Exchange Updates – June 2018

Ex2013 LogoThe Exchange Team released the June updates for Exchange Server 2013 and 2016, and an additional Rollup 22 for Exchange Server 2010 Service Pack 3.

Apart from fixes and time zone changes, these updates contain the following important changes and notes:

  • As announced earlier, Exchange 2013 CU21 and Exchange 2016 CU10 require .NET Framework 4.7.1.
  • All three updates require the VC++ 2013 runtime library, because it is needed by a 3rd component in WebReady Document Viewing in Exchange 2010/2013 and Data Loss Prevention in Exchange 2013/2016. Exchange 2010 SP3 RU22 will force installation of this VC++ runtime.
  • Updates include a critical security patch for Oracle Outside In libraries. More about the issue in MSRC advisory ADV180010.
  • Exchange 2013 CU21 and Exchange 2016 CU10 introduce support for directly creating and enabling remote shared mailboxes, e.g.
    New-RemoteMailbox [-Shared] [-Name remoteMailboxName]
    Enable-RemoteMailbox [-Identity user] [-Shared] [-RemoteRoutingAddress user@domain]
    Set-RemoteMailbox [-Name user] [-Type Shared]

    You need to run setup /PrepareAD to see these changes. More information in KB4133605.

  • This is the last planned Cumulative Update for Exchange 2013 as it enters Extended Support.
  • Exchange 2010 SP3 RU22 adds support for Windows Server 2016 Domain Controllers.

 

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU10 15.1.1531.3 KB4099852 Download UMLP No
Exchange 2013 CU21 15.0.1395.4 KB4099855 Download UMLP No
Exchange 2010 SP3 RU22 14.3.411.0 KB4295699 Download

Exchange 2016 CU10 fixes:

  • 4056609 Event ID 4999 and mailbox transport delivery service won’t start with Exchange Server 2016 CU7 installed
  • 4133605 Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133620 “HTTP 500 due to ADReferralException” error when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4095974 “System.InvalidOperationException” occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4095973 Set-ServerComponentState cmdlet does not honor the write scope defined in the RBAC management scope in Exchange Server
  • 4095993 HTTP 500 error when an administrator tries to manage regional settings in ECP on Windows Server 2016
  • 4294209 Cannot clear the “Maximum message size” check box for Send messages or Receive messages in EAC in Exchange Server 2016
  • 4294208 “TooManyObjectsOpenedException” error when you run the “Get-PublicFolderMailboxDiagnostics” cmdlet in Exchange Server
  • 4294212 Cannot send VBScript-created messages in the Outlook 2016 client
  • 4294211 Cannot run “Set-CalendarProcessing” cmdlets after you apply CU8 or CU9 for Exchange Server 2016
  • 4294210 Cannot edit an email attachment in OWA in an Exchange Server 2016 environment
  • 4294204 Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment
  • 4092041 Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018

Exchange 2013 CU20 fixes:

  • 4133605 Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment
  • 4133604 User can’t log on to a POP/IMAP account by using NTLM authentication in Exchange Server 2013
  • 4133618 Unexpected error occurs when running the Get-DatabaseAvailabilityGroupNetwork cmdlet in Exchange Server 2013
  • 4133620 “HTTP 500 due to ADReferralException” when a user tries to view detail properties of mailboxes in a child domain in Exchange Server
  • 4058473 An Office 365 primary mailbox user cannot be assigned full access permissions for an on-premises mailbox in Exchange Server
  • 4094167 The MSExchangeRPC service crashes with a System.NullReferenceException exception in Exchange Server 2013
  • 4095974 “System.InvalidOperationException” occurs when the “Enable-MailPublicFolder” cmdlet is run against a public folder in Exchange Server
  • 4092041 Description of the security update for Microsoft Exchange Server 2013 and 2016: May 8, 2018
  • 4294205 POP3 services intermittently stop in an Exchange Server 2013 environment
  • 4294204 Changing “IsOutOfService” to “False” in an earlier Exchange Server version does not immediately update in a later Exchange Server environment

Exchange 2010 Rollup 22 fixes:

  • 4295751 EWS impersonation not working when accessing resource mailboxes in a different site in Exchange Server 2010 SP3

Notes:

  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they introduce RBAC changes in your environment. Use setup /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – March 2018

Ex2013 LogoThe Exchange Team released the March updates for Exchange Server 2013 and 2016, and these Cumulative Updates contain a ton of fixes. Like the earlier Cumulative Updates for Exchange 2013 and Exchange 2016, and in addition to the fixes – see below – these Cumulative Updates contain the following important changes:

  • Support for .NET Framework 4.7.1. Be advised that .NET Framework 4.7.1 will be required for the next cycle of quarterly updates, which will be released in June 2018.
  • Full support for TLS 1.2. More information and guidance here.

On a smaller note, Exchange 2010 Service Pack 3 Rollup 20 was also released, which contains two security fixes CVE-2018-0924 and CVE-2018-0940, as well as DST changes.

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU9 15.1.1466.3 KB4055222 Download UMLP No
Exchange 2013 CU20 15.0.1367.3 KB4055221 Download UMLP No
Exchange 2010 SP3 RU20 14.3.389.1 KB4073537 Download

Exchange 2016 CU9 fixes:

  • 4054513 Mailbox usage status bar in OWA displays incorrect mailbox usage
  • 4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
  • 4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
  • 4058373 “A parameter cannot be found” error when you run Install-AntiSpamAgents.ps1 in Exchange Server 2016 CU7
  • 4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
  • 4058383 Exchange Control Panel (ECP) redirection fails in Exchange Server 2016
  • 4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
  • 4058399 Disabling a mailbox can’t remove legacyExchangeDN from user’s properties in Exchange Server 2016
  • 4073094 Emails outside a UID range are returned when you request for emails by using IMAP
  • 4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
  • 4073104 PIN can be reset on a Unified Messaging (UM)-enabled mailbox for a user outside a scoped OU
  • 4073103 The Enable-Mailbox cmdlet doesn’t block migrated users from provisioning in Exchange Server 2016
  • 4073107 Language can’t be changed when a user from a child domain tries to change language in OWA
  • 4073111 Can’t access a CAS website such as OWA/ECP/Autodiscover in Exchange Server 2016
  • 4073110 You can’t access OWA or ECP after you install Exchange Server 2016 CU8
  • 4073109 Search-MailboxAuditLog -ShowDetails not showing all messages in Exchange Server 2016
  • 4073114 “ADOperationException” error when OWA text verification fails in Exchange Server 2016
  • 4073214 Can’t enable OWA offline access in Exchange Server 2016
  • 4073531 CultureNotFoundException when selecting a LCID 4096 language in OWA for Exchange Server 2016
  • 4076520 MatchSubdomains isn’t usable for Set-AcceptedDomain in Exchange Server 2016
  • 4076741 Incorrect NDR when an administrator deletes a message from a queue in Exchange Server 2016
  • 4077655 Event ID 258 “Unable to determine the installed file” after you uninstall Windows PowerShell 2.0
  • 4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
  • 4058372 Blank page in Exchange Admin Center Audit Log in Exchange Server 2016
  • 4058382 Can’t retrieve time slot information about private calendar items as a delegate on another user’s account in Exchange Server 2016
  • 4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
  • 4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
  • 4073098 The ETS and EXS groups are incorrectly granted “SeDebugPrivilege” in Exchange Server 2016 on-premises
  • 4073108 “There was a problem loading your options” error when a user accesses OWA Voice Mail options in Exchange Server 2016
  • 4077924 Store Worker process crashes when you move, restore, or repair mailboxes that have issues with the logical index within the database in Exchange Server 2016
  • 4091453 Update improves linguistics features and CJK handling for search in Exchange Server 2016
  • 4073392 Description of the security update for Microsoft Exchange: March 13, 2018

Exchange 2013 CU20 fixes:

