News About the June 2021 Cumulative Update for Exchange Server
Published Jun 11 2021 08:40 AM

We typically release our quarterly Cumulative Updates (CUs) for Exchange Server on the third Tuesday of a month. In June 2021, that would be June 15th. Today we want to let you know that the June CUs for Exchange Server will be released two weeks later, on June 29th instead (EDIT: now released, please see the announcement here). In addition to bug fixes and incorporating previous Security Updates (SUs) for Exchange Server, we are taking a little bit of extra time to finish adding a new security feature to Exchange Server.

Today's Security Landscape

Security is a top priority for Microsoft and our customers, especially as cyberattacks increase in frequency and level of sophistication. The cybersecurity landscape has fundamentally changed, as evidenced by large-scale, complex attacks, and signals that phishing and human-operated ransomware are on the rise. Microsoft is now actively tracking more than 40 nation-state actors and over 140 threat groups across 20 countries—a number that used to be a handful. More than ever, it is critical to keep your on-premises infrastructure secure and up-to-date, including all your Exchange servers. This is a continuous process in which you:

  1. Use the Exchange Server Health Checker script to inventory your Exchange servers.
  2. Use the Exchange Update Wizard to get steps for installing the latest updates on your Exchange server(s).

This past March, we released SUs for critical vulnerabilities in Exchange Server, and we actively worked through our customer support teams, third-party hosters, and our partner network to help customers secure their environments and respond to associated threats from the attacks occurring against on-premises Exchange Server. In addition to releasing the one-click Exchange On-Premises Mitigation Tool (EOMT) last March, we also released automatic mitigation for Exchange Server in Microsoft Defender Antivirus and System Center Endpoint Protection. As with EOMT, these were interim mitigations designed to help protect customers who needed extra time to install the available SU.

When the June CU is released on June 29th, only the March and June CUs will be supported for any future Exchange Server SUs. If you are not yet running the March CU, now is a great time to get current.

Introducing Exchange Server integration with AMSI

In response to the fast-changing threat landscape, in the June CUs for Exchange 2016 and Exchange 2019, we are introducing integration between Exchange Server and the Windows Antimalware Scan Interface (AMSI). AMSI exists in Windows Server 2016 and Windows Server 2019, and the new integration is available in Exchange 2016 and Exchange 2019 when running on either of those operating systems. For Exchange 2016, AMSI integration is available only when running on Windows Server 2016. It is not available for Exchange 2016 running on Windows Server 2012 or Windows Server 2012 R2.

AMSI integration in Exchange Server provides the ability for an AMSI-capable antivirus/antimalware solution to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server. The scan is performed in real time by any AMSI-capable antivirus/antimalware solution that runs on the Exchange server as the server begins to process the request. This provides automatic mitigation and protection which complements the existing antimalware protection in Exchange Server to make your Exchange servers more secure than ever.

The AMSI integration in Exchange Server works with any AMSI-capable antivirus/antimalware solution. By default, Microsoft Defender Antivirus (MDAV), an AMSI-capable solution, is automatically installed and enabled on endpoints and devices that are running Windows 10 and Windows Server 2016 and later. If you haven't installed an antivirus/antimalware application, Exchange Server AMSI integration will work with MDAV. If you install and enable another antivirus/antimalware app, MDAV will automatically turn off; if that other app is AMSI-capable, the Exchange Server integration will work with that app. If you uninstall the other app, MDAV will automatically turn back on, and the Exchange Server integration will work with MDAV.
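The paragraphs above name the conditions under which the HTTP request scanning actually happens: a supported Exchange/Windows Server combination and an AMSI-capable engine registered on the box (MDAV unless another AMSI-capable product has taken over). The following read-only PowerShell check is an added example, not code from the Exchange Team or from the product; it reports those conditions from one server so an administrator can confirm which engine will scan requests before relying on the feature. Assumptions: it runs in the Exchange Management Shell on the server being checked; AMSI providers are read from the standard `HKLM:\SOFTWARE\Microsoft\AMSI\Providers` registration key; the Defender cmdlets are present only where MDAV is installed; the CU level itself (June 2021 CU or later) is not compared against a build table, so that remains a manual step.

```powershell
# Added example (not from the Exchange Team post). Read-only readiness report for
# Exchange Server AMSI integration. Run in the Exchange Management Shell as an admin.
function Test-ExchangeAmsiReadiness {
    $r = [ordered]@{}

    # Operating system: the post states AMSI integration exists on Windows Server 2016/2019.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r.OSCaption = $os.Caption
    $isWs2016 = $os.Caption -like '*Server 2016*'
    $isWs2019 = $os.Caption -like '*Server 2019*'

    # Exchange version of this server: 15.1 = Exchange 2016, 15.2 = Exchange 2019.
    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME
    $v = $server.AdminDisplayVersion
    $r.ExchangeVersion = $v.ToString()   # compare against the CU build table manually
    $isEx2016 = ($v.Major -eq 15 -and $v.Minor -eq 1)
    $isEx2019 = ($v.Major -eq 15 -and $v.Minor -eq 2)

    # Supported combinations named in the post: Exchange 2019 on WS2016 or WS2019,
    # Exchange 2016 on WS2016 only (not WS2012 / WS2012 R2).
    $r.AmsiSupportedCombination = ($isEx2019 -and ($isWs2016 -or $isWs2019)) -or
                                  ($isEx2016 -and $isWs2016)

    # Registered AMSI providers: each subkey is the CLSID of one scanning engine.
    # The friendly name is looked up from the CLSID's default value when present.
    $providers = @()
    $provKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (Test-Path -Path $provKey) {
        foreach ($k in Get-ChildItem -Path $provKey) {
            $clsid = $k.PSChildName
            $props = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
            $name = $null
            if ($props) { $name = $props.'(default)' }
            if (-not $name) { $name = '<no friendly name registered>' }
            $providers += [pscustomobject]@{ CLSID = $clsid; Name = $name }
        }
    }
    $r.AmsiProviders = $providers
    $r.AmsiProviderRegistered = ($providers.Count -gt 0)

    # Microsoft Defender Antivirus state, reported only when its cmdlets are available.
    if (Get-Command -Name Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $r.DefenderAntivirusEnabled   = $mp.AntivirusEnabled
        $r.DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled
        $r.DefenderSignatureVersion   = $mp.AntivirusSignatureVersion
    } else {
        $r.DefenderAntivirusEnabled = 'Defender cmdlets not available on this server'
    }

    # Transport-level Malware Agent, for completeness only: per the post, AMSI HTTP
    # scanning is independent of this agent and works whether or not it is enabled.
    $agent = Get-TransportAgent -Identity 'Malware Agent' -ErrorAction SilentlyContinue
    if ($agent) { $r.MalwareTransportAgentEnabled = $agent.Enabled }
    else        { $r.MalwareTransportAgentEnabled = 'agent not present' }

    return [pscustomobject]$r
}

Test-ExchangeAmsiReadiness | Format-List
```

A server where `AmsiSupportedCombination` is false, or where `AmsiProviderRegistered` is false, will not get HTTP request scanning regardless of the CU installed; a third-party product that is installed but not listed under the providers key is not AMSI-capable as far as Exchange is concerned, so MDAV being turned off in that case leaves the integration with nothing to call.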

There are specific benefits when using MDAV on Exchange Server:

  • MDAV dynamically fetches signatures that match malicious content. If Microsoft learns about an exploit that can be blocked, a new MDAV signature can be deployed to block the exploit from affecting Exchange.
  • Existing technology is leveraged to add signatures for malicious content.
  • The expertise of Microsoft's malware research team is leveraged for adding signatures.
  • The best practices that Defender already applies for adding other signatures are applied here too.

We are working hard and are excited to deliver this new AMSI integration to you later this month on June 29th. Thank you for your patience!

The Exchange Team

11 Comments
Brass Contributor

AMSI is interesting; however, it brings up this question. If malware scanning is disabled on the Exchange 2016 servers, does it still work, or does it force itself "ON" even if, while installing the patch, we keep it off explicitly? Windows Antimalware would be ON by default and isn't turned off in this case.

Identity                                           Enabled         Priority
--------                                           -------         --------
Malware Agent                                      False           5

Microsoft

@Satyajit321, installing the CU will not re-enable Defender AV if it has been disabled.

Copper Contributor

@Scott Schnoll @The_Exchange_Team

@Satyajit321 has a good point. He is referring to the Transport Agent that is disabled by DEFAULT when installing Exchange 2016. I don't believe he is referring to Windows Defender in his question. Defender (MDAV per the article) being OS only - originally not interactive with Exchange.

Excluding the MDAV side of the house - we are talking Exchange only. What happens after the install of CU 21 if the Malware Agent is not enabled (again, it is disabled by default - oddly enough, we even have security requirements to keep it disabled*)? Will the AMSI function/feature still work? Does the Malware Agent Transport Agent in Exchange need to be enabled in order for AMSI to integrate with MDAV?

*if the Malware Agent is required to be enabled for AMSI to work, maybe with this new feature we no longer will be required to have it disabled.

A follow-up question, and I apologize if this flew over my head - but does this new feature remove the need for 3rd party SMTP mail scanning as well? I recognize that this AMSI article is talking HTTP requests, but will it scan incoming mail items? For example, let's say an email comes into the environment with a trojan attached. Does this new marriage of AMSI and MDAV catch this mail item and pull it out of the mail item to quarantine it? If so, how does this new feature access the database in order to manipulate the mail data (either stripping the attachment, or other action) and where would it put the offending item?

Or are we talking HTTP requests only?

Thanks for your time.

Microsoft

@JoshGardner AMSI integration in Exchange is complementary to the antimalware transport agent, but unrelated to it.  So if antimalware is disabled, it will not be re-enabled when the CU is installed.  The transport agent does not need to be enabled for AMSI integration to work.  AMSI integration does not eliminate the need for SMTP scanning, as it does not perform any SMTP scanning.  This is protection for HTTP only.

Copper Contributor

Do you know what the overhead on the server will be?

Also, will there be any impact to Exchange hybrid?

Brass Contributor

@Scott Schnoll @The_Exchange_Team

What is your advice for someone running Exchange 2016 CU19 with the March and April Security Updates?  You mention "If you are not yet running the March CU, now is a great time to get current."  The reason we have been holding off is because the April security updates would need to be applied again after CU20 is installed leaving you vulnerable for a short period between patching.  The plan we had from a security perspective was to go from CU19 to CU21 when it was released this Tuesday.  Will that be an issue?  We are running hybrid by the way.  Thank you.

Microsoft

@Jpanski, CUs contain all previously released SUs, so you don't need to reapply them after installing the latest CU.  Our recommendation is to always apply the latest CU, and then apply any SUs that come out in between CUs. 

Copper Contributor

Have applied the CU21 to a system (2016) that had CU19. Having issues with client connectivity now. Is there any way of disabling AMSI for troubleshooting to ensure this isn't the cause of the issues?

Copper Contributor

@Scott Schnoll, @The_Exchange_Team Several issues with AMSI after CU21 / CU10 and active AMSI on the virus software settings.

Outlook clients getting a massive slowdown. Can be fixed when AMSI is disabled on the virus software settings.

Brass Contributor

Could anyone please comment on the following questions from an MS Partner:

Exchange 2010:

* Is Exchange 2010 affected by the leak? Some customers are still in a migration scenario.

For the AMSI (McAfee/Sophos)

Do we talk about a problem with?

* Client Platform - Outlook.exe and AV protection with AMSI support

* Server Platform - Exchange 2016 CU21 and AV protection with AMSI support

* Both of them to watch (Client + Server side)

Is it correct that only Exchange setups where the Cache mode is DISABLED are affected then (VDI/CITRIX)?

Schema Update for CU20/21:

Both commands or just the first one with PrepareSchema?

Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD

Thankful for any help, and I am sure it will help a lot of MS customers

Iron Contributor

I’m curious about this last comment with regards to Citrix VDIs having Exchange Cached Mode disabled in the Outlook client. Is the implication that there might be potential issues with AMSI or that it should be disabled on those?

Last update: Jun 29 2021 10:04 AM