SuperTekBoy

Practical Help for Exchange & Office 365

Exchange News

RunAs Radio #745 – Exchange Server vNext announced

By Leave a Comment

1 Shares
Share
Tweet
Share
Reddit
Print

On September 14th, I had the great pleasure of being a guest on RunAs Radio. I joined host Richard Campbell to discuss several hot topics for Exchange and Office 365; including:

Gareth on RunAs Radio Episode 745 Exchange vNext
[Read more…] about RunAs Radio #745 – Exchange Server vNext announced

15 Ignite sessions every Exchange admin should see (2020 Edition)

By 4 Comments

50 Shares
Share
Tweet
Share
Reddit
Print

Microsoft hosted its annual conference this September. However, unlike prior Ignite conferences, this one was impacted by COVID-19. As a result, Microsoft took its massive conference, typically attended by tens of thousands of individuals, and converted it into a digital online experience.

This digital Ignite was by no means a shadow of its former self. With 812 scheduled sessions and another 410 on-demand sessions via the Video Hub, this digital experience was massive.

At 1,222 sessions, here are the top 15 sessions I think every Exchange admin should watch.

Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes.”

Exchange – Here, There and Everywhere (watch video)
Exchange – Here, There and Everywhere
In this session, Greg Taylor discusses the roadmap for Exchange on-prem and Exchange Online. Topics include:
  • Exchange Calculator will now be a separate download, outside of the ISO (0:30 mins)
  • Exchange 2016/2019 will support multiple tenants with the HCW (2:15 mins)
    • Up to 5 tenants at GA
    • Have to rerun the HCW against each tenant
    • HMA will be restricted to only 1 of those 5 tenants
    • It won’t configure free/busy between the tenants
  • New Exchange Admin Center will be GA Q1 2021 (4:40 mins)
  • New Exchange Admin Center Home (6:25 mins)
  • New Exchange Admin Center Reports (7:25 mins)
    • Auto-Forwarded Message Report
    • Outbound Message Report
  • Exchange PowerShell Module v2 (8:40 mins)
    • General availability of certificate-based authentication for unattended scripts
    • PowerShell Core support in preview
    • Linux PowerShell support in preview
  • Plus, Addressing in Exchange Online is GA (11:15 mins)
    • Full rollout expected by October
    • Administrators need to enable it at the tenant-level
  • A new version of on-premises Exchange Server (13:40 mins)
    • Released H2 2021
    • Only available via subscription purchase
    • SharePoint and Skype for Business will follow suit
    • Can install into an existing org with Exchange 2013, Exchange 2016, and Exchange 2019
    • One more backward-compatible version than normal
    • Exchange 2019 users can do an in-place upgrade to vNext (like applying a CU)
    • Only for 2 years after vNext release
    • Exchange 2019 and vNext can be in the same DAG and load balancer VIP
    • No more major Exchange upgrades
  • Exchange 2016 end of mainstream support – October 14th (20:00 mins)
    • If using the free hybrid key, keep using it during extended support
    • If you have on-prem mailboxes, migrate to Exchange 2019
  • Removing the last Exchange server (22:30 mins)
    • Nothing to announce, but work is still in progress
  • Basic Authentication still being retired (23:30 mins)
    • Deadline extended to H2 2021
    • Easy on/off controls in M365 Admin Center
    • OAuth support added for POP, IMAP, and SMTP AUTH
    • PowerShell Module v2 uses modern auth
    • Outlook 2013 and newer uses modern auth
    • Use the Azure AD Sign-Ins report
    • Basic auth will be turned off in new tenants by default with security defaults
    • Basic auth will be turned off in tenants not using it
  • Additional Exchange Online training resources
    •  (26:55 mins)
Show more session notes
Show less session notes
Exchange Online Transport - New Email Management, Optics and End-user experiences (watch video)
Exchange Online Transport – New Email Management, Optics and End-user experiences
In this session, Kevin Shaughnessy discusses all the advancements coming to Exchange transport. Topics include:
  • Support for Plus Addresses (4:55 mins)
    • E.g., amypond+newsletter@supertekboy.com
    • Now rolling out
    • Great way to see who may have sold/leaked your data
    • Can target inbox roles to use the new plus address (move to a folder, etc.)
