • 5035450 Exchange 2019 setup installs an outdated JQuery library
  • 5035452 Usernames are not displayed in Event ID 23 and 258 
  • 5035453 Issues in Exchange or Teams when you try to delegate information
  • 5035455 MSExchangeIS stops responding and returns “System.NullReferenceExceptions” multiple times per day
  • 5035456 “Deserialization blocked at location HaRpcError” error and Exchange replication stops responding
  • 5035493 FIP-FS Proxy Customizations are disabled after a CU or an SU update
  • 5035494 Modern attachment doesn’t work when web proxy is used in Exchange Server 2019
  • 5035495 OWA displays junk operations even if junk mail reporting is disabled
  • 5035497 Edit permissions option in the ECP can’t be edited
  • 5035542 Remote equipment and room mailboxes can now be managed through EAC 
  • 5035616 Logon events failure after updating Windows Server
  • 5035617 Transport rules aren’t applied to multipart or alternative messages
  • 5035689 “High %Time in GC” and EWS doesn’t respond

Notes

  • If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to the inability to validate script signatures.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution
As for any updates, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange 0-days: CVE-2022-41040 & CVE-2022-41082

Posted on by
5

Update (Oct10, 2022): Updated URL Rewrite Rule (again).

End of last week, the Exchange world was made aware of a 0-day vulnerability and exploit through the following tweet by security researcher Kevin Beaumont. The tweet referenced a write-up by GTSC Cyber Security, which published their discovery on a what looked like a variation on ProxyShell, allowing for Remote code execution. The vulnerabilities have been registered by the Common Vulnerabilities and Exposures program as CVE-2022-41040 (ZDI-CAN-18333 at Zero Day Initiative) and CVE-2022-41082 (ZDI-CAN-18802).

The 0-day impacts current versions of Exchange Server 2019, Exchange Server 2016 as well as Exchange Server 2013 when published externally. If you have Exchange Hybrid deployed only for recipient management or mail-flow (i.e. no inbound traffic for https/443), you should be OK. Similar to ProxyShell, the vulnerability consists of sending manufactured requests to Exchange server, e.g.

Read the full of this article on ENow here.

Update (Oct10): The (original) filter to mitigate the situation, as specified originally by the GTSC as well as various websites, is too specific. The filter can easily be circumvented by – but effectively identical – variations on the manufactured request. The latest rule to filter requests is:

(?=.*autodiscover)(?=.*powershell)

Update any existing mitigation IIS URL Rewrite Rules with this Regular Expressions filter for {UrlDecode:{REQUEST_URI}} blocking (Abort Request) any matching request. When using EEMS, this rule will also be deployed in the most recent update (1.0.9). Microsoft rather silently updated the filter in their published EEMS rules during the weekend.

Microsoft added to their advisory, recommending organizations to disable Remote PowerShell for non-administrators roles (instructions here). For those wanting to hunt for indicators of compromise, check the end of the Security blog.

Vendors are also offering solutions to filter these requests using their network devices:

At the time of writing, Microsoft has not publish a security fix yet.

MEC: Bringing your Exchange Scripts into the Modern Age

Posted on by
Reply

Yesterday, I had the pleasure of presenting at the Microsoft Exchange Conference Community Technical Airlift 2022. I talked about the challenges that organizations are facing that use Exchange scripts in their work processes or run them scheduled unattended.

Some of the challenges I mentioned, apart from the upcoming demise of Basic Authentication, and resources to methodically assess and make the necessary changes, are:

  • Get your code more secure leveraging Certificate Based Authentication, especially for scheduled tasks.
  • Get current with the most recent version of the Exchange Online Management Module for PowerShell.
  • The same exercise with regards to AzureAD when using MSOnline or AzureAD modules, and the inevitable move to the PowerShell Graph SDK.

In the end I also quickly demonstrated how much easier and secure things can be when utilizing Azure Automation, which might especially appeal to organizations that want to totally get rid of any infrastructure for running jobs.

