From 0d82ced054ef5fd4812fba8423f275a0c5e535c4 Mon Sep 17 00:00:00 2001
From: Bhalchandra Atre-MSFT <39634045+Batre-MSFT@users.noreply.github.com>
Date: Mon, 14 Aug 2023 19:23:28 +0530
Subject: [PATCH 1/4] Update Emerging-Issues.md
Aug 2023 SU Issue
---
docs/Emerging-Issues.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/Emerging-Issues.md b/docs/Emerging-Issues.md
index 5d9263efe8..a8cf575684 100644
--- a/docs/Emerging-Issues.md
+++ b/docs/Emerging-Issues.md
@@ -9,6 +9,7 @@ This page lists emerging issues for Exchange On-Premises deployments, possible r
|**Updated on** | **Update causing the issue**| **Issue**| **Workaround/Solution**
|-|-|-|-|
+8/14/2023|[Non-English August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. |The problematic SU's are taken down from the installation and fixed version of updates will be released shortly. Meanwhile, if you are affected by the issue, please follow steps in [this KB](https://support.microsoft.com/topic/exchange-server-2019-and-2016-august-2023-security-update-installation-fails-on-non-english-operating-systems-ef38d805-f645-4511-8cc5-cf967e5d5c75) for the workaround on affected systems
6/15/2023|[January 2023 Security Update](https://www.microsoft.com/en-us/download/details.aspx?id=104914) for Exchange 2016, Exchange 2019 | When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers, that had January 2023 Security Update for Exchange Server installed at any point, the Setup fails with following error message:
[ERROR] The operation couldn't be performed because object '' couldn't be found on ''. |Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/help/5025312) for more details
6/15/2023|Extended protection enabled on Exchange server | Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled:
`The modified Permissions cannot be changed.`| Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/en-us/topic/extended-protection-doesn-t-support-public-folder-client-permissions-management-through-outlook-bd2037b5-40e0-413a-b368-746b3f5439ee) for more details
|3/16/2023| [Outlook client update for CVE-2023-23397 released](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397)| These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action **other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described on the link on the right.**
More details about specific CVEs can be found in the [Security Update Guide](https://msrc.microsoft.com/update-guide/) (filter on Exchange Server under Product Family).
**Awareness: Outlook client update for CVE-2023-23397 released**
There is a critical security update for Microsoft Outlook for Windows that is required to address [CVE-2023-23397](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397). To address this CVE, **you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform).** | **Please check [this page](https://aka.ms/OLKCVEFAQ) for FAQs about the [Outlook CVE-2023-23397](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397)**
From 879b20e75fbdfee8c64eac93b8e5fb02358237f7 Mon Sep 17 00:00:00 2001
From: David Paulson
Date: Tue, 15 Aug 2023 09:28:19 -0500
Subject: [PATCH 2/4] Include Aug23SUv2 version
---
.../Get-ExchangeBuildVersionInformation.ps1 | 46 +++++++++++--------
...-ExchangeBuildVersionInformation.Tests.ps1 | 38 +++++++++++++--
2 files changed, 59 insertions(+), 25 deletions(-)
