Cumulative Update February 2024

Für Exchange Server 2019 steht seit dem 13. Februar das neue Kumulative Update bereit. In diesem Exchange 2019 Cumulative Update Februar 2024 sind alle zuvor veröffentlichten Sicherheitsupdates enthalten.

Die Installation kann per Kommandozeile wie folgt gestartet werden:

.\Setup.EXE /Mode:Upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF
.\Setup.EXE /Mode:Upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

Dieser Parameter aktiviert beim Upgrade erst gar nicht die Extended Protection:

.\Setup.EXE /Mode:Upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /DoNotEnableEP

Exchange Installationsablauf

Microsoft Exchange Server 2019 Cumulative Update 14 Unattended Setup

Copying Files…
File copy complete. Setup will now collect additional information needed for installation.

Languages
Management tools
Mailbox role: Transport service
Mailbox role: Client Access service
Mailbox role: Mailbox service
Mailbox role: Front End Transport service
Mailbox role: Client Access Front End service

Performing Microsoft Exchange Server Prerequisite Check

Configuring Prerequisites COMPLETED
Prerequisite Analysis COMPLETED

Setup will prepare the organization for Exchange Server 2019 by using ‘Setup /PrepareAD‘. No Exchange Server 2013 roles have been detected in this topology. After this operation, you will not be able to install any Exchange Server 2013 roles.

For more information, visit: https://learn.microsoft.com/Exchange/plan-and-deploy/deployment-ref/ms-exch-setupreadiness-NoE15ServerWarning?view=exchserver-2019

Configuring Microsoft Exchange Server

Organization Preparation COMPLETED
Preparing Setup COMPLETED
Stopping Services COMPLETED
Language Files COMPLETED
Removing Exchange Files COMPLETED
Preparing Files COMPLETED
Copying Exchange Files COMPLETED
Language Files COMPLETED
Restoring Services COMPLETED
Language Configuration COMPLETED
Exchange Management Tools COMPLETED
Mailbox role: Transport service COMPLETED
Mailbox role: Client Access service COMPLETED
Mailbox role: Mailbox service COMPLETED
Mailbox role: Front End Transport service COMPLETED
Mailbox role: Client Access Front End service COMPLETED
Finalizing Setup

The Exchange Server setup operation completed successfully.

Exchange Setup preserved the required configurations during upgrade. More details can be found in Exchangesetup.log located in <SystemDrive>:\ExchangeSetupLogs folder. For more information, visit: https://aka.ms/PreserveExchangeConfig2019.

Exchange Setup has enabled Extended Protection on all the virtual directories on this machine. For more information visit: https://aka.ms/EnableEPviaSetup.

We recommend running Exchange HealthChecker script to evaluate if there are any configuration issues which can cause feature breakdowns. HealthChecker script can be downloaded from https://aka.ms/ExchangeSetupHC.

Extended Protection Powershell Parameter für Exchange 2016 und 2019

Wenn der Installationsbefehl .\Setup.EXE /Mode:Upgrade /DoNotEnableEP_FEEWS lautete, wäre der nächste Befehl für die manuelle Aktivierung abzusetzen und mit Ja zu bestätigen. Alle notwendigen Einstellungen würden automatisiert umgesetzt werden.

.\ExchangeExtendedProtectionManagement.ps1

.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection
.\ExchangeExtendedProtectionManagement.ps1 -DisableExtendedProtection
.\ExchangeExtendedProtectionManagement.ps1 -RollbackType “RestoreConfiguration”
.\ExchangeExtendedProtectionManagement.ps1 -RollbackType “RestoreIISAppConfig”

Exchange 2019 Cumulative Update Februar 2024

Was ist neu an dem CU14?

.NET Framework 4.8.1 Support nur für Windows Server 2022
Extended Protection wird in der Standardeinstellung aktiviert,siehe “Exchange Installationsablauf”, die lässt sich in der Shell aber wieder abschalten.
- Achtung: Die Aktivierung erfolgt ohne vorherige Prüfung auf Kompatibilität bzw. ob die Vorraussetzungen erfüllt werden.

Was fehlt im CU14?

Die TLS 1.3 Unterstützung ist auch in diesem CU noch nicht enthalten, soll aber im nächsten endlich enthalten sein.

In Exchange Server 2019 können folgende Probleme behoben werden:

Dieses kumulative Update behebt die Sicherheitsanfälligkeit CVE-2024-21410 sofern die Extended Protection auch aktiviert worden ist!

