
August 2022 Exchange Server Security Updates

Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.

Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

Exchange Server Security Updates

Microsoft has released Security Updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These Security Updates are available for the following specific versions of Exchange:

Read more on how to Install Exchange Security Update.

If you are not at these Exchange Server CU versions, please update right now and apply the above patch.

Read more on how to Install Exchange Cumulative Update.

Vulnerabilities addressed in the August 2022 Security Updates were responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

Manual enablement of Windows Extended Protection

Addressing some of the CVEs released this month requires admins to enable Windows Extended Protection on their Exchange servers. To help you enable this feature, we have developed a script for this process. Please carefully evaluate your environment and review all known issues mentioned in the script documentation before enabling Windows Extended Protection on your Exchange servers.

Please note that enabling Extended Protection (EP) is only supported on specific versions of Exchange (please see documentation for full list of prerequisites).

The current version of this script can be found at https://aka.ms/ExchangeEPScript and the documentation is at https://aka.ms/ExchangeEPDoc. For script and documentation changes and suggestions, please engage with us via GitHub to ensure proper issue and change tracking. The script provided to enable Extended Protection updates itself automatically if the computer on which it is executed has an internet connection (direct or via proxy). However, if you don’t have internet access, make sure to download the latest version of the script, as we are continuously improving it.

Note: It is important that you fully understand Windows Extended Protection prerequisites and all known issues before running the script in your environment. Enabling Extended Protection affects communication between your Exchange servers and between clients and servers.

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the August 2022 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on “Exchange Management Tools only” workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

We skipped installation of May 2022 SU. Do we need to run /preparealldomains after we install the August SU?

When May 2022 SU was released, the /preparealldomains switch needed to be run manually to address a particular CVE. If you skipped the May 2022 SU and are going straight to August 2022 SU, you will still need to run /preparealldomains to address that particular CVE. Please see the May 2022 SU release post for more details. When in doubt, run HealthChecker which will tell you what you need to do!

Further information

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 23 Comments

  1. We have 3 Exchange 2016 on Server 2012 R2 with the latest CU/SU patches, using a DAG environment with a non-modern hybrid configuration. For load balancing we are using F5 with SSL bridging. After enabling the Enhanced Protection features, we started having problems trying to enable/disable UM for users through the admin console. We receive a 401 unauthorized error message. The weird thing is that this only happens to users that are in a database that is mounted on either 2 of the 3 Exchange servers. If anyone is mounted on a database that is mounted on the 1st server, this is not an issue. If I mount the database to the first server, I am able to modify the users' UM settings. I am not sure what is causing 1 out of the 3 servers to work as intended after Extended Protection was enabled. In order to try and remedy this, I disabled Extended Protection for the EWS directory, both back-end and front-end. Doing this fixed the issue, but I feel like something isn't configured properly because it did work on the 1st server. Has anyone else come across this issue? Would you recommend rolling back the Extended Protection mode till more information is out?

  2. Hi. Why? This happened after the update and the web client and server do not open.
    🙁
    Something went wrong
    Your request couldn’t be completed. HTTP Status code: 500.

    X-ClientId: 14FF3AEB4D1F444C9A474448C75E1090
    request-id df2c5bb3-851d-40a1-9103-a49c79b6b1cb
    X-OWA-Error System.Web.HttpUnhandledException
    X-OWA-Version 15.1.2507.12
    X-FEServer EXS2016
    X-BEServer EXS2016
    Date:8/30/2022 6:16:44 AM
    InnerException: System.IO.DirectoryNotFoundException

    1. Hello Ali,
      Same issue. Single Exchange 2016 CU23 (hybrid configured).
      Fully patched; just after installing the latest August SU (via CMD as admin) and rebooting, OWA gets an error 500 “DirectoryNotFoundException”. This issue occurs because all subfolders under Microsoft\Exchange Server\V15\ClientAccess\Owa\15.1.2507.12 are empty.
      I just re-executed the SU (CMD as admin), and the issue has been resolved.
      Cheers

      1. Hi Teva,
        I didn’t understand exactly what you mean by running SU again. Can you explain more fully?

  3. Ali,

    If I have a single Exchange 2016 running CU22, install the August SU, then enable extended protection, it looks like it is going to break some of the Public Folders unless I upgrade to CU23 first, can you confirm?

  4. Hello Ali,
    Thank you so much for the great guide.
    We are running Exchange 2016 CU23 in hybrid mode. I ran the health check script after deploying the August security update and noticed that in the “Security Vulnerability” section, ConfigSupported is all false except for “Default Web Site/Autodiscover” and “Exchange Back End/Autodiscover”.
    I also read from the MS article saying that Extended Protection does not work with hybrid servers using Modern Hybrid configuration.
    In this case, should we run the Exchange Extended Protection Management script?
    Thanks.

    1. Hi Michael,

      No, don’t run the script if you have Modern Hybrid configuration.

      Enabling Extended Protection on Hybrid servers using Modern Hybrid configuration will lead to disruption of hybrid features like mailbox migrations and Free/Busy. Hence, it is important to identify all the Hybrid Servers in the organization published via Hybrid Agent and not enable Extended Protection specifically on these servers.

  5. hi

    thanks for good job Ali

    Well, I have Exchange 2013 with SSL offloading, so it is a no-go for me, if I understand the readme/conditions.
    But if I have understood, I can still install the SU; it will not activate this feature, so it is “safe” for me.
    I will continue without this feature (I'm currently migrating to new forest ex2019)

    thanks
    pierre

  6. Hi Ali,

    We are running Exchange 2016 as a 2-server cluster, and after applying Windows Extended Protection on the first node, this node does not allow user authentication from Outlook clients anymore (webmail and smartphone access are working fine).
    Any experience about that?

    Thank you
    Claudio

  7. After I run the health script, it shows the below in red color.

    Security Settings
    -----------------

    TLSVersion ServerEnabled ServerDbD ClientEnabled ClientDbD Configuration
    ---------- ------------- --------- ------------- --------- -------------
    1.0        False         False     False         False     Half Disabled
    1.1        False         False     False         False     Half Disabled
    1.2        False         False     False         False     Half Disabled

    1.1 ServerEnabledValue: -1 — Error: Must be a value of 1 or 0.
    1.2 ServerEnabledValue: -1 — Error: Must be a value of 1 or 0.
    1.0 ServerEnabledValue: -1 — Error: Must be a value of 1 or 0.
    1.1 ClientEnabledValue: -1 — Error: Must be a value of 1 or 0.
    1.2 ClientEnabledValue: -1 — Error: Must be a value of 1 or 0.
    1.0 ClientEnabledValue: -1 — Error: Must be a value of 1 or 0.
    More Information: https://aka.ms/HC-TLSConfigDocs

    FrameworkVersion SystemDefaultTlsVersions Wow6432NodeSystemDefaultTlsVersions SchUseStrongCrypto Wow6432NodeSchUseStrongCrypto

    What does it mean?

    1. Because of the potential future protocol downgrade attacks and other TLS vulnerabilities, it’s recommended to disable TLS 1.0 and 1.1.

      The Microsoft link describes what you have to do. That’s to define the TLS registry values on the Exchange Server.

      So it will look like this:

      1. Enable TLS 1.2
      2. Enable TLS 1.2 for .NET 4.x
      3. Enable TLS 1.2 for .NET 3.5
      4. Disable TLS 1.0
      5. Disable TLS 1.1
      6. Disable TLS 1.3

      Note that you must ensure that every application supports TLS 1.2 before disabling TLS 1.0 and 1.1.

      Read more in the article Configure Exchange Server TLS settings.
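
The six steps listed in the reply above, as an added PowerShell example that is not part of the original post or comments and is not the author's or Microsoft's script. It assumes the standard SCHANNEL and .NET Framework registry locations; the `-Apply` switch and the report columns are names chosen for this example.

```powershell
# Added example, not the author's or Microsoft's script. Run elevated on the Exchange server.
# Without -Apply (a switch name chosen for this example) it only reports; with it, it writes.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$desired  = @()

# Steps 1, 4, 5, 6 of the reply: protocol state for both the Server and Client role.
$protocols = [ordered]@{ 'TLS 1.2' = 1; 'TLS 1.0' = 0; 'TLS 1.1' = 0; 'TLS 1.3' = 0 }
foreach ($proto in $protocols.Keys) {
    foreach ($role in 'Server', 'Client') {
        $key = "$schannel\$proto\$role"
        $desired += [pscustomobject]@{ Path = $key; Name = 'Enabled';           Value = $protocols[$proto] }
        $desired += [pscustomobject]@{ Path = $key; Name = 'DisabledByDefault'; Value = 1 - $protocols[$proto] }
    }
}

# Steps 2 and 3: .NET 4.x (v4.0.30319) and .NET 3.5 (v2.0.50727), 64-bit and 32-bit views.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft') {
    foreach ($ver in 'v4.0.30319', 'v2.0.50727') {
        foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            $desired += [pscustomobject]@{ Path = "$root\.NETFramework\$ver"; Name = $name; Value = 1 }
        }
    }
}

$report = foreach ($item in $desired) {
    # A missing key or value yields $null, reported as "not set" rather than as 0.
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
    $state   = if ($current -eq $item.Value) { 'ok' } else { 'differs' }
    if ($Apply -and $state -eq 'differs') {
        if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -PropertyType DWord -Force | Out-Null
        $state = 'changed'
    }
    [pscustomobject]@{
        Key     = $item.Path.Substring(6)   # drop the "HKLM:\" prefix for display
        Name    = $item.Name
        Current = if ($null -eq $current) { 'not set' } else { $current }
        Desired = $item.Value
        State   = $state
    }
}
$report | Format-Table -AutoSize -Wrap
if ($Apply) { Write-Warning 'Rows marked "changed" were written; restart the server so SCHANNEL uses them.' }
```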

  8. Hi Ali,
    Thanks for your great documentation.
    What will be the impact if we don’t install the Windows Extended Protection? We are in a hybrid environment running Exchange 2013 server but soon moving to 2019. I am concerned that this will impact the hybrid connections. Can I just install the security updates without the Windows Extended Protection?

    1. Hi Ras,

      Click on the CVEs, and down below in the FAQ, it will show the impact.

      You can install the SU and, at a later stage, enable Extended Protection on Exchange Servers.

  9. Hi Ali,

    Regarding the Extended Protection, would you say we are safe to run the script if our health checker values all come back as “True” within the “Security Vulnerability” section within the “ConfigSupported” column?

    Thanks!
    Chris

  10. Dear Ali,

    first of all thank you for all your precious and effective documentation, which I find very useful.
    My question is: do I need to run the Windows Extended Protection script while the exchange servers are still in maintenance mode, or shall I run while they are fully productive?
    Is any further restart needed?

    Thank you
    Claudio

  11. Hi Ali,

    Thank you very much for your courses; they are very useful. For the new security updates of August 2022 on the https://msrc.microsoft.com/update-guide/ website, I see several updates. CVE-2022-34692, CVE-2022-30134, CVE-2022-24477, CVE-2022-24516, CVE-2022-21980, CVE-2022-21979, for example, have been published for Exchange 2019 CU19. Do we need to install all these Security Updates separately?
    I guess we don’t have a chance to install them all at once 🙂

    1. Hi Emre,

      You only have to download the SU for your Exchange Server version.

      There is no Exchange Server 2019 CU19 available. The latest is Exchange Server 2019 CU12. Perhaps a typo.

      If you’re on that version, you should only download and install “Security Update For Exchange Server 2019 CU12 (KB5015322)”