  • 4073392 Description of the security update for Microsoft Exchange: March 13, 2018
  • 4073094 Emails outside a UID range are returned when you request for emails by using IMAP
  • 4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016
  • 4057216 Health mailbox’s password is exposed in logs for a failed probe in Exchange Server 2016 and 2013
  • 4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013
  • 4057290 Incorrect user is returned in the ECP when one user’s display name matches another user’s alias
  • 4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync
  • 4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment
  • 4073095 “550 5.6.0 CAT.InvalidContent.Exception” and email isn’t delivered in Exchange Server 2016 and 2013
  • 4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013
  • 4073093 Save issues occur when you use the plain Text Editor in OWA of Exchange Server 2013
  • 4073096 Emails sent from a shared mailbox aren’t saved in Sent Items when MessageCopyForSentAsEnabled is True

Notes:

  • Exchange 2016 CU7 and later requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareSchema to manually update the schema, or use /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To see if you need to update the schema compared to your version or verify the update has been performed, consult the Exchange schema overview.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

 

Upgrade Paths for CU’s & .NET

Ex2013 LogoUpdate 2/13/2018: Revised Microsoft upgrade guidance added.
Update 2/15/2018: Added missing CU14.
Update 6/25/2018: Added latest Exchange 2016 & 2013 CU info.

Microsoft keeps track of the current supported combinations of .NET Framework and Exchange Cumulative Updates at the Exchange Server Supportability Matrix. However, as time progresses, support information on older Cumulative Updates might be removed from the information presented, and you may need to resort to cached versions of this page or other sources to find this information.

This might be problematic for organizations that are not current, and need to find out which upgrade path they are required to follow to stay within the boundaries of supported Exchange deployment configurations. For example, you may need to upgrade to a specific Cumulative Update first, that is supported with a newer release of the .NET Framework, in order to be able to upgrade to a later Cumulative Update.

For these situations, the following tables contains the supportability matrix, enhanced with information regarding earlier Cumulative Updates and .NET Framework versions. These will provide you the supported upgrade paths for older versions of Exchange.

Exchange 2016

.NET

RTM-CU1

CU2

CU3-CU4

CU5-CU7

CU8

CU9

CU10

4.5

4.5.1

4.5.2

X

X

X

4.6.11

X

X

4.6.2

X

X

X

X

4.7.1

X

X

X

4.7.2

Exchange 2013

.NET

RTM-CU3

CU4(SP1)-CU12

CU13-CU14

CU15

CU16-CU18

CU19

CU20

CU21

4.5

X

X

X

4.5.1

X

X

X

4.5.2

X

X

X

4.6.11

X

X

4.6.2

X

X

X

X

4.7.1

X

X

X

4.7.2

Notes

  1. When possible, bypass .NET Framework 4.6.1, as it not only requires updating the CU level prior to updating the .NET Framework, but also requires an additional hotfix: kb3146715 (ws2012r2), kb3146714 (ws2012) or kb3146716 (ws2008r2).

Usage
Suppose your organization loves procrastinating, and you are running Exchange 2013 CU6. Luckily, you run it on .NET Framework 4.5.1, which was already a supported configuration back in 2014 – yes, it’s been that long. Looking at the table, to get current with a minimal number of updates in mind, you can derive the following path:

image

The upgrade path to CU19 would therefor be:

  1. Upgrade to Exchange 2013 Cumulative Update 15
  2. Upgrade .NET Framework to 4.6.2
  3. Upgrade to Exchange 2013 Cumulative Update 19
  4. Optionally, upgrade .NET Framework to 4.7.1

Note that in addition to information being refreshed on Microsoft pages, availability of older Cumulative Updates or .NET Framework updates might also change, so archive those files accordingly, if not for recovery of existing Exchange servers, then for this exact purpose.

Of course, you should stay current as possible from a support and security perspective, making the above a non-issue. Reality is, there are customers who have reasons, legitimate or not, to be trailing with updates in their environment, and at some point may need guidance on how to proceed in order to get current. I hope this information helps in those situations.

Thoughts and feedback is welcomed in the comments.

Update: Per February 13th, Microsoft updated upgrade guidance on the Exchange Supportability Matrix page, stating:

“When upgrading Exchange from an unsupported CU to the current CU and no intermediate CUs are available, you should upgrade to the latest version of .NET that’s supported by Exchange first and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest, supported, CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services”.

