SuperTekBoy

Practical Help for Exchange & Office 365

Exchange

Exchange Server Cumulative Updates (March 2020)

By Leave a Comment

9 Shares
Share
Tweet
Share
Reddit
Print
Exchange 2019 Cumulative Update 9

This week saw some critical cumulative updates for Exchange 2016 and Exchange 2019. These new updates contain the security patches previously released on March 2nd. Organizations that apply these cumulative updates don’t need to install the previous security patch.

The exception to this is those organizations on Exchange 2010 or Exchange 2013, where no update has superseded the March 2nd security patch. Those on Exchange 2010 and 2013 must ensure that they have the March 2nd patch applied as soon as possible.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 9 | KB4602570

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 20 | KB4602569 | UM Language Pack

Exchange 2013 Cumulative Update 9

Exchange 2013 Security Update | KB5000871 (March 2nd Security Patch)

Exchange 2010 Mini

Exchange 2010 SP3 Rollup 32 | KB5000978 (March 2nd Security Patch)

Tackling the March 2nd security exploits

It is imperative to protect yourself from the exploits published on March 2nd. HAFNIUM, a cyberespionage group with ties to the Chinese government, has leveraged these Exchange Server exploits to infiltrate victims’ networks to deliver malware and other malicious payloads with varying motives, primarily to exfiltrate confidential data.

First, patching is imperative.

  • Those on Exchange 2016 or 2019 should apply the latest cumulative update.
  • Those on Exchange 2013 will need to install Cumulative Update 23 (released June 2019), followed by the March 2nd, 2021 security patch.
  • Those on Exchange 2010 need to install rollup 32.

Note: On March 8th Microsoft updated the security patch allowing it to be installed on older cumulative updates. This aided organizations that could not yet upgrade to the latest cumulative update. Note that applying the security patch and then upgrading to an older CU (rather than the latest) will expose your organization to the exploits again.

Once you are fully patched, I recommend running the Microsoft Safety Scanner (also known as the Microsoft Emergency Response Tool), which detects and remediates all known malware. This is a self-executing program that can be downloaded here.

I recommend running a full system scan. Note that it takes a few hours to run a scan, and it may spike your CPU, so it’s best to do this during a maintenance window. If you have a database availability group, consider putting the server into maintenance mode so that you can run the scanner with zero user impact.

[Read more…] about Exchange Server Cumulative Updates (March 2020)

MSP Unplugged Podcast – Office 365 Tips

By Leave a Comment

9 Shares
Share
Tweet
Share
Reddit
Print
MSP Unplugged

On January 29th, I had the great pleasure of being a guest on MSP Unplugged. I joined host Jeff Halash to discuss several topics; including:

[Read more…] about MSP Unplugged Podcast – Office 365 Tips

Exchange Online Updates (December 2020)

By Leave a Comment

11 Shares
Share
Tweet
Share
Reddit
Print

Plus Addressing in Exchange Online

During Ignite 2020, Microsoft announced that plus addressing was coming to Exchange Online. Plus addressing allows users to create their own unique email addresses by leveraging a plus sign in their email address—for example, john.smith+newsletter@contoso.com. Anything after the plus sign is completely at the discretion of the user.

This becomes particularly useful when you want to target newsletters to a unique email address, especially when configuring inbox rules. It is also useful to determine who might have sold or leaked your email address.

To leverage this feature, an administrator must enable it globally (by default, it is disabled). To do this, log onto Exchange Online PowerShell. First, let’s verify if plus addressing is disabled. We do this with the following command.

 C:\> Get-OrganizationConfig | FL AllowPlusAddressInRecipients

AllowPlusAddressInRecipients : False

From our output, we can see that plus addressing is disabled in our tenant. To enable, run the following command.

 C:\> Set-OrganizationConfig -AllowPlusAddressInRecipients $true

To confirm the setting has taken effect, rerun Get-OrganizationConfig.

Users can then start leveraging plus addresses. Emails addressed to a plus address will appear in the user’s inbox without any further user intervention. From there, the user can build inbox rules for the plus addresses if they desire.