diff --git a/Shared/Get-ExchangeBuildVersionInformation.ps1 b/Shared/Get-ExchangeBuildVersionInformation.ps1
index f56292d33f..4aa68a9d92 100644
--- a/Shared/Get-ExchangeBuildVersionInformation.ps1
+++ b/Shared/Get-ExchangeBuildVersionInformation.ps1
@@ -127,6 +127,7 @@ function Get-ExchangeBuildVersionInformation {
$cuReleaseDate = "05/03/2023"
$supportedBuildNumber = $true
}
+ (GetBuildVersion $ex19 "CU13" -SU "Aug23SUv2") { $latestSUBuild = $true }
(GetBuildVersion $ex19 "CU13" -SU "Aug23SU") { $latestSUBuild = $true }
{ $_ -lt (GetBuildVersion $ex19 "CU13") } {
$cuLevel = "CU12"
@@ -134,6 +135,7 @@ function Get-ExchangeBuildVersionInformation {
$supportedBuildNumber = $true
$orgValue = 16760
}
+ (GetBuildVersion $ex19 "CU12" -SU "Aug23SUv2") { $latestSUBuild = $true }
(GetBuildVersion $ex19 "CU12" -SU "Aug23SU") { $latestSUBuild = $true }
{ $_ -lt (GetBuildVersion $ex19 "CU12") } {
$cuLevel = "CU11"
@@ -221,6 +223,7 @@ function Get-ExchangeBuildVersionInformation {
$cuReleaseDate = "04/20/2022"
$supportedBuildNumber = $true
}
+ (GetBuildVersion $ex16 "CU23" -SU "Aug23SUv2") { $latestSUBuild = $true }
(GetBuildVersion $ex16 "CU23" -SU "Aug23SU") { $latestSUBuild = $true }
{ $_ -lt (GetBuildVersion $ex16 "CU23") } {
$cuLevel = "CU22"
@@ -693,15 +696,16 @@ function GetExchangeBuildDictionary {
"Nov22SU" = "15.1.2375.37"
})
"CU23" = (NewCUAndSUObject "15.1.2507.6" @{
- "May22SU" = "15.1.2507.9"
- "Aug22SU" = "15.1.2507.12"
- "Oct22SU" = "15.1.2507.13"
- "Nov22SU" = "15.1.2507.16"
- "Jan23SU" = "15.1.2507.17"
- "Feb23SU" = "15.1.2507.21"
- "Mar23SU" = "15.1.2507.23"
- "Jun23SU" = "15.1.2507.27"
- "Aug23SU" = "15.1.2507.31"
+ "May22SU" = "15.1.2507.9"
+ "Aug22SU" = "15.1.2507.12"
+ "Oct22SU" = "15.1.2507.13"
+ "Nov22SU" = "15.1.2507.16"
+ "Jan23SU" = "15.1.2507.17"
+ "Feb23SU" = "15.1.2507.21"
+ "Mar23SU" = "15.1.2507.23"
+ "Jun23SU" = "15.1.2507.27"
+ "Aug23SU" = "15.1.2507.31"
+ "Aug23SUv2" = "15.1.2507.32"
})
}
"Exchange2019" = @{
@@ -780,19 +784,21 @@ function GetExchangeBuildDictionary {
"Mar23SU" = "15.2.986.42"
})
"CU12" = (NewCUAndSUObject "15.2.1118.7" @{
- "May22SU" = "15.2.1118.9"
- "Aug22SU" = "15.2.1118.12"
- "Oct22SU" = "15.2.1118.15"
- "Nov22SU" = "15.2.1118.20"
- "Jan23SU" = "15.2.1118.21"
- "Feb23SU" = "15.2.1118.25"
- "Mar23SU" = "15.2.1118.26"
- "Jun23SU" = "15.2.1118.30"
- "Aug23SU" = "15.2.1118.36"
+ "May22SU" = "15.2.1118.9"
+ "Aug22SU" = "15.2.1118.12"
+ "Oct22SU" = "15.2.1118.15"
+ "Nov22SU" = "15.2.1118.20"
+ "Jan23SU" = "15.2.1118.21"
+ "Feb23SU" = "15.2.1118.25"
+ "Mar23SU" = "15.2.1118.26"
+ "Jun23SU" = "15.2.1118.30"
+ "Aug23SU" = "15.2.1118.36"
+ "Aug23SUv2" = "15.2.1118.37"
})
"CU13" = (NewCUAndSUObject "15.2.1258.12" @{
- "Jun23SU" = "15.2.1258.16"
- "Aug23SU" = "15.2.1258.23"
+ "Jun23SU" = "15.2.1258.16"
+ "Aug23SU" = "15.2.1258.23"
+ "Aug23SUv2" = "15.2.1258.25"
})
}
}
diff --git a/Shared/Tests/Get-ExchangeBuildVersionInformation.Tests.ps1 b/Shared/Tests/Get-ExchangeBuildVersionInformation.Tests.ps1
index 62a8a3782b..4261426631 100644
--- a/Shared/Tests/Get-ExchangeBuildVersionInformation.Tests.ps1
+++ b/Shared/Tests/Get-ExchangeBuildVersionInformation.Tests.ps1
@@ -173,14 +173,24 @@ Describe "Testing Get-ExchangeBuildVersionInformation.ps1" {
ForEach-Object { [System.Version]$_ } |
Sort-Object -Descending |
Select-Object -First 2
+
+ # RegEx to find if the latest is a v* version. Then we assume what we have set is correct and we don't test them.
