Update 11/27/2024: We have re-released November 2024 SUs. Please see this post for more information.
Microsoft has released Security Updates (SUs) for vulnerabilities found in:
- Exchange Server 2019
- Exchange Server 2016
SUs are available for the following specific versions of Exchange Server:
The November 2024 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Server Software under Product Family).
Improvements in Exchange Server AMSI integration
Starting with the November 2024 SU release, we have extended the ability of products that use the Exchange Server AMSI integration to perform additional tasks on message bodies. The feature is disabled by default and can be enabled on a per-protocol basis. We recommend enabling this feature for a subset of services first, as it could lead to performance issues. Additionally, we ask that you reach out to us if you experience any issues after enabling Exchange Server AMSI body scanning. Please see the documentation for more information on how this feature works and how it can be controlled.
Non-compliant RFC 5322 P2 FROM header detection
To address CVE-2024-49040, a new feature was implemented to detect P2 FROM headers in incoming email messages that do not comply with RFC 5322. The P2 FROM header is the part of the message header that is displayed to the recipient's email client (for example, Outlook): it is the sender's email address, or name (if the sender is internal), that appears in the From field when you view an email in your inbox. Please see the documentation for more information.
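The kind of check described above, as an added example that is not Exchange's implementation (the page does not describe how Exchange classifies headers): it runs a From header value through Python's standard-library RFC 5322 header parser and reports every syntax defect. The "exactly one mailbox" rule is an assumption of this example, since RFC 5322 itself permits a mailbox-list in From; the sample header values are constructed.

```python
"""Check a P2 (RFC 5322) From header value for syntax defects and a
single-mailbox policy. Added example; not Exchange's implementation."""
import email.errors
from email.headerregistry import HeaderRegistry

# The stdlib registry parses "From" with the strict RFC 5322 address
# grammar and records every deviation as a defect on the header object.
_REGISTRY = HeaderRegistry()


def check_p2_from(header_value: str) -> list[str]:
    """Return the reasons a From header value is unacceptable ([] if clean).

    Parser defects are genuine RFC 5322 deviations (missing '>', text after
    the address, unbalanced quotes, ...). The "exactly one mailbox" rule is
    a policy assumption of this example: RFC 5322 allows a mailbox-list in
    From, but a single-sender policy is what a mail gateway usually wants.
    """
    reasons: list[str] = []
    try:
        header = _REGISTRY("From", header_value)
    except email.errors.HeaderParseError as exc:
        return [f"unparseable: {exc}"]
    reasons.extend(f"rfc5322 defect: {defect}" for defect in header.defects)
    mailboxes = header.addresses
    if len(mailboxes) != 1:
        reasons.append(f"policy: expected one mailbox, found {len(mailboxes)}")
    for mailbox in mailboxes:
        if not mailbox.username or not mailbox.domain:
            reasons.append(f"policy: incomplete addr-spec {mailbox.addr_spec!r}")
    return reasons


def is_compliant(header_value: str) -> bool:
    """True when the From value parses cleanly and names exactly one mailbox."""
    return not check_p2_from(header_value)


# Constructed sample header values (not taken from any real message).
SAMPLES = [
    "Alice Example <alice@example.com>",         # well-formed name-addr
    "alice@example.com",                         # bare addr-spec, also valid
    "Alice <alice@example.com",                  # missing closing '>'
    "bob@example.com <attacker@evil.example>",   # unquoted '@' in display name
    "Bob <bob@example.com> <eve@evil.example>",  # junk after the address
    "a@example.com, b@example.com",              # two mailboxes (policy rule)
    "",                                          # no mailbox at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "ok " if is_compliant(sample) else "BAD"
        print(f"{verdict} {sample!r}: {check_p2_from(sample)}")
```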
ECC certificate support improvements
The November 2024 SU improves support for ECC certificates. ECC certificates can now be used on Edge Transport servers and can be bound to the POP and IMAP services. Note that the way ECC certificate support is enabled has changed: previously, a New-SettingOverride was needed to enable the feature; starting with the November 2024 SU, you create a registry value instead of the override. Please see the documentation for more information.
Known issues with this update
A known issue exists in both versions of the November 2024 Security Update. A Knowledge Base (KB) article has been published to describe the workaround for mitigating this issue. Please see the Time zone exception occurs after installing Exchange Server November 2024 SU (Version 1 or Version 2) KB for additional details.
Update installation
The following update paths are available:
- Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
- Use the Exchange Server Health Checker script to inventory your Exchange Servers and determine which updates are needed. Running this script tells you whether any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
- Re-run the Health Checker after you install an SU to see if any further actions are needed.
- If you encounter errors during or after installation of Exchange Server, run the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
FAQs
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.
The last SU/HU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs or HUs in sequential order; simply install the latest SU. Please see this blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.
Documentation may not be fully available at the time this post is published.
This post might receive future updates; they will be listed here (if available).
Updates to this blog post:
- 11/28/2024: Added a new known issue
- 11/27/2024: Re-release of SUs to address known issues is now complete. Re-added download links.
- 11/14/2024: Added Known issues; removed the downloads temporarily.
The Exchange Server Team
You Had Me at EHLO.