Exchange Team Blog

Released: November 2023 Exchange Server Security Updates

The_Exchange_Team
Nov 14, 2023

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2019
  • Exchange Server 2016

SUs are available for the following specific versions of Exchange Server:

  • Exchange Server 2019 CU12 and CU13
  • Exchange Server 2016 CU23

The November 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Certificate signing of PowerShell serialization payload is now enabled by default

Starting with the November 2023 SU, we are enabling certificate signing of PowerShell serialization payloads by default (as a reminder, we released this feature in January 2023 as an optional feature). Once the November 2023 (or later) SU is installed on a server, certificate signing is automatically turned on for that specific server only.

For more information on this, please see the feature documentation.

Make sure that the Exchange Auth Certificate is valid before installing the Security Update. You can use the MonitorExchangeAuthCertificate.ps1 script to perform a quick check.
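The following is an added example of such a pre-install check; it is not the MonitorExchangeAuthCertificate.ps1 script and not Microsoft's code. It runs in the Exchange Management Shell, uses the Get-AuthConfig, Get-ExchangeServer and Get-ExchangeCertificate cmdlets with their documented properties, and the 30-day warning threshold is an assumption chosen for the example. It confirms that the Auth Certificate referenced by the auth configuration is present and unexpired on every mailbox server, which is the condition the November SU's signing verification depends on.

```powershell
# Added example, not the MonitorExchangeAuthCertificate.ps1 script: check the Exchange Auth
# Certificate before installing the SU. Run from the Exchange Management Shell.
param(
    [int]$MinimumDaysRemaining = 30   # assumed threshold for this example
)

$authConfig = Get-AuthConfig
$current    = $authConfig.CurrentCertificateThumbprint
$next       = $authConfig.NextCertificateThumbprint

if ([string]::IsNullOrEmpty($current)) {
    Write-Warning "No current Auth Certificate is configured; run MonitorExchangeAuthCertificate.ps1 before installing the SU."
    return
}

# Signing is verified per server, so the certificate must exist with the same
# thumbprint on every mailbox server (Edge servers do not use the Auth Certificate).
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }
foreach ($server in $servers) {
    $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $current -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$($server.Name): Auth Certificate $current is not installed on this server."
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) {
        Write-Warning "$($server.Name): Auth Certificate expired on $($cert.NotAfter); renew it before installing the SU."
    } elseif ($daysLeft -lt $MinimumDaysRemaining) {
        Write-Warning "$($server.Name): Auth Certificate expires in $daysLeft days ($($cert.NotAfter))."
    } else {
        Write-Output "$($server.Name): Auth Certificate valid for $daysLeft more days (expires $($cert.NotAfter))."
    }
}

if ($next) {
    # A staged rollover certificate becomes current at the effective date.
    Write-Output "Rollover certificate $next is staged, effective $($authConfig.NextCertificateEffectiveDate)."
}
```

Any warning from this check is a reason to renew the certificate (with the MonitorExchangeAuthCertificate.ps1 script or manually) before installing the update; an expired Auth Certificate is also the cause of the Queue Viewer crash listed under known issues.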

The output of the MonitorExchangeAuthCertificate.ps1 script will look like this if no actions are required:

Update installation

The following update paths are available:

Known issues with this release

  • Certain piped cmdlets (for example, Get-MailboxDatabase | Get-Mailbox) might fail on Management Tools only machines. More details and possible workarounds can be found in the Serialized Data Signing feature documentation.
  • Running the RedistributeActiveDatabases.ps1 or StartDagServerMaintenance.ps1 scripts might fail with a deserialization error after the November SU is installed if the script is run on a non-mailbox server. We will address this issue in a future update. As a workaround, please run the script on a mailbox server.
  • The Queue Viewer may crash with the following error after installing the November 2023 SU:
    "Failed to enable constraints. One or more rows contain values violating non-null, unique, or foreign-key constraints"
    The issue can occur if the Exchange Server Auth Certificate has expired. The solution is to renew the Exchange Server Auth Certificate using the MonitorExchangeAuthCertificate.ps1 script or manually.
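The piped-cmdlet issue above stems from the object crossing the remote PowerShell boundary as a Deserialized.* type that the receiving cmdlet's parameter binder cannot convert once signed serialization is enforced (the comments below show the same ParameterArgumentTransformationError for a script). As an added example, not taken from the feature documentation, the general remote-PowerShell pattern of binding on a plain string identity instead of the piped object avoids the conversion; that this pattern applies here is an assumption, and the documented workarounds take precedence.

```powershell
# Added example, not the documented workaround: avoid piping deserialized Exchange objects
# between cmdlets on a Management Tools only machine by passing string identities instead.
# Assumes the Exchange Management Shell cmdlets Get-MailboxDatabase and Get-Mailbox.

# The form named in the known issue, which can fail on a Management Tools only machine
# because the piped object arrives as Deserialized.Microsoft.Exchange.* :
#   Get-MailboxDatabase | Get-Mailbox

# Bind on the database name, a plain string on the client side, so no type conversion
# from a deserialized object is needed.
$databases = Get-MailboxDatabase
foreach ($db in $databases) {
    Get-Mailbox -Database $db.Name -ResultSize Unlimited |
        Select-Object DisplayName, Database, PrimarySmtpAddress
}
```

The same approach applies to other cmdlet pairs: wherever a script passes a whole object, pass the object's Name or Identity string for the parameter instead.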

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this document for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

Is it safe to disable the Serialized Data Signing feature if we install the November 2023 SU?
Disabling certificate signing of PowerShell serialization payloads will make your server vulnerable to known Exchange vulnerabilities and weakens protection against unknown threats. We recommend leaving this feature enabled.
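Because the feature is now on by default per patched server, the remaining risk is a setting override that turns it off. The following is an added audit example, not Microsoft's code: it lists overrides for the Serialized Data Signing section and flags any that disable it. It assumes the Get-SettingOverride cmdlet exposes ComponentName, SectionName, Parameters, Server, Name and Reason properties, and that the feature's override uses the Data component and EnableSerializationDataSigning section as in the January 2023 opt-in instructions.

```powershell
# Added example, not Microsoft's code: find setting overrides that disable Serialized Data
# Signing. Run from the Exchange Management Shell. Property names are an assumption.
$overrides = Get-SettingOverride | Where-Object {
    $_.ComponentName -eq 'Data' -and $_.SectionName -eq 'EnableSerializationDataSigning'
}

if (-not $overrides) {
    Write-Output "No EnableSerializationDataSigning overrides found; the November 2023 SU default (enabled) applies on patched servers."
    return
}

foreach ($o in $overrides) {
    # An override without a Server list applies organization-wide.
    $scope    = if ($o.Server) { $o.Server -join ', ' } else { 'all servers' }
    $disabled = $o.Parameters -match 'Enabled\s*=\s*false'
    if ($disabled) {
        Write-Warning "Override '$($o.Name)' disables Serialized Data Signing on $scope (reason: $($o.Reason))."
    } else {
        Write-Output "Override '$($o.Name)' sets $($o.Parameters -join '; ') on $scope."
    }
}
```

A flagged override should be reviewed and, per the recommendation above, removed so the server returns to the enabled default.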

Documentation may not be fully available at the time this post is published.

Blog post updates:

  • 11/27: Updated the link for one of the FAQs.
  • 11/23: Added a known issue with Queue Viewer crashing (happens if the Exchange Auth certificate is expired).
  • 11/16: Added StartDagServerMaintenance.ps1 script to known issues too.
  • 11/16: Added a known issue with the RedistributeActiveDatabases.ps1 script if it is run on a non-mailbox server.

The Exchange Server Team

Updated Nov 27, 2023

89 Comments

  • JJuergen

    LukasSMSFT on both. Same results for RedistributeActiveDatabases.ps1 on ManagementToolOnlyServer and/or MailboxServer...

    As mentioned before, we didn't configure/enable certificate signing of PowerShell serialization payloads before...

  • JJuergen

    Same here. Exchange Server 2016 (4 Node Dag) on Server 2016. All ExchangeServers are on CU23 and NovemberPatches. Worked before without any problems...

    Microsoft Exchange Server Auth Certificate is valid until 4/30/2024, did not have to use MonitorExchangeAuthCertificate.ps1 to create a new Cert because of that.

    SDS was not implemented before...


    [PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\RedistributeActiveDatabases.ps1 -DagName dag1 -BalanceDbsByActivationPreference -Confirm:$false
    Cannot process argument transformation on parameter 'Server'. Cannot convert the "EX8" value of type
    "Deserialized.Microsoft.Exchange.Data.Directory.ADObjectId" to type
    "Microsoft.Exchange.Configuration.Tasks.ServerIdParameter".
    + CategoryInfo : InvalidData: (:) [Get-MailboxDatabase], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MailboxDatabase
    + PSComputerName : ex9.domain.com

    Regards

    Juergen

  • Gregory An additional question: were all members of the DAG already on the same SU (Nov) or was the DAG mixed with some members on Nov (with SDS enabled) and older (with no SDS)?

  • Gregory can you tell me if Serialized Data Signing (SDS) was enabled in the environment in which you're running the Exchange 2016 October 2023 SU?

    Also, what's the SDS configuration in the Exchange Server 2019 environment?

  • Gregory

    Windows Server 2012R2, all updates until October 2023. Exchange 2016 CU23 Nov23SU installed on 3 of 5 servers. Found that I can't run the RedistributeDatabase script from $exscripts - get the error below.

    I tried running the script from the 3 of 5 servers on which I installed Nov23SU for Exchange 2016 - it fails on all 3 servers. And I successfully ran the script from the other 2 servers which still do not have Nov23SU installed.

    I have, in another site, Windows Server 2022 with November 2023 updates + Exchange 2019 CU13 Nov23SU installed on 1 of many servers, and I successfully started the RedistributeDatabase script from $exscripts and redistributed databases in the problem site with no problems.

    [PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\RedistributeActiveDatabases.ps1 -DagName dag -BalanceDbsByActivationPreference
    Cannot convert value "dag" to type
    "Microsoft.Exchange.Data.Directory.SystemConfiguration.DatabaseAvailabilityGroup". Error: "Cannot convert the "dag"
    value of type "Deserialized.Microsoft.Exchange.Data.Directory.SystemConfiguration.DatabaseAvailabilityGroup" to type
    "Microsoft.Exchange.Data.Directory.SystemConfiguration.DatabaseAvailabilityGroup"."
    At C:\Program Files\Microsoft\Exchange Server\V15\scripts\RedistributeActiveDatabases.ps1:2815 char:3
    + $script:dag = Get-DatabaseAvailabilityGroup $DagName -Status
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException

    Log-Error : [11:29:39.362 UTC] Could not find DAG matching 'dag'!
    At C:\Program Files\Microsoft\Exchange Server\V15\scripts\RedistributeActiveDatabases.ps1:2820 char:3
    + Log-Error ($RedistributeActiveDatabases_LocalizedStrings.res_0089 -f $DagName) ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Log-Error

  • Sam_T

    The_Exchange_Team 

    Only six weeks left in CY 2023. Should we expect 2023 H2 CU for Exchange Server 2019 (CU14) before the end of the year or are we in for another unhappy surprise?

  • adixro

    Hi,

    I have renewed the cert at the end of October, and while running the below for all servers it gives the old cert for some reason, which will expire in a few days, which is not possible (because it expired already), and that cert thumbprint is no longer applied to any Exchange services. The new cert, even if present and assigned to IIS, SMTP etc., doesn't even come up.

    Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | .\HealthChecker.ps1; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

    If I run the Health Checker against one server it gives the proper results. (Lifetime in days)

    Anyone else encountered this?

    Never mind... deleted the previous HealthChecker history.