    • Could use it to track marketing/sales campaigns you initiate
  • Block users from blind carbon copying (BCC) a group (9:00 mins)
    • Problem: Inbox rules were ignoring a group added to the BCC line in an email
    • Solution: Generate an NDR if a group is added to the BCC line in an email. It can be enabled per group by either the group owner or administrator.
    • Rolling out Q4 2020
  • New Exchange Admin Center (12:53 mins)
    • All mail flow items and insights (e.g., message trace and mail flow reports) are moving from the Security & Compliance Center to the new Exchange Admin Center
    • New Exchange Admin Center is an opt-in experience
  • DEMO: New Exchange Center mail flow group (14:15 mins)
  • New Mail Flow Insights, Notifications, and Reports (16:10 mins)
    • Expired / soon to expire certificates report (Q4 2020)
    • Expired / soon to expire domains report (Q4 2020)
    • Misconfigured connectors report (TBD)
    • New Settings
      • Message expiration for email delivery issues (Q4 2020)
        • Default is 24 hours to generate NDR
        • Will be able to configure expiration and NDR value of 8-24 hours
      • Expiration for queued due to TLS failures (TBD)
        • Default is 24 hours to generate NDR
        • Under consideration
  • Reply-All Storm Protection (21:20 mins)
    • V1 is currently deployed
      • 10 reply-all to emails with 5,000 recipients within 1 hour
      • Blocks replies with an NDR for up to 4 hours
    • V2 planned
      • Customize the number of recipients on the email (new default will be 2,500)
      • Customize the number of reply-all messages detected in 1 hour (default will still be 10)
      • Customize block replies (default will still be 4 hours)
      • Reply-All Storm insights/reports coming to EAC
  • Message Recall for Exchange Online (26:15 mins)
    • Previously message recall is client-based and only works when the client is Outlook (not web or mobile)
    • New message recall is client agnostic and will remove the message from the mailbox
    • User will see a report of message recall success/failure
    • Available by Q4 2020
Show more session notes
Show less session notes
Exchange Online Transport – Email Security Updates (watch video)
Exchange Online Transport – Email Security Updates
In this session, Sean Stevenson discusses new security features coming to Exchange transport. Topics include:
  • Existing mail flow scenarios and susceptibility for attack (3:04 mins)
  • TLS 1.0 deprecation underway (6:55 mins)
    • TLS 1.0 already disabled for DoD/GCC High tenants
    • 2% of all mail to/from Office 365 with other mail exchangers using TLS 1.0
    • Even with TLS 1.0 disabled man-in-the-middle attacks are still a problem
  • DEMO: New Exchange Admin Center insights and reports identify mail sending with TLS 1.0 to/from your tenant (10:30 mins)
  • New cipher requirements to send/receive mail to Exchange Online (11:40 mins)
  • SMTP MTA Strict Transport Security support (RFC 8461) (12:55 mins)
    • Office 365 outbound now supports MTA-STS
    • DNS TXT record added to external DNS which identify location (and presence) of an MTA-STS policy (TEXT file hosted on a web server)
  • DEMO: Example of an MTA-STS policy (TEXT file) (17:50 mins)
  • Support for DANE / DNSSEC (18:25 mins)
    • DANE for SMTP identifies what TLS protocols the recipient domain supports prior to handshake/TLS negotiation
    • Protects against man-in-the-middle or downgrade attacks
    • DANE TSLA records protected with DNSSEC to prevent tampering with the DANE records
    • Outbound protection will be added before inbound protection
  • SMTP Auth Clients (20:52 mins)
    • Deprecation of TLS 1.0 for SMTP Auth Clients is still coming
    • If your SMTP Auth Clients can’t be easily upgraded to use TLS 1.2, leverage Exchange on-premises for mail relay.
  • DEMO: SMTP Auth Client report (23:00 mins)
  • SMTP Auth Clients (24:10 mins)
    • No plans to deprecate basic authentication for SMTP Auth Clients at this time.
    • Modern Auth (OAuth) is available for SMTP Auth Clients (recommended)
    • Recommended: Disable SMTP Auth for any mailbox that does not require it
    • SMTP Auth being globally disabled on all new tenants (can be re-enabled by the admin)
Show more session notes
Show less session notes
[Read more…] about 15 Ignite sessions every Exchange admin should see (2020 Edition)

