Tag Archives: Exchange2019

Exchange Updates (and more) – H1 2023

Posted on by
Reply

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2023, or CU13. This is Exchange 2019 only; no Exchange 2016 CU.

Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following functionality enhancements:

Modern Authentication On-Premises Support
After dropping support for Basic Authentication in Exchange Online, organizations that remained on-premises for various reasons, and could not deploy Exchange Hybrid, were left out in doubt how to proceed. Last year, Microsoft gave them some perspective, following a roadmap announcement.

This CU is a first step, allowing organizations running AD FS 2019 to deploy Exchange 2019 CU13, and configure AD FS as their authentication provider. Be advised that this also requires clients to support this change in authentication logic. First, Outlook for Windows will contain support for this in build 16327.20200 and later. Support for other Outlook clients has an ETA of end of year. Outlook on the Web already supports claims-based authentication using AD FS, which is a form of Modern Authentication.

Finally, organization running Exchange 2016 can deploy Exchange 2019 CU13 in front of those Exchange 2016 servers, allowing then to handle clients request, and thus authenticate them using AD FS. After deployment, organizations can enable Modern Authentication on the organization or at the mailbox level, using Exchange’s Authentication Policies.

For more information about deploying Modern Authentication with Exchange on-premises, see Enabling Modern Auth in Exchange On-Premises. The page also includes an insightful diagram on the authentication flow.

Configuration Backup/Restore
Administrators might tweak configuration files belonging to their Exchange deployment, e.g. web.config. Deploying CUs meant that those files were overwritten, and administrators had to re-apply changes. With CU13, setup will now preserve a fixed set of elements in those configuration files. For more information, see Exchange Server custom configuration preservation.

TLS 1.3
Unfortunately, nothing yet about TLS 1.3 support.

Earlier Exchange Versions
Exchange 2013 reached end of life early April. No Cumulative Update for Exchange 2016 CU23, which is in extended support, and will only receive security updates until October, 2025. Exchange 2016 is supported when you run CU23 with the March 2023 Security Update applied.

Download
Link to the update as well as a description of changes and fixes are below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, in order to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1315.2.1258.12KB5020999Download NY

Exchange 2019 CU13 fixes:

  • 5027150 Enable Modern Auth for pure On-Premises Exchange users
  • 5026134 â€śInvalidRecipientsException” when you try to run MRM
  • 5026135 CertificateDeploymentServicelet failure in multiple domain forest Exchange deployments
  • 5026136 Microsoft Exchange Transport doesn’t re-encrypt IRM messages
  • 5026138 Users receive reminders although the meeting reminder is set to None
  • 5026139 You can’t move the public folder mailbox
  • 5026142 Journal message returns “ConversionFailedException”
  • 5026143 OAB shadow distribution threshold must be reduced or made configurable
  • 5026146 Expiry notification is sent to moderator and sender for approved and delivered messages
  • 5026147 BlockLegacyAuthentication fail Organization Policy because of BackendRehydrationModule implementation
  • 5026149 Group metrics generation doesn’t finish in multidomain environment
  • 5026150 Edge server Filtering Agent removes journal attachments
  • 5026151 Oab-Processing-Threshold is set to 0 for On-Premises
  • 5026152 Microsoft Exchange ActiveSync or Current Requests counter inaccurately counts requests
  • 5026153 Delivery Flow Control setting override is now available
  • 5026154 On-premises Exchange has 35MB file size limit for online archiving
  • 5026155 “No support for this operation” error on an Exchange 2019 DAG member server
  • 5026156 Outlook search fails in a shared On-Premises mailbox if the primary user mailbox is migrated to Exchange Online
  • 5026158 The body of recurring meeting is not clear if it has Chinese characters
  • 5026159 IconIndex returns Default value when Server Assisted Search is used in Outlook
  • 5026266 “Could not start MS Exchange Service Host service” error and Exchange stops responding
  • 5026267 OWA stops responding in an Exchange 2019 and 2016 coexistence topology
  • 5026268 Store Worker process crashes and returns “System.NullReferenceExceptions” multiple times per day
  • 5026269 Block deserialization error when using eDiscovery
  • 5026271 IIS URL Rewrite Module link is incorrect
  • 5026273 Outlook configuration fails in Android or iOS
  • 5026274 Hybrid Agent Validation fails after Extended Protection is enabled
  • 5026277 Mail configuration fails on iOS device after Extended Protection is enabled
  • 5026278 Mailbox migration fails after Extended Protection is enabled

Notes

  • If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to inability to validate script signatures.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2013-2019 (Mar2023)

Posted on by
Reply

The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.

