Last week was a big week for Exchange updates. Not only did we get Cumulative Update 8 for Exchange 2016, but we also got Cumulative Update 19 for Exchange 2013. Exchange 2010 also receives a critical security update in rollup 19.
As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.
The updates are as follows:
Critical security update for Exchange 2010
Update Rollup 19 for Exchange 2010 fixes a serious security issue affecting EWS connections proxied from an Exchange 2016 server, which is precisely the path Exchange 2010 mailboxes use during 2010/2016 coexistence. To quote Microsoft Support:
That is a significant security hole. If you are still running Exchange 2010, I highly recommend testing this rollup and deploying it as soon as possible.
So, what’s new in these Cumulative Updates?
The December updates introduce Hybrid Modern Authentication (HMA) for Exchange 2013 and 2016. In short, once Exchange on-prem is connected to Office 365 via hybrid, modern authentication (OAuth 2.0 bearer tokens issued by Azure AD) is extended to your on-prem users. This brings two important changes. First, your Office 365 and on-prem users now share the same authentication path: authentication shifts from Exchange to the identity provider common to both, so if that identity provider enforces multi-factor authentication (MFA) or conditional access for your Office 365 users, the same policies now apply to your on-prem users. Second, and to loosely paraphrase Greg Taylor, even if your identity provider only supports username and password, this is still more secure because Exchange is no longer in the business of authenticating users; the on-prem server validates tokens instead of handling credentials.
Greg’s full article on Hybrid Modern Authentication details the requirements and steps needed to make this work; click here to read it. Be sure to check out Greg’s Ignite session on Hybrid Modern Authentication as well.
Video: HMA for Exchange
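As an added example (not from the original post or from Greg’s article), here is a PowerShell pre-flight check for the two HMA prerequisites that most often trip people up: every namespace Exchange publishes must be HTTPS and registered as a service principal name on the Exchange Online application in Azure AD, and OAuth must be turned on. It assumes you are in the Exchange Management Shell on a CU8/CU19 server, that the MSOnline module is loaded and Connect-MsolService has already been run, and it leaves the actual enabling commands commented out at the end.

```powershell
# Added example, not part of the original post. Requires the Exchange Management
# Shell plus the MSOnline module (Connect-MsolService already run).

# 1. Collect every URL Exchange publishes; HMA requires all of them to be HTTPS.
$vdirs = @(Get-MapiVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory) +
         @(Get-AutodiscoverVirtualDirectory)
$urls = $vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl } | Where-Object { $_ }

$plain = $urls | Where-Object { $_.Scheme -ne 'https' }
if ($plain) { Write-Warning "Non-HTTPS URLs found (HMA will fail):`n$($plain -join "`n")" }

# 2. Each distinct https://host must exist as an SPN on the Exchange Online
#    service principal (well-known AppId 00000002-0000-0ff1-ce00-000000000000).
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'
$exo      = Get-MsolServicePrincipal -AppPrincipalId $exoAppId
$haveSpn  = $exo.ServicePrincipalNames | ForEach-Object { $_.TrimEnd('/').ToLower() }
$needSpn  = $urls | ForEach-Object { "https://$($_.Host.ToLower())" } | Sort-Object -Unique
$missing  = $needSpn | Where-Object { $haveSpn -notcontains $_ }

if ($missing) {
    Write-Warning "Namespaces missing from the Exchange Online SPN list:`n$($missing -join "`n")"
    # To register them (review the list first, then uncomment):
    # $missing | ForEach-Object { $exo.ServicePrincipalNames.Add("$_/") }
    # Set-MsolServicePrincipal -AppPrincipalId $exoAppId -ServicePrincipalNames $exo.ServicePrincipalNames
} else {
    Write-Host 'All published namespaces are registered as SPNs.'
}

# 3. OAuth state: the Azure AD auth server (EvoSTS, created by the Hybrid
#    Configuration Wizard) must be the default authorization endpoint, and
#    OAuth must be enabled org-wide.
Get-AuthServer | Where-Object { $_.Type -eq 'AzureAD' } |
    Format-Table Name, Realm, IsDefaultAuthorizationEndpoint -AutoSize
'OAuth2ClientProfileEnabled: {0}' -f (Get-OrganizationConfig).OAuth2ClientProfileEnabled

# Enable HMA only after the checks above pass:
# Set-AuthServer -Identity EvoSTS -IsDefaultAuthorizationEndpoint $true
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
```

Run it before flipping the two Set-* switches; a namespace missing from the SPN list is the classic cause of clients getting stuck at a credential prompt after HMA is enabled.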
Exchange 2013 CU19 and Exchange 2016 CU8 also change how setup treats TLS and cryptographic settings. Previously, installing a cumulative update reset these settings to Exchange’s preferred defaults, silently undoing any hardening you had done. Going forward, setup retains the customer’s customizations; TLS and cryptographic settings are only written during a new installation of Exchange.
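Because earlier CUs did reset these settings, it is worth proving the new behavior on your own servers. The following PowerShell snapshot-and-compare is an added example (not from the original post or from Microsoft); it assumes the settings you care about are the SCHANNEL per-protocol registry values and the .NET Framework SchUseStrongCrypto/SystemDefaultTlsVersions values, which are the ones most shops customize. Run it once before the CU to save a snapshot and again afterwards to diff.

```powershell
# Added example, not part of the original post. Run as administrator on the
# Exchange server before and after installing the cumulative update.

function Get-TlsConfig {
    # Enumerate the SCHANNEL protocol switches plus the .NET strong-crypto values.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $targets = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            [pscustomobject]@{ Path = "$root\$proto\$side"; Names = 'Enabled', 'DisabledByDefault' }
        }
    }
    $targets += foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        [pscustomobject]@{ Path = "$hive\Microsoft\.NETFramework\v4.0.30319"
                           Names = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions' }
    }

    foreach ($t in $targets) {
        $item = Get-ItemProperty -Path $t.Path -ErrorAction SilentlyContinue
        foreach ($n in $t.Names) {
            [pscustomobject]@{
                Path  = $t.Path
                Name  = $n
                # '<not set>' means the value is absent, i.e. Windows defaults apply.
                Value = $(if ($item -and $item.PSObject.Properties[$n]) { $item.$n } else { '<not set>' })
            }
        }
    }
}

$snapshot = Join-Path $env:ProgramData 'tls-before-cu.json'

if (-not (Test-Path $snapshot)) {
    # First run (before the CU): record the current state.
    Get-TlsConfig | ConvertTo-Json | Set-Content -Path $snapshot
    Write-Host "Snapshot written to $snapshot"
} else {
    # Second run (after the CU): anything listed here was changed by setup.
    $before = Get-Content -Path $snapshot | ConvertFrom-Json
    $after  = Get-TlsConfig
    $diff   = Compare-Object $before $after -Property Path, Name, Value
    if ($diff) {
        Write-Warning 'TLS/crypto settings changed during the update:'
        # '<=' is the pre-CU value, '=>' the post-CU value.
        $diff | Sort-Object Path, Name | Format-Table Path, Name, Value, SideIndicator -AutoSize
    } else {
        Write-Host 'No TLS/crypto settings were changed by setup.'
    }
}
```

Delete the snapshot file after a successful comparison so the next CU cycle starts with a fresh baseline.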
Exchange 2013 CU19 and Exchange 2016 CU8 add support for .NET Framework 4.7.1. It is optional now, but 4.7.1 becomes mandatory with the June 2018 updates. This can make your upgrade path tricky if you typically stay a few cumulative updates behind. We saw the same thing with .NET 4.6.2: Exchange 2013 CU15 added support for it, and CU16 and later required it. The catch was that you needed CU15 before you could install 4.6.2, and you needed 4.6.2 before you could install CU16 or later. At the time of writing, CU15 is no longer publicly available; the good news is that you can still get it by opening a case with support. I highly recommend Michel de Rooij’s article Upgrade Paths for CU’s & .NET, which succinctly illustrates how each cumulative update and .NET release fit together.
As a reminder, the previous cumulative update (Exchange 2016 CU7) introduced a forest functional level requirement of Windows Server 2008 R2. This means that if you are upgrading to CU8 from CU6 or earlier, the forest functional level must be Windows Server 2008 R2 or higher, which in turn means every domain controller in the forest must run Server 2008 R2 or later. Exchange 2013 CU19 can still be installed in a forest at the Windows Server 2003 forest functional level.
These updates also contain bug fixes and feature tweaks. Check the appropriate KB article above for a list of issues each update resolves.
If you can’t get to these cumulative updates right away, apply the security update for your current CU in the interim. This security update fixes a vulnerability in Outlook Web App where an elevation of privilege could occur if an attacker sends a specially crafted attachment. For more information on this vulnerability and to download the security updates, see: Security update for Microsoft Exchange: December 12, 2017
A couple of issues were discovered right before this release cycle. They are not resolved in this release and will be addressed in a future cumulative update.
Two of them affect Outlook Web App (OWA). Users who receive a calendar sharing invitation in OWA may not see the Accept button; as a workaround, users can accept the invitation in the full Outlook client. Also, when configuring offline settings in OWA, the user’s session may become disconnected.
One other issue persists from the last update cycle: the hyperlink text in information-protected messages may not be translated correctly into the user’s local language.
Schema Updates Needed
Exchange 2016 Cumulative Update 8 does not include schema updates. However, if you are upgrading from Cumulative Update 6 or earlier, CU8 setup will apply the schema update that was introduced in CU7.
Exchange 2013 Cumulative Update 19 does not include any schema updates either. If you are upgrading from Cumulative Update 7 through 18 there are no schema changes. However, if you are upgrading from CU6 or earlier, a schema update is required.
Setup itself checks for and performs the schema extension if necessary. You can also apply it beforehand by running SETUP /PrepareSchema /IAcceptExchangeServerLicenseTerms from an elevated command prompt. This is useful when the administrator installing the update does not hold the permissions required to update the schema: to extend the schema you must be a member of both Schema Admins and Enterprise Admins.
You will also want to run SETUP /PrepareAD /IAcceptExchangeServerLicenseTerms to get the latest RBAC definitions for both Exchange 2013 and 2016 (this step also requires Enterprise Admins membership). Note that the graphical setup performs this step as well.
For more information on how to extend and verify the schema check our guide here.
For a quick reference on schema and build versions check here.
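The .NET, forest functional level and schema prerequisites above are all things you can verify before you run setup. The PowerShell below is an added example (not from the original post or from Microsoft) that reports them in one pass: the installed .NET Framework release, the forest functional level, the three Active Directory version markers, and whether the account you are logged on with actually holds Schema Admins and Enterprise Admins. It assumes the ActiveDirectory module is available; the .NET release thresholds and the rangeUpper values 15332 (Exchange 2016 CU7/CU8) and 15312 (Exchange 2013 CU7 and later) are taken from Microsoft’s published tables, so check them against the reference linked above if you are reading this later.

```powershell
# Added example, not part of the original post. Run from the Exchange Management
# Shell as the account that will install the CU; needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NetFrameworkVersion {
    # The Release DWORD under NDP\v4\Full identifies the installed 4.x build. Each
    # version has two possible values depending on the OS, so a lower bound is used.
    $r = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -Name Release -ErrorAction SilentlyContinue).Release
    $name = switch ($r) {
        { $_ -ge 461308 } { '4.7.1 or later'; break }
        { $_ -ge 460798 } { '4.7';   break }
        { $_ -ge 394802 } { '4.6.2'; break }
        { $_ -ge 394254 } { '4.6.1'; break }
        { $_ -ge 393295 } { '4.6';   break }
        default           { 'older than 4.6' }
    }
    [pscustomobject]@{ Release = $r; Version = $name }
}

function Get-ExchangeAdVersions {
    # The same three attributes the Exchange team's schema table lists.
    $dse    = Get-ADRootDSE
    $schema = Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$($dse.schemaNamingContext)" -Properties rangeUpper
    $sysObj = Get-ADObject "CN=Microsoft Exchange System Objects,$($dse.defaultNamingContext)" -Properties objectVersion
    $org    = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($dse.configurationNamingContext)" `
                -Filter 'objectClass -eq "msExchOrganizationContainer"' -Properties objectVersion
    [pscustomobject]@{
        ForestMode          = (Get-ADForest).ForestMode
        SchemaRangeUpper    = $schema.rangeUpper
        DomainObjectVersion = $sysObj.objectVersion
        ConfigObjectVersion = $org.objectVersion
    }
}

$net = Get-NetFrameworkVersion
$ad  = Get-ExchangeAdVersions
$net, $ad | Format-List

# Exchange 2016 CU7+ requires forest functional level 2008 R2 (enum value 4) or higher.
if ([int]$ad.ForestMode -lt 4) {
    Write-Warning "Forest functional level $($ad.ForestMode) is below Windows Server 2008 R2; Exchange 2016 CU7+ setup will refuse to run."
}

# rangeUpper tells you whether setup will need to touch the schema at all.
switch ($ad.SchemaRangeUpper) {
    15332   { 'Schema already at the Exchange 2016 CU7/CU8 level; CU8 setup will not extend it.' }
    15312   { 'Schema at the Exchange 2013 CU7+ level; CU19 needs no schema update.' }
    default { "Schema rangeUpper is $($ad.SchemaRangeUpper); setup (or SETUP /PrepareSchema) will extend it." }
}

# /PrepareSchema needs Schema Admins and Enterprise Admins (forest root groups).
# Read group membership from the logon token, so a group added since logon will not show.
$tokenGroups = foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
}
foreach ($g in 'Schema Admins', 'Enterprise Admins') {
    $member = [bool]($tokenGroups -match "\\$([regex]::Escape($g))$")
    '{0,-17} {1}' -f $g, $(if ($member) { 'yes' } else { 'NO: cannot run SETUP /PrepareSchema' })
}
```

If the membership check says NO, log off and back on after being added to the groups; the token is built at logon, so a fresh shell alone is not enough.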
More Awesome News
Microsoft announced it is adding support for Email Address Internationalization (EAI) in Office 365. This allows Office 365 users to send messages to and receive messages from email addresses containing internationalized character sets. Previously, support only existed for Latin character sets; this adds Greek, Chinese, Japanese, Cyrillic and Devanagari (Hindi) scripts. While this advance supports the transmission of email to and from internationalized addresses, it does not permit internationalized domains to be registered for use within Office 365, nor does it permit Office 365 mailboxes to have internationalized characters in their own email addresses. That support will likely come later.
Ross Smith IV published an article on how Enterprise Mobility and Security (EMS) functionality was currently being extended to on-prem mailboxes via hybrid. This feature is currently being tested in the TAP program. For more details on this preview and how to become part of the TAP program check his article: Outlook mobile support for Exchange on-premises with Microsoft Enterprise Mobility + Security.
Protocol Agnostic Workflow, or PAW for short, was announced some time ago. However, Microsoft released an awesome article going over all the specifics of PAW and how they benefit you. Essentially PAW improves the experience of migrating mailboxes to Office 365. For example, PAW allows administrators to remove individual users from a batch, or if a batch fails it will retry the batch from the failure and not from the very beginning. You can also start and stop individual users within the batch and schedule when the batch should complete. Be sure to check the article PAW your way into Office 365 Migrations.
The Exchange Team briefly announced Exchange 2019 in an article succinctly titled Exchange Server 2019. Microsoft expects a preview of Exchange 2019 to ship mid-2018, with a final release to ship second half 2018. Woot! 🙂
We also saw a change in Exchange 2016 guidance around RAM. Starting September 26th, Microsoft now supports up to 192 GB of RAM in Exchange 2016. The RAM guidance for Exchange 2010 or 2013 remains unchanged. Also, the guidance around sizing your pagefile remains the same. Be sure to get the latest version of the sizing calculator which includes this new guidance.
The Exchange team announced back in July that it will no longer support the use of Session Border Controllers (SBCs) to connect to Exchange Online Unified Messaging. This blog post from the Exchange Team identifies who is affected by this change, deadlines and, four potential migration options.
Lastly, if you were unable to attend Ignite I recommend checking out my post, 15 Microsoft Ignite sessions every Exchange admin should see. I have included notes for each session and the time each topic starts. Alternatively, the Exchange Team also has a list of all Exchange and Outlook related sessions cataloged here.
One final word on Exchange 2007
It’s time to update. Exchange 2007 went end of life as of April 11th, 2017. You will receive no further patches and will be unable to acquire telephone support. Published back in March 2017, Rollup 23 is the final update for Exchange 2007.
If the lack of security updates from Microsoft isn’t convincing enough, check this article for a list of cool things Exchange 2013 can do. (P.S. Like the fact Exchange 2013 uses fewer IOPS per mailbox than 2007…say whaaat)
So what do you think is coming next? What would you like to see? Drop a comment below or come join the conversation on Twitter @SuperTekBoy.