Exchange Online Updates (September 2020)

By 1 Comment

3 Shares
Share
Tweet
Share
Reddit
Print

Block Outlook for Android on wearables and smartwatches

Microsoft has added a policy to Intune that grants an administrator the ability to block Outlook for Android on wearable devices (for example, a Samsung Galaxy Watch). This block prevents any Outlook data from being shared with the wearable device. This includes emails, calendar items, and more.

To configure this block, log into Endpoint Manager and select the Apps > App Configuration Policy tabs. From here, click Add and choose Managed Apps (you can also modify an existing Outlook app policy).

Give the policy a name and click Select public apps. Search for, and add Microsoft Outlook. Click Next.

Block Outlook to wearable devices and smartwatches

On the Settings tab, expand Outlook configuration settings, and next to the field Org Data on Wearables select No. From here select any other settings to go into your App Configuration Policy and click Next. On the next screen pick which users or groups of users will get this settings. Click Next and Create.

Block Outlook to wearable devices and smartwatches B

For those who do not have an Intune subscription, a new feature is being added to mobile device policies in Exchange Online (which anyone with an Exchange license can leverage) to disable Bluetooth on the device. You can do this via PowerShell. In the example below, we are disabling Bluetooth for the policy named, Company Mobile Policy.

 C:\> Set-MobileDeviceMailboxPolicy -Identity "Company Mobile Policy" -AllowBluetooth Disable

Global recipient limits

Earlier in the year, Microsoft announced a change to recipient limits in Office 365. Recipient limits dictate how many recipients someone can add to a single email message (this includes all recipients added to the To, Cc, and Bcc lines). This limit was previously hardcoded to 500 recipients. With the February announcement, administrators were allowed to configure this limit per mailbox, with a value of 1 to 1,000 recipients per message.

Starting in August Microsoft extended this functionality by allowing a global recipient limit to be set via PowerShell using the Set-TransportConfig command.

To see the current configuration, connect to Exchange Online PowerShell and run the following command.

 C:\> Get-TransportConfig | Format-List MaxRecipientEnvelopeLimit

MaxRecipientEnvelopeLimit : Unlimited

A value of Unlimited denotes the Office 365 published limits, which at the time of writing is 1,000 recipients per message.

You can modify this value with the following command. In the example below we are setting the max recipients per message to 500.

 C:\> Set-TransportConfig -MaxRecipientEnvelopeLimit 500

In most cases, when this setting is configured on both the mailbox and globally, the mailbox will win. The exception to this is when the mailbox is set to Unlimited, then the global parameter wins. Another way to think of Unlimited at the mailbox and global level is null or not set.

[Read more…] about Exchange Online Updates (September 2020)

Exchange Cumulative Update (September 2020)

By Leave a Comment

7 Shares
Share
Tweet
Share
Reddit
Print
Exchange 2019 Cumulative Update 7

This week was a big week for Exchange. Microsoft released its seventh cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 7 (VLSC)| KB4571787

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 18 | KB4571788 | UM Language Pack

So, what’s new in this Cumulative Update?

Microsoft has resolved a number of issues with the Exchange 2019 Sizing Calculator. I actually ran into one of these myself where the transport database size estimate (under the Role Requirements tab) always reported a 0 GB size per server. This issue has now been fixed in version 10.5 of the calculator (included with the Exchange 2019 CU7 ISO in the Support folder). Be sure to ditch v10.4.

Exchange Server Sizing Caculator 9.1 error in Transport Calc

These series of cumulative updates also resolves an issue where Surface Hub would connect to meetings with the wrong communications client (Skype or Teams) if both clients were installed on the device.

A couple of other items of note is that this cumulative update will fix an issue where the MAPI App Pool could become locked and drive CPU to 100% for over an hour and resolves the security issue CVE-2020-16875, which addresses a remote code execution vulnerability.