The vulnerability addressed in these Security Updates for Exchange Server is:

VulnerabilityCategorySeverityRating
CVE-2022-21978Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.26KB5024296KB5023038
Exchange 2019 CU11Download15.2.986.42KB5024296KB5023038
Exchange 2016 CU23Download15.1.2507.23KB5024296KB5023038
Exchange 2013 CU23Download15.0.1497.48KB5024296KB5023038

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

IssueExchange 2013Exchange 2016Exchange 2019
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigningYesYesYes
EEMS stops responding after TLS endpoint certificate updateYesYesYes
Get-App and GetAppManifests fail and return an exceptionYesYesYes
EWS does not respond and returns an exceptionYesYesYes
An exception is returned while opening a template in the Exchange ToolboxYesYesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Feb2023)

Posted on by
2

[20Feb] Added information regarding issues reported.

The Exchange product group released February updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

VulnerabilityCategorySeverityRating
CVE-2023-21529Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21706Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21707Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21710Remote Code ExecutionImportantCVSS:3.1 7.2 / 6.3

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.25KB5023038KB5022193
Exchange 2019 CU11Download15.2.986.41KB5023038KB5022193
Exchange 2016 CU23Download15.1.2507.21KB5023038KB5022143
Exchange 2013 CU23Download15.0.1497.47KB5023038KB5022188

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

IssueExchange 2013Exchange 2016Exchange 2019
Export-UMPrompt fails with InvalidResponseExceptionYesYesN/A
Edge Transport service returns an “EseNtOutOfSessions” ExceptionYesYesYes
Exchange services in automatic startup mode do not start automaticallyYesYesYes
Data source returns incorrect checkpoint depthYesYesYes
Serialization fails while tried accessing Mailbox Searches in ECPYesYesYes
Transport delivery service mishandles iCAL eventsYesYesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it’s EWS having problems, applications depending on this protocol also may stop to work, such as Teams.

Meanwhile, Microsoft acknowledged an issue with the initial publication, and published workaround. If experience issues and see the event 4999 in your Eventlog:

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

follow the instructions in the following KB article link:

  1. On each Exchange server, create a registry key
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name 'DisableBaseTypeCheckForDeserialization' -Value 1 -Type String
  2. Create a global override setting
    New-SettingOverride -Name 'Adding learning location ClientExtensionCollectionFormatter' -Component Data -Section DeserializationBinderSettings -Parameters @('LearningLocations=ClientExtensionCollectionFormatter') -Reason 'Deserialization failed'
  3. If you cannot wait until the override configuration kicks in (may take an one hour), refresh it manually:
    • Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
    • Restart IIS and the Windows Activation Proces on each server
      Restart-Service -Name W3SVC, WAS -Force

Be advised that event 4999 might still show up in your Eventlog, and it has been reported that this might not completely does away with the issues reported. Keep an eye on the original post and EHLO blog for any future updates.

Security Updates Exchange 2013-2019 (Jan2023)

Posted on by
2

The Exchange product group released January updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

VulnerabilityCategorySeverityRating
CVE-2023-21764Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-21763Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-21745SpoofingImportantCVSS:3.1 8.8 / 7.9
CVE-2023-21762SpoofingImportantCVSS:3.1 8.0 / 7.0
CVE-2023-21761Information DisclosureImportantCVSS:3.1 7.5 / 6.5

The Security Updates for each Exchange Server version are linked below. Note that only CVE-2023-21762 applies to Exchange Server 2013:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.21KB5022193KB5019758
Exchange 2019 CU11Download15.2.986.37KB5022193KB5019758
Exchange 2016 CU23Download15.1.2507.17KB5022143KB5019758
Exchange 2013 CU23Download15.0.1497.45KB5022188KB5019758

In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April, 2023, meaning it it will stop receiving security updates. Recommendation is to upgrade to a more recent version.

Payload Serialization Signing
Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TLDR; it allows for signing data to identify possible tampering. More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. In order to verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as each Exchange server needs to understand the signing.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue Ex2013Ex2016Ex2019
Store Worker Process stops and returns “System.NullReferenceExceptions” multiple times per dayYesYes
Can’t record or play in Exchange Unified MessagingYesYes
Exchange Application log is flooded with Event ID 6010Yes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing. If you are running Exchange 2019 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Nov2022)

Posted on by
Reply

The Exchange product group released November updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that were reported end of September. More on those in an earlier post.

