Released: March 2024 Exchange Server Security Updates
Published Mar 12 2024 10:06 AM

Update 4/23/2024: We have now released April 2024 Hotfix Updates which address known issues in March 2024 SU updates.

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2019
  • Exchange Server 2016

SUs are available for the following specific versions of Exchange Server:

  • Exchange Server 2019 CU13 and CU14
  • Exchange Server 2016 CU23

The March 2024 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Security Advisory ADV24199947 information

After you install this security update, Exchange Server no longer uses Oracle Outside In Technology (also known as OutsideInModule or OIT). OIT performs text extraction operations when processing email messages that have attachments in Exchange Transport Rule (ETR) and Data Loss Prevention (DLP) scenarios.

For more information, see The OutsideInModule module is disabled after installing the March 2024 SU.

Update installation

The following update paths are available:

[Image: Mar2024SUs.jpg]

Known issues with this release (please see April 2024 Hotfix Update for resolution):

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

Documentation may not be fully available at the time this post is published.

Blog post updates:

  • 4/23/2024: Added a banner and links to April 2024 Hotfix Updates which address known issues with March 2024 SU
  • 4/5/2024: Added a known issue with published calendars.
  • 3/28/2024: Added a known issue where some add-ins are not working properly.
  • 3/22/2024: Added a 'yellow envelope icon' issue to known issues.
  • 3/14/2024: Added a workaround for the Outlook Search issue that some environments (not all) can experience.

The Exchange Server Team

378 Comments
Iron Contributor

@The_Exchange_Team

Microsoft chose to release this SU knowing that it breaks the ability to download attachments via OWA with the Microsoft-recommended DL domains (CVE-2021-1730)? Is that correct? Download domains not working after installing the March 2024 SU - Microsoft Support

Microsoft

@Sam_T That is correct. We are working on a fix for this and will release it when ready.

Steel Contributor

Hi @Nino Bilic, do you think the fix will be released this week or at least this month? Should I wait until the issue is fixed to install this SU?

Thanks. 

Microsoft

@ceantuco I'm sorry I do not have a date of release to share. We want to release within weeks (not this week for sure), but this is not guaranteed.

Steel Contributor

@Nino Bilic thanks for the response. Should I wait until then to install the SU?

Microsoft

@ceantuco Are you impacted by known issues? If no, then you should not wait, as there is no point.

For others, we cannot answer this kind of question; it depends on impact and possible risk that is (or is not) acceptable in case that you use one of the workarounds for a known issue. We always recommend installing latest updates.

Steel Contributor

@Nino Bilic yes, our remote locations use OWA and not Outlook. I will discuss internally with upper management.

Thanks!

Copper Contributor

I believe we never configured Download Domains on our Exchange Server.  If that's the case then our OWA will still show inline images and be able to download attachments? 

Brass Contributor

@Nino Bilic I do not have DLP and ETR configured on Exchange servers, so we are not impacted by the Oracle OutsideInModule update?

Download Domains are not configured either, so we are not impacted by this change as well?

Please confirm.

Microsoft

@PankajNTT Sounds like you do not have anything to worry about then. Note that you will still see some probes failing as per the second KB article under Known Issues but this will not be visible unless you use some sort of monitoring software for your servers.

Microsoft

@jordanl17 Health Checker should confirm this for you https://aka.ms/ExchangeHealthChecker . But the bottom line is - if you do not have Download Domains configured, then there is no issue with OWA that we are aware of, correct.
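
As an added example (not part of the original thread, and not Microsoft's or the Health Checker's code), a read-only Exchange Management Shell check of whether Download Domains are actually in use, which is what decides whether the OWA attachment known issue discussed here applies. The cmdlets and properties are Exchange's own; the `DownloadDomainsInUse` column, its criterion and the message texts are this example's assumptions.

```powershell
# Added example: read-only check, run in the Exchange Management Shell.
# It reports the current configuration and changes nothing.

# Organization-wide switch for Download Domains.
$orgEnabled = [bool](Get-OrganizationConfig).EnableDownloadDomains

# Download host names are configured per OWA virtual directory.
$report = foreach ($vdir in Get-OwaVirtualDirectory) {
    $hasHost = (-not [string]::IsNullOrEmpty($vdir.InternalDownloadHostName)) -or
               (-not [string]::IsNullOrEmpty($vdir.ExternalDownloadHostName))

    [pscustomobject]@{
        Server                   = $vdir.Server
        VirtualDirectory         = $vdir.Name
        InternalDownloadHostName = $vdir.InternalDownloadHostName
        ExternalDownloadHostName = $vdir.ExternalDownloadHostName
        # This example's criterion: the org-wide switch is on and a
        # download host name is set on the virtual directory.
        DownloadDomainsInUse     = $orgEnabled -and $hasHost
    }
}

$report | Format-Table -AutoSize

if ($report.DownloadDomainsInUse -contains $true) {
    Write-Warning ('Download Domains are in use: the OWA attachment known ' +
                   'issue of the March 2024 SU applies to this organization.')
}
elseif ($orgEnabled) {
    Write-Warning ('EnableDownloadDomains is True, but no download host name ' +
                   'is set on any OWA virtual directory.')
}
else {
    Write-Output 'Download Domains are not enabled in this organization.'
}
```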

Copper Contributor

@Nino Bilic  just so i'm clearer on the choices here

--> installing the March 2024 SU will address an RCE with a CVSS score of 8.8 [CVE-2024-26198], but will break attachment functionality for OWA clients on environments with Download Domains configured.....and the hope is some future fix (at date TBD) will restore the attachment functionality for OWA clients?
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26198

--> disabling Download Domains allows OWA attachments to still work correctly even with March 2024 SU installed, but leaves the systems exposed to an older, but different RCE with a CVSS score of 5.4 [CVE-2021-1730]
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730

to me it seems like if full OWA functionality is important to an environment, the compromise is to install the March 2024 SU (fixing the higher scored CVE), but disable Download Domains until there is a later fix to restore functionality. that obviously opens the door to the apparently lower scored [CVE-2021-1730] but i can't see that it's practical for OWA users to not have access to attachments.

am i thinking about this correctly?

Microsoft

@boogieshafer Your understanding is correct. We are working on that fix and will release it when available.

Brass Contributor

@Nino Bilic Are you referring "

We do not host any mailboxes on Exchange server and all are using Exchange Online? Do you think we will still see failures in the monitoring tool?

We are using True Sight monitoring.

And if that still occurs then we should apply the workaround, correct?

Microsoft

@PankajNTT You might not see the failures if there are no mailboxes. I am not certain of this, to be sure. Maybe the EAC probe would still fail even if OWA one would not. But either way, yes, you can disable the probes for limited time as per the KB article if that is the case and you start seeing issues in your monitoring solution. The issue, if it manifests, would be only on your on-prem server. Nothing to do with Exchange Online.

Brass Contributor

If we currently have download domains in place, is it simply just disabling and re-enabling with the below command or are there additional actions needed?

Set-OrganizationConfig -EnableDownloadDomains $false or $true

Microsoft

@NickG_ENV Please see the KB as it links to exact documentation on this: Download domains not working after installing the March 2024 SU - Microsoft Support 

Copper Contributor

Now Remote scripts working after install SU?

Steel Contributor
In Health Checker I receive a new warning (red):
"Default Website/PowerShell has authentication set, which is unsupported"

Exchange Emergency Mitigation Script only shows 1 (Default Rule)
."C:\Program Files\Microsoft\Exchange Server\V15\scripts\Get-Mitigations.ps1"

Even there are two
Deleted
Not applicable

Just a question on CU SU install order.

We are on Exchange 2019 CU13 (we have EP enabled!). If we install this SU now, would we need to install it again after we install CU14, or is this SU integrated into the CU14 iso?

Copper Contributor

@Deleted You have to reinstall the March 2024 SU after installing CU14, since the March 2024 SU was released after CU14 and CU14 does not contain any SU that was released afterwards.

Thank you

Brass Contributor
In Healthchecker i receive a new Warning (Red):
"Default Website/PowerShell has authentication set, which is unsupported" 


Same here

Brass Contributor

@Andres Bohren 

Hi Andres,

I am not getting this message.

Brass Contributor

Is anyone else having issues with Outlook search not returning results? Local search works fine but Outlook 365 hitting the Exchange 2019 (fully patched with this new SU) doesn't seem to be working. Search was working fine for us before applying this March 2024 SU. No issues indicated on the health checker report, all services are running, IIS websites and application pools are also running.

Microsoft

@Andres Bohren and @Johnny_Yao_Taiwan Please check your "Default Web Site/PowerShell" in IIS. "Windows Authentication" should not be enabled on it ("Enabled" is not a default setting). For Health Checker issues, please reach out to the Health Checker team (the script provides an email).

@Vlad1310 I don't understand the question; can you please explain what you mean by remote scripts working?

@cvanoort I am not aware of any systemic Search issues after the SU installation. I will look, though.

Copper Contributor

@Nino Bilic @cvanoort 

We are having the exact same search issues Outlook365 to Exchange2019

Also on new e-mails coming in today - the unread Envelope is not going away.

We upgraded last night and have had the problems since staff came back in this morning

Copper Contributor

@Mark-69 @Nino Bilic 

the same issues also

Microsoft

@cvanoort @Mark-69 @martinla135 Can you please verify if all Exchange services are running? Also - is Search working in OWA?

Copper Contributor

@Nino Bilic @cvanoort @Mark-69

Same issue.

Search not working

e-mails coming in today - the unread Envelope is not going away.


Microsoft

@DJI99 @cvanoort @Mark-69 @martinla135 Can you please check the following:

  • Are all Exchange services running?
  • Is search working via OWA?
  • What is the version of Outlook client where Search is not working?
Copper Contributor

After updating to SU March 2024 Exchange 2019 Server CU14, documents in Office Online in OWA stopped opening. How to fix it? Or will it be fixed with the next update?

Copper Contributor

@Nino Bilic this is described in the comments and known issues in November SU Released: November 2023 Exchange Server Security Updates - Microsoft Community Hub


Copper Contributor

Hi All services appear to be running

OWA is currently disabled for all users - so can't test right now

Outlook Version is 2401 17231.20290

Copper Contributor
 
Microsoft
 

@DJI99 @cvanoort @Mark-69 @martinla135

All services are running
Outlook 365

OWA disabled so cannot try straight away

Outlook 365 without local cache - Same issue
New outlook profile - same issue
New OS install and Outlook - same issue

This is the issue:

[Image: image.png]

Copper Contributor

Should have added search on delegate boxes is fine.

We also tried Cached and non Cached

Microsoft

@Vlad1310 EDIT2: The remote scripts issue should be fixed for E2016 CU23 + March 2024 SU and E2019 CU14 + March SU. But it seems like it could still be broken on E2019 CU13 + March SU (with the workaround of running the scripts locally on the server).

Copper Contributor

@DJI99 @cvanoort @Mark-69 @martinla135

OWA search works!

Brass Contributor

Same Outlook search issue here.

Search in Online mode works, also in OWA.

But searching in Cache mode leads to the mentioned error message. When clicking "Let's look on your computer instead" then the local search delivers results. But without this click it's stuck in "We're having trouble..."

Exchange 2019 CU13 with March SU, affected Outlook is LTSC with current patches.

Brass Contributor

additional info: Same Outlook with today's patch level against Exchange 2019 CU13 without March SU does not show the issue. So it's not an Outlook or Windows Update causing it.

Copper Contributor

Hi,

last year we had the same error message in the Outlook (2019) client after an Exchange update.
These entries on the client solved the problem at the time.

[Image: AndreasMueller_0-1710343010703.png]

Maybe it helps.

Copper Contributor

@DJI99 @cvanoort @Mark-69

@Nino Bilic

-all services are running

-OWA search works

-version Microsoft® Outlook® 2021 MSO (Version 2402 Build 16.0.17328.20124) 64-bit

Copper Contributor

I have the same problem with the search in Outlook 2019 16.010407.20032, on a terminal server, but not for all users. Exchange Cu14 Su March2024.


Brass Contributor

@Andreas-Mueller 

That's true, last year we also had the same issue and these registry keys fixed it as a workaround.

This time it is effective again.


Microsoft

Folks with a search issue - please someone open a support ticket; I do not think that we have a repro in house (still investigating).

Brass Contributor

Sorry for this barbed remark - but the support team never seems to have a repro in house. Several tickets in the past which were closed with "we cannot reproduce". But I always could even with a brand new installation from scratch. :\

... and then after months "my issue" is suddenly fixed by an update, sometimes in fact mentioned in the "resolved issues" section ...


Copper Contributor

Q - is it ok to install KB5036401 on Exchange 2019 CU14 that does NOT have ExtendedProtection enabled? or is it a must to have EP first?

Copper Contributor

I am having the same issue that search does not work on Outlook, only OWA. What's going on, Microsoft? Why was this not tested correctly? You are killing us lately not doing proper testing in the lab.

When can this be fixed? Everyone in the office of 250 has this issue....


Copper Contributor

Does this update fix the issues reported in November 2023 Exchange Server Security Updates "Certain piped cmdlets (for example, Get-MailboxDatabase | Get-Mailbox) might fail on Management Tools only machines." ?

Microsoft

@ryaron This is OK, yes. Extended Protection is not a requirement for the update to install.

Microsoft

@DJI99 @cvanoort @Mark-69 @Forceafn @stefandechert @embert2165 If you choose to go to search options and choose "Include Older Results" does that fix the search for Outlook? It should be under "..." menu once search is attempted, possibly under Search Tools.

@Stephen_Barton this issue is NOT fixed ONLY for Exchange 2019 CU13 + March SU (and still requires a workaround to run scripts on the server). It is fixed for E2019 CU14 and E2016 CU23 + March SU and remote scripts should work.

Last update: Apr 23 2024 10:22 AM