You can watch the presentation below. All sessions are you published on YouTube, and its playlist can be accessed at aka.ms/MEC2022.

The presentation as well as the deck and script used in the live demonstration can be retrieved from GitHub. The Analyse-ExoScript used in the demo can be found on GitHub as well, or look at the accompanying blog I wrote a while ago here.

Note that during MEC, it was announced that the next GA release of the Exchange Online Management module will be version 3. This jump is likely to prevent any confusion with earlier GA and preview releases. It was said the next GA release might be as early as next week, which should be good news for organizations who’s policy it is to not run Preview software in production environments.

If you have any questions, ask them in the comments or send me a message via the contact form.

MEC Airlift 2022 #WeAreMEC

Posted on by
2

It seems ages ago – 8½ years to be exact – that the most recent Microsoft Exchange Conference took place in Austin in 2014. Much has happened since then, Exchange Online became a thing and there seemed to be no need for Microsoft to host an Exchange themed conference any longer. All this while events around products such as SharePoint did not slow down a single bit.

Then the pandemic happened, and we went to zero in-person conferences. It did not take long online/virtual/digital conferences took off. But alas, no Exchange conference. Until 2022 arrived, and Microsoft announced continued commitment to Exchange on-premises. Now, early in the FY22/23, a free 2-day online event will take place on September 13th & 14th, the Microsoft Exchange Conference Community Technical Airlift 2022. Target audience are IT professionals working with Exchange Online/On-Premises as well people developing solutions that integrate with Exchange. While nothing comes close to the experience and value of an in-person event, MEC 2022 will take place online. I am guessing that if this event is a success, and there is enough content to talk about as well as interest, that might switch to becoming at least a hybrid event, with a mix of an in-person and online audience, similar to Microsoft Ignite this year.

The agenda for MEC 2022 looks very promising, with sessions from both the Exchange product group as well as some very smart people from the Exchange community. Not totally surprising, there are sessions on the demise of Basic Authentication and how to deal with that, hosted by Greg Taylor. Also have a look at Scott Schnoll’s famous Exchange Tips & Tricks, or Jeff Mealiffe talking about connectivity. The event kicks off with a welcome keynote with Perry Clarke and Rajesh Jha. You can still submit questions for this “Geek Out with Perry!” here.

Yours truly will also present at MEC, presenting “Bringing your Exchange Scripts into the Modern Age” on September 14th, 9:00am PDT. Note that MEC sessions will be recorded, and will be made available for on-demand viewing after the event, which is great in case you cannot attend sessions as they happen. You can still register for MEC at https://aka.ms/MECAirlift.

If I do not “see” you at MEC, there is also an opportunity to have an in-person chat next week in Atlanta, where I will be attending – not presenting as I missed the submit deadline – The Experts Conference, or just TEC. It seems you can still register, but Anyway, it is good to see Exchange themed events pick-up and confereces in general returning to a certain level of pre-pandemic numbers, as there is enough to talk about, discuss and learn from others.

The Last Exchange Server

Posted on by
Reply

In the announcement of the most recent set of Cumulative Updates for Exchange Server 2019 and 2016, Microsoft introduced some changes – features if you will – as well, which were received with enthusiasm. An overview of these Cumulative Updates and the features introduced was given in an earlier article. In this article however, I would like to zoom in on one of those features, which also happens to be a popular topic among customers running Exchange Hybrid deployments, “The Last Exchange Server”.

Up to Exchange 2019 CU12 (2022 H1), customers that migrated to Exchange Online were still required to leave Exchange-related components running on-premises. Even today, with all the information published around this topic, I am surprised this still surprised customers. This Exchange server running on-premises is to be used for managing recipients which have their source of authority in Active Directory, leveraging Active Directory Connect to propagate objects to Azure Active Directory and thus Exchange Online. Also, when there is a need to relay messages from applications or multi-functional devices, customers often need to have an Exchange server on-premises to accept these messages, as Exchange is the only supported mail relay product for hybrid deployments.

