The_Exchange_Team, what's the reason that scripts / CU / setup contain scripts which need the execution policy unrestricted? Could they be code-signed?
Some customers have Group Policies that set the minimum to RemoteSigned, and those cannot be overruled by manual Set-ExecutionPolicy.
Some weeks ago there was a discussion that Microsoft should also sign their code to meet higher security demands.
Is this something you are working on? Is there other customer feedback? The reason is: WinRM is enabled by default, and so is PowerShell. Attackers often leverage PowerShell Remote sessions to infiltrate a system and gain privileges. The customer expectation is that restricting the execution of PowerShell is a viable countermeasure. Some even restrict the launch of PowerShell 5/7 via Application Control in their scenarios.
I understand this would make it impossible to run Exchange Setup / CU or SQL Setup, so we should at least focus on the execution policy scenario.
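
Added example, not part of the comment above and not Microsoft's code: a pre-flight check an administrator can run before a setup or CU to see which execution-policy scope is in force (Group Policy scopes outrank a manual `Set-ExecutionPolicy`) and which scripts in a folder the effective policy would refuse. The `$ScriptRoot` parameter and the output column names are assumptions made for this illustration.

```powershell
# Added illustration. $ScriptRoot is an assumed parameter: point it at the
# folder that holds the scripts you are about to run.
param([string]$ScriptRoot = '.')

# Get-ExecutionPolicy -List returns scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
# The first scope that is not Undefined wins.
$winner = Get-ExecutionPolicy -List |
    Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
    Select-Object -First 1
$effective = "$(Get-ExecutionPolicy)"

if ($winner -and $winner.Scope -in 'MachinePolicy', 'UserPolicy') {
    Write-Warning "Policy '$effective' comes from Group Policy ($($winner.Scope)); Set-ExecutionPolicy cannot override it."
}

Get-ChildItem -Path $ScriptRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

        # RemoteSigned only demands a signature for files carrying a
        # mark-of-the-web with an Internet or Restricted zone id (3 or 4).
        $zone   = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $remote = [bool]($zone -match 'ZoneId=[34]')

        # A Valid signature is necessary; under AllSigned the publisher
        # must additionally be trusted on the machine.
        $refused = switch ($effective) {
            'Restricted'   { $true }
            'AllSigned'    { $sig.Status -ne 'Valid' }
            'RemoteSigned' { $remote -and $sig.Status -ne 'Valid' }
            default        { $false }
        }

        [pscustomobject]@{
            Script          = $file.FullName
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            MarkOfTheWeb    = $remote
            WouldBeRefused  = $refused
        }
    } |
    Sort-Object WouldBeRefused -Descending |
    Format-Table -AutoSize
```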