March 2023 Exchange Server Security Updates

Microsoft Exchange Servers security updates have been released for March 2023.

These updates are available for the following specific versions of Exchange Server:

Exchange Server 2013 CU23 SU21 (Microsoft Exchange Server 2013 will reach its end of support on April 11, 2023)
Exchange Server 2016 CU23 SU7
Exchange Server 2019 CU11 SU11 & CU12 SU7

The recommendation is to install these updates immediately to protect your environment.
If you are installing a Cumulative Update (CU), you also need to install the security updates. Remember that the Cumulative Update (CU) has to be installed first and then the Security Update (SU).

Inventory your Exchange Servers to determine which updates are needed –> “Exchange Server Health Checker”
Choose your current CU and your target CU to get directions –> “Exchange Update Wizard”
If you encounter errors during or after installation of Exchange Server –> “Exchange Setup Assist”

Note: Don't double-click the 'MSP file' to run it. Run Command Prompt (not PowerShell) as an Administrator.

Issues resolved with this update:

  • EWS web application pool stops after the February 2023 Security Update is installed.
    ⇒If you have applied a workaround for this issue, you should roll it back after the March security update.
  • On Exchange Server 2016 or 2019 servers that have non-default applications installed through ECP add-ins, the ECP add-ins page might be broken after the February 2023 Security Update is installed.
    ⇒The issue is expected to be resolved with the March security update.
  • The Get-App and GetAppManifests applications fail and return an exception, “MSExchangeServicesAppPool” application pool to repeat in the same order after the February 2023 Security Update is installed.
    ⇒The issue has been resolved with the March security update.
  • Exchange Toolbox and Queue Viewer fail after Certificate Signing of PowerShell Serialization Payload is enabled after the January 2023 or the February 2023 Security Update is installed.
    ⇒The issue has been resolved with the March security update for servers running the Mailbox Role, but this issue persists on other servers with the management console installed.

Have a nice day!

February 2023 Exchange Server Security Updates

Microsoft Exchange Servers security updates have been released for February 2023.

These updates are available for the following specific versions of Exchange Server:

Exchange Server 2013 CU23 SU20 (Microsoft Exchange Server 2013 will reach its end of support on April 11, 2023)
Exchange Server 2016 CU23 SU6
Exchange Server 2019 CU11 SU10 & CU12 SU6

The recommendation is to install these updates immediately to protect your environment.
If you are installing a Cumulative Update (CU), you also need to install the security updates. Remember that the Cumulative Update (CU) has to be installed first and then the Security Update (SU).

Inventory your Exchange Servers to determine which updates are needed –> “Exchange Server Health Checker”
Choose your current CU and your target CU to get directions –> “Exchange Update Wizard”
If you encounter errors during or after installation of Exchange Server –> “Exchange Setup Assist”

 

Note: Don't double-click the 'MSP file' to run it. Run Command Prompt (not PowerShell) as an Administrator.

 

Have a nice day!

How to Fix TLS “SchUseStrongCryptoValue: Null”

If you get the “StrongCrypto” errors shown below after configuring TLS on your Microsoft Exchange Servers:

v4.0.30319 SchUseStrongCryptoValue: NULL --- Error: Value should be defined in registry for consistent results.
v4.0.30319 WowSchUseStrongCryptoValue: NULL --- Error: Value should be defined in registry for consistent results.

The values you need to define for “StrongCrypto” are as follows:

Set “Strong Cryptography” on 32-bit .Net Framework

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

 

Set “Strong Cryptography” on 64-bit .Net Framework

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
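A check-then-set version of the two commands above, as an added example that is not part of the original post: it reports each value the way the error output does (NULL when undefined) and writes the DWORD only where it is not already 1. The function name Test-StrongCrypto and its -Fix switch are hypothetical, and the mapping of the two error labels to the two registry paths is an assumption based on the "Wow" prefix.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Test-StrongCrypto and -Fix are hypothetical names chosen for this illustration.
function Test-StrongCrypto {
    [CmdletBinding()]
    param([switch]$Fix)

    # The two keys from the post, keyed by the label used in the error output
    # (label-to-path mapping is an assumption based on the "Wow" prefix).
    $targets = [ordered]@{
        'SchUseStrongCryptoValue'    = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319'
        'WowSchUseStrongCryptoValue' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    }

    foreach ($label in $targets.Keys) {
        $path = $targets[$label]
        # A missing key and a missing value both come back as $null.
        $item   = Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
        $before = if ($null -ne $item) { $item.SchUseStrongCrypto } else { $null }

        $changed = $false
        if ($Fix -and $before -ne 1) {
            # Create the key first if it does not exist, then write the DWORD.
            if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
            $changed = $true
        }

        # Read the value back so the report shows what is actually in the registry.
        $after = (Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{
            Check   = $label
            Before  = if ($null -eq $before) { 'NULL' } else { $before }
            After   = if ($null -eq $after)  { 'NULL' } else { $after }
            Changed = $changed
            Path    = $path
        }
    }
}

# Report only:
Test-StrongCrypto | Format-Table Check, Before, After, Changed -AutoSize
# Report and remediate:
# Test-StrongCrypto -Fix | Format-Table Check, Before, After, Changed -AutoSize
```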

 

Have a nice day!

October 2022 Exchange Server Security Updates

Microsoft Exchange Servers security updates have been released for October 2022.

These updates are available for the following specific versions of Exchange Server:

Exchange Server 2013 CU23
Exchange Server 2016 CU22 and CU23
Exchange Server 2019 CU11 and CU12

The recommendation is to install these updates immediately to protect your environment.
If you are installing a Cumulative Update (CU), you also need to install the security updates. Remember that the Cumulative Update (CU) has to be installed first and then the Security Update (SU).

The following update paths are available:

 

These vulnerabilities only affect Exchange Server.
Exchange Online customers are already protected from the vulnerabilities addressed.

Note: Don't double-click the 'MSP file' to run it. Run Command Prompt (not PowerShell) as an Administrator.

 

Additional Action Required!

As you know, we were doing /PrepareSchema and /PrepareAD operations before CU operations.
There is a new difference in the updates released in May.

The following actions should be taken in addition to the application of May 2022 security updates:

After installing the cumulative update and the security update, run the following command once from Command Prompt, using Setup.exe in your Exchange Server installation path "\Program Files\Microsoft\Exchange Server\v15\Bin":

"Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /P"

Microsoft says that the step is necessary “because of additional security hardening work for CVE-2022-21978,” which is one of the vulnerabilities addressed by the updates.

When running a Database Availability Group, do not forget to put the Exchange Server Cluster(DAG) in maintenance mode.

 

Have a nice day!

Exchange Server 2019 ECP/OWA Not Working

Read this article if you can’t access the Exchange Server 2019 ECP (Exchange Control Panel) or OWA (Outlook Web Access).

In your Exchange Server Infrastructure, if your ECP/OWA console doesn’t open and you encounter EventID:1309 in the Application Log, the root cause of the problem is the missing SharedWebConfig file.
You can see this in the “Application Virtual Path” – “Application Path” in Event ID 1309.

ECP Not Working

To resolve this issue follow these steps:

  • Access the server with the problem.
  • Generate the missing file:
    • Run cd %ExchangeInstallPath%\bin to change the current directory to the bin folder that’s under the Exchange installation path.
    • Use the DependentAssemblyGenerator.exe tool
    • If the file is missing from C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy, run the following command:
      • DependentAssemblyGenerator.exe -exchangePath "%ExchangeInstallPath%\bin" -exchangePath "%ExchangeInstallPath%\FrontEnd\HttpProxy" -configFile "%ExchangeInstallPath%\FrontEnd\HttpProxy\SharedWebConfig.config"

 

  • IISReset

 

You can now access ECP!

P.S.: If you encounter Event ID 1309, check its contents carefully, because in the problem I mentioned above the issue was related to ECP.
The event contents were “Application Virtual Path: /ecp” and “Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp”.

If the contents are instead as follows:

  • Application Virtual Path: /owa
  • Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\

To resolve this issue follow these steps:

  • Access the server with the problem.
  • Generate the missing file:
    • Run cd %ExchangeInstallPath%\bin to change the current directory to the bin folder that’s under the Exchange installation path.
    • Use the DependentAssemblyGenerator.exe tool
    • If the file is missing from C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess, run the following command:
      • DependentAssemblyGenerator.exe -exchangePath "%ExchangeInstallPath%\bin" -exchangePath "%ExchangeInstallPath%\ClientAccess" -configFile "%ExchangeInstallPath%\ClientAccess\SharedWebConfig.config"
  • IISReset

 

You can now access OWA!

Have a nice day !

How to Fix Exchange Server “421 4.3.2 Service not available”

When I examined the receive connector logs to identify the problem with the mail traffic I was experiencing on one of my Exchange servers, I saw that the error “421 4.3.2 Service not available” was constantly repeated.

When I followed the mail flow in the log, I observed that the steps continued successfully, but at the last stage it gave the error “421 4.3.2 Service not available”.

auth login,
334 authentication response,
SMTPSubmit SMTAccept,
235 2.7.0 Authentication Successful,
Mail From : <…@…>,
421 4.3.2 Service not available,
Remote(SocketError)

I checked the ServerComponentState of the server, and saw that the HubTransport was Draining.

Get-ServerComponentState (hostname)

To fix this situation, we need to use the following command.

Set-ServerComponentState ExchServerName -Component HubTransport -State Active -Requester Maintenance

Check again with Get-ServerComponentState (hostname)
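To find the same pattern across a receive connector log without reading it line by line, the following added example (not part of the original post) groups log rows by session and reports every session in which the server answered “421 4.3.2”, noting whether authentication had already succeeded. The function name Find-Smtp421Session is hypothetical, the column order is assumed from the '#Fields:' header of Exchange SMTP protocol logs, and the sample lines are constructed.

```powershell
# Added example (not from the original post). Find-Smtp421Session is a hypothetical name.
function Find-Smtp421Session {
    param([Parameter(Mandatory)][string[]]$LogLine)

    # Column order assumed from the '#Fields:' header of Exchange SMTP protocol logs.
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'

    # Drop the '#' header lines, then parse the remaining CSV rows.
    $rows = $LogLine | Where-Object { $_ -and $_ -notmatch '^#' } |
            ConvertFrom-Csv -Header $fields

    foreach ($session in ($rows | Group-Object -Property 'session-id')) {
        # Event '>' marks a response the server sent to the client.
        $sent = @($session.Group | Where-Object { $_.event -eq '>' })
        $hit  = $sent | Where-Object { $_.data -like '421 4.3.2*' } | Select-Object -First 1
        if (-not $hit) { continue }
        $authOk = [bool]($sent | Where-Object { $_.data -like '235 2.7.0*' })
        [pscustomobject]@{
            Time          = $hit.'date-time'
            Connector     = $hit.'connector-id'
            SessionId     = $session.Name
            Remote        = $hit.'remote-endpoint'
            AuthSucceeded = $authOk
        }
    }
}

# Constructed sample lines (not real log data); 192.0.2.x are documentation addresses.
$sample = @(
    '#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'
    '2023-03-01T08:15:01.100Z,EX01\Client Frontend EX01,08DB000000000001,3,192.0.2.10:587,192.0.2.77:51234,<,AUTH LOGIN,'
    '2023-03-01T08:15:01.300Z,EX01\Client Frontend EX01,08DB000000000001,6,192.0.2.10:587,192.0.2.77:51234,>,235 2.7.0 Authentication successful,'
    '2023-03-01T08:15:01.400Z,EX01\Client Frontend EX01,08DB000000000001,7,192.0.2.10:587,192.0.2.77:51234,<,MAIL FROM:<user@example.com>,'
    '2023-03-01T08:15:01.500Z,EX01\Client Frontend EX01,08DB000000000001,8,192.0.2.10:587,192.0.2.77:51234,>,421 4.3.2 Service not available,'
    '2023-03-01T08:16:00.000Z,EX01\Client Frontend EX01,08DB000000000002,4,192.0.2.10:587,192.0.2.78:40000,>,250 2.1.0 Sender OK,'
)

$found = @(Find-Smtp421Session -LogLine $sample)
$found | Format-Table -AutoSize
if ($found.Count -gt 0) {
    # The post traced this symptom to HubTransport being in the Draining state.
    Write-Warning 'Check Get-ServerComponentState for HubTransport on the affected server.'
}
```

For a real log, pass the file content instead of the sample, for example `Find-Smtp421Session -LogLine (Get-Content <path to log file>)`.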

Have a nice day !

2022 H1 Cumulative Updates for Exchange Server

In the previous post, I shared that Microsoft has changed the update service for Exchange servers.

It has been announced that updates will now be released as H1 and H2, and the updates for the first of these, 2021 H1, have been released.

It is reported that the newly released cumulative updates (CUs) include previous security updates (SUs) and fixes for customer-reported issues.

These updates are available for the following specific builds of Exchange Server:

Exchange Server 2019 CU12
Exchange Server 2016 CU23 (The latest cumulative update package of Exchange 2016 won’t be H2 ! )

Please check knowledge base articles for known issues via CU12 or CU23

Further Information and Guidance
Exchange Team Blog
Upgrade Exchange to the latest Cumulative Update
Exchange Updates Step-by-Step Guide
How to Find Exchange Version and Build Number

Have a nice day !

Exchange Server Update Servicing Model Changed !

Microsoft announced in the bulletin it shared yesterday that it has changed the update model for the Exchange Server.

The quarterly update schedule (March, June, September, and December) was changed after feedback from customers, and Microsoft announced a new update servicing model.

According to the announcement, there will be two CUs per year, releasing in H1 and H2 of each calendar year, with general target release dates of March and September (these dates may change).

The next CU will be released in H2 of 2022, for Exchange 2019 only. CUs have ended for Exchange Server 2013 and Exchange Server 2016; only SUs will be released for them.

Have a nice day !

Exchange Server Cluster(DAG) Maintenance

If you are planning to make cumulative updates to your Exchange Servers, you must first put the server on which you will install the update into maintenance mode.
To perform maintenance on Exchange Servers, follow these steps:

  • First of all, if you are using a load-balancer, make sure that there is no mail traffic to the server you will maintain.
  • Pre-Check 1 – Get-ServerComponentState ExchServerName | ft Component,State -Autosize
  • Pre-Check 2 – Get-MailboxServer ExchServerName | ft DatabaseCopy* -Autosize
  • Pre-Check 3 – Get-ClusterNode ExchServerName| fl
  • Pre-Check 4 – Get-Queue
  • Maintenance 1 – Set-ServerComponentState ExchServerName -Component HubTransport -State Draining -Requester Maintenance
  • Maintenance 2 – Restart-Service MSExchangeTransport
  • Maintenance 3 – Get-Queue
  • Maintenance 4 – CD $ExScripts
    .\StartDagServerMaintenance.ps1 -serverName ExchServerName -MoveComment Maintenance -PauseClusterNode
  • Maintenance 5 – Redirect-Message -Server ExchServerName -Target OtherServerName
  • Maintenance 6 – Suspend-ClusterNode ExchServerName
  • Maintenance 7 – Set-MailboxServer ExchServerName -DatabaseCopyActivationDisabledAndMoveNow $True
  • Maintenance 8 – Set-MailboxServer ExchServerName -DatabaseCopyAutoActivationPolicy Blocked
  • Maintenance 9 – Set-ServerComponentState ExchServerName -Component ServerWideOffline -State Inactive -Requester Maintenance
  • Control 1 – Get-ServerComponentState ExchServerName | ft Component,State -Autosize
  • Control 2 – Get-MailboxServer ExchServerName | ft DatabaseCopy* -Autosize
    Get-ClusterNode ExchServerName | fl
    Get-Queue
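The Control 1 and Control 2 checks can be turned into a single pass/fail gate before patching. The following is an added example, not part of the original post: Test-MaintenanceReady is a hypothetical name, the sample objects are constructed stand-ins for the cmdlet output, and the rules (all components Inactive except Monitoring and RecoveryActionsEnabled, Poison and Shadow queues ignored) are assumptions stated in the comments.

```powershell
# Added example (not from the original post). Test-MaintenanceReady is a hypothetical name.
function Test-MaintenanceReady {
    param(
        [Parameter(Mandatory)][object[]]$ComponentState,  # Get-ServerComponentState ExchServerName
        [Parameter(Mandatory)][object]$MailboxServer,     # Get-MailboxServer ExchServerName
        [Parameter(Mandatory)][object]$ClusterNode,       # Get-ClusterNode ExchServerName
        [object[]]$Queue = @()                            # Get-Queue
    )
    $problems = @()

    # Assumption: once ServerWideOffline is Inactive, every component except these two reads Inactive.
    $exempt = 'Monitoring', 'RecoveryActionsEnabled'
    foreach ($c in $ComponentState) {
        if ($exempt -notcontains $c.Component -and "$($c.State)" -ne 'Inactive') {
            $problems += "Component $($c.Component) is $($c.State)"
        }
    }
    if ("$($MailboxServer.DatabaseCopyAutoActivationPolicy)" -ne 'Blocked') {
        $problems += 'DatabaseCopyAutoActivationPolicy is not Blocked'
    }
    if ("$($ClusterNode.State)" -ne 'Paused') {
        $problems += "Cluster node state is $($ClusterNode.State)"
    }
    # Assumption: Poison and Shadow redundancy queues are not expected to drain.
    foreach ($q in $Queue) {
        if ($q.MessageCount -gt 0 -and "$($q.Identity)" -notmatch '\\(Poison|Shadow)') {
            $problems += "Queue $($q.Identity) still holds $($q.MessageCount) message(s)"
        }
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample objects: Maintenance 9 has not been run and one queue is not empty.
$states = @(
    [pscustomobject]@{ Component = 'ServerWideOffline'; State = 'Active'   }
    [pscustomobject]@{ Component = 'HubTransport';      State = 'Draining' }
    [pscustomobject]@{ Component = 'Monitoring';        State = 'Active'   }
)
$mbx    = [pscustomobject]@{ DatabaseCopyAutoActivationPolicy = 'Blocked' }
$node   = [pscustomobject]@{ State = 'Paused' }
$queues = @(
    [pscustomobject]@{ Identity = 'EX01\Submission'; MessageCount = 4 }
    [pscustomobject]@{ Identity = 'EX01\Poison';     MessageCount = 1 }
)

$result = Test-MaintenanceReady -ComponentState $states -MailboxServer $mbx -ClusterNode $node -Queue $queues
$result.Problems
```

In the Exchange Management Shell, pass the real cmdlet output named in the parameter comments instead of the sample objects.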

By the way, if you have made changes to the configuration files (Web.config, Edgetransport.exe.config, etc.), it is recommended to back them up before starting the update process, because after the update the changes you made will return to their default settings.

You can now update the server.

After completing the update process we need to take the server out of maintenance mode.

  • After 1 – Set-ServerComponentState ExchServerName -Component ServerWideOffline -State Active -Requester Maintenance
  • After 2 – CD $ExScripts
    .\StopDagServerMaintenance.ps1 -serverName ExchServerName
  • After 3 – Set-ServerComponentState ExchServerName -Component HubTransport -State Active -Requester Maintenance
  • After 4 – Restart-Service MSExchangeTransport
  • After 5 – Get-ServerComponentState ExchServerName | ft Component,State -Autosize

 

If you backed up specific configuration files, you can compare the current files with your backups and reapply your changes. (Don’t forget to restart the server.)

Now you can add your server to the load-balancer again and include it in the mail traffic.

 

Have a nice day !

Issue fix “MicrosoftExchangeServiceHost” Crash : March 2022 Security Update

On some Exchange systems, after you install the March 2022 Security Update, the “Microsoft Exchange Service Host” service may crash repeatedly and log related errors.

Event ID 4999 (Application Log)
Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-dumptidset, 15.01.2375.024.

Root Cause: There are expired certificates or certificates nearing expiration on the Exchange Server.
Workaround: Replace any expired certificates and, if you are on Exchange Server 2016 or Exchange Server 2019, follow these steps:

  • Must have temporary full access to the arbitration mailbox
    Get-Mailbox -Arbitration "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | Add-MailboxPermission -User AdminAccount -AccessRights FullAccess
  • Run the Remove Expiry Notification script from Exchange Management Shell (user with full permission assigned to arbitration mailbox)
    Remove-CertExpiryNotifications.ps1 -Server ExchangeServer -Confirm:$false
  • Check that all the messages are deleted: run the script again and it should report that there are no messages present in the folder
    Remove-CertExpiryNotifications.ps1 -Server ExchangeServer -WhatIf
  • Start the MSExchangeServiceHost service and confirm that it is not crashing
  • Revoke the full access permission
    Get-Mailbox -Arbitration "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | Remove-MailboxPermission -User AdminAccount -AccessRights FullAccess
  • Renew any certificates that expire

Have a nice day !