The update replaces the update from May. In that one a PrepareAllDomains was necessary. Can I do the August update and then the PrepareAllDomains or do I have to do the May update first ?

@Lux550 You do not need to go via the May update; August update contains all the things from May.

What if we can't enable Windows Extended Protection because of one of the limitation mentioned in the documentation like SSL offloading.  Are we just out of luck?

@Todd J Vanscoter Please keep checking the GitHub documentation page; we will be providing additional guidance related to SSL scenarios. We made it so GitHub documentation pages show the date of last update.

Hello @Nino Bilic 

I am into this Extented Protection (EP) thing also, because we have had a lot of issues with it with ADFS in multi-forest environments (but worked it out with MS support).  We run Netscalers and NSX load balancers in our environments, so have to work things out first regarding EP.

Question I have:

If we install the update now, but can't enable the EP at this time the infrastructure is update, but not fully mitigated against all the august CVE's right. So we can install the update for now. There are no components that require EP to be enabled to function. Correct? In other words: We can split the EP enabling action so it will be enabled later and go-on with updating the servers with the patch.

I will check EP topic regularly for updates, as well as this topic.

Thanks for your reply.

@christiaan-nl That is correct; enablement of EP is a separate action that needs to be taken AFTER August 2022 SUs are installed (and all of the other prereqs are met) but there is no specific time when it needs to be taken after SUs are installed.

*** Update: Answered questions on my own :)***

*** Update2: Tested different scenarios***

Hi.

My Ex2019 CU12 with AUG patch has build:

Version: Exchange 2019 CU12
Build Number: 15.02.1118.010

Question 1: I can`t apply script for EP because revision is not 11 or 12 but 10
https://github.com/microsoft/CSS-Exchange/blob/main/Security/src/ExchangeExtendedProtectionManagemen...   --> Line: 244

Is this error? All other checks show: ConfigSupported: TRUE

MS re-uploaded correct EXE so now it`s OK

Question 2: We know about ssl offloading issue, what about ssl bridging?

SSL bridging works OK after I copied Letsencrypt cert from loadbalancer to Exchange. Got myself few scripts to automate this. After that enabled EP all fine.
EP excludes AutoDiscover virtual directories, so you can have different certs for autodiscover on loadbalancer and exchange:

autodiscover.domain.com and mail.domain.com on exchange and autodiscover.domain.com AND autodiscover.otherdomain.com on loadbalancer.

Tested and working with: OWA, different mobile devices, Outlook 2019/2021 on Windows 10.

Question 3: We have TLS 1.3 on load balancer and connect to backend DAG via SSL but use TLS 1.2, will this be issue?

Short answer: NO! It will work just fine as long as exchange and loadbalancer certs match.
CLIENT HTTPS TLS1.3 --> Loadbalancer --> EXCHANGE HTTPS TLS 1.2  == OK

Thanks!

I hope it helps someone :)

Forgive me, but with all the limitations here this seems not ready for prime time. It seems likely that most customers will hit at least one of these limitations which will prevent application.

Some of the issues that are preventing me from implementing...

Customers using a Retention Policy containing Retention Tags which perform Move to Archive actions should not configure Extended Protection, as enabling Extended Protection will cause automated archiving to stop working. We are actively working to resolve this issue.

If Public Folders exist on Exchange 2013 servers and Extended Protection is enabled, they will no longer appear and end users will be unable to access them

If you are using Modern Hybrid or the Hybrid Agent enabling Extended Protection will cause Hybrid features like Free/Busy and mailbox migration to stop working.

Extended Protection is not supported in environments that use SSL offloading. SSL termination during SSL offloading causes Extended Protection to fail

Hi Nino, 

When I click on the security update download link for my version of Exchange on the page below, it brings me to the May 2022 SU.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24477

https://www.microsoft.com/en-us/download/details.aspx?id=104205

is this the SU I have to install? Why does it have a release date of 05/10/22?

Please advise

Thank you

Hi @ceantuco,

please find the correct Updates here.

These SUs are available for the following specific builds of Exchange Server:

• Exchange Server 2013 CU23
• Exchange Server 2016 CU22 and CU23
• Exchange Server 2019 CU11 and CU12

Microsoft please fix the wrong links.

