Hi Team,

does this update enable Power Shell serialization signing by default if we install directly the Exchange 2019 servers that doesn’t have Jan 2023 SU installed? If NOT

does it mandatory to have PS serialization signing enable on the Exchange servers after install Feb 2023 SU?

thanks, 

@maafraz No, this feature is not enabled by default at this time. It is not a mandatory feature, it is recommended.

Hi @Nino Bilic , 

Has the Queue Viewer issue after enabling the Serialized Data Signing feature been fixed? 

Please advise

Thanks!

@ceantuco Nope. Please see "Known issues" and "Issues resolved in this update" in the blog post above. I want to be clear that this (Queue Viewer) issue is related to certificate signing feature and not the SU.

Thanks Nino for prompt response

although it’s an optional feature, does it require to enable this feature to protect System from all listed vulnerabilities till date?

Thanks,

Thanks @Nino Bilic any idea when will it be fixed? 

@ceantuco Nothing to announce on that as of yet. Working on it...

@Nino Bilic Thanks! 

@maafraz No, there is not a specific CVE that requires turning this feature on to address a vulnerability. As of now, Serialized Data Signing of PowerShell payload is a "defense in depth" feature. BTW - when in doubt, always run Health Checker, it'll tell you if anything is needed to address any specific CVEs: https://aka.ms/ExchangeHealthChecker 

Is requiring SU's to be installed on mgmt tools only systems, new guidance?  I always thought CU's were needed for mgmt tools, but not SU's.

Hey @Nino Bilic , The Microsoft Update Catalog shows update KB5023038 for Ex2013 but when you click to download it, the file is KB5022188.

@doogie412 As we have been making changes to management tools also in SUs (for example, PowerShell payload certificate signing) - we have now spelled out the guidance that SUs should be installed on all machines. Otherwise, there could be incompatibilities between a (possibly much older) client and the server.

@jmiller345 Thank you - we are working on this... in the mean time - please use the download center packages.

@Nino Bilic How is it possible after 8 hours Microsoft still has the incorrect update package in the catalog?

In regards to mgmt tools is there a certain command to run. Only did it for CUs so might have missed SU procedure.

for CU I believe it is setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF

Hello Exchange Team

I know this is not directly related to Exchange server, but I just finished installing Security Update for Windows Server 2022 21H2 that Exchange 2019CU12 is installed on and

the February 14, 2023—KB5022842 (OS Build 20348.1547) security update also installs another patch KB5022947 for which there is no KB article available, would it be possible to notify Windows Team and let us know what that Security Update patch is as per following screen

Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
Computer1 Update KB5022507 NT AUTHORITY\SYSTEM 2/15/2023 12:00:00 AM
Computer1 Security Update KB5012170 2/5/2023 12:00:00 AM
Computer1 Security Update KB5022842 NT AUTHORITY\SYSTEM 2/15/2023 12:00:00 AM
Computer1 Update KB5020373 1/6/2023 12:00:00 AM
Computer1 Security Update KB5022947 Computer1\Administrator 2/15/2023 12:00:00 AM

thank you

Installed SU on EX2016 CU23 via Windows Update. After restart, update KB5023038 shows as installed.

Healthcheck script still tells me that I am not running the latest SU. Reports build number as 15.1.2507.18. 

https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchser... shows that build number should be 15.1.2507.21. Previous SU build number is 15.1.2507.17.

@ScottKnightsI have the same result. Healthchecker checks version 15.1.2507.21. There is a git checkin from Microsoft yesterday with this change.

Yesterday the version number was 15.1.2507.17, now 15.1.2507.18 on Microsoft Exchange 2016 CU23. Installed by Windows Update.

@adixro the procedure on management tools machine is the same as on a mailbox server. Just install the SU via Microsoft Update or by running the .exe package. That's it.

@ScottKnightsI have the same result. Yesterday the build number was 15.1.2507.17. Today the build number is 15.1.2507.18. Healthchecker checks on version 15.1.2507.21. There is a git repository checkin from Microsoft that changed the version number to 15.1.2507.21.

After applying Feb SU I see lots of ASP.NET (1325) and WAS (5011) errors. It started right after installation has finished. Tried to recycle AppPool, IISReset and even Server reboot. Nothing helps.

Event ID 1325, ASP.NET 4.0.30319.0

Still no fix for this issue:

Customers using a Retention Policy containing Retention Tags which perform Move to Archive actions should not configure Extended Protection, as enabling Extended Protection will cause automated archiving to stop working.

Regarding my previous post: Outlook Search is not working anymore. "something went wrong..." and "connection problem".

@nak_87 how did you install the February 2023 SU. Via Microsoft Update or by running the .exe update package?

@Lukas Sasslby running .exe package (Exchange2016-KB5023038-x64-de.exe).

I don't see the latest MSP file in the Microsoft Update catalog, can anyone advise the correct location?

@mvsamson yes, they are intentionally not available at the moment. You can use the download center .exe packages in the meantime.

@Lukas Sassl  please tell us whats going wrong with the build numbers!

Installed the update on four DAG members via WSUS; like the onetrillion times before. File Activemonitoringeventmsg.dll is dated from December 2022.

Healthchecker is not happy at all. Says that the update isn't installed.

Exchange Information
--------------------
        Name: $ExchangeServer$
        Generation Time: 02/15/2023 14:27:34
        Version: Exchange 2016 CU23
        Build Number: 15.01.2507.018
        Exchange IU or Security Hotfix Detected:
                Security Update for Exchange Server 2016 Cumulative Update 23 (KB5014261)
                Security Update for Exchange Server 2016 Cumulative Update 23 (KB5015322)
                Security Update for Exchange Server 2016 Cumulative Update 23 (KB5019077)
                Security Update for Exchange Server 2016 Cumulative Update 23 (KB5019758)
                Security Update for Exchange Server 2016 Cumulative Update 23 (KB5022143)
                Not on the latest SU. More Information: https://aka.ms/HC-ExBuilds

Windows says it has installed the update:

Installation erfolgreich: Das folgende Update wurde installiert. Security Update For Exchange Server 2016 CU23 (KB5023038)

Please advice @Lukas Sassl 

@DaSven The update catalog had the incorrect file uploaded, when you installed from WSUS it did not install KB5023038, it installed KB5022188. See Jmiller345's post above and Nino's response. 

On servers running Exchange Management Tools only the command "Get-ExchangeCertificate" still returns blank results. This is not listed under known issues. Are you working at that problem too or did you forget it?

@DaSven I added a note to the blog now on this but: Windows Update is currently delivering a later version of January 2023 update. This is going to be addressed shortly. Then later today, Windows Update will get the actual February 2023 update bits so there will be another February update for customers who are getting updates from Windows / Microsoft Update. Yes, mistakes were made, but your server is not in an unknown state and will get back on track once new builds are available and are installed (but this will be a new update installation, yes) and then Health Checker will show it all updated.

EDIT: this has now been resolved, please see updated note in the blog post above.

UPDATE: seems like i was able to fix this by toggling one of the add-ins disable/enable in EAC and that allowed users to display the manage add-in page in OWA

---
anybody else have their OWA add-ins disappear after this update?

add-ins in the outlook fat client seem to still work, but are no longer showing up in OWA

looking at manage add-ins just spins with a loading message

Updated manually 2 servers with Exchange 2016 CU23 + Jan23SU:

1. HealthChecker.ps1 shows version .21

2. EAC show .17 for 1 server and .18 for another. 2 reinstall didn't change anything.

3. Get-HealthReport shows only Monitoring Unhealthy

4. Application logs full of errors on both servers

An unhandled exception occurred and the process was terminated.

Application ID: /LM/W3SVC/2/ROOT/EWS

Process ID: 34516

Exception: Microsoft.Exchange.Diagnostics.BlockedDeserializeTypeException

Message: Deserialization of type System.MarshalByRefObject blocked due to InDeny at location ClientExtensionCollectionFormatter.

5. Server-side search in Outlook is broken.

6. Scheduling assistant "think" 20-30 seconds before display calendars (before update it was immediate, system is on SSD).

7. Edit add-ins in OWA broken too...

"Great" work, MS :(

How to fix this mess?

