Today was a big day for Exchange updates. Not only did we get Cumulative Update 10 for Exchange 2016, but we also got Cumulative Update 21 for Exchange 2013. Exchange 2010 also receives a critical update in rollup 22.
As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.
The updates are as follows:
Exchange 2016 Cumulative Update 10 | KB4099852 | UM Language Pack
Exchange 2013 Cumulative Update 21 | KB4099855 | UM Language Pack
Exchange 2010 SP3 Rollup 22 | KB4295699
Exchange 2013 enters extended support
In case you missed it, Exchange 2013 entered extended support on April 10th. Cumulative Update 21 is the last planned update for Exchange 2013 and no further product development is expected. Any cumulative update after 21 is at Microsoft’s discretion. However, security and time zone updates will continue to be available until April 11th, 2023, delivered primarily through the Windows Update Catalog.
As a reminder, Exchange 2010 has less than 18 months of extended support remaining. After January 10th, 2020, no further technical support or updates will be available. This includes security, bug, and time zone updates. If you are still on 2010, I would recommend planning a migration to Exchange 2016 or Office 365 as soon as possible.
So, what’s new in these Cumulative Updates?
One prerequisite change is the need to install Visual C++ 2013. This is required for a third-party software component, which manages WebReady document viewing and data loss prevention, that ships in these updates. Visual C++ 2012 was the previous requirement for older cumulative updates. However, Visual C++ 2012 was installed automatically by the Unified Communication Management Agent (another Exchange prerequisite), so it never required administrator intervention. This means Visual C++ 2013 will also be a requirement for new server installations.
Exchange 2010 received a significant update in this release, which is the ability to leverage Windows 2016 domain controllers and global catalog servers. While 2016 DCs could exist in an Exchange 2010 environment, Exchange 2010 would simply not use them. With this update, 2010 will now leverage 2016 domain controllers and allow for the domain and forest functional levels to be raised to Windows Server 2016. This will allow you to eliminate all older domain controllers.
These updates contain a lot of security and bug fixes. Aside from the May 8th security update, each cumulative update includes time zone updates and a dozen bug fixes. Check the appropriate KB article above for a list of issues each update resolves.
Upgrade considerations
Visual C++ 2013 Redistributable is now a requirement for installing Exchange 2013 CU21 and Exchange 2016 CU10. You will need to install this before running the setup. If this package is missing, setup will not continue.
The December updates added .NET 4.7.1 support. In the June updates, .NET 4.7.1 is now a mandatory requirement. This can make your upgrade path a little tricky if you typically stay behind on cumulative updates. The challenge is that you need CU8 before you can install 4.7.1, and you need 4.7.1 before you can install CU10. The problem is that CU8 is no longer publicly available: Microsoft only keeps the current and prior CUs publicly available for download. The good news is that you can still get this download by opening a case with support.
Alternatively, Microsoft added this statement to the Exchange supportability matrix.
This doesn’t exactly make me feel warm and fuzzy, especially as certain combinations of .NET and Exchange have been reported to quarantine mailboxes. The only recommendation I can make is that, if you can’t stay up to date on updates, you at least download and store the bits as they become available.
To navigate the cumulative update path I recommend the article Upgrade Paths for CU’s & .NET by Michel de Rooij.
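A read-only pre-flight check for the two prerequisites discussed above (Visual C++ 2013 and .NET 4.7.1), to run on each server before launching setup. This is an added example, not part of the original post or Microsoft's tooling; the function names are hypothetical, and the x64 filter assumes the 64-bit redistributable is the one setup looks for.

```powershell
# Added example: read-only pre-flight check, changes nothing on the server.
# Microsoft's documented "Release" DWORD for .NET Framework 4.7.1 is 461308 on
# Windows 10 1709 / Windows Server 1709 and 461310 on every other OS version.
$NetFx471Releases = 461308, 461310

function Get-NetFxRelease {
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.Release }
}

function Get-VcRedist2013 {
    # Assumption: the x64 redistributable is the one Exchange setup looks for.
    # Both uninstall hives are searched because the installer bundle is 32-bit.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2013*(x64)*' } |
        Select-Object -Property DisplayName, DisplayVersion
}

function Test-ExchangeCuPrerequisite {
    $release = Get-NetFxRelease
    $vc      = @(Get-VcRedist2013)

    if ($null -eq $release) {
        $netState = '.NET 4.5 or later not detected'
    } elseif ($NetFx471Releases -contains $release) {
        $netState = '4.7.1'
    } elseif ($release -lt 461308) {
        $netState = 'older than 4.7.1'
    } else {
        # A newer .NET is not automatically acceptable: confirm the exact
        # combination against the Exchange supportability matrix first.
        $netState = 'newer than 4.7.1'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        NetFxRelease     = $release
        NetFxState       = $netState
        VcRedist2013     = ($vc | ForEach-Object { $_.DisplayVersion }) -join ', '
        PrerequisitesMet = ($netState -eq '4.7.1') -and ($vc.Count -gt 0)
    }
}

Test-ExchangeCuPrerequisite | Format-List
```

`PrerequisitesMet` covers only these two items; it says nothing about schema, forest functional level or the current CU.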
As a reminder, the September 2017 cumulative update introduced a forest functional level requirement of Server 2008 R2. This means that if you are upgrading from CU6 or earlier, all domain controllers in the forest must be running Server 2008 R2 or higher. Exchange 2013 CU21 can still be installed in a forest functional level of Server 2003.
Exchange 2016 Cumulative Update 10 does not include schema updates. If upgrading from CU 7-9 then there are no schema changes. However, if migrating from CU 6 or earlier you will need to perform a schema update.
Exchange 2013 Cumulative Update 21 does not include any schema updates. If upgrading from CU 7-20 then there are no schema changes. However, if migrating from CU 6 or earlier you will need to perform a schema update.
To learn how to extend and verify the schema, check this guide. For a quick reference on schema and build numbers, check here.
In addition to the schema, you will want to run SETUP /PrepareAD to get the latest RBAC definitions. The graphical setup performs this step automatically assuming you have permissions.
More Awesome News
Microsoft has officially entered Office 2019 into a commercial preview. You can sign up for the commercial preview, and learn more about the program, by checking the following article.
It is worth noting that Office 2019 will only be available as click-to-run. Traditional MSI packages will no longer be available for Office 2019. You can read more about this decision and the benefits of moving solely to click-to-run in the article titled, Office 2019 volume license products available as click-to-run. This does not mean everyone will be required to maintain an Office subscription. Quite the opposite. The click-to-run delivery can still be used with a perpetual volume license.
You can read more about the new Office 2019 features in this Tech Community article.
In our last quarterly review, we announced Microsoft would be ending support for TLS 1.0 and 1.1 protocols in Office 365 on October 31st, 2018. In preparation for this date, Microsoft had previously released the first of a three-part series on TLS guidance for Exchange and Exchange Online. Microsoft has since released all three parts of this series. While Microsoft will not block these older protocols, it does intend to deprecate them in the future. I highly recommend acting on the information in the following articles before the 31st so you can remain in a supported state.
- Exchange Server TLS guidance: Getting Ready for TLS 1.2 – Part one acts as both an introduction and lists the minimum updates needed by both Exchange and Windows Server. At a minimum, it is important to get your environment to this level.
- Exchange Server TLS guidance: Enabling TLS 1.2 and Identifying Clients Not Using It – Part two provides guidance on how to enable TLS 1.2. It provides guidance on the various protocols, such as HTTPS, SMTP, POP & IMAP. Last, it provides instructions on how to validate the version of the TLS protocol in use.
- Exchange Server TLS guidance: Turning Off TLS 1.0/1.1 – Part three identifies how to use the registry to disable TLS 1.0 and 1.1.
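To see where a server stands before and after working through the three parts, the read-only audit below reports the SCHANNEL protocol settings and the .NET TLS settings from the registry. It is an added example, not taken from the original post or from Microsoft's articles; the function names are hypothetical, and the paths are the standard Windows SCHANNEL and .NET Framework registry locations.

```powershell
# Added example: read-only audit, changes nothing on the server.
$Schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$NetFxKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-TlsProtocolState {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            $key     = Join-Path $Schannel "$proto\$role"
            $enabled = Get-RegDword $key 'Enabled'
            # Any non-zero DWORD counts as enabled (0xFFFFFFFF reads back as -1).
            if ($null -eq $enabled) {
                $state = 'OS default'
            } elseif ($enabled -eq 0) {
                $state = 'Disabled'
            } else {
                $state = 'Enabled'
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                State             = $state
                Enabled           = $enabled
                DisabledByDefault = Get-RegDword $key 'DisabledByDefault'
            }
        }
    }
}

function Get-NetFxTlsState {
    # These two values decide whether .NET 4.x code follows the OS TLS defaults.
    foreach ($key in $NetFxKeys) {
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = Get-RegDword $key 'SchUseStrongCrypto'
            SystemDefaultTlsVersions = Get-RegDword $key 'SystemDefaultTlsVersions'
        }
    }
}

Get-TlsProtocolState | Format-Table -AutoSize
Get-NetFxTlsState    | Format-List
```

A state of "OS default" means the value is not set explicitly, so the result depends on the Windows Server version; record the output before making changes so it can be compared afterwards.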
In the article titled, New architecture for Exchange hybrid customers enables Outlook mobile and security, Ross Smith discusses how you can leverage Enterprise Management and Security with an on-prem mailbox. This allows you to enable security features such as conditional access and device management policies to control which devices can connect to on-prem mailboxes. This is especially useful for an organization that needs to maintain some of its mailboxes on-prem while keeping a consistent security policy between both cloud and on-prem mailboxes. The requirement for this is hybrid modern authentication, which is discussed in depth in this article.
The Microsoft Office Configuration Analyzer Tool (“OffCat”) has been deprecated. Most of OffCat’s features have been transitioned to its successor, the Support and Recovery Assistant (“SaRA”). OffCat was unavailable to download as of May 31st, 2018.
Microsoft also announced that it has increased support for the number of public folders in Office 365 to 500,000. Previously this limit was 250,000. However, migrations of public folders to Office 365 are still limited to 100,000 folders.
In our September 2017 quarterly review, we discussed how Microsoft was dropping Session Border Controllers in Office 365. Session Border Controllers (“SBCs”) are used to connect third-party on-prem PBX systems to Exchange Online Unified Messaging for voicemail. This configuration option was originally slated to go away next month. However, Microsoft has extended this deadline to April 30th, 2019 to allow customers more time to prepare. For migration options, check this article.
Lastly, if you were unable to attend Ignite, I recommend checking out my post, 15 Microsoft Ignite sessions every Exchange admin should see. I have included notes for each session and the time each topic starts, so you can quickly skip to the content that interests you most. It’s also a great primer for Ignite 2018, which is only 3 months away.
We need your help – Universal Signatures
Earlier this year fellow MVP, Jeff Guillet, spearheaded an initiative for universal signatures. The outcome of this initiative was two-fold.
- When a user sets a signature on one device that signature should be synchronized across all devices (desktop, mobile, web app)
- A signature should be stored in the mailbox so it is not lost if a device is wiped or an Outlook profile is recreated
The support on Twitter and UserVoice has been overwhelming. At the time of writing, we have 5,741 votes and 707 comments on UserVoice. This puts our feature request at first place in the Outlook for Windows forum, beating second place by 4,248 votes.
But we still need your help. We need to keep this momentum going! If you think this is an awesome feature please vote for it on UserVoice. It only takes a few seconds. If you have already voted, please spread the word on all your social networks. Let’s get this request over 10,000 votes! Please vote here.
You can read more about Jeff’s initiative on his blog.
So what do you think is coming next? What would you like to see? Drop a comment below or join the conversation on Twitter @SuperTekBoy.