@ceantuco Yeah that seems broken, I'll get this fixed. Download links are in our blog post here too (and they are version specific). EDIT: should be fixed now.

Thanks Alexander and Nino!

Hello, if Extension Protection need ticked "Require SSL", is still compatible with HTTP to HTPPS redirect for Exchange? 

In this guide (Configure http to https redirection for Outlook on the web in Exchange Server) in Exchange docs need to remove "Require SSL" from default website

Thanks for clarification. 

Hi Nino, perhaps clarify non-necessity to install on Exchange 2019 CU12 Management Tools (recipient management) only deployments.

Hi @Nino Bilic,

can you please tell us regarding CVE-2022-30134 if User Interaction is required or not.

The Metric says no User Interaction is required, but FAQ says it is required.

Thank you,
Alexander

@Alexander_Hossdorf Thanks, I reported to the security team.

@Michel de Rooij This is in the FAQ on this blog post. :)

@Alexander_Hossdorf  @Nino Bilic 

The link for Exchange 2019 CU 12 has a publication date of 08/05/22 instead of 08/09/22. is this okay? I want to make sure this isn't a testing/beta version of the update. 

https://www.microsoft.com/en-us/download/details.aspx?id=104478

Thank you!

Cesar

@ceantuco and @Alexander_Hossdorf EDIT: yes in fact we are uploading a newer version of CU12 SU. Sigh; I apologize, this was a slightly older build.

Hi @ceantuco,

edit.

@Nino Bilic already answered.

Thank you.

Thank you @Nino Bilic  and  @Alexander_Hossdorf 

I did not think it was the European date format... I just thought it was weird an update released today had an older date.

Cheers! 

@ceantuco You are correct; upon additional inspection, this WAS a wrong package; we are taking it offline and will upload the right one shortly. Sorry about that!

Hi Nino I have already installing this older build "yes i was guick" :) i hope it will not broke my Exchange19  CU 12 

Hi @Nino Bilic,

in my opinion, this combination of Exchange vulnerabilities has the potential to do major damage again.

It would therefore be very helpful to learn more about the possible attack scenarios.

In my opinion, the current description is not sufficient for Defenders to initiate countermeasures.

As already described here, there will be some scenarios in which immediate protection will not be possible due to the prerequisites. For this reason, additional information would certainly be helpful.

Thank you,
Alexander

@Nino Bilic thanks for the quick response. I will delete the file downloaded. 

Also, is it mandatory to enable Extended Protection?

Please advise

Thank you

@ceantuco The issue is now resolved; due to caching, you might see an older update package but the new one will (and I just checked) have the date of publication from 8/9/2022.

And it is not mandatory to enable Extended Protection, but we recommend that you work to do so. The CVEs that refer to it will not be addressed until EP is enabled. But there is no "time requirement" here.

I have Public Folders, only like 2, on my single Exchange 2016 CU22.   I don't care about the Public Folders, no one uses them anymore.   Can I install the Aug SU safely and then run EP script?  (I think it's a yes to Aug SU for sure, but EP mentions CU22 and Public Folders...)

@Nino Bilic thanks for the quick update! I will probably download it tomorrow. 

Okay. I will look into enabling Extended protection. 

@jordanl17 Yes it is totally "safe" to do; it's just that access to PFs might be impacted unless you are on the latest CU but it sounds like this is a good opportunity to do some house cleaning so...

@osozu You can safely uninstall the SU package and install the updated one; unlike CUs, SUs are easily uninstalled.

@Alexander_Hossdorf We are not aware of active exportation of any of this, hence we (or our MSRC team) do not have anything to provide as far as IOCs etc. at this time. And that is a good thing. Extended Protection is to counter potential for MitM style attacks.

@Nino Bilic  I was install newer build over first files published and it seems that Exchange is working fine, i have not uninstall former patch

Hi @a7n8x in the guide (Configure http to https redirection for Outlook on the web in Exchange Server) we only clear the Require SSL check box on the Default Website not the virtual directories. Extended Protection is applied to the virtual directories and not to the default website. We have validated that this work before and after configuring Extended Protection. The Extended Protection document on GitHub shows which vDir setting the script modifies. Hope that helps!

Hi!