Click here to read the full article on ENow Solutions blog.

Exchange Updates (and more) – H1 2022

Posted on by
4

20220423: Added TLS 1.3 note.

The Exchange Team released the quarterly half-yearly Cumulative Updates for Exchange Server 2019 and Exchange 2016. You read that right, half-yearly updates are replacing the cadence of quarterly update servicing model for Exchange Server. Effectively, this will be Exchange 2019 only, as Exchange 2016 will be out of mainstream support in H2 of 2022, and will therefor only receive Security Updates after this round. Note that this change also alters the effective ‘current’ state (n-1 or later) of your Exchange Server environment from half year to one year.

And that’s not the only good news that comes with these sets of updates. In short:

  • If you run Exchange 2019 in Hybrid only for the purpose of managing recipients, you can now use Exchange 2019 CU12’s Exchange Management Tools to accomplish this; no more need to have an Exchange server running just for this. More details here.
  • Exchange 2019 CU12 will reintroduce the Hybrid Key option. Its Hybrid Configuration Wizard supports this licensing method.
  • Exchange 2019 CU12 support managing the Hybrid Agent with MFA-enabled accounts.
  • Exchange 2019 CU12 adds support for Windows Server 2022, both for its underlying operating system, as well as deployment in environments running Windows Server 2022 Domain Controllers.
  • Note that while Windows Server 2022 supports TLS 1.3, Exchange 2019 CU12 on WS2022 does not yet support it. Adding support is scheduled for somewhere next year.
  • The supportability matrix has been updated for the supported Windows Server 2022 scenarios.
  • Exchange Server is now also part of Microsoft’s Bounty Program, which is an indication of continued focus for customers still running Exchange Servers on-premises.

Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1215.2.1118.7KB5011156Download NY
Exchange 2016 CU2315.1.2507.6KB5011155DownloadUMLPNY

Apart from DST changes and the fixes mentioned below, these Cumulative Updates also contain a change which will not allow using UNC paths with several cmdlets. More information about this change and cmdlets affected can be found here: KB5014278.

Exchange 2019 CU12 fixes:

  • 5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
  • 5012758 Start-MailboxAssistant is not available in Exchange Server 2019
  • 5012760 You can’t access OWA or ECP after installing the July 2021 security update
  • 5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
  • 5012762 PST creation is unexpectedly triggered again during multiple mailbox export
  • 5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
  • 5012766 Transport Services fail repeatedly because of * Accepted Domain
  • 5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
  • 5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
  • 5012770 No response from public folder for users migrating to Microsoft Exchange 2019
  • 5012772 Items are skipped at the start of a new search page request
  • 5012773 OWAMailboxPolicy is bypassed and high resolution profile images can be uploaded
  • 5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
  • 5012775 No additional global catalog column in the address book service logs
  • 5012776 Exchange Server 2019 help link in OWA redirects users to online help for Exchange Server 2016
  • 5012777 Can’t find forwarded messages that contain attachments in Exchange Server 2019
  • 5012778 Exchange Server stops responding when processing PDF files with set transport rule
  • 5012779 Invalid new auth certificate for servers that are not on UTC time zone
  • 5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
  • 5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
  • 5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
  • 5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
  • 5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
  • 5012785 Read Only Domain Controllers (RODCs) in other domains do not get desired permissions
  • 5012786 Forwarded meeting appointments are blocked or considered spam
  • 5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
  • 5012789 Can’t use Copy Search Results after eDiscovery & Hold search
  • 5012790 OWA doesn’t remove the “loading” image when a message is opened in Chrome and Edge browsers
  • 5012791 MailboxAuditLog doesn’t work in localized (non-English) environments

Exchange 2016 CU23 fixes:

  • 5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
  • 5012760 You can’t access OWA or ECP after installing the July 2021 security update
  • 5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
  • 5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
  • 5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
  • 5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
  • 5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
  • 5012779 Invalid new auth certificate for servers that are not on UTC time zone
  • 5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
  • 5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
  • 5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
  • 5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
  • 5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
  • 5012786 Forwarded meeting appointments are blocked or considered spam
  • 5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
  • 5012789 Can’t use Copy Search Results after eDiscovery & Hold search
  • 5012791 MailboxAuditLog doesn’t work in localized (non-English) environments
  • 5012829 Group metrics generation fails in multidomain environment

Notes:

  • If these Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – September 2021

Posted on by
5

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016.

