Security Updates Exchange 2013-2019 (Nov2020)

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released November 10th. These fixes address the following vulnerabilities:

  • CVE-2020-17085: Microsoft Exchange Server Denial of Service Vulnerability
  • CVE-2020-17084: Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2020-17083: Microsoft Exchange Server Remote Code Execution Vulnerability

These vulnerabilities can be fixed by a single security update, which you can find in the table below per current Exchange version.

| Exchange | Download | Build | KB | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU7 | Download | 15.2.721.4 | KB4588741 | |
| Exchange 2019 CU6 | Download | 15.2.659.8 | KB4588741 | |
| Exchange 2016 CU18 | Download | 15.1.2106.4 | KB4588741 | |
| Exchange 2016 CU17 | Download | 15.1.2044.8 | KB4588741 | |
| Exchange 2013 CU23 | Download | 15.0.1497.8 | KB4588741 | |

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.
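Because the update is specific to each Cumulative Update, it helps to check a server's build against the table before picking a package. The following is an added example, not part of the original post: it uses the November 2020 builds listed above, and the function name, variable names and sample builds are illustrative.

```powershell
# Added example; not from the original post. Builds and KB are copied from the
# November 2020 table above. Function and variable names are illustrative.
$Nov2020SecurityUpdate = @(
    [pscustomobject]@{ Product = 'Exchange2019'; CU = 'CU7';  PatchedBuild = [version]'15.2.721.4'  }
    [pscustomobject]@{ Product = 'Exchange2019'; CU = 'CU6';  PatchedBuild = [version]'15.2.659.8'  }
    [pscustomobject]@{ Product = 'Exchange2016'; CU = 'CU18'; PatchedBuild = [version]'15.1.2106.4' }
    [pscustomobject]@{ Product = 'Exchange2016'; CU = 'CU17'; PatchedBuild = [version]'15.1.2044.8' }
    [pscustomobject]@{ Product = 'Exchange2013'; CU = 'CU23'; PatchedBuild = [version]'15.0.1497.8' }
)

function Test-ExchangeSecurityUpdate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [version] $InstalledBuild,
        [string] $KB = 'KB4588741'
    )

    # The first three parts of the build identify the Cumulative Update;
    # the fourth part changes when a security update is installed.
    $row = $Nov2020SecurityUpdate | Where-Object {
        $_.PatchedBuild.Major -eq $InstalledBuild.Major -and
        $_.PatchedBuild.Minor -eq $InstalledBuild.Minor -and
        $_.PatchedBuild.Build -eq $InstalledBuild.Build
    }

    if (-not $row) {
        # No package in the table targets this CU: upgrade the CU first.
        return [pscustomobject]@{
            InstalledBuild = $InstalledBuild
            CU             = $null
            Status         = 'NoUpdateForThisCU'
            Package        = $null
        }
    }

    # A build equal to or higher than the table value has at least this update.
    $status = if ($InstalledBuild -ge $row.PatchedBuild) { 'Patched' } else { 'UpdateRequired' }

    [pscustomobject]@{
        InstalledBuild = $InstalledBuild
        CU             = '{0} {1}' -f $row.Product, $row.CU
        Status         = $status
        # File name tagged with the CU level, following the naming suggested above.
        Package        = '{0}-{1}-{2}-x64-en.msp' -f $row.Product, $row.CU, $KB
    }
}

# On an Exchange server, the installed build can be read from ExSetup.exe:
#   $build = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
# Constructed sample builds, so the example runs on any machine:
'15.2.721.2', '15.1.2106.4', '15.1.1979.6' | ForEach-Object {
    Test-ExchangeSecurityUpdate -InstalledBuild $_
} | Format-Table -AutoSize
```

The third sample build belongs to a Cumulative Update that is not in the table, so the function reports that no package applies rather than suggesting one built for a different CU.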

Security Updates Exchange 2013-2019 (Oct2020)

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released October 13th. These fixes address the following vulnerability:

  • CVE-2020-16969: Microsoft Exchange Information Disclosure Vulnerability
    An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.

    To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.

    The security update corrects the way that Exchange handles these token validations.

The vulnerability can be fixed by a single security update, which you can find in the table below per current Exchange version.

| Exchange | Download | Build | KB | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU7 | Download | 15.2.721.3 | KB581424 | |
| Exchange 2019 CU6 | Download | 15.2.659.7 | KB581424 | KB4577352 |
| Exchange 2016 CU18 | Download | 15.1.2106.3 | KB581424 | |
| Exchange 2016 CU17 | Download | 15.1.2044.7 | KB581424 | KB4577352 |
| Exchange 2013 CU23 | Download | 15.0.1497.7 | KB581424 | KB4536988 |

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU17-KB4581424-x64-en.msp.

Also, run the Security Update from an elevated command prompt to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.

EWS.WebServices.Managed.Api

A short blog on the EWS Managed API and using the latest version with scripts leveraging Exchange Web Services (EWS), such as my Remove-DuplicateItems script. The installable EWS Managed API library was last updated in 2014 (version 2.2, reports as v15.0.913.22), and there have been a few enhancements since then. These are included in the EWS.WebServices.Managed.Api package, which carries version 2.2.1.2.

Although this library was last updated in 2019, you might still need it to successfully run EWS scripts. The EWS.WebServices.Managed.Api package supports some Exchange Web Services calls which are not supported in the 2.2 version, and the lack of that support may lead to error messages like Exception calling “FindFolders” with “2” argument(s) or other messages related to the (number of) arguments. Such a message may indicate that a script called one of the EWS functions in a way the installed EWS Managed API library does not support. In those cases, installing this updated library might help.

The library is published on NuGet as a package. To install the package, we first need to register NuGet as a Package Source:

Register-PackageSource -provider NuGet -name nugetRepository -location https://www.nuget.org/api/v2

Next, install the package from the newly defined NuGet source:

Install-Package Exchange.WebServices.Managed.Api

The package installs by default under C:\Program Files\PackageManagement\NuGet\Packages. I have updated my scripts to include this location when searching for the required Microsoft.Exchange.WebServices.dll as well. Alternatively, you can copy this DLL from the ..\Exchange.WebServices.Managed.Api.<Version>\lib\net35 folder to the location where the script resides. When running my EWS-based scripts in Verbose mode, it will report as version 2.2.1.0.
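One way to implement the search described above, as an added example rather than the code from the author's scripts: the function name and the search order (newest NuGet package first, then the script folder) are assumptions. It also reports the signature status and SHA-256 hash of the DLL it picks, so you can record what is being loaded.

```powershell
# Added example; not the author's script code. Find-EwsManagedApi and the
# search order (NuGet package first, script folder second) are assumptions.
function Find-EwsManagedApi {
    [CmdletBinding()]
    param(
        [string] $PackageRoot  = (Join-Path $env:ProgramFiles 'PackageManagement\NuGet\Packages'),
        [string] $ScriptFolder = $PSScriptRoot
    )
    $dllName = 'Microsoft.Exchange.WebServices.dll'

    # Package folders are named Exchange.WebServices.Managed.Api.<Version>.
    # Sort on the folder version, not the DLL file version: the 2014 installer
    # reports 15.0.913.22 while the newer package DLL reports 2.2.1.0.
    $packages = @(
        Get-ChildItem -Path $PackageRoot -Directory -Filter 'Exchange.WebServices.Managed.Api.*' -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Name -match '^Exchange\.WebServices\.Managed\.Api\.(\d+(\.\d+){1,3})$') {
                    $packageVersion = [version]$Matches[1]
                    $dll = Join-Path $_.FullName "lib\net35\$dllName"
                    if (Test-Path -LiteralPath $dll) {
                        [pscustomobject]@{ Path = $dll; Source = 'NuGet'; PackageVersion = $packageVersion }
                    }
                }
            } | Sort-Object PackageVersion -Descending
    )
    $chosen = $packages | Select-Object -First 1

    # Fall back to a copy of the DLL placed next to the script.
    if (-not $chosen -and $ScriptFolder) {
        $local = Join-Path $ScriptFolder $dllName
        if (Test-Path -LiteralPath $local) {
            $chosen = [pscustomobject]@{ Path = $local; Source = 'ScriptFolder'; PackageVersion = $null }
        }
    }
    if (-not $chosen) { return }

    $signature = Get-AuthenticodeSignature -FilePath $chosen.Path
    [pscustomobject]@{
        Path            = $chosen.Path
        Source          = $chosen.Source
        PackageVersion  = $chosen.PackageVersion
        FileVersion     = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($chosen.Path).FileVersion
        SignatureStatus = $signature.Status
        SHA256          = (Get-FileHash -LiteralPath $chosen.Path -Algorithm SHA256).Hash
    }
}

$ews = Find-EwsManagedApi
if ($ews) {
    $ews | Format-List
    Add-Type -Path $ews.Path    # load the assembly into the current session
} else {
    Write-Warning 'Microsoft.Exchange.WebServices.dll not found; install the package or copy the DLL next to the script.'
}
```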

Hopefully this blog will potentially save you some time troubleshooting, and myself answering some support messages. Enjoy!

Exchange Announcements @ Ignite 2020

Last Update: Added points from Exchange Online Transport – Manage Email, Optics, End User Experiences.

It shouldn’t come as a surprise that this year’s Ignite event is very different than previous years. However, what is also different is that at this year’s digital experience, product groups lined up pre-recorded sessions with deep-dive level 300-400 content as well as articles to accompany those. The sessions, which are available through the Virtual Hub, were all launched right after the start of the event, including the prepared articles. Talk about a flood of content to digest.

To ease digesting all this information related to Exchange without going through all the videos and blogs, I prepared a summary of all the announcements made at and during Ignite. Links to the original articles and sessions are at the bottom of this article. The list might not be conclusive; if you find something missing, let me know.

Exchange vNext

  • Exchange Server vNext is scheduled for H2/2021, and will be subscription-based.
  • Will support in-place upgrades from Exchange Server 2019, just like installing another Cumulative Update. Which makes you think, maybe it is just a CU with a high version offset to avoid clashing with its predecessor.
  • Support for this in-place upgrade process is limited to 2 years after release of vNext. If everything goes to plan, this means upgrades will be supported from Exchange 2019 CU11/12-CU19/20 to Exchange vNext RTM-CU8/9.
  • Will support co-existence with Exchange Server 2013, 2016 and 2019, which is 1 down-level more than previous editions (n-3 support instead of n-2).
  • Customers staying on-premises are recommended to upgrade to Exchange Server 2019 today, so they can benefit from an in-place upgrade to vNext when it gets released.
Image Source: Exchange – Here, There and Everywhere

Exchange Online

  • Exchange Online Management PowerShell module is now GA (v2.0.3). This module contains cmdlets leveraging Graph which can show significant performance enhancements in larger tenants, and supports certificate-based authentication, among other things.
  • Exchange Online Management PowerShell preview module (v2.0.4) supports Linux and PowerShell Core.
  • Cross-tenant migration of mailboxes is now in Public Preview. Separate programs for cross-tenant SharePoint Online and OneDrive for Business will also be launched (register for private preview at aka.ms/SPOMnAPreview). An Azure Key Vault subscription is required on the target tenant. Management of these moves is done from PowerShell, after setting things up with some MSFT scripts which you can grab from GitHub here.
Tenant preparation for mailbox migration.
Image Source: Cross-tenant mailbox migration, process overview
Set-OrganizationConfig -AllowPlusAddressInRecipients $true
  • Message Recall to orchestrate recall of messages in Exchange Online, as announced at Ignite 2019, is expected later this year (Q4/2020).
  • Admins can toggle the new Exchange Admin Center (was already in preview). It will become the default in Q1/2021.
  • The new Exchange Admin Center is also tailored for use on mobile browsers.
  • Outbound mail flow now supports MTA-STS (MTA Strict Transport Security).
  • The new Exchange Admin Center will host all mail flow related management options, which will be consolidated from the earlier Admin Center as well as the Security & Compliance Center.
  • The new Exchange Admin Center will get new mail flow insights and notifications, such as early certificate expiration notifications or detected reply-to-all storms.
  • Option to reduce message expiration timeout interval from the current default of 24 hours.
  • Administrators get the option to block users from moving groups (distribution groups as well as Microsoft 365 Groups) to the BCC line, which might break receivers’ inbox rules (Q1/2021).
  • Entitled organizations can appoint Priority Users. Priority Users are critical mailboxes that are monitored for mail flow issues. Requires minimum of 10,000 Office 365 E3 or E5 or Microsoft 365 E3 or E5 licenses with at least 50 monthly active Exchange Online users.
  • Microsoft 365 Network Connectivity functionality goes into preview, which is accessible via the admin portal (Health > Network Connectivity).
  • The stand-alone Network Connectivity test tool also goes in preview, and is available from connectivity.office.com.
  • Notifications for expired or soon to expire SSL certificates and Domains (Q4/2020).
  • Customizable message expiration (8-24hours, Q4/2020).
  • Reply-to-All storm protection v2 with customizable thresholds and reports (Q4/2020-H1/2021).
  • Client-agnostic improved Message Recall (Q4/2020).

Exchange 2019

  • Exchange Server 2019 Server Role Requirements Calculator or just Capacity Calculator is now available as separate download (v10.5, link).

Exchange Hybrid

  • New Exchange Hybrid Configuration Wizard, which will become available later this month, will support connecting your Exchange on-premises environment to multiple tenants. Note that multiple Exchange organizations connecting to a single tenant was already an option, as mentioned in the supported Azure AD Connect topologies document (link).
Image Source: September 2020 Hybrid Configuration Wizard Update – Microsoft Tech Community
  • Multitenancy Exchange Hybrid will support up to 5 tenants.
  • Setting multitenancy up requires Exchange Server 2019 CU7 or Exchange Server 2016 CU18 or later.
  • Multitenancy does not enable SMTP domain sharing, which is logical as you can only set up a domain once in Office 365.
  • Exchange Hybrid Modern Authentication (HMA) can only be configured with one single tenant.

Outlook Desktop/Mac

  • Office will get perpetual release (Windows & Mac) in H2/2021.
  • Attendees who left company get removed from meeting after first NDR.

Outlook Mobile

  • Play My Emails coming to Canada, Australia, India and the United Kingdom (Outlook for iOS and Android).
  • Option to ask Cortana to read out emails from specific people, time frames and topics (Outlook for iOS, September).
  • Voice commands for email composition, calling and scheduling (October).
  • Sync contact folders with your phone by category (October).
  • Reactions to emails with emojis without filling your inbox (Q4)
  • QR connect to simplify work account setup (October).
  • Outlook for Mac will start using Microsoft Sync technology for enhanced performance and reliability. 
  • Widget support for iOS14 across apps.
  • Option to toggle new Outlook for Mac via in-app switch.

References to official sources

Security Updates Exchange 2016-2019 (Sep2020)

A quick blog on security updates for Exchange Server 2016 and Exchange Server 2019 released September 8th. These fixes address the following vulnerability:

  • CVE-2020-16875: Exchange Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised. The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.

The vulnerability can be fixed by a single security update, which you can find in the table below per current Exchange version.

| Exchange | Download | Build | KB | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU6 | Download | 15.2.659.6 | KB4577352 | KB4540123 |
| Exchange 2019 CU5 | Download | 15.2.595.6 | KB4577352 | KB4540123 |
| Exchange 2016 CU17 | Download | 15.1.2044.6 | KB4577352 | KB4540123 |
| Exchange 2016 CU16 | Download | 15.1.1979.6 | KB4577352 | KB4540123 |

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU17-KB4577352-x64-en.msp.

Also, run the Security Update from an elevated command prompt to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.

MS Teams & pre-Exchange 2016CU3

Updated May 9th: Added Share to Teams to table.

With the urgent need to facilitate working from home due to the Corona pandemic, many organizations were faced with a dilemma. Running Exchange 2013, or in some cases even Exchange 2010, on-premises and wanting to start using Microsoft Teams, they were confronted with the following requirements for integrating Microsoft Teams with Exchange on-premises (source):

  • Users with mailboxes hosted on-premises must be synchronized to Azure Active Directory.
  • Running Exchange 2016 Cumulative Update 3 or later on-premises.
  • OAuth needs to be configured (via Hybrid Configuration Wizard, or manually, as fellow MVP Jaap blogged about here).
  • Recently, an additional requirement was added to explain that for delegates to schedule calendar meetings on behalf of another person, some additional steps are required (steps 2-3 mentioned here).

Now as you might know, Exchange 2010 does not support OAuth authentication. But, by putting Exchange 2016 in front of Exchange 2010, Exchange 2016 can be used for dealing with OAuth authentication, as well as dealing with client traffic as it can down-level proxy to Exchange 2010 for mailboxes hosted on those servers. Looking at these requirements, organizations might conclude that putting Exchange 2016 CU3 in front of their Exchange environment and configuring OAuth would satisfy the requirement to integrate Teams with their Exchange on-premises environment.

Alas, the additional requirement for full Teams integration is that the mailbox server hosting the mailbox should support REST API. Teams leverages Graph REST API calls to interact with mailboxes. In a Hybrid Exchange setup, on-premises mailboxes are identified, and related REST API calls will be directed at the on-premises REST endpoint, landing on your Exchange environment. The requirement for REST API support is something which is not explicitly stated in the Teams integration article, despite my earlier pull request.

It is however stated implicitly in an article on REST support in Hybrid Exchange or the original publication on REST API support in Exchange 2016 CU3 by the Exchange PG, two articles which you might easily have missed or forgotten about. Either way, it states that “All on-premises mailboxes that will use the REST APIs must be located on databases located on Exchange 2016 CU3 servers”.

Thus, with REST API support only being available per Exchange 2016 CU3, Teams will not fully integrate with mailboxes hosted on earlier versions of Exchange. Exchange 2016 can be used to offload OAuth when your mailbox is still on Exchange 2010 (which works fine for Exchange Web Services for Free/Busy, for example), but Exchange 2010 does not support REST API, and thus will never understand those ‘weird’ (proxied) requests landing on /api virtual directory, typical of REST API calls. Consequently, you will see AutodiscoverV2 and REST API calls greeted with a 404:

2020-04-29 20:22:52 fd86:b628:2775:1:9502:cdcc:d4b1:5950 GET /autodiscover/autodiscover.json Email=chefke%40contoso.com&Protocol=REST&RedirectCount=1 443 CONTOSO\EX2$ fd86:b628:2775:1:9f8:2d9:c8a1:3c4a SkypeSpaces/1.0a$*+ 404 0 2 31
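To find which mailboxes and clients are running into this, you can filter the IIS logs for 404 responses on the AutodiscoverV2 and /api endpoints. The following is an added example, not part of the original post: the #Fields header is an assumption matching the 14 columns of the line above, the second data line is constructed, and the function name is illustrative.

```powershell
# Added example; not from the original post. The #Fields header is an assumption
# that matches the 14 columns of the log line shown above. The first data line
# is the one from the post; the second data line is constructed.
$sampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken'
    '2020-04-29 20:22:52 fd86:b628:2775:1:9502:cdcc:d4b1:5950 GET /autodiscover/autodiscover.json Email=chefke%40contoso.com&Protocol=REST&RedirectCount=1 443 CONTOSO\EX2$ fd86:b628:2775:1:9f8:2d9:c8a1:3c4a SkypeSpaces/1.0a$*+ 404 0 2 31'
    '2020-04-29 20:23:10 fd86:b628:2775:1:9502:cdcc:d4b1:5950 POST /EWS/Exchange.asmx - 443 CONTOSO\EX2$ fd86:b628:2775:1:9f8:2d9:c8a1:3c4a SkypeSpaces/1.0a$*+ 200 0 0 46'
)

function Get-RestEndpointFailure {
    param([string[]] $LogLine)

    $fields = @()
    foreach ($line in $LogLine) {
        # The #Fields directive defines the column order for the lines that follow.
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }

        $values = $line.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }    # malformed or truncated line

        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Keep only 404 responses on AutodiscoverV2 or the /api virtual directory.
        $stem             = $rec['cs-uri-stem']
        $isAutodiscoverV2 = $stem -ieq '/autodiscover/autodiscover.json'
        $isRestApi        = $stem -like '/api/*'
        if ($rec['sc-status'] -ne '404' -or -not ($isAutodiscoverV2 -or $isRestApi)) { continue }

        # Decode the query string to recover the mailbox and requested protocol.
        $query = @{}
        foreach ($pair in ($rec['cs-uri-query'] -split '&')) {
            $name, $value = $pair -split '=', 2
            if ($name) { $query[$name] = [uri]::UnescapeDataString("$value") }
        }

        $endpoint = if ($isAutodiscoverV2) { 'AutodiscoverV2' } else { 'REST API' }
        [pscustomobject]@{
            Time      = '{0} {1}' -f $rec['date'], $rec['time']
            Endpoint  = $endpoint
            Mailbox   = $query['Email']
            Protocol  = $query['Protocol']
            UserAgent = $rec['cs(User-Agent)']
            ClientIP  = $rec['c-ip']
        }
    }
}

# Against a real log: Get-RestEndpointFailure -LogLine (Get-Content '<path to IIS log file>')
Get-RestEndpointFailure -LogLine $sampleLog | Format-Table -AutoSize
```

With the sample input, only the AutodiscoverV2 request for chefke@contoso.com is returned; the EWS request that succeeded is ignored.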

Typically, the first thing users will notice missing is the Calendar integration:

Knowing this, the assumption could be that this combination doesn’t work at all, but as is often the case, the truth lies somewhere in the middle. You can use Teams when mailboxes are still hosted on pre-Exchange 2016 CU3, if you can live with the limitations. Below I have included a short overview of these, or other noteworthy items. The information is complementary to the How Exchange and Teams interact article. I hope it may help in discussions on what works and what doesn’t.

Disclaimer: Validated with mailbox hosted on Exchange 2010 with Exchange 2016 in front, OAuth and SkypeOnline AppId configured, and using Outlook 2016 C2R. Information may be subject to change. The list may not be conclusive; if you have any additional observations, please leave them in the comments.

| Actions | Works | Comment |
|---|---|---|
| Create & View Meetings in Teams | No | No Calendar integration as this requires Outlook Calendar REST API. Visual clue is absence of the Calendar button. |
| Modify User Photo in Teams (client) | No | Doesn’t work when mailbox is hosted in Exchange on-premises. |
| Call History | Yes | History doesn’t propagate to mailboxes hosted in Exchange on-premises in ‘Teams Calls’ folder. Does |
| Access Outlook Contacts | No | Works only with Exchange Online mailboxes. |
| Voicemail | Yes | May use & receive voice-mail, but can’t play from Teams. |
| Free/Busy status | Yes | Uses EWS. |
| Create & View/Update Teams Meetings from Outlook | Yes | Using default Teams Meeting add-in. |
| Create Teams Meetings from Outlook as Delegate | No | Teams Scheduler uses AutodiscoverV2 to discover delegate EWS endpoint, and fails. Outlook will display “Sorry, but we can’t connect to the server right now. Please try again later.” |
| View/Update Teams Meetings from Outlook as Delegate | Yes | EWS is used to fetch and update the calendar item. |
| MailTips in Teams | No | MailTips like Out of Office are not shown in Teams. MailTips work for Exchange 2016 CU3+. |
| Create & View Channel Meetings in Teams | No | Doesn’t work when mailbox is hosted in Exchange on-premises. |
| Share to Teams | No | Doesn’t work when mailbox is hosted in Exchange on-premises. |

Of course, the better experience is to be had when your mailbox is hosted on Exchange 2016 CU3 or later (including Exchange 2019), or best when you simply host them in Exchange Online. However, given the circumstances and pressure from the organization to use Teams, that route might not be an option for everyone. Organizations may look at substantial investments in time and resources. In those cases, it might be good to know of alternative less preferable scenarios, and more important, any possible limitations you might encounter when taking a shortcut.

Security Updates Exchange 2010-2019 (Feb2020)

A quick blog on recently published security updates for Exchange Server 2013 up to Exchange Server 2019 and Exchange Server 2010 as well. These fixes address the following vulnerabilities:

  • CVE-2020-0692: Microsoft Exchange Server Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to change parameters in the Security Access Token and forward it to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user. To address this vulnerability, Microsoft has changed the way EWS handles these tokens.
This vulnerability does not apply to Exchange 2010.

  • CVE-2020-0688: Microsoft Exchange Memory Corruption Vulnerability

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.

The CVE documents contain more details on the vulnerabilities. In addition, KB4536989 (Rollup 30) for Exchange 2010 and KB4536988 for Exchange 2013 also fix the following issue:

  • KB4540267 MSExchangeDelivery.exe or EdgeTransport.exe crashes in Exchange Server 2013 and Exchange Server 2010

These vulnerabilities can be fixed by a single security update, which you can find in the table below per current Exchange version.

| Exchange | Download | Build | KB | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU4 | Download | 15.2.529.8 | KB4536987 | KB4523171 |
| Exchange 2019 CU3 | Download | 15.2.464.11 | KB4536987 | KB4523171 |
| Exchange 2016 CU15 | Download | 15.1.1913.7 | KB4536987 | KB4523171 |
| Exchange 2016 CU14 | Download | 15.1.1847.7 | KB4536987 | KB4523171 |
| Exchange 2013 CU23 | Download | 15.0.1497.6 | KB4536988 | KB4523171 |
| Exchange 2010 SP3 RU30 | | | KB4536989 | KB4509410 |

Be advised that the Security Updates for Exchange 2013-2019 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CUs, and you cannot apply the update for Exchange 2016 CU15 to Exchange 2016 CU14. I would suggest tagging the Cumulative Update in the file name used, e.g. Exchange2016-CU15-KB4536987-x64-en.msp.

Also, run the Security Update from an elevated command prompt to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.

Exchange Updates – December 2019

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. One significant change with these updates is the requirement for .NET Framework 4.8, as announced earlier. Also, Exchange 2019 CU4 comes with an updated Exchange calculator. Links to the updates as well as a description of changes and fixes are described below.

| Version | Build | KB | Download | UMLP | Schema |
|---|---|---|---|---|---|
| Exchange 2019 CU4 | 15.2.529.5 | KB4522149 | VLSC | | N |
| Exchange 2016 CU15 | 15.1.1913.5 | KB4522150 | Download | UMLP | N |

Exchange 2019 CU4 fixes:

  • 4528696 Exchange PowerShell cmdlets take longer time to run in Exchange Server 2019
  • 4528695 Event ID 4009 when using SubjectOrBodyMatchesPatterns on Edge server in Exchange Server 2019
  • 4528694 Can’t open .ics file in Outlook on the web in Exchange Server 2019
  • 4528692 “A parameter was specified that isn’t valid” error when creating transport rule in Exchange Server 2019
  • 4523519 Set-SendConnector doesn’t work for Exchange Server in hybrid scenarios with Edge Server installed
  • 4528688 Only one recipient shows when saving draft by using Exchange ActiveSync version 16.0 in Exchange Server 2019
  • 4528693 Get-CalendarDiagnosticLog is proxied for queries within the same forest in Exchange Server 2019
  • 4528687 NotificationClient logs aren’t purged and consume lots of disk in Exchange Server 2019
  • 4528689 Outlook on the web shows MailTip when recipients equal the large audience size in Exchange Server 2019
  • 4528690 Can’t move or delete folder in Outlook online mode if the destination has a folder with the same name in Exchange Server 2019
  • 4532744 System.ArgumentNullException when you use Set-user to assign block legacy auth policy in Exchange Server 2019
  • 4532747 Address list separation not working for a user without a mailbox in Exchange Server 2019
  • 4523171 Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 12, 2019

Exchange 2016 CU15 fixes:

  • 4515256 “The function cannot be performed…” error when you send a message that’s open for a long time in Exchange Server 2016
  • 4528693 Get-CalendarDiagnosticLog is proxied for queries within the same forest in Exchange Server 2016
  • 4523519 Set-SendConnector doesn’t work for Exchange Server in hybrid scenarios with Edge Server installed
  • 4528690 Can’t move or delete folder in Outlook online mode if the destination has a folder with the same name in Exchange Server 2016
  • 4528687 NotificationClient logs aren’t purged and consume lots of disk in Exchange Server 2016
  • 4528689 Outlook on the web shows MailTip when recipients equal the large audience size in Exchange Server 2016
  • 4528688 Only one recipient shows when saving draft by using Exchange ActiveSync version 16.0 in Exchange Server 2016
  • 4528695 Event ID 4009 when using SubjectOrBodyMatchesPatterns on Edge server in Exchange Server 2016
  • 4528694 Can’t open .ics file in Outlook on the web in Exchange Server 2016
  • 4528692 “A parameter was specified that isn’t valid” error when creating transport rule in Exchange Server 2016
  • 4515257 Hash mismatch is reported for Exchange DLLs in the bin directory of Exchange Server 2016
  • 4528696 Exchange PowerShell cmdlets take longer time to run in Exchange Server 2016
  • 4532747 Address list separation not working for a user without a mailbox in Exchange Server 2016
  • 4523171 Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 12, 2019

Notes:

  • These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you may lag at most one version behind the current Cumulative Update (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of installation shouldn’t matter with the “every server is an island” concept, yet the recommendation is to upgrade internet-facing servers first, then non-internet-facing servers, followed by Edge Transports.

Caution:

As with any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2016 & 2019 (Sep2019)

Today, Microsoft published security fixes for Exchange Server 2016 and 2019. These fixes address the following vulnerabilities:

The CVE documents contain more details on the vulnerabilities. These vulnerabilities can be fixed by a single security update per version; you can download them here:

| Version | Links | Build | KB |
|---|---|---|---|
| 2019 CU2 | Download | 15.2.397.6 | KB4515832 |
| 2019 CU1 | Download | 15.2.330.10 | KB4515832 |
| 2016 CU13 | Download | 15.1.1779.5 | KB4515832 |
| 2016 CU12 | Download | 15.1.1713.9 | KB4515832 |

Note: KB4515832 supersedes KB4509409 and KB4509408.

Be advised that these Security Updates are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CU’s, and you cannot apply the same update for Exchange 2016 CU13 to Exchange 2016 CU12. I would suggest tagging the Cumulative Update in the file name when you store it, e.g. Exchange2016-KB4515832-x64-en_CU11.msp.

As with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.

Exchange Hybrid Agent GA

In February, Microsoft released the initial public preview version of the Hybrid Agent. The purpose of the Hybrid Agent, also branded as the “Exchange Modern Hybrid Topology”, is to simplify the process of setting up and deploying Microsoft Exchange Hybrid for Exchange 2010 and later deployments, where full “classic” Exchange Hybrid is not an option.

It can also address scenarios where deploying the Hybrid Agent would satisfy organizational migration requirements. For example, moving mailboxes between Exchange Online and Exchange on-premises while providing rich-coexistence features, but without requiring (re)configuration of the publishing of Exchange services. Other functionality the Hybrid Agent doesn’t offer is mail transport. Future builds of the Hybrid Agent might introduce cross-premises functionality, such as Send As delegations as demonstrated at Microsoft Ignite last year.

This week, the Hybrid Agent Public reached General Availability status. In the following article for ENow, I discuss the major changes in the agent since the initial Preview release.

Read the full article on the ENow Software blog.