Exchange 2013 SP1 Released

Exchange 2013 SP1 On Microsoft Download CenterExchange 2013 SP1 has now been released to the Microsoft Download Center!

The build number for Exchange Server 2013 SP1 is 15.00.0847.032

Update 5-3-2014:  If you are using custom transport agents please see Third-party transport agents cannot be loaded correctly in Exchange Server 2013  The script you need to remediate the issue is linked from that KB, and is available directly from the download center.

Update 14-4-2014:  As discussed in post “Patching Exchange? Don’t Overlook Outlook”, make sure to keep Outlook updated.  KB 2863911  Outlook 2013 profile might not update after mailbox is moved to Exchange 2013

Update 14-4-2014:  Please see KB 2958434  if deleting Exchange 2013 databases.  Users cannot access mailboxes in OWA or EAS when mailbox database is removed.

As always please read the release notes!  Exchange 2013 SP1 contains schema changes and you will need to go through testing and validation to ensure a smooth rollout!

Noted at the bottom of the Exchange Team Post the next Exchange 2013 update will be CU5.  Thus we could call this CU4, but Service Packs mark an important milestone for support lifecycle events so this do think of this as a Service Pack!

You can download Exchange 2013 SP1 from here.

Updates Of Particular Note

Scroll down below for details on each of these features!

  • Windows Server 2012 R2 support for Exchange Server installation
  • Windows Server 2012 R2 Domain Function Level and Forest Function Level
  • Return Of the Mac Edge Transport
  • AD FS claims-based authentication with Outlook Web App and ECP
  • Hybrid deployments with multiple Active Directory forests
  • Database Availability Group without an Administrative Access Point

Issues Resolved

KB 2926248  contains the description for Exchange 2013 SP1.

  • 2860242 HTML format is lost after saving as an MSG file in Exchange 2013
  • 2900076 Mailbox quota warning message uses an incorrect language in Exchange Server 2013
  • 2910199  "Reply all by IM" chat window displays seven recipients in Outlook Web App
  • 2913999  Meeting request body and instructions are lost in delegate's auto-forwarded meeting request
  • 2918655 Microsoft.Exchange.Servicehost.exe crashes after you enable FIPS
  • 2918951  Users cannot access public folders after you upgrade to Exchange Server 2013 Cumulative Update 3
  • 2925281 Outlook connectivity issue if SSLOffloading is "True" in Exchange 2013
  • 2925544 Empty ExternalURL value for ActiveSync virtual directory after build-to-build upgrade of Exchange Server 2013
  • 2927708  Resource mailboxes that are created by EAC will not be updated by policies in Exchange Server 2013
  • 2928748 Default from delegate's address in shared mailboxes in Exchange Server 2013
  • 2928803 Long server connection for Outlook after a database failover in Exchange Server 2013
  • 2930346 POP3 access does not work if the name of the resource mailbox differs from the user's name
  • 2930348 Manual redirection occurs in Outlook Web App if External URLs in each site are the same
  • 2930352 Outlook Web App cross-site silent redirection does not work in Exchange Server 2013

Detailed Update Descriptions

Windows Server 2012 R2 support

Windows Server 2012 R2 is now a supported operating system in Exchange 2013 SP1. Exchange 2013 SP1 also supports installation in Active Directory environments running Windows Server 2012 R2. For more information, see Exchange 2013 System Requirements.

Edge Transport

Edge Transport servers minimize attack surface by handling all Internet-facing mail flow, which provides SMTP relay and smart host services for your Exchange organization, including connection filtering, attachment filtering and address rewriting. For more information, see Edge Transport Servers.

OWA Junk Email Reporting

OWA customers can report missed spam in the inbox (false negative) and misclassified as spam (false positive) messages to Microsoft for analysis by using its built-in junk email reporting options. Depending on the results of the analysis, we can then adjust the anti-spam filter rules for our Exchange Online Protection (EOP) service. For more information, see Junk Email Reporting in OWA.

S/MIME for Message Signing and Encryption

Microsoft Exchange Online and Exchange 2013 SP1 now support S/MIME-based message security. Secure/Multipurpose Internet Mail Extensions (S/MIME) allows people with Office 365 mailboxes to help protect sensitive information by sending signed and encrypted email within their organization. Administrators can enable S/MIME for Office 365 mailboxes by synchronizing user certificates between Office 365 and their on-premises server and then configuring Outlook Online to support S/MIME. For more information, see S/MIME for Message Signing and Encryption and the Get-SmimeConfigcmdlet reference.

DLP Policy Tips available in the desktop and mobile version of Outlook Web App

Data loss prevention (DLP) Policy Tips are informative notices that are displayed to senders in Outlook when they try sending sensitive information. In Exchange 2013 SP1, this functionality has been extended to both the desktop version of Outlook Web App and the mobile version (named OWA for Devices). You’ll see it in action if you have an existing DLP policy with Policy Tips turned on for Outlook. If your policy already includes Policy Tips for Outlook, you don't need to set up anything else. Go ahead and try it out!

Not currently using Policy Tips? To get started, Create a DLP Policy From a Template, then add a policy tip by editing the policy and adding a Notify the sender with a Policy Tipaction.

DLP Classification based on Document Fingerprints

Deep content analysis is a cornerstone of DLP in Exchange. Document Fingerprintingexpands this capability to enable you to identify standard forms used in your organization, which may contain sensitive information. For example, you can create a fingerprint based off a blank employee information form, and then detect all employee information forms with sensitive content filled in.

DLP sensitive information types for new regions

SP1 provides an expanded set of standard DLP sensitive information types covering an increased set of regions, which makes it easier to start using the DLP features. SP1 adds region support for Poland, Finland and Taiwan. To learn more about the new DLP sensitive information types, see Sensitive Information Types Inventory.

