When running a hybrid deployment or when using Exchange Online Archiving in combination with Exchange on-premises, make sure you run the latest CU or one version older (i.e. Exchange 2013 CU23, Exchange 2016 CU18/CU19 or Exchange 2019 CU7/CU8)
No schema changes in these CUs but there are changes to AD, so make sure you run the Setup.exe /PrepareAD command
And as always, test thoroughly in your lab environment, and when deploying make sure your servers are in maintenance mode (especially the DAG).
On December 8, 2020 Microsoft released a number of security updates for Exchange server. Despite the fact that Exchange 2010 is out of support at all, an important security update for Exchange 2010 was released as well.
Last September Microsoft released their quarterly Cumulative Updates for Exchange, Exchange 2016 CU18 and Exchange 2019 CU7. This was quickly followed by a security update, KB4581424 that addresses the CVE-2020-16969 Microsoft Exchange Information Disclosure vulnerability.
Unfortunately, the Exchange 2016 CU18 and Exchange 2019 CU7 contain a nasty bug. If you use OWA, open a shared mailbox and try to access an attachment, OWA redirects to Office 365 instead of the on-premises Exchange 2016/2019 server to download it. This happens in an hybrid environment, but also in a pure on-premises Exchange deployment without any Office 365 connection.
Microsoft is aware of this issue and it will be fixed in the next Cumulative Updates for Exchange 2016 and Exchange 2019. Looking at the quarterly cadence this should be by the end of this year.
If you have a Microsoft Premier support contract and this is an issue that impacts your business you can open a support ticket and request a fix for this. This service is available for Premier support customers only.
This fix is a replacement for the KB4581424 security update, as such it contains all the fixes in KB4581424, plus the OWA Attachment hotfix. If you are a Premier support customer and do have this fix available, make sure that you uninstall the KB4581424 first before installing this update. One workaround that I’ve seen in a newsgroup is not to open the Shared Mailbox as “Open another mailbox” but as “Add shared folder”. This should work also, but I have not tested it. I do have a customer with a Premier support contract, I can confirm the problem is fixed in the interim update.
After migrating all mailboxes to Exchange 2016 and Exchange Online it is time to decommission the old Exchange 2010 servers. One of the servers could not be removed and the dreaded “This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, or arbitration mailboxes” was shown:
This typically means that there is some sort of mailbox (arbitration or archive) is still available in the database, causing this issue. Unfortunately using the -Verbose switch did not reveal any other useful information.
Also, when trying to use Remote PowerShell directly (Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010, which bypasses RBAC and sometimes help) dit not help either this time.
Note. I was able to find dozens of similar threads on the Internet about this warning, but not a single one applied to my scenario. Ok, I found one where they removed the mailbox database using ADSI Edit, but on the long term that will cause other issues I’m afraid. You can do this, but there are still references to this mailbox database in Active Directory, so stuff will be lingering if you do this. Also, a lot of the threads are about Exchange 2013 and higher, but we were decommissioning Exchange 2010.
Last resort is to look directly into the mailbox database properties in Active Directory using LDP.exe. In LDP, navigate to the mailbox database and open the details (or dump it to a text file). Using the dump a user account was found that still referenced this mailbox database for an archive mailbox:
The user account was fixed and we were able to remove the mailbox database.
An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.
To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.
The security update corrects the way that Exchange handles these token validations.
Please be aware that the updates are CU specific. The fact that an update for Exchange 2013 is released indicates the importance of this Security Update.
When installing, start the Security Update from an elevated command prompt (Run As Administrator) and as always, test the security update thoroughly.
Microsoft Exchange Server 2013 Cumulative Update 23