$latestSU = Get-ExchangeBuildVersionInformation -FileVersion $latest2SUs[0]
$latestSU.Supported | Should -Be $true
$latestSU.LatestSU | Should -Be $true
+ $notSecondVersionSU = $null -eq ($latestSU.FriendlyName | Select-String "\D{3}\d{2}SUv\d")
- if ($latest2SUs.Count -eq 2) {
+ if ($latest2SUs.Count -eq 2 -and
+ $notSecondVersionSU) {
$latestSU = Get-ExchangeBuildVersionInformation -FileVersion $latest2SUs[1]
$latestSU.Supported | Should -Be $true
$latestSU.LatestSU | Should -Be $false
+ } elseif ($latest2SUs.Count -eq 2) {
+ $secondSU = Get-ExchangeBuildVersionInformation -FileVersion $latest2SUs[1]
+ $secondSU.Supported | Should -Be $true
+ $latestSU.FriendlyName.Substring(0, $latestSU.FriendlyName.Length - 2) | Should -Be $secondSU.FriendlyName
+ # This test could change depending on the reason for the v2 release.
+ $secondSU.LatestSU | Should -Be $true
}
}
}
@@ -201,11 +211,19 @@ Describe "Testing Get-ExchangeBuildVersionInformation.ps1" {
$latestSupportedSU = Get-ExchangeBuildVersionInformation -FileVersion $latestSupportedSUs[0]
$latestSupportedSU.Supported | Should -Be $true
$latestSupportedSU.LatestSU | Should -Be $true
+ $notSecondVersionSU = $null -eq ($latestSupportedSU.FriendlyName | Select-String "\D{3}\d{2}SUv\d")
- if ($latestSupportedSUs.Count -eq 2) {
+ if ($latestSupportedSUs.Count -eq 2 -and
+ $notSecondVersionSU) {
$latestSupportedSU = Get-ExchangeBuildVersionInformation -FileVersion $latestSupportedSUs[1]
$latestSupportedSU.Supported | Should -Be $true
$latestSupportedSU.LatestSU | Should -Be $false
+ } elseif ($latestSupportedSUs.Count -eq 2) {
+ $secondSU = Get-ExchangeBuildVersionInformation -FileVersion $latestSupportedSUs[1]
+ $secondSU.Supported | Should -Be $true
+ $latestSupportedSU.FriendlyName.Substring(0, $latestSupportedSU.FriendlyName.Length - 2) | Should -Be $secondSU.FriendlyName
+ # This test could change depending on the reason for the v2 release.
+ $secondSU.LatestSU | Should -Be $true
}
$latestUnsupportedSUs = (GetExchangeBuildDictionary)["Exchange2019"][$unSupportedCU.CU].SU.Values |
@@ -240,9 +258,19 @@ Describe "Testing Get-ExchangeBuildVersionInformation.ps1" {
$latestSU.Supported | Should -Be $true
$latestSU.LatestSU | Should -Be $true
- $previousSU = Get-ExchangeBuildVersionInformation -FileVersion $latest2SUs[1]
- $previousSU.Supported | Should -Be $true
- $previousSU.LatestSU | Should -Be $false
+ $notSecondVersionSU = $null -eq ($latestSU.FriendlyName | Select-String "\D{3}\d{2}SUv\d")
+
+ if ($notSecondVersionSU) {
+ $previousSU = Get-ExchangeBuildVersionInformation -FileVersion $latest2SUs[1]
+ $previousSU.Supported | Should -Be $true
+ $previousSU.LatestSU | Should -Be $false
+ } else {
+ $previousSU = Get-ExchangeBuildVersionInformation -FileVersion $latest2SUs[1]
+ $previousSU.Supported | Should -Be $true
+ $latestSU.FriendlyName.Substring(0, $latestSU.FriendlyName.Length - 2) | Should -Be $previousSU.FriendlyName
+ # This test could change depending on the reason for the v2 release.