CVE-2024-21410 – Sicherheitsanfälligkeit in Microsoft Exchange Server bezüglich Rechteerweiterungen

Behobene Probleme:

5035439 BlockModernAuth does not respond in AuthenticationPolicy
5035442 Exchange Mitigation Service does not log incremental updates
5035443 Read receipts are returned if ActiveSyncSuppressReadReceipt is „True“ in Exchange Server 2019
5035444 System.argumentnullexception when you try to run an eDiscovery search
5035446 OAB shadow distribution fails if legacy authorization is blocked
5035448 MCDB fails and leads to lagged copy activation
5035450 Exchange 2019 setup installs a outdated JQuery library
5035452 Usernames are not displayed in Event ID 23 and 258
5035453 Issues in Exchange or Teams when you try to delegate information
5035455 MSExchangeIS stops responding and returns „System.NullReferenceExceptions“ multiple times per day
5035456 „Deserialization blocked at location HaRpcError“ error and Exchange replication stops responding
5035493 FIP-FS Proxy Customizations are disabled after a CU or an SU update
5035494 Modern attachment doesn’t work when web proxy is used in Exchange Server 2019
5035495 OWA displays junk operations even if junk mail reporting is disabled
5035497 Edit permissions option in the ECP can’t be edited
5035542 Remote equipment and room mailboxes can now be managed through EAC
5035616 Logon events failure after updating Windows Server
5035617 Transport rules aren’t applied to multipart or alternative messages
5035689 „High %Time in GC“ and EWS doesn’t respond

Bekannte Probleme in diesem kumulativen Update

bisher keine bekannt

Was sollte außerdem beachtet werden?

Der Setup-Assistent führt ein /PrepareAD aus. Setup will prepare the organization for Exchange Server 2019 by using ‘Setup /PrepareAD’.

SSL-Offloading für Outlook Anywhere

Die nachfolgende Befehle angepasst und ausgeführt in der Powershell deaktivieren das SSL-Offloading für Outlook-Anywhere.

Set-OutlookAnywhere -Identity EX1\Rpc* -Externalhostname EX1.windowspapst.de -ExternalClientsRequireSsl:$True -ExternalClientAuthenticationMethod Basic

Set-OutlookAnywhere -Identity EX1\Rpc* -SSLOffloading $true
Set-OutlookAnywhere -Identity EX1\RPC (Default Web Site) -SSLOffloading $true

appcmd Recycle AppPool MSExchangeRpcProxyFrontEndAppPool

Restart-WebAppPool MSExchangeRpcProxyFrontEndAppPool

Hier noch einmal der Hinweis, was nicht geht, wenn EP aktiviert ist:

Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work when Extended Protection is enabled.

– SSL offloading or SSL termination via Layer 7 load balancing.
– Exchange Hybrid Features if using Modern Hybrid.
– Access to Public folders on Exchange 2013 Servers.

You can find more information on: https://aka.ms/ExchangeEPDoc.

SSL-Bridging

SSL-Bridging ermöglicht es den gesamten sicheren Datenverkehr zwischen dem SSL-Client und dem SSL-Server zu überbrücken. Es kommt zu keinem Ausladen, Verschlüsseln oder Entschlüsseln und beschleunigt den Bridge-Traffic nicht. Daher ist es wichtig, das die Web Application Firewall, der Loadbalancer sowie der Exchange das gleiche Zertifikat nutzen. HTTP/s Passthrough und HTTP/s re-encrypted sorgen für die nötige Verschlüsselung zwischen den Endpunkten.

Exchange Funktionen prüfen

Nach erfolgter Installation sollte überprüft werden, ob die Exchange Dienste und Komponenten einwandfrei laufen.

Exchange Server Funktionen prüfen

# Exchange Server Dienste prüfen
Get-Service | Where {$_.DisplayName -Like “*Exchange*”} | Format-Table DisplayName, Name, Status
Get-Service *MSExchange*
Test-ServiceHealth

# MAPI Test
Test-MAPIConnectivity -Server SRVEX
Get-MailboxDatabase | Test-MAPIConnectivity

# Replikation überprüfen
Get-DatabaseAvailabilityGroup | Select -ExpandProperty:Servers | Test-ReplicationHealth

# Prüfen ob alle Komponenten aktiv sind
Get-ServerComponentState -Identity SRVEX | select @{N=’Exchange’;E={SRVEX}}, Component,State

Nicht vergessen den AV-Schutz zu prüfen!

HealthChecker

.\HealthChecker.ps1
.\HealthChecker.ps1 -Server EX1
.\HealthChecker.ps1 -Server EX1, EX2
.\HealthChecker.ps1 -BuildHtmlServersReport
.\HealthChecker.ps1 -LoadBalancingReport
.\HealthChecker.ps1 -VulnerabilityReport

Download Exchange Server kumulatives Update:

Download Cumulative Update 14 for Exchange Server 2019 (KB5035606)

Die neue Versionsnummer lautet: 15.2.1544.4

Exchange Support:

Exchange Server 2019: Mainstreamsupports bis 09.01.2024
Exchange Server 2019: Erweiterter Support bis 14.10.2025

Exchange Server 2016: Mainstreamsupports bis 13.10.2020
Exchange Server 2016: Erweiterter Support bis 14.10.2025

