July 2021 Security Updates for Exchange

On July 13, 2021 Microsoft has released a number of Security Updates for Exchange. Security Updates are released for:

  • Exchange 2013 CU23
  • Exchange 2016 CU20 and CU21
  • Exchange 2019 CU9 and CU10

Some of the issues are marked ‘critical’ (Remote Code Execution) but no evidence have been found for any exploits in the wild, but it is strongly recommended to install these Security Updates as soon as possible.
The following CVE’s are addressed in these Security Updates:

Detailed information regarding the vulnerabilities can be found in the Security Update Guide.

As always, when installing the Security Update manually from a command prompt, use elevated privileges. If you do not, installation will succeed but under the hood things break! This is not an issue when installing using Windows Update.

Note. This Security Update has a dependency on the Schema update that came with Exchange 2016 CU21 and Exchange 2019 CU10. If you are running an older version of these CUs, please update the Schema first to the latest level. If you are still running Exchange 2013, and only Exchange 2013 at the latest level, you can install the Security Update, but you must run setup.exe /PrepareSchema from the V15\bin directory. The SU installation will install the latest schema files in the V15\bin directory which will be used by the setup application to make the schema changes. Failure to do so will result in an unprotected Exchange 2013 environment.

Microsoft Teams and Exchange 2016 connectivity

More than a year ago I wrote a blogpost regarding Teams calendaring and Exchange 2016 integration: https://jaapwesselius.com/2020/04/07/microsoft-teams-and-exchange-2016/.

Currently I am working with a customer on this specific scenario, and to my surprise I ran into this Teams/Exchange connectivity test on the Microsoft Remote Connectivity Analyzer (https://aka.ms/exRCA). Open the Remote Connectivity Analyzer, select Microsoft Teams and click the Teams Calendar Tab button. Login with the account you want to test (in this example I have an on-premises mailbox on Exchange 2019, but works for Exchange 2016 as well) and click Perform Test.

Within seconds you will see if connectivity from Microsoft Teams to your Exchange server is working properly. Very nice!

June 2021 Exchange Cumulative Updates

One June 29, 2021 Microsoft has released the June 2021 Cumulative Updates for Exchange server, two weeks later than initially planned.

For Exchange 2016 it is a special Cumulative Update, since CU21 is the latest update that will be released for the product.

Besides a number of fixes, both CU’s contain integration with the Anti-Malware Scan Interface (AMSI). AMSI is available in Windows 2016 and Windows 2019, and Exchange now integrates with AMSI. Prerequisite is of course that Exchange 2016 is running on Windows 2016. When running on Windows 2012 R2, the AMSI integration is not available.

AMSI integration is a result of the HAFNIUM infections earlier this year. When using an anti-malware solution that is AMSI capable, malicious HTTP requests are blocked before they are processed by the Exchange server.

Important notes:

  • Both CUs contain a Schema Update and an Active Directory update, so you must run Setup.exe /PrepareSchema and Setup.exe /PrepareAD. 
  • When running the Exchange servers in a DAG, don’t forget to put your DAG members in maintenance mode prior to updating.
  • When running in Hybrid Mode, Microsoft requires you to run the last or second-last Cumulative Update.
  • As usual, test the CUs thoroughly before bringing them into your production environment. 
VersionKnowledge BaseDownload
Exchange 2019 CU10KB5003612CU10 for Exchange 2019
Exchange 2016 CU21KB5003611CU21 for Exchange 2016
Exchange 2016 CU12 UM Language PackUM LP for Exchange 2016 CU21

Office Online server – Sorry there was a problem and we can’t open this document

For a current project I am working with Exchange 2019 and for OWA we want to implement Office Online Server. I did this in the past and blogged about it (Install Office Online Server 2016) so I thought it should not be a big deal.

Installed Windows 2016, installed prerequisite software, configured an SSL certificate, installed Office Online Server and created a new Office Web Apps farm.

After testing the https://fqdn/hosting/discovery and configured the organization configuration everything must be good.

When opening an attachment in OWA I do see the OOS environment, it tries to open a document and then generates this error:

“Sorry, there was a problem and we can’t open this document. If this happens again, try opening the document in Microsoft Word.”

When opening an Excel attachment, I get the following error message:
“Unable to open the file. We couldn’t find the file you wanted. It’s possible the file was renamed, moved or deleted.”

I know Office Online Server is sensitive for SSL certificates, but this was a regular Digicert certificate. Name resolution was fine as well. But the check https://fqdn/op/generate.aspx failed as well with the following (pretty useless) error:

“Server Error. We’re sorry. An error has occurred. We’ve logged the error for the server administrator.”

Unfortunately, nothing useful in the eventlog, or in the ULS logging on the Office Web Apps server. Asked colleagues, but they had only experience with Exchange 2016 and OOS.

After two days of searching, fiddling with the server, checking .NET versions (Windows 2016 comes with a newer version of .NET then required by Office Online Server), rebuilding the Office Online Server several times I realized it might be a TLS 1.2 issue. Exchange 2019 is using TLS 1.2 only by default, whereas Exchange 2016 can use multiple versions of TLS.

So, on the Windows 2016 server with OOS, I enabled strong cryptography in .NET and disabled older versions of TLS on Windows to fix the issue.

To enable strong cryptography in the .NET Framework, add the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

To disabled older versions or TLS, add the following registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
@="DefaultValue"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
@="DefaultValue"
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
@="DefaultValue"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
@="DefaultValue"
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
@="DefaultValue"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
@="DefaultValue"
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
@="DefaultValue"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
@="DefaultValue"
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
@="DefaultValue"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
@="DefaultValue"
"Enabled"=dword:00000000

After rebooting the Office Online Server, it worked as expected.

Exchange server patching performance and windows defender

Patching an Exchange server, whether it be Windows Update, a Cumulative Update or a Security Update always takes a long time. When looking at the task manager, it is always the Antimalware Service Executable (Windows Defender Antivirus Service) that is responsible for this. It just consumes a lot of processor cycles:

To overcome this and speed up the overall performance of patching the Exchange server you can temporarily disable Windows Defender.

For Exchange 2016 running on Windows 2016 follow these steps:

Start | Settings | Update and Security | Windows Defender

For Exchange 2019 running on Windows 2019 follow these steps:

Start | Settings | Update and Security | Windows Security | Open Windows Security I Virus & Threat protection I Manage Settings

And switch Real-time protection to off as shown in the following screenshot:

Much easier is using PowerShell, just execute this command:

Set-MpPreference -DisableRealtimeMonitoring $True

When patching the Exchange server you will notice how much faster it will be. When patched and rebooted, enable Windows Defender by executing the following PowerShell command:

Set-MpPreference -DisableRealtimeMonitoring $False

You can check the status of Windows defender using one of the following commands:

Get-MpPreference | select DisableRealtimeMonitoring
Get-MpComputerStatus

Check the output for RealTimeProtectionEnabled, this should be set to True. As a sidenote, there is a lot of other interesting information when executing Get-MpComputerStatus for anti-malware.

Microsoft UC Specialist