Windows Extended Protection is a really big change, I bet this will break most currently deployed load balancing scenarios that uses layer 7 features.

I know that Microsoft will release more info on SSL offloading scenarios later but is it possible to get more info on the actual CVEs corrected by the Windows Extended Protection?

The Extended Protection documentation https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/ is a little confusing.

It states To enable Extended Protection on Exchange Server 2013, ensure you do not have any Public Folders on Exchange Server 2013. But that is under the heading Extended Protection cannot be enabled on Exchange Server 2013 servers with Public Folders in a coexistence environment (my emphasis).

So if you only have Exchange 2013 (yes I know, hopefully we are upgrading this year) will EP still affect Public Folders?

UPDATE: Thanks to @Lukas Sassl below for answering my query!  We don't have a newer version of Exchange (yet!) so will either hold off enabling EP or see if we actually need any of the Public Folders we currently have.

How do we test if enabling the Extended Protection has broken anything?

Just update to August updates and Extended Protection. So far so good. Although it's single Exchange server with no load balancer.

The Exchange Security patching process seems to be getting more complex in terms requirements, especially for larger environments! May required PrepareDomain and now EP.

Hi @Nino Bilic ,
just a hint. In the Install instruction you refer to the msp file.

@The_Exchange_Team Where can we find the MSP install file for this SU?

@Wess33 you can download the .msp file from the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Home.aspx .

Just search for the KB.

@whatwaht the Public Folders are no longer visible to the end users once Extended Protection is enabled on Exchange server 2013 (if the Public Folder mailboxes are hosted on Exchange 2013). Therefore, we strongly recommend moving the mailboxes to an Exchange 2016 or 2019 server before enabling Extended Protection on Exchange server 2013. 

The HealthChecker.ps1 say:

Security Vulnerability: CVE-2022-21978
Install the May 2022 SU and run /PrepareDomain or /PrepareAllDomains - See: https://aka.ms/HC-May22SU

But i have install the KB5015321 (what replaces the May update) and run PrepareAllDomains without problems.

Please let us know what are the actual CVEs are being corrected by the Windows Extended Protection?

@Nino Bilic @Lukas Sassl

You do not need to go via the May update; August update contains all the things from May.

Are you 100% positive that when updating from 2016 CU23 to August SU (thus skipping May SU) you do not need to run PrepareAllDomain? I see contradictory information regarding this. 

The FAQ/Install instructions should state clearly if it is needed or not.

@Lukas Sassl 

One more question.

We have 2019 on prem and Teams calendar integration. Will EP affect this scenario?

Thanks!

There's a known issue with Extended Protection and Retention Policies / Archiving right now, which you are actively working on per the article. Is only Archiving to the Cloud affected or also if the Archives are hosted on Premises?

Hi

I have read the all the information about the the SU and Extended Protection - Microsoft - CSS-Exchange but it not clear if EP can be enabled with Exchange classic Hybrid Topology or am i missing something

Does enabling Extended Protection apply to the Exchange Transport role? The  script fails on AD check, obviously for now. Was it intended?

@mykel1982 Please check the Security Update Guide; CVEs that require Extended Protection will be marked with that in the FAQ. MSRC team documents this in CVEs.

@ex887 Our SUs are cumulative. But in May, you needed to run /preparealldomains manually after installation. This (and any other manual action) still needs to be done after August 2022 SU installation if it was not done after May 2022 SU. If /preparealldomains was run after May 2022 SU, you do not need to re-run it after August 2022 SU. I have addd a FAQ to the blog post now on this.

@Martin_Aigner EDIT: only on-prem.

@DavidH38 Modern Hybrid only, as per this.

@piwex69 It depends on what you mean by "Exchange Transport role". Assuming you mean the Edge role (as opposed to transport on any mailbox server) then no, EP does not apply to Edge servers as per this.

@Tonibert Ah yes, thanks for calling that out; will work with the team to get this download page wording updated.

The FAQ for the security update mentions that it is not required for the Exchange Management Tools Only role, but does not mention whether this update is required for Exchange Edge Transport role.  I realize EP doesn't apply to the Edge role, but should the security update itself still be installed on Edge servers?

@AdamBKing Seeing that not all the CVEs are related to EP, yes, the SU itself does apply to Edge also.