January 2023 Exchange Server Security Updates
Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.
Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
Exchange Server Security Updates
Microsoft has released Security Updates for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
These Security Updates are available for the following specific versions of Exchange:
Read more on how to Install Exchange Security Update.
If you are not on one of these Exchange Server CU versions, update to a supported CU first and then apply the SU above.
Read more on how to Install Exchange Cumulative Update.
Vulnerabilities addressed in the January 2023 Security Updates were responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.
Defense-in-depth: Enable Certificate Signing of PowerShell Serialization Payload
Serialization is the process of converting the state of an object into a form (stream of bytes) that can be persisted or transmitted to memory, a database, or a file. PowerShell, for example, uses serialization (and its counterpart deserialization) when passing objects between sessions.
To defend Exchange servers against attacks on serialized data, we’ve added certificate-based signing of PowerShell serialization payloads in the January 2023 SUs. In the first rollout stage, this new feature must be manually enabled by an Exchange Server admin due to feature dependencies.
This article details the steps to enable certificate-based signing of serialization data in Exchange Server. We have also released a script you can use to validate/create the required auth certificate in your organization or you can do it manually.
Important: If you have an Exchange Server 2013 in your environment, turning on the signing of serialization payload feature might lead to several issues impacting management in your organization. We recommend not turning on this feature for now; we will address this in a future update. Customers with only Exchange Server 2016 / 2019 can proceed with using the certificate signing of PowerShell serialization payload feature.
Known issues with this release
- If Exchange Server 2016 is installed on Windows Server 2012 R2, after installation of the January 2023 SU, the AD Topology service might not start automatically, causing services that depend on it to not start automatically either. To work around this problem, start Exchange services manually. Please see Some Exchange services do not start automatically after installing January 2023 Security Update.
- Once the update is installed on an Exchange Server 2016 or 2019, web page previews for URLs shared in OWA will not be rendered properly. We will resolve this in a future update.
- Version error when you install Exchange Server in RecoverServer mode.
- Exchange Toolbox and Queue Viewer fails after Certificate Signing of PowerShell Serialization Payload is enabled.
FAQs
When should we enable the new certificate signing of PowerShell serialization payload feature?
This feature should be enabled only after you have updated all your Exchange Servers to the January 2023 (or newer) SU. Enabling the feature before all servers are updated might lead to failures and errors when managing your organization.
Why do we need to enable the new certificate signing manually? Why does Microsoft not enable the feature automatically?
Our intention is to enable certificate signing of PowerShell serialization payload by default in a future update. The feature relies on a valid auth certificate being present in the organization, so we wanted to give admins a chance to validate their certificate before enabling a feature that depends on it (certificate issues could lead to unexpected results and errors if the feature were enabled by default). We have released a script you can use to validate / create this certificate.
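As an added example that is not part of the original post (and not Microsoft's own script), the following PowerShell wraps the documented enable commands in the pre-checks this section and the two FAQs above call for: every server on the January 2023 (or later) SU, no Exchange Server 2013 in the organization, and a currently valid Auth Certificate, plus a rollback. It assumes WinRM remoting to every Exchange server from an elevated Exchange Management Shell, and that you supply the SU's ExSetup.exe build numbers from the KB article (they are deliberately not hard-coded). It also generalizes the documented per-server refresh and IIS restart to all servers via -Server and Invoke-Command.

```powershell
# Added example, not code from the original post or from Microsoft. Run from an
# elevated Exchange Management Shell on a server that already has the January 2023
# (or later) SU. Assumptions: WinRM remoting to every Exchange server is allowed,
# and the caller supplies the ExSetup.exe build of the January 2023 SU per major
# version (15.1 = Exchange 2016, 15.2 = Exchange 2019) from the SU's KB article.

function Get-ExchangeSuBuild {
    param([Parameter(Mandatory)][string]$Fqdn)
    # AdminDisplayVersion only reflects the CU; SUs do not change it. The SU level
    # is visible in the product version of ExSetup.exe on the server itself.
    Invoke-Command -ComputerName $Fqdn -ScriptBlock {
        [version](Get-Item "$env:ExchangeInstallPath\bin\ExSetup.exe").VersionInfo.ProductVersion
    }
}

function Test-SigningPrereqs {
    param([Parameter(Mandatory)][hashtable]$MinimumSuBuild)
    $ok = $true
    foreach ($s in Get-ExchangeServer) {
        $major = '{0}.{1}' -f $s.AdminDisplayVersion.Major, $s.AdminDisplayVersion.Minor
        if ($major -eq '15.0') {
            # Exchange 2013 present: the SU guidance says do not enable signing yet.
            Write-Warning "$($s.Name) is Exchange Server 2013; do not enable the feature in this organization."
            $ok = $false; continue
        }
        $build = Get-ExchangeSuBuild -Fqdn $s.Fqdn
        if (-not $MinimumSuBuild.ContainsKey($major) -or $build -lt $MinimumSuBuild[$major]) {
            # Enabling before every server has the SU breaks management (see the FAQ).
            Write-Warning "$($s.Name) is on build $build, below the required SU build."
            $ok = $false
        }
    }
    # Payloads are signed with the organization's Auth Certificate, so it must exist
    # and be valid now; MonitorExchangeAuthCertificate.ps1 can create or renew it.
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    $cert  = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
    $now   = Get-Date
    if (-not $cert -or $cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
        Write-Warning 'Auth certificate missing or not currently valid; fix it before enabling.'
        $ok = $false
    }
    return $ok
}

function Sync-SigningOverride {
    # Make every server reload the VariantConfiguration override and recycle IIS:
    # the two steps Microsoft documents after creating or removing the override.
    foreach ($s in Get-ExchangeServer) {
        Get-ExchangeDiagnosticInfo -Server $s.Name -Process Microsoft.Exchange.Directory.TopologyService `
            -Component VariantConfiguration -Argument Refresh | Out-Null
        Invoke-Command -ComputerName $s.Fqdn -ScriptBlock { Restart-Service -Name W3SVC, WAS -Force }
    }
}

function Enable-SerializationSigning {
    # Organization-wide override; add -Server <name> to New-SettingOverride to
    # stage it on a single server first.
    New-SettingOverride -Name 'EnableSigningVerification' -Component Data `
        -Section EnableSerializationDataSigning -Parameters @('Enabled=true') `
        -Reason 'Enabling Signing Verification' | Out-Null
    Sync-SigningOverride
}

function Disable-SerializationSigning {
    # Rollback: the same steps Microsoft gives for the Exchange Toolbox /
    # Queue Viewer known issue.
    Get-SettingOverride -Identity 'EnableSigningVerification' | Remove-SettingOverride -Confirm:$false
    Sync-SigningOverride
}

function Test-SerializationSigningEnabled {
    $o = Get-SettingOverride -Identity 'EnableSigningVerification' -ErrorAction SilentlyContinue
    return [bool]($o -and ($o.Parameters -contains 'Enabled=true'))
}

# Usage (fill the builds from the January 2023 SU KB article):
# $min = @{ '15.1' = [version]'<2016 SU build>'; '15.2' = [version]'<2019 SU build>' }
# if (Test-SigningPrereqs -MinimumSuBuild $min) { Enable-SerializationSigning }
# Test-SerializationSigningEnabled   # $true once the override exists
```

The build comparison reads ExSetup.exe rather than Get-ExchangeServer because AdminDisplayVersion stops at the CU level and would report a server as "current" even with the SU missing; the Health Checker script does the same check. Disable-SerializationSigning is the documented rollback if the Toolbox / Queue Viewer issue listed above matters in your environment.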
How does this SU relate to Extended Protection feature?
If you already enabled Extended Protection on your servers, install the SU as usual. If you did not enable Extended Protection yet, our recommendation is to enable it after installing the January (or any later) SU. Running the Health Checker script will always help you validate exactly what you might need to do after SU installation.
Is Windows Extended Protection a prerequisite that needs to be activated before or after applying the SU, or is that an optional but strongly recommended activity?
Extended Protection is not a prerequisite for this Security Update; you can install the SU without activating Extended Protection. However, configuring Extended Protection is strongly recommended, as it helps protect your environment from authentication relay and "Man in the Middle" (MITM) attacks.
The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one?
The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only.
My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the January 2023 Security Update needs to be installed on your on-premises Exchange Servers, even if they are used only for management purposes. If you change the auth certificate after installing the January 2023 SU, you should re-run the Hybrid Configuration Wizard.
Do I need to install the updates on “Exchange Management Tools only” workstations?
Install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.
Warning!
After enabling Certificate Signing of PowerShell Serialization Payload, the Exchange Toolbox with Queue Viewer won't start. There is still no workaround.
Regarding Exchange 2016 and 2019:
This is a workaround if you have activated PowerShell Serialization Payload. But I'm not sure it's a good thing to do, because safety first, and you can live without the Queue Viewer since it works in EMS.
# Remove the organization-wide override that turns signing verification on
Get-SettingOverride -Identity "EnableSigningVerification" | Remove-SettingOverride
# Make the running processes reload the configuration
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
# Recycle IIS so the change takes effect
Restart-Service -Name W3SVC, WAS -Force
https://support.microsoft.com/en-us/topic/exchange-toolbox-and-queue-viewer-fails-after-certificate-signing-of-powershell-serialization-payload-is-enabled-7a1bff2d-614f-4fa0-bab1-ea6c25dae047
I am seeing an issue with Exchange services starting up automatically post install and running commands. I am able to manually start all the automatic services that haven't started without any issues, and after starting them all and running the Health Checker it is not finding anything. I also ran the SetupLogReviewer and the SetupAssist PowerShell scripts, but they also did not find anything. I also tried resetting the automatic services to automatic and starting the services before rebooting, but it did not have any impact. Some services start but not all. I'm not seeing anything of value in Event Viewer either. I am experiencing this issue on both my Exchange servers after the install and post-install commands. Is anyone else seeing something similar or have any suggestions as to what may be the issue?
- Installed SU 23 for Exchange 2016 on both 2012 R2 servers
- Ran .\MonitorExchangeAuthCertificate.ps1 but no renewal needed
- Ran to enable serialization (organization-wide): New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true") -Reason "Enabling Signing Verification"
- Ran to refresh: Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
- Ran to restart W3SVC and WAS: Restart-Service -Name W3SVC, WAS -Force
Exchange Server 2016 on Windows Server 2012 R2:
After installation of the January 2023 SU, the AD Topology service might not start automatically, causing services that depend on it to not start automatically either.
To work around this problem, start Exchange services manually.
The Exchange team is investigating this further.
Thank you for the quick update. The AD Topology Service does start up fine each time I reboot to test. I will create a PowerShell script to run through the needed services and start them until further notice.