News

Exchange Server June Cumulative Updates Arrive, But with Red Tape

• By Kurt Mackie
• 06/19/2019

Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

The patching model for most Exchange Server products is based on the quarterly delivery of CUs. The CUs contain new software updates plus older updates from prior CU releases. Exchange Server 2010 is the lone exception and gets "update rollups" instead of CUs.

This week, Microsoft announce it had delivered CU23 for Exchange Server 2013, CU13 for Exchange Server 2016, and CU2 for Exchange Server 2019. However, Nino Bilic of the Microsoft Tech Community said that "we are aware of slight delay of downloads actually being available."

Active Directory Scope Change Step
IT pros are required to keep pace with these CU releases if they use Exchange Server in "hybrid" environments (connected with Exchange Online). However, before they can install the CUs this time, Microsoft is recommending performing an extra step -- that is, making an Active Directory permissions change first.

For that Active Directory permissions change, IT pros are tasked with running a "cumulative update setup program we are releasing today with the /PrepareAD parameter." It will change the permissions scope of Exchange Server.

The reason for this Active Directory scope change is that certain permission rights aren't needed with Exchange Server, Microsoft explained:

The Exchange Team has made two changes to the rights Exchange has in the Active Directory. We have placed a Deny ACE [Access Control Entries] on the DNS [Domain Name Server] Admins group and removed the ability for Exchange to assign Service Principal Names (SPN's). We have determined these rights are not required by Exchange. Before upgrading to one of the updates released today, we recommend administrators apply the permissions change to their environment.

Usually security is the reason for reducing access privileges, but Microsoft didn't elaborate on why this extra step is recommended.

Legacy Protocol Changes
For Exchange Server 2019, Microsoft's CUs are bringing the ability to disable "legacy" (old) authentication protocols. It's another typical security practice.

Microsoft began this ability to disable legacy protocols with the CU1 release for Exchange Server 2019, which just permitted per-user disabling. This week's CU2 release, though, has an enhancement that lets IT pros disable legacy protocols "at organization level," Microsoft indicated.

The legacy protocols weren't specified. The Exchange team expects to issue a future blog post on the topic, though.

.NET Framework 4.8
The new CUs, when installed, will add support for .NET Framework 4.8 for the Exchange Server products. Microsoft plans to require the use of .NET Framework 4.8 by the time it releases its December CUs, according to the announcement.

In the meantime, "the minimum .NET requirement remains 4.7.2 on Exchange Servers," Microsoft's announcement indicated. The various .NET Framework dependencies for Exchange Server products are illustrated in table format in this "Exchange Server Supportability Matrix" document.

Public Folders Controls
Exchange Server 2016 and Exchange Server 2019 users are getting the ability to specify which Outlook mail-client users can see public folders with these CU releases.

Microsoft had implemented that change for Exchange Online users late last year. Back then, Microsoft had just suggested it was considering adding this public folder capability for Exchange Server users, too. And so it has.

Precautions
Microsoft requires having the Visual C++ 2012 runtime installed on the edge role before installing the CUs.

Also, installing the CUs is a one-way trip. If the CUs get uninstalled, then the Exchange Server bits get removed, too, Microsoft warns.

No Modern Authentication on Premises
Lastly, Microsoft added a sour note for organizations using Exchange Server on their own servers regarding the prospect of getting access to so-called "modern authentication" technologies. Modern authentication technologies will just be available for hybrid Exchange users. They won't be available for organizations purely using Exchange Server "on premises."

The announcement explained that "after much deliberation we have come to the decision that this capability [modern authentication] in on-premises Exchange server will no longer be pursued," adding that "our investments in Modern Authentication will be restricted to those with hybrid deployments."

Microsoft defines modern authentication as the use of cloud-based Azure Active Directory (AD) for authentication, plus conditional access for security, along with mobile application management solutions, such as Microsoft Intune.

Microsoft's hybrid support for modern authentication seems to be continuing. For instance, last year, Microsoft announced it had added Exchange Server hybrid modern authentication support for Outlook apps on both Android and iOS devices.