[Read more…] about Exchange Cumulative Update (September 2020)

Sysadmin Today #78: Talking Tech with Gareth Gudger

By Leave a Comment

8 Shares
Share
Tweet
Share
Reddit
Print

On July 19th, I had the great pleasure of being a guest on SysAdmin Today. I joined host Paul Joyner to discuss several hot topics for Exchange and Office 365; including:

  • Introductions
  • Overview of Microsoft MVP Program
  • Getting out of the patching and server management business
  • Updated Hybrid Configuration Wizard (v17)
  • Keeping an Exchange server on-prem for secure mail relay
  • GUI for restoring deleted mail for users
  • Reply-all storm protection
  • Support for DANE / DNSSEC
  • New defaults for SMTP Auth
  • Deprecation and deadline extension for basic auth
  • Getting all users to multi-factor authentication
Sysadmin Today #78 - Talking Tech with Gareth Gudger
[Read more…] about Sysadmin Today #78: Talking Tech with Gareth Gudger

Exchange Cumulative Updates (June 2020)

By 3 Comments

6 Shares
Share
Tweet
Share
Reddit
Print
Exchange 2019 CU6

This week was a big week for Exchange. Microsoft released its sixth cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 6 (VLSC)| KB4556415

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 17 | KB4556414 | UM Language Pack

So, what’s new in these Cumulative Updates?

In this series of cumulative updates, Microsoft added thirteen new blocked file types for use with the OWA Mailbox Policy. The additions included several scripting extensions, including many python file types such as .py, .pyc, and .pyo. For a full list of the new extensions, check the following article.

These cumulative updates also correct an issue when using the Restore-RecoverableItems command in a pipe. We covered the cloud-exclusive GUI version of this command in an article earlier this week. Be sure to check it out.

Companies leveraging Hybrid Modern Authentication will also want to take note of these updates as they fix unexpected authentication prompts during certificate rollovers.

Customers leveraging Edge Transport will also want to take note as these updates resolve a situation where Edge Transport servers may become unresponsive due to deadlock in the shadow redundancy manager.

For a full list of all fixes, be sure to check out the KBs KB4556415 and KB4556414.

[Read more…] about Exchange Cumulative Updates (June 2020)

Exchange Online Updates (June 2020)

By Leave a Comment

6 Shares
Share
Tweet
Share
Reddit
Print

Recover deleted mail using the new Exchange Admin Center in Office 365

In the last quarterly update, we covered the new Exchange Admin Center in Office 365. Exclusive to the new admin center is the ability to recover deleted items back into a user’s mailbox. This process has been available using PowerShell for some time.

Recover deleted email items for a user in Office 365 B

Keep in mind you can only recover up to the limit of your single item recovery policy. By default, this is 14 days in Office 365, but can be increased to 30 days (although you will need to set this ahead of time).

You can read more about how to recover deleted items in the following article.

Preventing Reply-All Storms in Exchange Online

Microsoft has added a new feature to combat reply-all storms. These storms are particularly prevalent when numerous people execute a reply-all to a massive distribution list.

Reply-All Storm Protection in Exchange Online

Microsoft’s initial reply-all protection will block replies to an email thread for 4 hours if it detects more than ten reply-all messages within 60 minutes to a thread with over 5,000 recipients.

The eleventh sender will receive a non-delivery report titled Reply-All Storm Protection with the reason the message was blocked.

[Read more…] about Exchange Online Updates (June 2020)

RunAs Radio #684 – Exchange in 2020 with Gareth Gudger

By Leave a Comment

26 Shares
Share
Tweet
Share
Reddit
Print

On February 29th I had the great pleasure of being a guest on the RunAs Radio podcast. I joined host Richard Campbell to discuss all the new security requirements coming to Exchange Online, specifically around the new modern authentication requirement and the deprecation of TLS 1.0 and 1.1.

Gareth on Runas Radio #684 - Exchange in 2020 with Gareth Gudger
[Read more…] about RunAs Radio #684 – Exchange in 2020 with Gareth Gudger