We are excited to announce the Skype for Business Server 2019 June 2023 Cumulative Update (CU Build Number 2046.521) which, in addition to fixes for customer-driven bugs and many security hardening improvements, includes two new features: Emergency Mitigation Service (EMS) and OAuth for Dial-in and Web Scheduler.
Emergency Mitigation Service
Microsoft takes security very seriously and we continue to work hard to protect your systems and data from cyber threats and to comply with evolving regulations. In line with this, we have introduced the Skype for Business Server Emergency Mitigation Service to help protect your servers from potential threats. This service provides a temporary and interim mitigation until you can install an update that fixes the vulnerability.
Understanding the Skype for Business Server Emergency Mitigation Service
A mitigation is an action or set of actions that are taken automatically to secure a Skype for Business server from a known threat that is being actively exploited. The Emergency Mitigation Service can apply multiple mitigations, including:
- IIS URL rewrite rule mitigation: This mitigation is a rule that blocks specific patterns of malicious HTTP requests that can endanger a Skype for Business server.
- App pool mitigation: This mitigation disables a vulnerable app pool on a Skype for Business server.
EMS checks Office Configuration Service (OCS) for available mitigations every hour. EMS subsequently downloads newly discovered XML file mitigations and validates the signature to prevent file tampering. EMS checks the issuer, the extended Key Usage, and the certificate chain. After successful validation, EMS applies mitigation. The use of EMS is optional and can be disabled if you prefer not to have Microsoft automatically apply mitigations to your servers.
Each mitigation is a temporary “fix” until the security update that fixes the vulnerability in the code is applied. EMS is not a replacement for Skype for Business SUs and CUs. However, it's the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Skype for Business servers before updating. You are not required to undo the pre-existing mitigation when applying the SU or CU. The mitigation is automatically removed once a proper fix has been released.
Option to send diagnostic data to Microsoft
When installing the Skype for Business Server 2019 Build 7.0.2046.521 or later, you’ll also notice a change to the license terms acceptance process. We have added the ability to send diagnostic data from your Skype for Business servers related to mitigations to protect you better. This data is sent to Microsoft when EMS checks for available mitigations.
EMS Connectivity
EMS needs outbound connectivity to OCS to check for and download mitigations.
While EMS can be installed without connectivity to OCS, it must have connectivity to OCS to download and apply the latest mitigations. OCS must be reachable from the front-end server through the internet, on which Skype for Business Server is installed, for EMS to function correctly.
You can verify that a Skype for Business server has connectivity to OCS by using the
Test-CsMitigationServiceConnectivity cmdlet.
You can find more detailed information about installing EMS and managing mitigations at the end of this blog.
OAuth for Dial-in and Web Scheduler
We have streamlined the setup process for Active Directory Federation Services OAuth authentication in Modern Admin Control Panel and introduced OAuth in Dial-in and Web Scheduler. If you already have OAuth set up, all you need to do is install the update and continue using OAuth. If you’re setting up OAuth for the first time, you no longer need to follow a lengthy process. Please refer to our documentation for a quick and easy step-by-step guide. Additionally, with OAuth set up, it is no longer necessary for an administrator to be SIP enabled.
Cumulative Update Installation Instructions
- Run UI SSUI (Skype Server Update Installer)
- Run Bootstrapper.exe
- SSUI will prompt the admin to consent for Microsoft to collect diagnostic data. Regardless of whether consent is accepted or rejected, the installer should run successfully.
- If consent is provided to collect diagnostic data, EMS sends the following to OCS:
- Information about the admin-configured behaviour of EMS (such as state of EMS, mitigations blocked by admin, etc.)
- Information about Skype for Business Server version, build number, immutable device ID, and immutable org ID.
Skype for Business Supportability
We recommend customers with existing Lync Server 2013 or Skype for Business Server 2015 deployments start planning and installing Skype for Business Server 2019 to ensure continued support. This version provides the furthest window for Mainstream Service, the smoothest upgrade to the “vNext,” and the easiest path to migrate users to Microsoft Teams in the future. Know we are fully committed to supporting the product even after 2025.
Thank you for choosing Skype for Business Server. Feel free to reach out to us with any questions or concerns in the comments section below.
- The Skype for Business Server Team
About Skype for Business Server Emergency Mitigation Service (EMS)
Skype for Business Server EMS helps keep your Skype for Business servers secure by applying mitigations to address specific potential threats against your servers. EMS uses the cloud-based Office Config Service (OCS) to check for new mitigations, download available mitigations, and send diagnostic data to Microsoft. The use of EMS is optional. If you do not want Microsoft to automatically apply mitigations to your Skype for Business servers, you can disable the feature.
EMS is available for Skype for Business Server 2015 and Skype for Business Server 2019.
How to install the Cumulative Update with EMS
Step 1: Install the SfB Server build number 2046.521 released on June 29, 2023
Step 2: SSUI will prompt Admin to consent for Microsoft to collect diagnostic data. Admin will have two options to either accept or reject. In any case the installer should run successfully.
If consent is provided to collect diagnostic data, EMS sends the following to OCS.
- Information about the admin-configured behavior of EMS such as state of EMS, mitigations blocked by admin, etc.
- We also collect the SfB server version, build number, immutable device ID, and immutable org ID.
You may use Get-CsMitigationTelemetryConfiguration cmdlet to check if diagnostic data is being sent, and use Set-CsMitigationTelemetryConfiguration cmdlet to enable or disable sending diagnostic data at any point in time.
Step 3: View mitigations by using Get-CsMitigation cmdlet and for a more detailed view, you can export as an XML file using the ExportAsXml parameter.
Step 4: After a new CU has been installed, mitigations that are no longer needed are rollbacked automatically. For example, if a mitigation ID ‘M1’ is no longer needed after installing a CU with a fix for the vulnerability, EMS will stop applying it and it will be removed from the list of applied mitigations.
Disabling the “auto apply” of mitigations
By default, MitigationsEnabled is set to $true. To disable automatic mitigation, run the following command:
Set-CsMitigationConfiguration - PoolFqdn <Pool1> -MitigationsEnabled $false
Blocking or removing mitigations
If a mitigation critically affects the functionality of your Skype for Business server and you accept the risk of exposing your servers to the vulnerabilities, you can block the mitigation and manually reverse it.
- To block a mitigation, use the following cmdlet, replacing M0001 with the mitigation you wish to block.
Set-Csmitigation - PoolFqdn <poolName> -MitigationBlocked M0001
The cmdlet blocks the M0001 mitigation, which ensures that EMS will not reapply this mitigation in the next hourly cycle.
- To add more than one mitigation, add the Mitigation ID as S comma separated list.
Set-Csmitigation - PoolFqdn <poolName> -MitigationBlocked M0001,M0002
To manually remove the mitigation immediately, stop and restart EMS.
Reapplying mitigations
You can remove one or more mitigations from the blocked mitigations list by:
- Removing the Mitigation ID in the MitigationsBlocked parameter
- Using the MitigationsApplied parameter:
Set-Csmitigation - PoolFqdn <poolName> -MitigationApplied M0001
3. Use the Repair cmdlet: Repair-CsMitigation
To manually reapply the mitigation immediately, stop and restart EMS.