+ $previousSU.LatestSU | Should -Be $true
+ }
(Get-ExchangeBuildVersionInformation -FileVersion $latest2CUs[1]).Supported | Should -Be $false
}
From dfa9bee72970f1daa9bc775066af5c002534d7fd Mon Sep 17 00:00:00 2001
From: David Paulson
Date: Tue, 15 Aug 2023 12:27:41 -0500
Subject: [PATCH 3/4] Detect if KB5029388 is installed on non-english OS
---
.../Invoke-AnalyzerExchangeInformation.ps1 | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1
index 6fa3c4a2e5..5857857f54 100644
--- a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1
+++ b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1
@@ -116,6 +116,8 @@ function Invoke-AnalyzerExchangeInformation {
if ($null -ne $exchangeInformation.BuildInformation.KBsInstalled) {
Add-AnalyzedResultInformation -Name "Exchange IU or Security Hotfix Detected" @baseParams
+ $problemKbFound = $false
+ $problemKbName = "KB5029388"
foreach ($kb in $exchangeInformation.BuildInformation.KBsInstalled) {
$params = $baseParams + @{
@@ -123,6 +125,32 @@ function Invoke-AnalyzerExchangeInformation {
DisplayCustomTabNumber = 2
}
Add-AnalyzedResultInformation @params
+
+ if ($kb.Contains($problemKbName)) {
+ $problemKbFound = $true
+ }
+ }
+
+ if ($problemKbFound) {
+ Write-Verbose "Found problem $problemKbName"
+ if ($null -ne $HealthServerObject.OSInformation.BuildInformation.OperatingSystem.OSLanguage) {
+ [int]$OSLanguageID = [int]($HealthServerObject.OSInformation.BuildInformation.OperatingSystem.OSLanguage)
+ # https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-operatingsystem
+ $englishLanguageIDs = @(9, 1033, 2057, 3081, 4105, 5129, 6153, 7177, 8201, 10249, 11273)
+ if ($englishLanguageIDs.Contains($OSLanguageID)) {
+ Write-Verbose "OS is english language. No action required"
+ } else {
+ Write-Verbose "Non english language code: $OSLanguageID"
+ $params = $baseParams + @{
+ Details = "Error: August 2023 SU 1 Problem Detected. More Information: https://aka.ms/HC-Aug23SUIssue"
+ DisplayWriteType = "Red"
+ DisplayCustomTabNumber = 2
+ }
+ Add-AnalyzedResultInformation @params
+ }
+ } else {
+ Write-Verbose "Language Code is null"
+ }
}
}
From 61f2f71dab005fbc7c7ca59b2169079e0ac2b29b Mon Sep 17 00:00:00 2001
From: David Paulson
Date: Tue, 15 Aug 2023 14:28:36 -0500
Subject: [PATCH 4/4] Updated Emerging Issues page for Aug SU update
---
docs/Emerging-Issues.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/Emerging-Issues.md b/docs/Emerging-Issues.md
index a8cf575684..871b058386 100644
--- a/docs/Emerging-Issues.md
+++ b/docs/Emerging-Issues.md
@@ -9,10 +9,10 @@ This page lists emerging issues for Exchange On-Premises deployments, possible r
|**Updated on** | **Update causing the issue**| **Issue**| **Workaround/Solution**
|-|-|-|-|
-8/14/2023|[Non-English August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. |The problematic SU's are taken down from the installation and fixed version of updates will be released shortly. Meanwhile, if you are affected by the issue, please follow steps in [this KB](https://support.microsoft.com/topic/exchange-server-2019-and-2016-august-2023-security-update-installation-fails-on-non-english-operating-systems-ef38d805-f645-4511-8cc5-cf967e5d5c75) for the workaround on affected systems
+8/15/2023|[Non-English August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. |The latest SUs have been released that do not require a workaround to install. If you used a workaround to install KB5029388, it is highly recommend to uninstall the KB5029388 to avoid issues down the line. For more information please check out [this KB](https://support.microsoft.com/topic/exchange-server-2019-and-2016-august-2023-security-update-installation-fails-on-non-english-operating-systems-ef38d805-f645-4511-8cc5-cf967e5d5c75).