Note: You can keep the current URLScan mitigations in-place, and remove them after installing these security updates at your convenience. The recommendation to disable Remote PowerShell for non-admins is upheld, but this is best practice regardless.

The vulnerabilities addressed in these Security Updates are:

VulnerabilityCategorySeverityRating
CVE-2022-41040Elevation of PrivilegeCriticalCVSS:3.1 8.8 / 7.9
CVE-2022-41082Elevation of PrivilegeImportantCVSS:3.1 8.8 / 8.3
CVE-2022-41078Elevation of PrivilegeImportantCVSS:3.1 8.0 / 7.0
CVE-2022-41123Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2022-41079Elevation of PrivilegeImportantCVSS:3.1 8.0 / 7.0
CVE-2022-41080Elevation of PrivilegeCriticalCVSS:3.1 8.8 / 7.7

The following Security Updates address these vulnerability for the Exchange builds mentioned, with the exception of CVE-2022-41123 which does not apply to Exchange Server 2013:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.20KB5019758KB5019077
Exchange 2019 CU11Download15.2.986.36KB5019758KB5019077
Exchange 2016 CU23Download15.1.2507.16KB5019758KB5019077
Exchange 2016 CU22Download15.1.2375.37KB5019758KB5019077
Exchange 2013 CU23Download15.0.1497.44KB5019758KB5019076

In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Oct2022)

Posted on by
4

The Exchange product group released October updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates do NOT address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that have been reported on since end of September. For now, mitigate those by follow the instructions mentioned an earlier post here.

The vulnerabilities addressed in these Security Updates are mostly the same as the ones addressed by the Security Updates of August, with the exception of CVE-2022-34692. Also, the CVSS rating of CVE-2022-30134 has been adjusted:

VulnerabilityCategorySeverityRating
CVE-2022-21979Information DisclosureImportantCVSS:3.1 4.8 / 4.2
CVE-2022-21980Elevation of PrivilegeCriticalCVSS:3.1 8.0 / 7.0
CVE-2022-24477Elevation of PrivilegeCriticalCVSS:3.1 8.0 / 7.0
CVE-2022-24516Elevation of PrivilegeCriticalCVSS:3.1 8.0 / 7.0
CVE-2022-30134Elevation of PrivilegeImportantCVSS:3.1 6.5 / 5.7
(was CVSS:3.1 7.6 / 6.6)

The following Security Updates address these vulnerability for the Exchange builds mentioned:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.15KB5019077KB5015322
Exchange 2019 CU11Download15.2.986.30KB5019077KB5015322
Exchange 2016 CU23Download15.1.2507.13KB5019077KB5015322
Exchange 2016 CU22Download15.1.2375.32KB5019077KB5015322
Exchange 2013 CU23Download15.0.1497.42KB5019076KB5015321

In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Aug2022)

Posted on by
4

The Exchange product group released Augustus updates for Exchange Server 2013, 2016 and 2019.

Note that per the previous May cycle, Security Updates will be packaged in an executable wrapper. This should trigger the running elevated prompt, thus preventing any potential issues when admins simply double-click the .MSP file. More about the new package format, options for logging and command-line switches are mentioned in an article dedicated to the change of distribution method here.

Windows Extended Protection
Special attention in this cycle for Windows Extended Protection, which needs to be enabled to address certain vulnerabilities. WEP is ONLY supported for specific versions of Exchange server – see the documentation for details regarding requirements and known issues. TLDR; – list might change over time, consult the pages linked earlier:

  • Requirements
    • Supported on Exchange 2013 CU23, Exchange 2016 CU22 and Exchange Server 2019 CU11 or later, with the August 2022 Security Updates installed.
    • Cannot be enabled on Exchange Server 2013 servers hosting Public Folders in co-existence with Exchange 2016/2019.
    • Cannot be enabled on Exchange 2016 CU22 or Exchange 2019 CU11 or older hosting a Public Folder Hierarchy.
    • Does not work with hybrid servers using Modern Hybrid configuration.
    • SSL Offloading scenarios are currently not supported.
    • Consistent TLS configuration is required across all Exchange servers.
  • Known Issues
    • Retention Policies using action Move to Archive stops working.
    • In Exchange 2013, the MAPI over HTTP probe OutlookMapiHttpCtpProbe might show FAILED.