Plus Addressing in Exchange Online
[Read more…] about Exchange Online Updates (December 2020)

Exchange Server Cumulative Updates (December 2020)

By Leave a Comment

8 Shares
Share
Tweet
Share
Reddit
Print
Exchange 2019 Cumulative Update 8

Last week was a big week for Exchange. Microsoft released its eighth cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. Security updates have been released for Exchange 2010 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 8 | KB4588885

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 19 | KB4588884 | UM Language Pack

Exchange 2013 Cumulative Update 9

Exchange 2013 December Security Patch | KB4593466

Exchange 2010 Mini

Exchange 2010 SP3 Rollup 31 | KB4593467

Exchange 2016 entered extended support on October 14th

Back in October, Exchange 2016 entered extended support. The March 2021 cumulative update (CU20) is the last planned feature update for Exchange 2016. Any cumulative update after 20 is at Microsoft’s discretion.

Security patches will continue to be available in extended support until October 14th, 2025, delivered primarily through the Security Update Guide.

[Read more…] about Exchange Server Cumulative Updates (December 2020)

RunAs Radio #745 – Exchange Server vNext announced

By Leave a Comment

9 Shares
Share
Tweet
Share
Reddit
Print

On September 14th, I had the great pleasure of being a guest on RunAs Radio. I joined host Richard Campbell to discuss several hot topics for Exchange and Office 365; including:

Gareth on RunAs Radio Episode 745 Exchange vNext
[Read more…] about RunAs Radio #745 – Exchange Server vNext announced

15 Ignite sessions every Exchange admin should see (2020 Edition)

By 4 Comments

50 Shares
Share
Tweet
Share
Reddit
Print

Microsoft hosted its annual conference this September. However, unlike prior Ignite conferences, this one was impacted by COVID-19. As a result, Microsoft took its massive conference, typically attended by tens of thousands of individuals, and converted it into a digital online experience.

This digital Ignite was by no means a shadow of its former self. With 812 scheduled sessions and another 410 on-demand sessions via the Video Hub, this digital experience was massive.

At 1,222 sessions, here are the top 15 sessions I think every Exchange admin should watch.

Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes.”

