Does Microsoft still recommend the previous guidance to "Disable remote PowerShell access for non-admins" as a mitigation for CVE-2022-41082 ?  We have temporary scripts in place and are in the processes of updating our on-boarding procedures. Is that still necessary?

Thanks

@Ericwa999 Once November (or later) Cu is installed, you do not need this as a mitigation for the particular vulnerability (CVE-2022-41082). That being said - if you already disabled this and there is no need for regular users to have this access, then you could leave it disabled just as reducing the possible surface. But if you are asking if it is OK to re-enable users for PS access once this update is installed, then yes, you can.

@The_Exchange_Team @Nino Bilic 

Can you please confirm that this November patch supersedes the Octocber security update? Meaning if we have not yet installed the October SU, we can just install this one?

@Wess33 That’s correct. The update is cumulative and there is no need to install the October 22 SU first. You can directly install the November 2022 SU and you’re done.

Thanks @Lukas Sassl 

@Wess33 If updates are a bit confusing, please go through this post, it should help; our security updates are always cumulative. Why Exchange Server updates matter - Microsoft Community Hub 

Installed in test environment and 2 small production environments. No problems at all. Tomorrow scheduled for install on some larger environments.

PS, somehow we do have one environment stating that the prepare all domains functions have not run from the july updates, but they did succesfully and also regarding the setup log txt of Exchange it ran all succesfull. Of course, all maintained and up to date.

Methinks someone forgot to update the license agreement text...

Does Microsoft still recommend  to disable the remote PowerShell access for non-admins users after installing the November SU  for new created users?

@Clifford_Dsouza please see Nino's reply: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-sec...

@christiaan-nl I guess the HealthChecker pointed it out that you must run preparealldomains, correct? Feel free to drop me a PM. I would like to get some more information.

@Deleted the blog post always has the direct links for each SU package at the top.  The KB, build number and release date can always be found here: https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019 . We publish the information together with the release of new security updates.

@Chris Murray Thanks for noticing and reporting the typo, it will be fixed in next releases.

Hi

My last Exchange update updates were on February.

So, what do I need to do is:

- Install November update

- Run the commands to update AD Schema 

Is that enought?

@The_Exchange_Team  @Lukas Sassl 

@rsm27 best would be to install the latest Cumulative Update (CU) if you're on Exchange 2016 or 2019 (released on April 20, 2022). Exchange Update Wizard (https://aka.ms/ExchangeUpdateWizard) can help you with. Next would be to install the most recent Security Update (SU) which is the one announced here. Finally, run the Exchange HealthChecker (https://aka.ms/ExchangeHealthChecker) and complete the remaining tasks (e.g., /PrepareAllDomains) as outlined by the script.

I applied the November patch to Exchange 2016 servers and the "Microsoft Exchange RPC Client Access" will not start. Anyone else having issues with the service not starting? I am opening a case with Microsoft. 

i have a problem with installaing the SU KB5019758 on my exchange server 2016 CU 23

When i run the setup i got there error message: the upgrade cannot be installed by the windows installer service because the program to be upgraded my be missing or the the upgrade patch may update a diferent version of the programs.

What can cause this problem???

I do not face that problem for november patch on my E2k19 Exchange servers.

Both versions are on latest CU and SU.

Can someone help me?

Hi, I've been searching the web and haven't come across anyone else seemingly having the same issue.  I have a single Exchange 2013 server on prem with users using a mix of Outlook 2013 and Outlook 2016 Standard.  Several Outlook 2013 users have been telling me about a minor issue they've been having that has been going on for around a month intermittently for them.  Outlook will randomly either go into a not responding state and then come back to normal, or it'll do that and then have to be closed and open to get out of it.

Their application logs always show an Event 1000 or Event 1002 citing Outlook.exe when these symptoms happen.  Looking at the dates, and I've checked 4 machines, these events do not happen prior to 10/8/22 when I applied the EOMTv2.ps1 script (successfully).  The events start at different dates after that mitigation was applied.    I also followed the guidance and removed all users Remote Powershell Access on 10/8.