To perform prerequisite checks and implement WEP, a supporting script ExchangeExtendedProtectionManagement.ps1 has been published. Since enabling WEP impacts how clients and Exchange server communicates, it is highly recommended to test this first on your specific configuration, especially with 3rd party products, before enabling it in production.

Security Updates
So, on with the security updates. The vulnerabilities addressed in the Security Updates for August are:

VulnerabilityCategorySeverityRating
CVE-2022-21979Information DisclosureImportantCVSS:3.1 4.8 / 4.2
CVE-2022-21980Elevation of PrivilegeCriticalCVSS:3.1 8.0 / 7.0
CVE-2022-24477Elevation of PrivilegeCriticalCVSS:3.1 8.0 / 7.0
CVE-2022-24516Elevation of PrivilegeCriticalCVSS:3.1 8.0 / 7.0
CVE-2022-30134Elevation of PrivilegeImportantCVSS:3.1 7.6 / 6.6
CVE-2022-34692Information DisclosureImportantCVSS:3.1 5.3 / 4.6

The following Security Updates address this vulnerability:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.12KB5015322KB5014261
Exchange 2019 CU11Download15.2.986.29KB5015322KB5014261
Exchange 2016 CU23Download15.1.2507.12KB5015322KB5014261
Exchange 2016 CU22Download15.1.2375.31KB5015322KB5014261
Exchange 2013 CU23Download15.0.1497.40KB5015321KB5014260

These Security Updates also fix the following issues:

  • KB5017261 Start-DatabaseAvailabilityGroup fails with BlockedDeserializeTypeException
  • KB5017430 E-Discovery search fails in Exchange Online

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Exchange Announcements

Posted on by
Reply

Few days ago, the Exchange Product made several announcements related to Exchange Server and its future. The overall message throughout these announcements can be interpreted as that Microsoft is publicly declaring to be committed to developing and supporting the Exchange Server product. This is especially of interest to those customers running it as part of their on-premises infrastructure. It is also assuring those that believe the road ahead was a dead end, eventually forcing them to move to Exchange Online, or look for alternatives.

The announcements made were in the area of:

  • Lifecycle policies remain intact for current versions of Exchange Server.
  • The next version of Exchange Server, also known as Exchange vNext, will move to a continuous support model, but comes with requirements.
  • Upgrade path for Exchange vNext.
  • Modern Authentication support for non-hybrid Exchange 2019 deployments.
  • Exchange 2019 support for TLS 1.3.
  • Possibility to receive pre-release builds of Exchange server through Microsoft’s TAP program.
  • Exchange Admin Center will receive overview section for Exchange servers update status in Exchange hybrid deployments.
  • HCW will allow admins to skip configuration steps.
  • Script to remove obsolete mitigations from EEMS.
  • Microsoft Exchange Conference Community Virtual Airlift (MEC) for September 13-14! (register)
  • Feedback forums for Exchange Online and Exchange Server.

More details on these announcements can be found in the full article on the announcements, and can be found here at the ENow Solutions blog.

Exchange Updates (and more) – H1 2022

Posted on by
4

20220423: Added TLS 1.3 note.

The Exchange Team released the quarterly half-yearly Cumulative Updates for Exchange Server 2019 and Exchange 2016. You read that right, half-yearly updates are replacing the cadence of quarterly update servicing model for Exchange Server. Effectively, this will be Exchange 2019 only, as Exchange 2016 will be out of mainstream support in H2 of 2022, and will therefor only receive Security Updates after this round. Note that this change also alters the effective ‘current’ state (n-1 or later) of your Exchange Server environment from half year to one year.

And that’s not the only good news that comes with these sets of updates. In short:

  • If you run Exchange 2019 in Hybrid only for the purpose of managing recipients, you can now use Exchange 2019 CU12’s Exchange Management Tools to accomplish this; no more need to have an Exchange server running just for this. More details here.
  • Exchange 2019 CU12 will reintroduce the Hybrid Key option. Its Hybrid Configuration Wizard supports this licensing method.
  • Exchange 2019 CU12 support managing the Hybrid Agent with MFA-enabled accounts.
  • Exchange 2019 CU12 adds support for Windows Server 2022, both for its underlying operating system, as well as deployment in environments running Windows Server 2022 Domain Controllers.
  • Note that while Windows Server 2022 supports TLS 1.3, Exchange 2019 CU12 on WS2022 does not yet support it. Adding support is scheduled for somewhere next year.
  • The supportability matrix has been updated for the supported Windows Server 2022 scenarios.
  • Exchange Server is now also part of Microsoft’s Bounty Program, which is an indication of continued focus for customers still running Exchange Servers on-premises.

Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1215.2.1118.7KB5011156Download NY
Exchange 2016 CU2315.1.2507.6KB5011155DownloadUMLPNY

Apart from DST changes and the fixes mentioned below, these Cumulative Updates also contain a change which will not allow using UNC paths with several cmdlets. More information about this change and cmdlets affected can be found here: KB5014278.

Exchange 2019 CU12 fixes:

  • 5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
  • 5012758 Start-MailboxAssistant is not available in Exchange Server 2019
  • 5012760 You can’t access OWA or ECP after installing the July 2021 security update
  • 5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
  • 5012762 PST creation is unexpectedly triggered again during multiple mailbox export
  • 5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
  • 5012766 Transport Services fail repeatedly because of * Accepted Domain
  • 5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
  • 5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
  • 5012770 No response from public folder for users migrating to Microsoft Exchange 2019
  • 5012772 Items are skipped at the start of a new search page request
  • 5012773 OWAMailboxPolicy is bypassed and high resolution profile images can be uploaded
  • 5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
  • 5012775 No additional global catalog column in the address book service logs
  • 5012776 Exchange Server 2019 help link in OWA redirects users to online help for Exchange Server 2016
  • 5012777 Can’t find forwarded messages that contain attachments in Exchange Server 2019
  • 5012778 Exchange Server stops responding when processing PDF files with set transport rule
  • 5012779 Invalid new auth certificate for servers that are not on UTC time zone
  • 5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
  • 5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
  • 5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
  • 5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
  • 5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
  • 5012785 Read Only Domain Controllers (RODCs) in other domains do not get desired permissions
  • 5012786 Forwarded meeting appointments are blocked or considered spam
  • 5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
  • 5012789 Can’t use Copy Search Results after eDiscovery & Hold search
  • 5012790 OWA doesn’t remove the “loading” image when a message is opened in Chrome and Edge browsers
  • 5012791 MailboxAuditLog doesn’t work in localized (non-English) environments

Exchange 2016 CU23 fixes:

  • 5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
  • 5012760 You can’t access OWA or ECP after installing the July 2021 security update
  • 5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
  • 5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
  • 5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
  • 5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
  • 5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
  • 5012779 Invalid new auth certificate for servers that are not on UTC time zone
  • 5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
  • 5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
  • 5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
  • 5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
  • 5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
  • 5012786 Forwarded meeting appointments are blocked or considered spam
  • 5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
  • 5012789 Can’t use Copy Search Results after eDiscovery & Hold search
  • 5012791 MailboxAuditLog doesn’t work in localized (non-English) environments
  • 5012829 Group metrics generation fails in multidomain environment

Notes:

  • If these Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2013-2019 (Mar2022)

Posted on by
4

The Exchange PG released March updates for Exchange Server 2013, 2016 and 2019. More detailed information on patching and how to get current when running an earlier CU of Exchange, can be found at the original blog post here.

The vulnerabilities addressed in these security updates are:

VulnerabilityCategorySeverityRating
CVE-2022-23277Remote Code ExecutionCriticalCVSS:3.1 8.8 / 7.7
CVE-2022-24463SpoofingImportantCVSS:3.1 6.5 / 5.7

These vulnerabilities are addressed in the following security updates below. The exception is KB5010324 which does not fix CVE-2022-24463 for Exchange 2013. If this is because of the severity classification or the problem being non-existent for Exchange 2013, has not been not disclosed.

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU11Download15.2.986.22KB5012698KB5008631
Exchange 2019 CU10Download15.2.922.27KB5012698KB5008631
Exchange 2016 CU22Download15.1.2375.24KB5012698KB5008631
Exchange 2016 CU21Download15.1.2308.27KB5012698KB5008631
Exchange 2013 CU23Download15.0.1497.33KB5010324KB5008631

Finally, KB5010324 also contains the following additional fix for Exchange 2013:

  • 5012925 RFC certificate timestamp validation in Exchange Server 2013

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.