Today we are announcing the availability of quarterly Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019. These CUs include fixes for customer reported issues, all previously released security updates, and a new security feature.
A full list of fixes is contained in the KB article for each CU, but we wanted to highlight the new security feature.
Exchange Server AMSI Integration
As mentioned in our recent blog post, the June 2021 CUs include new Exchange Server integration with AMSI (Antimalware Scan Interface). AMSI exists in Windows Server 2016 and Windows Server 2019, and the new integration is available in Exchange 2016 and Exchange 2019 when running on either of those operating systems. For Exchange 2016, AMSI integration is available only when running on Windows Server 2016. It is not available for Exchange 2016 running on Windows Server 2012 or Windows Server 2012 R2.
AMSI integration in Exchange Server provides the ability for an AMSI-capable antivirus/antimalware solution to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is handled by Exchange Server. The scan is performed in real-time by any AMSI-capable antivirus/antimalware solution that runs on the Exchange server as the server begins to process the request. This provides automatic mitigation and protection that compliments the existing antimalware protection in Exchange Server to help make your Exchange servers more secure.
Because we know that some of our customers modify the web.config file on their Exchange Server, we wanted to let you know that installation of the June 2021 CUs will add a new section in the web.config of every HTTP service under <Modules>. The entry will be called "HttpRequestFilteringModule" and it must be present for AMSI integration to work.
The KB articles that describe the fixes in each release and product downloads are as follows:
Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment.
These updates contain schema and directory changes and so require you prepare Active Directory (AD) and all domains. You can find more information on that process here. Schema changes can be tracked here. For best practices for successful installation, please see this document.
Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to Unrestricted on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use these resolution steps to adjust the settings.
If you plan to install the update with the unattended install option using either PowerShell or a command prompt, make sure you specify either the full path to the setup.exe file or use a “.” in front of the command if you are running it directly from the folder containing the update. If you do not, Exchange Setup may indicate that it completed successfully when it did not. Read more here.
Note: Customers in Exchange hybrid deployments and those using Exchange Online Archiving with an on-premises Exchange deployment are required to deploy a supported CU for the product version in use.