Exchange Versionsnummern

Product Name	Release Date	Build Number short	Build Number long
Exchange Server 2013 CU23	September 28, 2021	15.0.1497.23	15.00.1497.023
Exchange Server 2013 CU23 Feb23SU	February 14, 2023	15.0.1497.47	15.00.1497.047
Exchange Server 2013 CU23 Jan23SU	January 10, 2023	15.0.1497.45	15.00.1497.045
Exchange Server 2013 CU23 Nov22SU	November 08, 2022	15.0.1497.44	15.00.1497.044
Exchange Server 2013 CU23 Oct22SU	October 11, 2022	15.0.1497.42	15.00.1497.042
Exchange Server 2013 CU23 Aug22SU	August 9, 2022	15.0.1497.40	15.00.1497.040
Exchange Server 2013 CU23 Mar22SU	March 8, 2022	15.0.1497.33	15.00.1497.033
Exchange Server 2013 CU23 Jan22SU	Januar 11, 2022	15.0.1497.28	15.00.1497.028
Exchange Server 2013 CU23 Nov21SU	November 08, 2021	15.0.1497.26	15.00.1497.026
Exchange Server 2013 CU23 Oct21SU	October 12, 2021	15.0.1497.24	15.00.1497.024
Exchange Server 2016 CU23 (2022H1)	April 20, 2022	15.1.2507.6	15.01.2507.006
Exchange Server 2016 CU23 March24SU	March 12, 2024	15.1.2507.37	15.01.2507.037
Exchange Server 2016 CU23 Nov23SU	November 14, 2023	15.1.2507.35	15.01.2507.035
Exchange Server 2016 CU23 Oct23SU	October 10, 2023	15.1.2507.34	15.01.2507.034
Exchange Server 2016 CU23 Aug23SU	August 8, 2023	15.1.2507.31	15.01.2507.031
Exchange Server 2016 CU23 Jun23SU	June 13, 2023	15.1.2507.27	15.01.2507.027
Exchange Server 2016 CU23 Mar23SU	March 14, 2023	15.1.2507.23	15.01.2507.023
Exchange Server 2016 CU23 Feb23SU	February 14, 2023	15.1.2507.21	15.01.2507.021
Exchange Server 2016 CU23 Jan23SU	January 10, 2023	15.1.2507.17	15.01.2507.017
Exchange Server 2016 CU23 Nov22SU	November 8, 2022	15.1.2507.16	15.01.2507.016
Exchange Server 2016 CU23 Oct22SU	October 11, 2022	15.1.2507.13	15.01.2507.013
Exchange Server 2016 CU23 Aug22SU	August 9, 2022	15.1.2507.12	15.01.2507.012
Exchange Server 2016 CU22	September 28, 2021	15.1.2308.8	15.00.1497.023
Exchange Server 2016 CU22 Mar22SU	March 8, 2022	15.1.2375.24	15.01.2375.024
Exchange Server 2016 CU22 Jan22SU	Januar 11, 2022	15.1.2375.18	15.01.2375.018
Exchange Server 2016 CU22 Nov21SU	November 08, 2021	15.1.2375.17	15.01.2375.017
Exchange Server 2016 CU22 Oct21SU	October 12, 2021	15.1.2375.12	15.01.2375.012
Exchange Server 2019 CU12 (2022H1)	April 20, 2022	15.2.1118.7	15.02.1118.007
Exchange Server 2019 CU14 SU1	March 12, 2024	15.2.1544.9	15.02.1544.009
Exchange Server 2019 CU14 Feb24	February 13, 2024	15.2.1544.4	15.2.1544.004
Exchange Server 2019 CU13 Nov23SU	November 14, 2023	15.2.1258.28	15.02.1258.028
Exchange Server 2019 CU13 Oct23SU	October 10, 2023	15.2.1258.27	15.02.1258.027
Exchange Server 2019 CU13 Aug23SU2	August 8, 2023	15.2.1258.23	15.02.1258.023
Exchange Server 2019 CU13 Jun23SU1	June 13, 2023	15.2.1258.16	15.02.1258.016
Exchange Server 2019 CU13 May23	May 3, 2023	15.2.1258.12	15.02.1258.012
Exchange Server 2019 CU12 Mar23SU7	March 14, 2023	15.2.1118.26	15.02.1118.026
Exchange Server 2019 CU12 Feb23SU6	February 14, 2023	15.2.1118.25	15.02.1118.025
Exchange Server 2019 CU12 Jan23SU	January 10, 2023	15.2.1118.21	15.02.1118.021
Exchange Server 2019 CU12 Nov22SU	November 8, 2022	15.2.1118.20	15.02.1118.020
Exchange Server 2019 CU12 Oct22SU	October 11, 2022	15.2.1118.15	15.02.1118.015
Exchange Server 2019 CU12 Aug22SU	August 9, 2022	15.2.1118.12	15.02.1118.012
Exchange Server 2019 CU11	September 28, 2021	15.2.986.5	15.02.0986.005
Exchange Server 2019 CU11 Mar22SU	March 8, 2022	15.2.986.22	15.02.0986.022
Exchange Server 2019 CU11 Janu22SU	Januar 11, 2022	15.2.986.15	15.02.0986.015
Exchange Server 2019 CU11 Nov21SU	November 08, 2021	15.2.986.14	15.02.0986.014
Exchange Server 2019 CU11 Oct21SU	October 12, 2021	15.2.986.9	15.02.0986.009

Exchange Build Number abfragen

Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo}