Today we are announcing the availability of quarterly servicing cumulative updates for Exchange Server 2013, 2016 and 2019. These updates include fixes for customer reported issues as well as all previously released security updates. In our ongoing effort to evaluate Exchange permissions, the updates released today include an Active Directory permission change which will lower Exchange Server permissions. Additional details and recommended customer actions follow.
Decreasing Exchange Rights in the Active Directory
The Exchange Team has made two changes to the rights Exchange has in the Active Directory. We have placed a Deny ACE on the DNS Admins group and removed the ability for Exchange to assign Service Principal Names (SPN’s). We have determined these rights are not required by Exchange. Before upgrading to one of the updates released today, we recommend administrators apply the permissions change to their environment.
In order to apply these changes, a directory admin will need to run the cumulative update setup program we are releasing today with the /PrepareAD parameter. When multiple Exchange versions co-exist in a single Active Directory forest, the cumulative update matching the latest version of Exchange deployed should be used. Setup will automatically run /PrepareDomain in the domain where /PrepareAD is executed. Environments with multiple domains in the forest will need to run the cumulative update setup program using the /PrepareDomain parameter in all domains in the forest. These steps will update the rights granted to Exchange Servers in the Active Directory to meet the new permissions scope. More information on /PrepareAD and /PrepareDomain is available at this link.
The directory updates released today are fully compatible with all versions of Exchange Server regardless of cumulative update or update rollup version deployed and so these changes can be applied to any existing Exchange deployment by following the steps above.
Support for .NET Framework 4.8
The updates released today add support for .NET Framework 4.8. The minimum .NET requirement remains 4.7.2 on Exchange Servers. .NET 4.8 will be required with all updates released in December 2019 and later.
Authentication Policies Update
With the first cumulative update (CU1) for Exchange 2019 we shipped our initial implementation of disabling legacy authentication protocols on a per user basis.
In today’s second cumulative update we have now enhanced the feature to provide the ability to specify it as default authentication policy at Organization level.
We will be releasing an updated blog very soon providing more information about the feature and instructions on how to use it.
Future support of Modern Authentication in on-premises Exchange
Over the past couple of years, you have seen us deliver Modern Authentication to Exchange when running a hybrid organization. The usual follow-on question from a handful of customers has been, “When will modern authentication be supported in non-hybrid environments?” Our response was typically something along the lines of, “We’re looking into it.” While that statement was true and accurate, after much deliberation we have come to the decision that this capability in on-premises Exchange server will no longer be pursued. Our investments in Modern Authentication will be restricted to those with hybrid deployments. We know this will be a disappointment for some customers but we wanted to make certain you were aware of this change in strategy.
Controlled Connections to Public Folders in Outlook
As we announced towards the end of last year, we added support to Exchange Online to help admins have control over which users would see public folders in their Outlook clients.
We are including this functionality in Exchange Server 2019 Cumulative Update 2 and Exchange Server 2016 Cumulative Update 13, both released today.
Release Details
The KB articles that describe the fixes in each release and product downloads are available as follows:
Additional Information
Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate documentation.
Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.
Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the currently supported cumulative update for the product version in use, e.g., 2013 Cumulative Update 23; 2016 Cumulative Update 13 or 12; 2019 Cumulative Update 2 or 1.
For the latest information on Exchange Server and product announcements please see What's New in Exchange Server and Exchange Server Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on Docs.
Important: To avoid a setup failure, it is necessary to install the Visual C++ 2012 runtime before installing the updates released today on Edge role if not already present.
Note: Documentation may not be fully available at the time this post is published.
The Exchange Team