This means you will be supported when upgrading in the revised upgrade path, but the risk is still there. In the example above, when going from Exchange 2013 CU6 with .NET 4.5.1 to CU19, the support statement indicates you can upgrade to .NET Framework  4.7.1, when install CU19. However, things might break and you may need to contact support to get back in a supported, working situation. Therefor, I repeat my recommendation to download and archive CU’s and .NET Framework files, even when you are not planning on installing them (yet).

Exchange Updates – December 2017

Ex2013 LogoThe Exchange Team released the December updates for Exchange Server 2013 and 2016. Apart from the usual set of fixes, these Cumulative Updates also have the following enhancements:

  • Like announced earlier, these quartely updates introduce support for .NET Framework 4.7.1. Be advised that .NET Framework 4.7.1 will be required for the quarterly updates to be released in June 2018.
  • Upgrading an existing Exchange deployment with these Cumulative Updates will preserve TLS cryptography settings.
  • Support for Hybrid Modern Authentication (Info).
Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU8 15.1.1415.2 KB4035145 Download UMLP Yes
Exchange 2013 CU19 15.0.1365.1 KB4037224 Download UMLP No

Exchange 2016 CU8 fixes:

  • 4056329 Can’t access EWS from Outlook/OWA add-ins via makeEwsRequestAsync in Exchange Server 2016 and Exchange Server 2013
  • 4054516 “Your request can’t” error when accessing an archive mailbox via OWA in Exchange Server 2016
  • 4055953 The recipient scope setting doesn’t work for sibling domains in Exchange Server 2016
  • 4055435 No MAPI network interface is found after you install Exchange Server 2016 CU7
  • 4056609 Event ID 4999 and mailbox transport delivery service does not start after you install Exchange Server 2016 CU7
  • 4045655 Description of the security update for Microsoft Exchange: December 12, 2017
  • 4057248 Many Watson reports for StoragePermanentException in Exchange Server 2016

Exchange 2013 CU19 fixes:

  • 4046316 MAPI over HTTP can’t remove client sessions timely if using OAuth and the resource has a master account in Exchange Server 2013
  • 4046205 W3wp high CPU usage in Exchange Server 2013
  • 4046182 Event ID 4999 or 1007 if diagnostics service crashes repeatedly in Exchange Server 2013
  • 4056329 Can’t access EWS from Outlook/OWA add-ins via makeEwsRequestAsync in Exchange Server 2016 and Exchange Server 2013
  • 4045655 Description of the security update for Microsoft Exchange: December 12, 2017

Exchange 2010
In addition the Cumulative Updates, Exchange Server 2010 SP3 also received an important update, which fixes the issue described in KB4054456. You can download Rollup 19 here, which will raise the version number to 14.3.382.0. The related KB article is KB4035162.

Notes:
  • Exchange 2016 CU7 and later requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU8 and Exchange 2013 CU18 do not contain schema changes compared to their previous Cumulative Update. However, they may introduce RBAC changes in your environment. Use setup /PrepareSchema to manually update the schema, or use /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To see if you need to update the schema compared to your version or verify the update has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates for Exchange 2013 & 2016

Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.

This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.

You can download the security updates here:

Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.

Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.

Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.

 

Exchange Updates – September 2017

Ex2013 LogoHoneymoon caused some backlog, and one of the things to post was that the Exchange Team released the September updates for Exchange Server 2013 and 2016. Like the previous Cumulative Updates for these Exchange versions, Exchange 2013 CU18 and Exchange 2016 CU7 require .NET Framework 4.6.2; NET Framework 4.7.1 is currently being tested (4.7 will be skipped), and support for 4.7.1 is expected for the December updates.

Version Build KB Article Download UMLP Schema Changes
Exchange 2016 CU7 15.1.1261.35 KB4018115 Download UMLP Yes
Exchange 2013 CU18 15.0.1347.2 KB4022631 Download UMLP No
  • KB 4040754 “Update UseDatabaseQuotaDefaults to false” error occurs when you change settings of user mailbox in Exchange Server 2016
  • KB 4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
  • KB4036108 Security update for Microsoft Exchange: September 12, 2017

Exchange 2013 CU18 fixes:

  • KB4040755 New health monitoring mailbox for databases is created when Health Manager Service is restarted in Exchange Server 2013
  • KB4040121 You receive a corrupted attachment if email is sent from Outlook that connects to Exchange Server in cache mode
  • KB4040120 Synchronization may fail when you use the OAuth protocol for authorization through EAS in Exchange Server 2013
  • KB4036108 Security update for Microsoft Exchange: September 12, 2017

Notes:

  • Exchange 2016 CU7 requires Forest Functionality Level 2008R2 or later.
  • Exchange 2016 CU7 includes schema changes, but Exchange 2013 CU18 does not. However, Exchange 2013 CU17 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • Using Windows Management Framework (WMF)/PowerShell version 5 or later on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • NET Framework 4.7.1 is being tested by the Exchange Team, but .NET Framework 4.7.1 nor .NET Framework 4.7 are supported.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay at most one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order in which you upgrade servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange 2010-2016 Security Fixes

Ex2013 LogoMicrosoft released security updates to fix a remote code execution vulnerability in Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

Exchange and .NET Framework 4.7

Ex2013 Logo A quick heads-up on that .NET Framework 4.7 has recently been released and will be made available through Windows Update channels. The current versions of Exchange Server are not supported with this version of the .NET Framework, and you should not install or update to this version.

Similar to the situation with .NET Framework 4.61 around a year ago, you can prevent  (accidental) upgrades of the .NET Framework by creating the following registry key on your Exchange servers:

HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework47 = 1 (REG_DWORD)

To report on the currently installed .NET Framework version on one or more computers, you can use this PowerShell script, Get-DotNetVersion.ps1. It will not only report the .NET Framework version information, but also if those registry entries to block .NET Framework 4.6.1 or .NET Framework 4.7 upgrades are present.

[PS] C:\> .\get-DotNetVersion.ps1 -ComputerName ex1,ex2 | ft -a

Computer Release NetFramework Net461Block Net47Block
-------- ------- ------------ ----------- ----------
ex1      461268  4.7          False       True
ex2      461268  4.7          False       False

The related article by the Exchange Team on this topic contains steps on how to recover the situation, in case you did upgrade. Of course, with all the dependencies on the .NET Framework by Exchange Server, you may prefer migrating contents to a new Exchange servers with a supported .NET Framework, and decommission servers where you had to remove the unsupported .NET Framework from.

More information can be found in KB4024204.

PS: The updated Unattended Exchange 2013 & 2016 Installation script will now also set the .NET Framework 4.7 blockade registry key.

Exchange Updates – December 2016

Ex2013 LogoToday, the Exchange Team released the December updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007.

Changes introduced in Exchange Server 2016 CU4 are an updated OWA composition window, and on Windows Server 2016, KB3206632 needs to be present before CU4 can be deployed. This KB fixes – among other things – the problem with DAG members experiencing crashing IIS application pools. Be advised that the KB3206632 update for Windows Server 2016 is a whopping 1 GB. You can download this update here.

The biggest change for Exchange Server 2013 is support for .NET 4.6.2. Be advised organizations running Exchange 2016 or 2013 on .NET 4.6.1 should start testing with and planning to deploy .NET 4.6.2, as the March updates will require .NET 4.6.2, which is currently still optional.

Both Cumulative Updates introduce an important fix for indexing of Public Folder when they were in the process of being migrated. To ensure proper indexing, it is recommended to move public folder mailboxes to a different database so they will get indexed properly.