Has there been any reports of those mitigations causing any Outlook crashes?  Or if not, do you think they could be caused by those mitigations?  I am planning on installing the new SU and then running script again with the switch to remove the mitigations as a test at some point.

@Chris1984 please validate that the SU update package is the correct one and that it's not corrupted. You can do this via PowerShell like this (should return true if file is the correct one and not corrupted):

((Get-FileHash .\Exchange2016-KB5019758-x64-en.exe).Hash -eq "9420BABAB5FD63BA84B5CD6DDC594A3483DBAA6731149061026A7790854B623F")

I manually applied the fix a couple of weeks ago and didn't remove the fix before upgrading.
After i upgraded the url rewrite "EEMS M1.1 PowerShell - inbound" is in place.
Do i need to keep it?

Is enabling Extended Protection for Exchange still relevant if we are using ADFS authentication for OWA and ECP (Exchange 2016)?

@hendrikrsng Please see the FAQ in the blog post; it will not be a problem leaving it there but if you have used EEMS, then please wait with removing this because otherwise it'll just get re-applied. We will update the EEMS mitigation to not apply to servers that have been updated to November (or later) SUs.

@James369 Extended Protection makes changes to many more virtual directories (see here) - our recommendation is to enable it.

Hello @The_Exchange_Team ,

Will this problem also be fixed with this SU?

Customers using a Retention Policy containing Retention Tags which perform Move to Archive actions should not configure Extended Protection, as enabling Extended Protection will cause automated archiving to stop working. We are actively working to resolve this issue.

Hi there,

as you were talking about correct or corrupted SU-files:

We are using - may be reasonable or not - the german install files and it would be highly appreciated if ms would place the matching hash-information on the kb, e.g. https://support.microsoft.com/de-de/topic/description-of-the-security-update-for-microsoft-exchange-...

Without the hash information it's quite difficult to point out the file is valid. Or did I miss out any other place this hash code for the Exchange2016-KB5019758-x64-de.exe can be found?

Edit/Addition: The files names in the bottom table of the kb-website posted above cannot be the correct ones - it's always "Exchange2019-KB5019758-x64-en.exe" for each Exchange server version/edition from 2013 to 2019.

Hey,

I've installed the SU yesterday (with the EXE file) and rebooted the server. Today I've removed the mitigation. Only a few minutes After the removal, the Windows Defender detected an Exploit attempt

Microsoft Defender Antivirus has detected malware or other potentially unwanted software.

 For more information please see the following:

https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Script/ExchgProxyRequest.A!gen&threatid=2147834423&enterprise=0

 	Name: Exploit:Script/ExchgProxyRequest.A!gen

 	ID: 2147834423

 	Severity: Severe

 	Category: Exploit

 	Path: amsi:_\Device\HarddiskVolume5\Windows\System32\inetsrv\w3wp.exe

 	Detection Origin: Unknown

 	Detection Type: Concrete

 	Detection Source: AMSI

 	User: NT AUTHORITY\SYSTEM

 	Process Name: C:\Windows\System32\inetsrv\w3wp.exe

 	Security intelligence Version: AV: 1.379.114.0, AS: 1.379.114.0, NIS: 1.379.114.0

 	Engine Version: AM: 1.1.19800.4, NIS: 1.1.19800.4

Should I be worried that the SU don't fully fix the issue?

Hey,

I've installed the update yesterday (With the EXE file) and rebooted the servers. Today I removed the mitigation and after a few minutes I got a Windows Defender warning regarding an exploit (Exploit:Script/ExchgProxyRequest.A!gen). Should I be worried that the SU don't fully fix the issue?

November SU installed on Exchange 2013. Everything went fine. Haven't removed the mitigations yet.

@Lennart-Live As of right now, we are still not calling this "resolved" - we have worked on it but it does not seem to be a complete solution so we are not calling it resolved yet, no.

Installed on QA Exchange 2016 CU23 servers that already had the Oct 2022 SU installed, no issues.  We did not implement any of the mitigations that were documented when this first came out, and we do not use Extended Protection (can't use it due to reasons)

@wolfgang-frey thanks for your feedback. I will inform the team responsible for getting the typos fixed. Regarding the hash you're right - there is only the hash for the en-US update package. I will put this up for discussion. 

@MarcelWie Can you please run Health Checker? I'd like to make really sure that the November 2022 SU was installed.

@Nino Bilic I've already run the Health Checker and the SU is installed. Also the Outlook Connection Status dialog reports the version number 15.1.2507.16.

@MarcelWie Thank you; I am reaching out to Defender team to understand the detection process.

Hi All,

We have installed the update, and all went well, all services started fine mail flow is fine. However, when we use the Queue Viewer we can see the mail queues but when trying to view the messages we get the Snap-in not available error.

The behavior was confirmed on a different environment as well. 

We are running Exchange 2013 CU23 with Dot Net 4.8

Hello team,

I installed November SU on two Exc 2013CU23 (Framework: 4.7.2, January SU), however HealthChecker still says:

Security Vulnerability: CVE-2022-24516, CVE-2022-21979, CVE-2022-21980, CVE-2022-24477, CVE-2022-30134

I'm confused, shouldn't those CVEs resolved with October SU?  

I don't use extended protection as I have Modern Hybrid configuration in place. Could you advise what am I supposed to do please? 

@MarcelWie As of right now, it seems like the Defender detection will fire if your server gets scanned for a particular vulnerability even if you have the November CU installed (and therefore server is not vulnerable anymore). This scanning could happen by either some sort of internally run security software that looks for vulnerabilities or possibly it is an externally initiated scan. But the bottom line is - it does not indicate compromise, rather the scan for vulnerability. Defender team is looking at how to address this. As you can see here, this particular detection is associated with "Initial access". The mitigation was blocking that traffic before so that's why it was not getting detected.

@MicPluton it’s required to enable Extended Protection to address these vulnerabilities. Without Extended Protection turned on, the server is still vulnerable. 

@MicPluton Those particular CVEs are only addressed with enabling Extended Protection on your Exchange Servers. Installation of October (or later) SUs enables you to do this in code, but configuration of Extended Protection still has to be done separately. Note, the presence of Modern Hybrid does not mean that you cannot enable Extended Protection in your environment (I do not know your environment or if you have additional servers). This is covered here in the Exchange Server Extended Protection script documentation.

@JacoEst Thanks for letting us know; I will see if I can get a repro of this, did not hear of this problem before.

@Nino Bilic @Lukas Sassl As per @JacoEst post, we've just installed the SU on our Exchange 2013 CU23 servers and sure enough, we can no longer see or access any of the messages in the queues via the Exchange Toolbox. This poses an issue with management and troubleshooting queue delays or build-ups.

Please advise!

UPDATE: Clicking on "View Messages" in Toolbox returns the following critical error:

@Nino Bilic 

I can also confirm the error with Exchange 2013 CU23.

With Exchange 2016 CU22 i have no errors.

But:

I can access the queue from Exchange 2016 to an exchange 2013 with the viewer...

Hi!

@Nino Bilic @Lukas Sassl 

Are there known issues/changes with some attributes/methods? It seems that this also breaks some scripts provided by MS.

It seems that the returned type changed?

see example below, Exchange 2016 CU23 (the 1st one updated with the November Security Updates (incl. Exchange), the 2nd one still has the October 2022 Security Updates (incl. Exchange)):

1)

(get-item $env:ExchangeInstallPath\bin\setup.exe).versioninfo.fileversion
15.01.2507.016

(Get-PublicFolderStatistics -Identity 000000001A447390AA6611CD9BC800AA002FC45A0300BC832444C05B35458FFE8622B0C0C19D0000480B5CC80000).Totalitemsize.ToMB()
Method invocation failed because [System.String] does not contain a method named 'ToMB'.
At line:1 char:1
+ (Get-PublicFolderStatistics -Identity 000000001A447390AA6611CD9BC800A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound


(Get-PublicFolderStatistics -Identity 000000001A447390AA6611CD9BC800AA002FC45A0300BC832444C05B35458FFE8622B0C0C19D0000480B5CC80000).Totalitemsize | get-member


   TypeName: System.String

Name             MemberType            Definition
----             ----------            ----------
Clone            Method                System.Object Clone(), System.Object ICloneable.Clone()
CompareTo        Method                int CompareTo(System.Object value), int CompareTo(string strB), int IComparab...
Contains         Method                bool Contains(string value)
CopyTo           Method                void CopyTo(int sourceIndex, char[] destination, int destinationIndex, int co...
EndsWith         Method                bool EndsWith(string value), bool EndsWith(string value, System.StringCompari...
Equals           Method                bool Equals(System.Object obj), bool Equals(string value), bool Equals(string...
GetEnumerator    Method                System.CharEnumerator GetEnumerator(), System.Collections.IEnumerator IEnumer...
GetHashCode      Method                int GetHashCode()
GetType          Method                type GetType()
GetTypeCode      Method                System.TypeCode GetTypeCode(), System.TypeCode IConvertible.GetTypeCode()
IndexOf          Method                int IndexOf(char value), int IndexOf(char value, int startIndex), int IndexOf...
IndexOfAny       Method                int IndexOfAny(char[] anyOf), int IndexOfAny(char[] anyOf, int startIndex), i...
Insert           Method                string Insert(int startIndex, string value)
IsNormalized     Method                bool IsNormalized(), bool IsNormalized(System.Text.NormalizationForm normaliz...
LastIndexOf      Method                int LastIndexOf(char value), int LastIndexOf(char value, int startIndex), int...
LastIndexOfAny   Method                int LastIndexOfAny(char[] anyOf), int LastIndexOfAny(char[] anyOf, int startI...
Normalize        Method                string Normalize(), string Normalize(System.Text.NormalizationForm normalizat...
PadLeft          Method                string PadLeft(int totalWidth), string PadLeft(int totalWidth, char paddingChar)
PadRight         Method                string PadRight(int totalWidth), string PadRight(int totalWidth, char padding...
Remove           Method                string Remove(int startIndex, int count), string Remove(int startIndex)
Replace          Method                string Replace(char oldChar, char newChar), string Replace(string oldValue, s...
Split            Method                string[] Split(Params char[] separator), string[] Split(char[] separator, int...
StartsWith       Method                bool StartsWith(string value), bool StartsWith(string value, System.StringCom...
Substring        Method                string Substring(int startIndex), string Substring(int startIndex, int length)
ToBoolean        Method                bool IConvertible.ToBoolean(System.IFormatProvider provider)
ToByte           Method                byte IConvertible.ToByte(System.IFormatProvider provider)
ToChar           Method                char IConvertible.ToChar(System.IFormatProvider provider)
ToCharArray      Method                char[] ToCharArray(), char[] ToCharArray(int startIndex, int length)
ToDateTime       Method                datetime IConvertible.ToDateTime(System.IFormatProvider provider)
ToDecimal        Method                decimal IConvertible.ToDecimal(System.IFormatProvider provider)
ToDouble         Method                double IConvertible.ToDouble(System.IFormatProvider provider)
ToInt16          Method                int16 IConvertible.ToInt16(System.IFormatProvider provider)
ToInt32          Method                int IConvertible.ToInt32(System.IFormatProvider provider)
ToInt64          Method                long IConvertible.ToInt64(System.IFormatProvider provider)
ToLower          Method                string ToLower(), string ToLower(cultureinfo culture)
ToLowerInvariant Method                string ToLowerInvariant()
ToSByte          Method                sbyte IConvertible.ToSByte(System.IFormatProvider provider)
ToSingle         Method                float IConvertible.ToSingle(System.IFormatProvider provider)
ToString         Method                string ToString(), string ToString(System.IFormatProvider provider), string I...
ToType           Method                System.Object IConvertible.ToType(type conversionType, System.IFormatProvider...
ToUInt16         Method                uint16 IConvertible.ToUInt16(System.IFormatProvider provider)
ToUInt32         Method                uint32 IConvertible.ToUInt32(System.IFormatProvider provider)
ToUInt64         Method                uint64 IConvertible.ToUInt64(System.IFormatProvider provider)
ToUpper          Method                string ToUpper(), string ToUpper(cultureinfo culture)
ToUpperInvariant Method                string ToUpperInvariant()
Trim             Method                string Trim(Params char[] trimChars), string Trim()
TrimEnd          Method                string TrimEnd(Params char[] trimChars)
TrimStart        Method                string TrimStart(Params char[] trimChars)
Chars            ParameterizedProperty char Chars(int index) {get;}
Length           Property              int Length {get;}