@Renat Matveevsame error as well and ews services constantly starting about twice per minute. (The Exchange Web Services started successfully.) OUtlook for mac might be affected

@Renat Matveev  same problems here.

It takes several seconds up to minutes to open an additional calendar in Outlook. Sometimes it fails completely.

Directly after installing the update, the event viewer logfiles starts filling with errors.

system-Log Warning; Source: WAS, ID: 5011
application-Log Error; Source: ASP.NET 4.0.30319.0, ID: 1325

Exchange 2016 CU 23 + Jan23SU; DAG; manually update in maintenance mode.

Yes, my macOS users also complains because of EWS broken after updates. Most of them can't send mails

@Renat Matveev @Nino Bilic Anything using EWS is affected (OUtlook MAC/Apple Mail disconnected, add-ons).

MSExchangeServicesAppPool is constantly crashing

The Exchange Web Services started successfully.

An unhandled exception occurred and the process was terminated.

Application ID: /LM/W3SVC/2/ROOT/EWS

Process ID: 36180

Exception: Microsoft.Exchange.Diagnostics.BlockedDeserializeTypeException

Message: Deserialization of type System.MarshalByRefObject blocked due to InDeny at location ClientExtensionCollectionFormatter.

A process serving application pool 'MSExchangeServicesAppPool' suffered a fatal communication error with the Windows Process Activation Service. The process id was '28172'. The data field contains the error number.

After installing the February 2023 SU on two of our four Exchange 2016 CU23 servers that were already running the January 2023 SU, we had problems with POP and IMAP that we were able to overcome.  Due to later reports of problems with Mac clients and search, however, we are now uninstalling the February 2023 SU.

@Robert_Blissitt1930Hi Robert, please keep us posted about the Feb SU uninstall. I assume you might have to apply the Jan SU since SUs are cumulative.

@adixro , According to Control Panel / Installed Updates, Exchange reverted to the January SU after I uninstalled the February SU.  I thought I would have to reinstall the January SU, but apparently not...

@Robert_Blissitt1930Thanks for the feedback. Did you just uninstalled it via Control Panel?

@adixro Yes, we're still running Exchange 2016 on Windows 2012 R2 and migrating the remainder of our mailboxes to M365 now.

@adixro and @Robert_Blissitt1930 We are not able to reproduce the crashes with EWS but have received a support ticket with it. The issue is being investigated. The bottom line is - definitely not every install will have this problem. It never cropped up in weeks of testing internally either. But obviously - something is going on. We will update when we know more, at this point I simply do not have anything more to share.

Should Monthly Security Updates be installed before or after the Exchange SU?

@nak_87 @Renat Matveev regarding the search: Can you please check if the Microsoft Exchange Search service is up and running?

Hi, we have the same problems with EWS on WinServer2016 (Patchlevel Jan2023) and latest CU for Exchange 2016. All clietns which uses EWS are broken, f.e. Teams, MacMail and Evolution. We rolled the update back as we need EWS. Is there any workaround already available? Regards Enno

Also have the issue with EWS... MACs are struggling, EWS dependent services are down. Errors 1325 in event viewer...

Exchange 2016 CU23 with Jan update (now with Feb update, obviously).

Really hope for a solution ASAP

I installed the latest Exchange CU23 update today via Windows Update and it broke my mail flow from external users.  

I uninstalled the Security Update and rebooted (took 1hr) and mail flow resumed.

It's showing me Version 15.1 ‎(Build 2507.18)‎.

Looks like CU23 got installed via Windows Update?  Last time I installed a CU manually was 5/12/2022.

Should I try to install the update again via the exe? 

Gawd, I can't wait to move this to the cloud! lol

@Lukas Sassl  Microsoft Exchange Search is up and running. I figured out that after IIS Reset the search works for a couple of minutes but once EWS crashes (ASP.NET 4.0.30319.0, ID: 1325; WAS, ID: 5011) it stops working. EWS crashing, along with ASP.NET error, happens every 1-2 minutes.

Yesterday I manually reinstalled FebSU (.exe Package) but nothing has changed.