The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU4 15.1.669.32 KB3177106 Download UMLP
Exchange 2013 CU15 15.0.1263.5 KB3197044 Download UMLP
Exchange 2010 SP3 Rollup 16 14.3.339.0 KB3184730 Download
Exchange 2007 SP3 Rollup 22 8.3.502.0 KB3184712 Download
  • KB 3202691 Public folders indexing doesn’t work correctly after you apply latest cumulative updates for Exchange Server
  • KB 3201358 Set-Mailbox and New-Mailbox cmdlets prevent the use of the -Office parameter in Exchange Server 2016
  • KB 3202998 FIX: MSExchangeOWAAppPool application pool consumes memory when it recycles and is marked as unresponsive by Health Manager
  • KB 3208840 Messages for the health mailboxes are stuck in queue on Exchange Server 2016
  • KB 3186620 Mailbox search from Exchange Management Shell fails with invalid sort value in Exchange Server 2016
  • KB 3199270 You can’t restore items to original folders from Recoverable Items folder in Exchange Server 2016
  • KB 3199353 You can’t select the receive connector role when you create a new receive connector in Exchange Server 2016
  • KB 3193138 Update to apply MessageCopyForSentAsEnabled to any type of mailbox in Exchange Server 2016
  • KB 3201350 IMAP “unread” read notifications aren’t suppressed in Exchange Server 2016
  • KB 3209036 FIX: “Logs will not be generated until the problem is corrected” is logged in an Exchange Server 2016 environment
  • KB 3212580 Editing virtual directory URLs by using EAC clears all forms of authentication in Exchange Server 2016

Exchange 2013 CU15 fixes:

  • KB 3198092 Update optimizes how HTML tags in an email message are evaluated in an Exchange Server 2013 environment
  • KB 3189547 FIX: Event ID 4999 for a System.FormatException error is logged in an Exchange Server 2013 environment
  • KB 3198046 FIX: The UM mailbox policy is not honored when UM call answering rules setting is set to False in an Exchange Server 2013 environment
  • KB 3195995 FIX: Event ID 4999 with MSExchangerepl.exe crash in Exchange Server 2013
  • KB 3208886 Send As permission of a linked mailbox is granted to a user in the wrong forest in Exchange Server 2013
  • KB 3188315 Messages are stuck in outbox when additional mailboxes are configured in Outlook on Exchange Server 2013
  • KB 3202691 Public folders indexing doesn’t work correctly after you apply latest cumulative updates for Exchange Server
  • KB 3203039 PostalAddressIndex property isn’t returning the correct value in Exchange Server 2013
  • KB 3198043 Shadow OAB downloads don’t complete in Exchange Server 2013
  • KB 3208885 Microsoft.Exchange.Store.Worker.exe process crashes after mailbox is disabled in Exchange Server 2013
  • KB 3201966 MSExchangeOWAAppPool application pool consumes excessive memory on restart in Exchange Server 2013
  • KB 3209041 FIX: An ActiveSync device becomes unresponsive until the sync process is complete in an Exchange Server environment
  • KB 3209013 FIX: The LegacyDN of a user is displayed incorrectly in the From field in the Sent Items folder on an ActiveSync device
  • KB 3209018 FIX: Results exported through the eDiscovery PST Export Tool never finishes in an Exchange Server environment
  • KB 3199519 Inconsistent search results when email body contains both English and non-English characters in Exchange Server 2013
  • KB 3211326 “ConversionFailedException” error when emails are sent on the hour in Exchange Server 2013

Notes:

  • Exchange 2016 CU4 doesn’t incldue schema changes compared to CU4, however, Exchange 2016 CU4 as well as Exchange 2013 CU15 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
  • When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.
  • Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or TechNet forum for any issues.

Exchange Server Role Requirements Calculator 8.3

Exchange 2010 Mailbox Role Sizing Calculator 16.4The Exchange team published an update for the Exchange Server Role Requirements Calculator, the tool to aid you in properly sizing your Exchange Server 2013 or Exchange Server 2016 deployment.

The new version number is 8.3, and it contains two major enhancements compared to version 7.9:

  • Added ability for the calculator to automatically determine the number of Mailbox servers and DAGs that need to be deployed to meet the chosen input requirements
  • Added Read from Passive support for Exchange 2016 deployments which results in decreased bandwidth utilization for HA copies

You can download the calculator here. For more information, please consult the list of changes here or Read Me here.