2)

(get-item $env:ExchangeInstallPath\bin\setup.exe).versioninfo.fileversion
15.01.2507.013

(Get-PublicFolderStatistics -Identity 000000001A447390AA6611CD9BC800AA002FC45A0300BC832444C05B35458FFE8622B0C0C19D0000480B5CC80000).Totalitemsize.ToMB()
166

(Get-PublicFolderStatistics -Identity 000000001A447390AA6611CD9BC800AA002FC45A0300BC832444C05B35458FFE8622B0C0C19D0000480B5CC80000).Totalitemsize | get-member


   TypeName: Microsoft.Exchange.Data.ByteQuantifiedSize

Name          MemberType Definition
----          ---------- ----------
CompareTo     Method     int CompareTo(Microsoft.Exchange.Data.ByteQuantifiedSize other), int IComparable.CompareTo(System.Object obj), int IComparabl...
Equals        Method     bool Equals(System.Object obj), bool Equals(Microsoft.Exchange.Data.ByteQuantifiedSize other)
GetHashCode   Method     int GetHashCode()
GetType       Method     type GetType()
RoundUpToUnit Method     uint64 RoundUpToUnit(Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier quantifier)
ToBytes       Method     uint64 ToBytes()
ToGB          Method     uint64 ToGB()
ToKB          Method     uint64 ToKB()
ToMB          Method     uint64 ToMB()
ToString      Method     string ToString(), string ToString(string format), string ToString(string format, System.IFormatProvider formatProvider), str...
ToTB          Method     uint64 ToTB()

Regards

@JacoEst @Wess33 @Tonibert Hmmm... we cannot seem to repro; can you please share the OS that you are running on?

Hi @Nino Bilic ,

We are running Microsoft Windows Server 2012 R2 Standard.

@JacoEst @Wess33 @Tonibert It seems like we have a repro of this (but not totally clear yet as to what makes it work but we are still looking at this). It seems like the workaround that always works is to open a Queue Viewer from a remote machine (either a management workstation or a different Exchange server).

We are running 2012R2 too.

@Nino Bilic 2012 R2 as well. Opening remotely from another Exchange server does not work either, same error! Unless it needs to be a different version of Exchange, in which case it's not a realistic workaround for most organisations I would assume.

@Nino Bilic the mail queue viewing issue also happens on a windows 2012 (non-R2 server as well)

@Nino Bilic  , @Wess33 , @Tonibert  Thank you Nino, If I install the management tools on another computer and connect to Exchange remotely it works fine until I install the November SU then it breaks again. This is unfortunately not an acceptable workaround as I will not be able to run the unpatched version in the environment.

@JacoEstExertp from FAQ's

Do we need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers and workstations running only the management tools (no Exchange services) do not need these updates.

@HansH 

Maybe not, but I need to then ask, why would the the update change components used in the management tools and are they then not the same files / components that are at risk on the Exchange servers?

Should the update process then not stop on trying to install on a management server?

@JacoEst @Wess33 @Tonibert I just added workarounds to the blog post under "Known issues".