Be advised that these CUs will introduce something which is called the Exchange Emergency Mitigation Service. This service is designed to distribute and implement mitigations addressing potential threats. For this, the URL Rewrite Module needs to be installed on the Exchange server. When you have Exchange running on Windows Server 2012 R2, you will also need an update for the Universal C Runtime (KB2999226). Periodically, the EEM service will reach out to the Office Config Service (OCS) through endpoint https://officeclient.microsoft.com, and update its set of configured mitigations. More on EEM and managing its configuration here.

Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1115.2.986.5KB5005334Download NY
Exchange 2016 CU2215.1.2375.7KB5005333DownloadUMLPNY

Exchange 2019 CU11 fixes:

  • 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
  • 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
  • 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
  • 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
  • 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
  • 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
  • 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
  • 5006990 Exchange CU installation fails after you configure fallback to use default character set (5006990)
  • 5006991 Mail quota warning messages no longer sent daily in Exchange Server 2019 (KB5006991)
  • 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
  • 5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
  • 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (5006994)
  • 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
  • 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
  • 5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
  • 5006999 “401” error and Outlook repeatedly prompts for credentials in Exchange Server 2019 (KB5006999)
  • 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
  • 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)
  • 5007044 Start-MailboxAssistant not available in EMS in Exchange Server 2019 (KB5007044)

Exchange 2016 CU22 fixes:

  • 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
  • 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
  • 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
  • 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
  • 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
  • 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
  • 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
  • 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
  • 5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
  • 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (5006994)
  • 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
  • 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
  • 5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
  • 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
  • 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)

Notes:

  • If these Cumulative Updates contain schema changes compared to the Cumulative Update you have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – December 2020

Posted on by
2

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Be advised that Exchange 2016 will receive its final CU in March, 2021.

Links to the updates as well as a description of changes and fixes are described below.

VersionBuildKBDownloadUMLPSchemaPrepareAD
Exchange 2019 CU815.2.792.3KB4588885VLSC NY
Exchange 2016 CU1915.1.2176.2KB4588884DownloadUMLPNY

Exchange 2019 CU8 fixes:

  • 4588297 Attachments can’t be downloaded or previewed from Outlook Web App
  • 4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2019
  • 4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2019
  • 4583533 Exchange Server 2019 installation fails with error “The user has insufficient access rights” 
  • 4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2019
  • 4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2019
  • 4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2019
  • 4583537 Update Korean word breaker in Exchange Server 2019
  • 4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2019
  • 4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2019
  • 4583542 Server assisted search in Outlook doesn’t return more than 175 items in Exchange Server 2019
  • 4583544 Lots of LDAP requests for FE MAPI w3wp lead to DDoS on DCs in Exchange Server 2019
  • 4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2019
  • 4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

Exchange 2016 CU19 fixes:

  • 4588297 Attachments can’t be downloaded or previewed from Outlook Web App
  • 4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2016
  • 4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2016
  • 4583533 Exchange Server 2016 installation fails with error “The user has insufficient access rights” 
  • 4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2016
  • 4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2016
  • 4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2016
  • 4583537 Update Korean word breaker in Exchange Server 2016
  • 4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2016
  • 4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2016
  • 4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2016
  • 4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

Notes:

  • These Cumulative Updates contain schema changes compared to the previous Cumulative Update. This requires you to run /PrepareSchema. Also, Active Directory changes require you to run PrepareAD (which also can perform the schema update, depending permissions). Consult the Exchange schema versions page for object version numbers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.