April 2024 Exchange Server Hotfix Updates – HU

Exchange April 2024 Hotfix Update

Want some updates to go with your updates?  That’s pretty much what you are getting with the April 2024 Exchange updates.  We can split the features which are part of the April 2024 release into two main areas:

  1. Fixing the multiple things that broke with the March 2023 Security Update (SU)
  2. Adding net new features

The April 2024 HU is available for the following builds of Exchange Server:

  • Exchange Serve
Read the rest “April 2024 Exchange Server Hotfix Updates – HU”

Unable To Install or Launch Exchange HCW

Unable To Launch Exchange Hybrid Configuration Wizard

You want to run the Exchange Hybrid Configuration Wizard (HCW) and after clicking the link to the HCW in the admin portal or manually browsing to the shortcut URL you are unable to either launch or install the HCW.  Despite using Edge, the HCW application just does not install and/or launch.  All you get is the initial prompt to open the file and nothing else.

For example, if we go to the shortcut … Read the rest “Unable To Install or Launch Exchange HCW”


Exchange 2016 – CU23 Now Required

Exchange 2016 CU23 Now Required

With the release of Exchange 2019 CU14 today, a separate announcement was added to the release post to highlight that only CU23 is supported for Exchange 2016.  Exchange Server 2016 is supported until the end of its support in 2025, however in order to receive support and to obtain Security Updates (SUs) you must be running CU23.  CU22 and all older releases of Exchange 2016 are no longer supporte… Read the rest “Exchange 2016 – CU23 Now Required”


Exchange Healthcheck Script– Unable to Connect to Server

Exchange Healthcheck Script - Unable to Connect

Below is a repro of a customer situation where the Exchange Healthcheck script was unable to connect to a remote Exchange server.  The Healthcheck script would run locally with no issues, and reported a clean bill of health.

Note that the expected output log was not present after running the script.

In the command below, we are trying to remotely assess sever Exch-2019-1

Exchange Healthcheck Script - Unable to Connect to Server

Troubleshooting Thoughts

It wa… Read the rest “Exchange Healthcheck Script– Unable to Connect to Server”


Unable To Access OWA Externally Via WAP 2019

Unable To Access OWA - Still Working On It

After upgrading Web Application Proxy (WAP) to Windows Server 2019 you may run into an issue with certain applications that are published via WAP to the Internet.

In the below example the AD FS upgrade went well with no issues.  The AD FS farm and WAP servers were upgraded to Windows Server 2019 and all appeared to be going well.  Too well that was, as when the external tests were validated against… Read the rest “Unable To Access OWA Externally Via WAP 2019”


Exchange Unexpected InternalNLBBypass URL – RecoverServer

Exchange Server Unexpected URL RecoverServer

Reviewing the output of an environement's CAS Namespaces showed that there was an unexpecte URL present for the version of Exchagne that was installed.  With Exchange 2013 onwards InternalNLBBypassURL is not something that we need to set.  That was an Exchange 2007 and 2010 thing.

In the environment below note that there are couple of things that pique my interest.

Any thoughts?

Exchange WebServices Showing InternalNLBBypassURL

What is interesting i… Read the rest “Exchange Unexpected InternalNLBBypass URL – RecoverServer”


Updated Guidance On Exchange Server Extended Protection

Extended Protection is set to Required on the OAB vDIR

Extended Protection (EP) was added to Windows back in 2009 as a new security feature. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protect… Read the rest “Updated Guidance On Exchange Server Extended Protection”


Exchange Server Extended Protection

Exchange Server Extended Protection

Extended Protection uses service binding and channel binding to help prevent an authentication relay attack. In an authentication relay attack, a client that can perform NTLM authentication (for example, Windows Explorer, Microsoft Outlook, a .NET SqlClient application, etc.), connects to an attacker (for example, a malicious CIFS file server). The attacker uses the client's credentials to masquer… Read the rest “Exchange Server Extended Protection”


Remediate Exchange Security CVE-2022-21978

Remediate Exchange CVE-2022-21978

The May 2022 security update for Exchange Server 2013, 2016 and 2019 resolved CVE-2022-21978.  A common issue is that admins are only doing part of the work to address this CVE.  Yes they are installing the update, but are not reading the rest of the documentation which states that an additional command must be run.

The FAQ states:

Do I need to take further steps to be protected from this vulnerabilRead the rest “Remediate Exchange Security CVE-2022-21978”


Implementing Exchange DownloadDomain Security

Implement Exchange DownloadDomain

In the field, I’m seeing multiple customers that are struggling to implement the DownloadDomain feature. It does require a little prep work and it is not as simple as just running a single command in Exchange to flip the setting on.

In order to mitigate and issue with OWA, it is necessary to create an additional CAS namespace that will be used for downloading attachments from OWA.  This will requir… Read the rest “Implementing Exchange DownloadDomain Security”