6/15/2023|[January 2023 Security Update](https://www.microsoft.com/en-us/download/details.aspx?id=104914) for Exchange 2016, Exchange 2019 | When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers, that had January 2023 Security Update for Exchange Server installed at any point, the Setup fails with following error message:
[ERROR] The operation couldn't be performed because object '' couldn't be found on ''. |Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/help/5025312) for more details
6/15/2023|Extended protection enabled on Exchange server | Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled:
`The modified Permissions cannot be changed.`| Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/en-us/topic/extended-protection-doesn-t-support-public-folder-client-permissions-management-through-outlook-bd2037b5-40e0-413a-b368-746b3f5439ee) for more details
-|3/16/2023| [Outlook client update for CVE-2023-23397 released](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397)| These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action **other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described on the link on the right.**
More details about specific CVEs can be found in the [Security Update Guide](https://msrc.microsoft.com/update-guide/) (filter on Exchange Server under Product Family).
**Awareness: Outlook client update for CVE-2023-23397 released**
There is a critical security update for Microsoft Outlook for Windows that is required to address [CVE-2023-23397](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397). To address this CVE, **you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform).** | **Please check [this page](https://aka.ms/OLKCVEFAQ) for FAQs about the [Outlook CVE-2023-23397](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397)**
+|3/16/2023| [Outlook client update for CVE-2023-23397 released](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397)| These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action **other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described on the link on the right.**
More details about specific CVEs can be found in the [Security Update Guide](https://msrc.microsoft.com/update-guide/) (filter on Exchange Server under Product Family).
**Awareness: Outlook client update for CVE-2023-23397 released**
There is a critical security update for Microsoft Outlook for Windows that is required to address [CVE-2023-23397](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397). To address this CVE, **you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform).** | **Please check [this page](https://aka.ms/OLKCVEFAQ) for FAQs about the [Outlook CVE-2023-23397](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397)**
3/14/2023|[February 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058) for Exchange 2016, Exchange 2019, Exchange 2013 | After installing February 2023 security update, customers are seeing EWS application pool crash with Event ID 4999 with following error
E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.
The issue is causing connectivity issues to EWS based clients (Outlook for Mac) | **Update on 3/14/2023**
The issue is fixed in [March 2023 security update for Exchange servers](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224)
Please follow the steps in [this KB](https://support.microsoft.com/help/5024257)
3/14/2023|[February 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058) for Exchange 2016, Exchange 2019, Exchange 2013 | Some customers are reporting issues with Outlook/OWA add-ins, like add-in not listing in EAC or with the Get-App command. Additionally, they may notice EWS application pool crash with Event ID 4999 in the application log of the Exchange server. | **Update on 3/14/2023**
The issue is fixed in [March 2023 security update for Exchange servers](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224)
3/14/2023|[January 2023 Security Update](https://www.microsoft.com/en-us/download/details.aspx?id=104914) for Exchange 2016, Exchange 2019 |The Exchange toolbox may start crashing on launch after [certificate Serialization for PowerShell](https://aka.ms/HC-SerializedDataSigning) is enabled. The error noticed is "Deserialization fails: System.Reflection.TargetInvocationException".
The issue happens only on Exchange 2016 and Exchange 2019| **Update on 3/14/2023**
The issue is fixed in [March 2023 security update for Exchange servers](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224)