Exchange – Here, There and Everywhere (watch video)
Exchange – Here, There and Everywhere
In this session, Greg Taylor discusses the roadmap for Exchange on-prem and Exchange Online. Topics include:
  • Exchange Calculator will now be a separate download, outside of the ISO (0:30 mins)
  • Exchange 2016/2019 will support multiple tenants with the HCW (2:15 mins)
    • Up to 5 tenants at GA
    • Have to rerun the HCW against each tenant
    • HMA will be restricted to only 1 of those 5 tenants
    • It won’t configure free/busy between the tenants
  • New Exchange Admin Center will be GA Q1 2021 (4:40 mins)
  • New Exchange Admin Center Home (6:25 mins)
  • New Exchange Admin Center Reports (7:25 mins)
    • Auto-Forwarded Message Report
    • Outbound Message Report
  • Exchange PowerShell Module v2 (8:40 mins)
    • General availability of certificate-based authentication for unattended scripts
    • PowerShell Core support in preview
    • Linux PowerShell support in preview
  • Plus, Addressing in Exchange Online is GA (11:15 mins)
    • Full rollout expected by October
    • Administrators need to enable it at the tenant-level
  • A new version of on-premises Exchange Server (13:40 mins)
    • Released H2 2021
    • Only available via subscription purchase
    • SharePoint and Skype for Business will follow suit
    • Can install into an existing org with Exchange 2013, Exchange 2016, and Exchange 2019
    • One more backward-compatible version than normal
    • Exchange 2019 users can do an in-place upgrade to vNext (like applying a CU)
    • Only for 2 years after vNext release
    • Exchange 2019 and vNext can be in the same DAG and load balancer VIP
    • No more major Exchange upgrades
  • Exchange 2016 end of mainstream support – October 14th (20:00 mins)
    • If using the free hybrid key, keep using it during extended support
    • If you have on-prem mailboxes, migrate to Exchange 2019
  • Removing the last Exchange server (22:30 mins)
    • Nothing to announce, but work is still in progress
  • Basic Authentication still being retired (23:30 mins)
    • Deadline extended to H2 2021
    • Easy on/off controls in M365 Admin Center
    • OAuth support added for POP, IMAP, and SMTP AUTH
    • PowerShell Module v2 uses modern auth
    • Outlook 2013 and newer uses modern auth
    • Use the Azure AD Sign-Ins report
    • Basic auth will be turned off in new tenants by default with security defaults
    • Basic auth will be turned off in tenants not using it
  • Additional Exchange Online training resources
    •  (26:55 mins)
Show more session notes
Show less session notes
Exchange Online Transport - New Email Management, Optics and End-user experiences (watch video)
Exchange Online Transport – New Email Management, Optics and End-user experiences
In this session, Kevin Shaughnessy discusses all the advancements coming to Exchange transport. Topics include:
  • Support for Plus Addresses (4:55 mins)
    • E.g., amypond+newsletter@supertekboy.com
    • Now rolling out
    • Great way to see who may have sold/leaked your data
    • Can target inbox roles to use the new plus address (move to a folder, etc.)
    • Could use it to track marketing/sales campaigns you initiate
  • Block users from blind carbon copying (BCC) a group (9:00 mins)
    • Problem: Inbox rules were ignoring a group added to the BCC line in an email
    • Solution: Generate an NDR if a group is added to the BCC line in an email. It can be enabled per group by either the group owner or administrator.
    • Rolling out Q4 2020
  • New Exchange Admin Center (12:53 mins)
    • All mail flow items and insights (e.g., message trace and mail flow reports) are moving from the Security & Compliance Center to the new Exchange Admin Center
    • New Exchange Admin Center is an opt-in experience
  • DEMO: New Exchange Center mail flow group (14:15 mins)
  • New Mail Flow Insights, Notifications, and Reports (16:10 mins)
    • Expired / soon to expire certificates report (Q4 2020)
    • Expired / soon to expire domains report (Q4 2020)
    • Misconfigured connectors report (TBD)
    • New Settings
      • Message expiration for email delivery issues (Q4 2020)
        • Default is 24 hours to generate NDR
        • Will be able to configure expiration and NDR value of 8-24 hours
      • Expiration for queued due to TLS failures (TBD)
        • Default is 24 hours to generate NDR
        • Under consideration
  • Reply-All Storm Protection (21:20 mins)
    • V1 is currently deployed
      • 10 reply-all to emails with 5,000 recipients within 1 hour
      • Blocks replies with an NDR for up to 4 hours
    • V2 planned
      • Customize the number of recipients on the email (new default will be 2,500)
      • Customize the number of reply-all messages detected in 1 hour (default will still be 10)
      • Customize block replies (default will still be 4 hours)
      • Reply-All Storm insights/reports coming to EAC
  • Message Recall for Exchange Online (26:15 mins)
    • Previously message recall is client-based and only works when the client is Outlook (not web or mobile)
    • New message recall is client agnostic and will remove the message from the mailbox
    • User will see a report of message recall success/failure
    • Available by Q4 2020
Show more session notes
Show less session notes
Exchange Online Transport – Email Security Updates (watch video)
Exchange Online Transport – Email Security Updates
In this session, Sean Stevenson discusses new security features coming to Exchange transport. Topics include:
  • Existing mail flow scenarios and susceptibility for attack (3:04 mins)
  • TLS 1.0 deprecation underway (6:55 mins)
    • TLS 1.0 already disabled for DoD/GCC High tenants
    • 2% of all mail to/from Office 365 with other mail exchangers using TLS 1.0
    • Even with TLS 1.0 disabled man-in-the-middle attacks are still a problem
  • DEMO: New Exchange Admin Center insights and reports identify mail sending with TLS 1.0 to/from your tenant (10:30 mins)
  • New cipher requirements to send/receive mail to Exchange Online (11:40 mins)
  • SMTP MTA Strict Transport Security support (RFC 8461) (12:55 mins)
    • Office 365 outbound now supports MTA-STS
    • DNS TXT record added to external DNS which identify location (and presence) of an MTA-STS policy (TEXT file hosted on a web server)
  • DEMO: Example of an MTA-STS policy (TEXT file) (17:50 mins)
  • Support for DANE / DNSSEC (18:25 mins)
    • DANE for SMTP identifies what TLS protocols the recipient domain supports prior to handshake/TLS negotiation
    • Protects against man-in-the-middle or downgrade attacks
    • DANE TSLA records protected with DNSSEC to prevent tampering with the DANE records
    • Outbound protection will be added before inbound protection
  • SMTP Auth Clients (20:52 mins)
    • Deprecation of TLS 1.0 for SMTP Auth Clients is still coming
    • If your SMTP Auth Clients can’t be easily upgraded to use TLS 1.2, leverage Exchange on-premises for mail relay.
  • DEMO: SMTP Auth Client report (23:00 mins)
  • SMTP Auth Clients (24:10 mins)
    • No plans to deprecate basic authentication for SMTP Auth Clients at this time.
    • Modern Auth (OAuth) is available for SMTP Auth Clients (recommended)
    • Recommended: Disable SMTP Auth for any mailbox that does not require it
    • SMTP Auth being globally disabled on all new tenants (can be re-enabled by the admin)
Show more session notes
Show less session notes
[Read more…] about 15 Ignite sessions every Exchange admin should see (2020 Edition)

