Exchange

This week was a big week for Exchange. Microsoft released its third cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 3 (VLSC)| KB4514141

Exchange 2016 Cumulative Update 14 | KB4514140 | UM Language Pack

Exchange 2010 SP3 Rollup 29 | KB4509410 (Released in July)

Exchange 2010 support extended

In a recent blog post, the Exchange Team announced that is was extending support for Exchange 2010 by nine months. Exchange 2010 now shares the same end-of-life date as Office 2010 and SharePoint 2010, which is October 13th, 2020.

While this extension allows for a little more breathing room, it does not extend support for Windows Server 2008 R2, which is the underlying operating system for many Exchange 2010 installations. Server 2008 R2 will still go end of life on January 14th, 2020.

The Exchange Team has provided this extension to allow companies more time to migrate to a newer email platform, such as Office 365, or, Exchange 2016.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem, you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019.

For more information on migrating from Exchange 2010 to 2016, check out this recent blog article from the Exchange Team: Exchange On-Premises Best Practices for Migrations from 2010 to 2016

So, what’s new in these Cumulative Updates?

In this series of cumulative updates, Microsoft has resolved a number of security and non-security issues. You can read more about those in KBs 4514141 and 4514140. In addition, this set of cumulative updates addresses changes to daylight savings.

This week was a big week for Exchange. Microsoft released its second cumulative update for Exchange 2019 as well as cumulative updates for Exchange 2016 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 2 (VLSC)| KB4488401

Exchange 2016 Cumulative Update 13 | KB4488406 | UM Language Pack

Exchange 2013 Cumulative Update 23 | KB4489622 | UM Language Pack

Exchange 2010 SP3 Rollup 27 | KB4491413

The final countdown – 208 days left for Exchange 2010

Here is a quick reminder that extended support for Exchange 2010 is coming to an end. After January 14th, 2020, no further technical support or updates will be available. This includes security, bug and time zone updates.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019. Alternatively, you can migrate to Office 365.

For more information about the Exchange 2010 life-cycle check out the Exchange Team blog.

So, what’s new in these Cumulative Updates?

In the last set of cumulative updates, Microsoft reduced the number of permissions Exchange had in Active Directory. In an ongoing effort to further tighten the security posture of Exchange, Microsoft has further reduced Exchange’s permissions in Active Directory.

This includes two notable changes. The first is that Exchange can no longer assign service principal names (SPN). Second, a deny attribute has been added to the DNS Admins group. The Exchange Team determined neither of these rights was necessary for the operation of Exchange.

In the previous Exchange 2019 cumulative update, you could disable legacy protocols on a per-user basis. In cumulative update 2, you can now globally disable legacy authentication at the organization level.

This series of updates also introduces support for .NET Framework 4.8. While optional now, 4.8 will be mandatory as part of the December 2019 updates.

Last week was a big week for Exchange. Microsoft released its first cumulative update for Exchange 2019 as well as cumulative updates for Exchange 2016 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 1 (VLSC)| KB4471391

Exchange 2016 Cumulative Update 12 | KB4471392 | UM Language Pack

Exchange 2013 Cumulative Update 22 | KB4345836 | UM Language Pack

Exchange 2010 SP3 Rollup 26 | KB4487052 (released February)

Exchange 2010 SP3 Rollup 25 | KB4468742 (released January)

Only 325 days left for Exchange 2010

Here is a quick reminder that extended support for Exchange 2010 is coming to an end. After January 14th, 2020, no further technical support or updates will be available. This includes security, bug and time zone updates.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019. Alternatively, you can migrate to Office 365.

For more information about the Exchange 2010 life-cycle check out the Exchange Team blog.

So, what’s new in these Cumulative Updates?

Push notifications are one type of notification a developer can leverage in their application to add value. An example of a push notification might be the notification of new mail on a mobile device.

In this series of cumulative updates, the Exchange Team has changed the way it initiates push notifications through Exchange Web Services. This is in direct response to a security flaw where an attacker could intercept push notifications to gain access to credentials streamed via NTLM. These cumulative updates mitigate this attack by removing these credentials from the stream. Microsoft documents this resolution in KB4490060.

After applying this cumulative update, Microsoft recommends forcing the computer account to change its password by using either the Reset-ComputerMachinePassword cmdlet or, NETDOM. In addition, Microsoft recommends every organization review its user password expiration policies.

In further response to the security flaw, Microsoft is reducing the number of rights Exchange has in Active Directory when operating in a shared permission model.

In a shared permission model, Exchange administrators have the ability to create security principals in Active Directory and mail-enable those security principals. This includes the ability to create a new user as you are creating a mailbox, or, the ability to remove a user when you remove a mailbox. This also extends to tasks such as being able to create a distribution group, or, modify distribution group members.

In a split permission model, the Exchange administrator is restricted from these tasks and can only mail-enable, or, mail-disable existing objects (e.g. users, groups or contacts) that were created by an administrator with Active Directory rights.

Going forward the shared permission model will have fewer Active Directory rights, but that does not mean reduced functionality for Exchange administrators.

It’s amazing to believe that Microsoft Ignite was over a month ago. With 1,610 sessions Microsoft gave us a massive amount of announcements and demonstrations of new product features. This included Exchange 2019.

If not already, I highly recommend checking out 15 Ignite sessions every Exchange admin should see.  Each session in this article includes extensive notes on what each session contained. In addition, those notes contain timers so you can jump to the section that interests you the most. Hopefully, it will also serve as a reference if you need to search for a certain announcement or feature weeks (or even months) down the road.

Here is what Ignite taught us about Exchange 2019.

Changes to Exchange development

The tagline for Exchange 2016 was that it was “forged in the cloud”. This was a result of Exchange Online and Exchange on-prem sharing a common code base. The greatest benefit of this common code was that it ran in the cloud for a number of months before shipping on-prem as a cumulative update. By the time the code was released on-prem, it had been more than validated as stable and able to run at scale.

Going forward Microsoft has separated Exchange on-prem into its own code branch. This means that Exchange online is no longer driving cumulative updates for on-prem. What will drive updates are security patches and feature requests from customers. So, be sure to make your voice heard on UserVoice, at conferences, and in the various TAP programs.

While Microsoft currently plans to keep cumulative updates quarterly, they have opened up the conversation on whether updates should occur less frequently. Common feedback is that the current release cadence of quarterly cumulative updates is too aggressive for some customers. The product group also believes this could result in more stable releases.