February 2024 Exchange Server Security Updates
Hi All,
Yesterday, Microsoft announced the 2024 H1 Cumulative Update (Exchange 2019 CU14) on the Exchange Team Blog.
News:
- Exchange 2016 is supported only with the latest CU (CU23) - update to the latest Security Update (SU)
Exchange 2019 CU14:
- Exchange Server support for Windows Extended Protection is enabled by default (it can be disabled with the setup parameter /DoNotEnableEP or /DoNotEnableEP_FEEWS, but this is not recommended)
- Read the Prerequisites for enabling Extended Protection on Exchange server
- New Exchange Schema Version (setup.exe /prepareAD)
- .NET Framework 4.8.1 support on Windows Server 2022
- TLS 1.3 support moved to CU15
- To address CVE-2024-21410 (also released today), Extended Protection needs to be enabled
Here is the Process for updating from Microsoft
I would recommend enabling Extended Protection first on an earlier version and making sure it works before upgrading to Exchange 2019 CU14
Updating Exchange Mailbox Role
I’ve checked the Exchange Schema Version before the Update
Then I mounted the ISO and started the setup.exe
There is a pending reboot, so I need to reboot the server first
Now we are ready for the update
In the First step, the Exchange Schema is updated
I’ve checked the Exchange Schema Version before the Update
Only the Object Version has been changed from 16761 to 16762
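The same check can be done from PowerShell on a domain-joined machine. This is an added example, not part of the original post: the function name Get-ExchangeAdVersion is hypothetical, and the expected value 16762 is the object version reported above, which is the objectVersion of the Exchange organization container in the configuration partition.

```powershell
# Added example: read the Exchange schema and object versions from Active Directory.
# Get-ExchangeAdVersion is a hypothetical helper name, not a Microsoft cmdlet.
function Get-ExchangeAdVersion {
    [CmdletBinding()]
    param()

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $domainNC = [string]$rootDse.defaultNamingContext

    # Schema version: rangeUpper of the ms-Exch-Schema-Version-Pt attribute
    $schemaPt = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"

    # Organization version: objectVersion of the msExchOrganizationContainer object
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher.Filter      = '(objectClass=msExchOrganizationContainer)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'objectVersion'))
    $org = $searcher.FindOne()
    if (-not $org) { throw "No Exchange organization found below $configNC" }

    # Domain version: objectVersion of "Microsoft Exchange System Objects"
    # (stays $null if this domain has not been prepared for Exchange)
    $domainVersion = $null
    try {
        $meso = [ADSI]"LDAP://CN=Microsoft Exchange System Objects,$domainNC"
        $domainVersion = $meso.Properties['objectVersion'].Value
    } catch {
        Write-Verbose "Could not read Microsoft Exchange System Objects: $_"
    }

    [pscustomobject]@{
        Organization        = [string]$org.Properties['name'][0]
        SchemaRangeUpper    = [int]$schemaPt.Properties['rangeUpper'].Value
        OrgObjectVersion    = [int]$org.Properties['objectversion'][0]
        DomainObjectVersion = $domainVersion
    }
}

$expectedOrgVersion = 16762   # value reported in this post after the CU14 schema step
$info = Get-ExchangeAdVersion
$info | Format-List
if ($info.OrgObjectVersion -ge $expectedOrgVersion) {
    Write-Host "Organization objectVersion $($info.OrgObjectVersion): CU14 AD preparation is in place."
} else {
    Write-Warning "Organization objectVersion $($info.OrgObjectVersion) is below $expectedOrgVersion; setup.exe /prepareAD has not been applied yet."
}
```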
If you download the newest Exchange Healthchecker, you need to Unblock it before the first run
Run the Healthchecker
I decided to run the Exchange Extended Protection Script
And run the Healthchecker again
Dotnet Framework 4.8.1
I’ve downloaded the Offline Installer Runtime
You have to reboot after the Installation of the Dotnet Framework
You can use the Script below to check your Dotnet Framework Version
# Read the .NET Framework 4.x release number from the registry
$release = Get-ItemPropertyValue -LiteralPath 'HKLM:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release

# Map the release number to a version; the first (highest) matching threshold wins
switch ($release) {
    { $_ -ge 533320 } { $version = '4.8.1 or later'; break }
    { $_ -ge 528040 } { $version = '4.8'; break }
    { $_ -ge 461808 } { $version = '4.7.2'; break }
    { $_ -ge 461308 } { $version = '4.7.1'; break }
    { $_ -ge 460798 } { $version = '4.7'; break }
    { $_ -ge 394802 } { $version = '4.6.2'; break }
    { $_ -ge 394254 } { $version = '4.6.1'; break }
    { $_ -ge 393295 } { $version = '4.6'; break }
    { $_ -ge 379893 } { $version = '4.5.2'; break }
    { $_ -ge 378675 } { $version = '4.5.1'; break }
    { $_ -ge 378389 } { $version = '4.5'; break }
    default { $version = $null; break }
}

# Report the detected version
if ($version) {
    Write-Host -Object ".NET Framework Version: $version"
} else {
    Write-Host -Object '.NET Framework Version 4.5 or later is not detected.'
}
Updating Exchange Edge Role
I’ve decided to check first for pending Reboot
Installation of Exchange Server 2019 CU 14
As there are fewer services on an Exchange Server Edge role, there are fewer steps
Install the Dotnet Framework 4.8.1
Regards
Andres Bohren