Exchange Online Updates (September 2020)

By 1 Comment

3 Shares
Share
Tweet
Share
Reddit
Print

Block Outlook for Android on wearables and smartwatches

Microsoft has added a policy to Intune that grants an administrator the ability to block Outlook for Android on wearable devices (for example, a Samsung Galaxy Watch). This block prevents any Outlook data from being shared with the wearable device. This includes emails, calendar items, and more.

To configure this block, log into Endpoint Manager and select the Apps > App Configuration Policy tabs. From here, click Add and choose Managed Apps (you can also modify an existing Outlook app policy).

Give the policy a name and click Select public apps. Search for, and add Microsoft Outlook. Click Next.

Block Outlook to wearable devices and smartwatches

On the Settings tab, expand Outlook configuration settings, and next to the field Org Data on Wearables select No. From here select any other settings to go into your App Configuration Policy and click Next. On the next screen pick which users or groups of users will get this settings. Click Next and Create.

Block Outlook to wearable devices and smartwatches B

For those who do not have an Intune subscription, a new feature is being added to mobile device policies in Exchange Online (which anyone with an Exchange license can leverage) to disable Bluetooth on the device. You can do this via PowerShell. In the example below, we are disabling Bluetooth for the policy named, Company Mobile Policy.

 C:\> Set-MobileDeviceMailboxPolicy -Identity "Company Mobile Policy" -AllowBluetooth Disable

Global recipient limits

Earlier in the year, Microsoft announced a change to recipient limits in Office 365. Recipient limits dictate how many recipients someone can add to a single email message (this includes all recipients added to the To, Cc, and Bcc lines). This limit was previously hardcoded to 500 recipients. With the February announcement, administrators were allowed to configure this limit per mailbox, with a value of 1 to 1,000 recipients per message.

Starting in August Microsoft extended this functionality by allowing a global recipient limit to be set via PowerShell using the Set-TransportConfig command.

To see the current configuration, connect to Exchange Online PowerShell and run the following command.

 C:\> Get-TransportConfig | Format-List MaxRecipientEnvelopeLimit

MaxRecipientEnvelopeLimit : Unlimited

A value of Unlimited denotes the Office 365 published limits, which at the time of writing is 1,000 recipients per message.

You can modify this value with the following command. In the example below we are setting the max recipients per message to 500.

 C:\> Set-TransportConfig -MaxRecipientEnvelopeLimit 500

In most cases, when this setting is configured on both the mailbox and globally, the mailbox will win. The exception to this is when the mailbox is set to Unlimited, then the global parameter wins. Another way to think of Unlimited at the mailbox and global level is null or not set.

[Read more…] about Exchange Online Updates (September 2020)

Exchange Cumulative Update (September 2020)

By Leave a Comment

7 Shares
Share
Tweet
Share
Reddit
Print
Exchange 2019 Cumulative Update 7

This week was a big week for Exchange. Microsoft released its seventh cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 7 (VLSC)| KB4571787

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 18 | KB4571788 | UM Language Pack

So, what’s new in this Cumulative Update?

Microsoft has resolved a number of issues with the Exchange 2019 Sizing Calculator. I actually ran into one of these myself where the transport database size estimate (under the Role Requirements tab) always reported a 0 GB size per server. This issue has now been fixed in version 10.5 of the calculator (included with the Exchange 2019 CU7 ISO in the Support folder). Be sure to ditch v10.4.

Exchange Server Sizing Caculator 9.1 error in Transport Calc

These series of cumulative updates also resolves an issue where Surface Hub would connect to meetings with the wrong communications client (Skype or Teams) if both clients were installed on the device.

A couple of other items of note is that this cumulative update will fix an issue where the MAPI App Pool could become locked and drive CPU to 100% for over an hour and resolves the security issue CVE-2020-16875, which addresses a remote code execution vulnerability.

[Read more…] about Exchange Cumulative Update (September 2020)