Using AD FS claims-based authentication with Outlook Web App and ECP

Deploying and configuring Active Directory Federation Services (AD FS) using claims means multifactor authentication can be used with Exchange 2013 SP1 including supporting smartcard and certificate-based authentication in Outlook Web App. In a nutshell, to implement AD FS to support multifactor authentication:

  • Install and configure Windows Server 2012 R2 AD FS (this is the most current version of AD FS and contains additional support for multifactor authentication). To learn more about setting up AD FS, see Active Directory Federation Services (AD FS) Overview
  • Create relying party trusts and the required AD FS claims.
  • Publish Outlook Web App through Web Application Proxy (WAP) on Windows Server 2012 R2.
  • Configure Exchange 2013 to use AD FS authentication.
  • Configure the Outlook Web App virtual directory to use only AD FS authentication. All other methods of authentication should be disabled.
  • Restart Internet Information Services on each Client Access server to load the configuration.

For details, see Using AD FS claims-based authentication with Outlook Web App and EAC

SSL Offloading support

SSL offloading is supported for all of the protocols and related services on Exchange 2013 Client Access servers. By enabling SSL offloading, you terminate the incoming SSL connections on a hardware load balancer instead of on the Client Access servers. Using SSL offloading moves the SSL workloads that are CPU and memory intensive from the Client Access server to a hardware load balancer.

SSL offloading is supported with following protocols and services:

  • Outlook Web App
  • Exchange Admin Center (EAC)
  • Outlook Anywhere
  • Offline Address Book (OAB)
  • Exchange ActiveSync (EAS)
  • Exchange Web Services (EWS)
  • Autodiscover
  • Mailbox Replication Proxy Service (MRSProxy)
  • MAPI virtual directory for Outlook clients

If you have multiple Client Access servers, each Client Access server in your organization must be configured identically. You need to perform the required steps for each protocol or service on every Client Access server in your on-premises organization. For details, see Configuring SSL Offloading in Exchange 2013

Public Attachment Handling in Exchange Online

Although there are both private (internal network) and public (external network) settings to control attachments using Outlook Web App mailbox policies, admins require more consistent and reliable attachment handling when a user signs in to Outlook Web App from a computer on a public network such as at a coffee shop or library. Go here for details, Public Attachment Handling in Exchange Online.

Browser Support for AppCache

Internet Explorer 10 and Windows Store apps using JavaScript support the Application Cache API (or AppCache), as defined in the HTML5 specification, which allows you to create offline web applications. AppCache enables webpages to cache (or save) resources locally, including images, script libraries, style sheets, and so on. In addition, AppCache allows URLs to be served from cached content using standard Uniform Resource Identifier (URI) notation. The following is a list of the browsers that support AppCache:

  • Internet Explorer 10 or later versions
  • Google Chrome 24 or later versions
  • Firefox 23 or later versions
  • Safari 6 or later (only on OS X/iOS) versions

Exchange OAuth authentication protocol

Information workers in Exchange on-premises organizations need to collaborate with information workers in Exchange Online organizations when they are connected via an Exchange hybrid deployment. New in Exchange 2013 SP1, this connection can now be enabled and enhanced by using the new Exchange OAuth authentication protocol. The new Exchange OAuth authentication process will replace the Exchange federation trust configuration process and currently enables the following Exchange features:

  • Exchange hybrid deployment features, such as shared free/busy calendar information, MailTips, and Message Tracking.
  • Exchange In-place eDiscovery

For more information, see Configure OAuth Authentication Between Exchange and Exchange Online Organizations.

Hybrid deployments with multiple Active Directory forests

New in Exchange 2013 SP1, hybrid deployments are now supported in organizations with multiple Active Directory forests. For hybrid deployment features and considerations, multi-forest organizations are defined as organizations having Exchange servers deployed in multiple Active Directory forests. Organizations that utilize a resource forest for user accounts, but maintain all Exchange servers in a single forest, aren’t classified as multi-forest in hybrid deployment scenarios. These types of organizations should consider themselves a single forest organization when planning and configuring a hybrid deployment.

For more information, see Hybrid Deployments with Multiple Active Directory Forests.

Database Availability Group without an Administrative Access Point

Windows Server 2012 R2 enables you to create a failover cluster without an administrative access point. Exchange 2013 SP1 introduces the ability to leverage this capability and create a database availability group (DAG) without a cluster administrative access point. Creating a DAG without an administrative access point reduces complexity and simplifies DAG management. In addition, it reduces the attack surface of a DAG by removing the cluster/DAG name from DNS, thereby making it unresolvable over the network.

For more information, see High Availability and Site Resilience.

Some Items For Consideration

As with previous CUs, SP1 follows the new servicing paradigm that was previously discussed on the blog.  This package can be used to perform a new installation, or to upgrade an existing Exchange Server 2013 installation to SP1.  You do not need to install Cumulative Update 1 or 2 for Exchange Server 2013 RTM when you are installing SP1.

After you install this Service pack, you cannot uninstall the Service Pack to revert to an earlier version of Exchange 2013. If you uninstall this Service pack, Exchange 2013 is removed from the server.

Note that customised configuration files are overwritten on installation.  Make sure you have any changes fully documented!

Once the Service Pack Installation has completed, restart the server.  The server should be restarted even if you are not prompted.

Please enjoy the update responsibly!

What do I mean by that?  Well, you need to ensure that you are fully informed about the caveats with the CU  and are aware of all of the changes that it will make within your environment.  Additionally you will need to test the CU your lab which is representative of your production environment.



Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *