Exchange 2016/2013/2010 Updates March 2017

Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.

As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:

  • If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior of after installing the latest Cumulative Update.
  • If you are on .NET 4.52, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the the latest Cumulative Update.

The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU5

15.1.845.34

KB4012106

Download

UMLP

Exchange 2013 CU16

15.0.1293.2

KB4012112

Download

UMLP

Exchange 2010 SP3 Rollup 17

14.3.352.0

KB4011326

Download

 

Exchange 2007 SP3 Rollup 23

8.3.517.0

KB4011325

Download

 

Exchange 2016 CU5 fixes:

  • KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
  • KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
  • KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
  • KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
  • KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
  • KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016

Exchange 2013 CU16 fixes:

  • KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013

Notes:

Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.

When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.

Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.

When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).

  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Source

Microsoft Deployment Toolkit (MDT) build 8443

The Microsoft Deployment Toolkit (MDT), build 8443, is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, available on the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.14393.0).

You may notice that we are not tagging this release with a year or update version. To better align with the current branches of Windows 10 and Configuration Manager, and to simplify the branding and release process, we are now just referring to it as the “Microsoft Deployment Toolkit”, using the build number to distinguish each release. This is not necessarily a “current branch” of MDT; we are committed to updating MDT as needed with revisions to Windows, the Windows ADK, and Configuration Manager.

Here is a summary of the significant changes in this build of MDT:

  • Supported configuration updates
    • Windows ADK for Windows 10, version 1607
    • Windows 10, version 1607
    • Windows Server 2016
    • Configuration Manager, version 1606
  • Quality updates
    • Deployment Wizard scaling on high DPI devices
    • Johan’s “uber bug” for computer replace scenario
    • Multiple fixes for the Windows 10 in-place upgrade scenario
    • Several fixes to Configure ADDS step
    • Removed imagex/ocsetup dependencies, rely solely on DISM
    • Includes the latest Configuration Manager task sequence binaries (version 1606)

Mobile security is more important than ever!!!

The most used device these days is a mobile phone. Malware/Spyware/Hacking is everywhere, anytime,anywhere See: Update: Lookout re-airing on 60 Minutes

Some latest news about Mobile Security Alerts:

Hundreds of millions of devices potentially affected by first major iOS malware outbreak

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire

Soo what can you do about it:

Install Security app on your device: So i installed the free version of lookout on my phone.

unnamed

It works great so far: Testing it.

Windows 10 1607 Windows Update Change

For those of you who have started deploying Windows 10 1607, you might notice a change in the behavior of the Windows Update agent for PCs that are configured to pull updates from WSUS.  Instead of pulling the updates from WSUS, PCs may start grabbing them from peers on your network, leveraging the Delivery Optimization service for referrals to other PCs that have already obtained the content.  This change should generally help reduce the amount of network traffic being generated for both quality (monthly) updates and feature updates, offloading that traffic from the WSUS server.  It will add some additional traffic between each client PC and the Delivery Optimization service on the internet, as it has to talk to this internet-only service in order to get a list of peers.

If the Windows Update agent can’t talk to the Delivery Optimization service (due to firewall or proxy configurations), or if there are no peers able to provide the content, it will then go ahead and grab the content from the WSUS server.

There is a new Group Policy setting available if you want to disable this behavior, e.g. because you are already using BranchCache for peer-to-peer sharing.  To do this, you need to set the “Download Mode” policy under “Computer Configuration –> Administrative Templates –> Windows Components –> Delivery Optimization” to specify “Bypass” mode, which will result in the client always using BITS to transfer the content from WSUS (with BranchCache jumping in to provide the peer-to-peer capabilities through its integration with BITS):

image291

Of course to set this policy, you need the latest ADMX files, which can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=53430 and are also included in Windows 10 1607 and Windows Server 2016.  (The “Bypass” setting wasn’t available in previous versions.)  See https://support.microsoft.com/en-us/kb/3087759 for details on how to update the Group Policy central store with these latest ADMX files, if you are using a central store.

Source: https://blogs.technet.microsoft.com/mniehaus/2016/08/08/using-wsus-with-windows-10-1607/

Cumulative Update 2 for Exchange Server 2016

.Net 4.6.1 Support

Support for .Net 4.6.1 is now available for Exchange Server 2016 and 2013 with these updates. We fully support customers upgrading servers running 4.5.2 to 4.6.1 without removing Exchange. We recommend that customers apply Exchange Server 2016 Cumulative Update 2 or Exchange Server 2013 Cumulative Update 13 before upgrading .Net FrameWork. Servers should be placed in maintenance mode during the upgrade as you would do when applying a Cumulative Update. Support for .Net 4.6.1 requires the following post release fixes for .Net as well.

Note: .Net 4.6.1 installation replaces the existing 4.5.2 installation. If you attempt to roll back the .Net 4.6.1 update, you will need to install .Net 4.5.2 again.

AutoReseed Support for BitLocker

Beginning with Exchange 2013 CU13 and Exchange 2016 CU2, the Disk Reclaimer function within AutoReseed supports BitLocker. By default, this feature is disabled. For more information on how to enable this functionality, please seeEnabling BitLocker on Exchange Servers.

SHA-2 Support for Self-Signed Certificates

The New-ExchangeCertificate cmdlet has been updated to produce a SHA-2 certificate for all self-signed certificates created by Exchange. Creating a SHA-2 certificate is the default behaviour for the cmdlet. Existing certificates will not automatically be regenerated but newly installed servers will receive SHA-2 certificates by default. Customers may opt to replace existing non-SHA2 certificates generated by previous releases as they see fit.

Migration to Modern Public Folder Resolved

The issue reported in KB3161916 has been resolved.

 

This cumulative update fixes the following issues:

This cumulative update also fixes the issues that are described in the KB 3160339 MS16-079: Security update for Microsoft Exchange: June 14, 2016 and KB 3134844 Cumulative Update 1 for Exchange Server 2016

Microsoft Knowledge Base articles.
This update also includes new daylight saving time (DST) updates for Exchange Server 2016. For more information about DST, go to Daylight Saving Time Help and Support Center.

Download: https://www.microsoft.com/en-us/download/details.aspx?id=52968

Cumulative Update 1 for Exchange Server 2016

Exchange Team released:  Cumulative Update 1 for Exchange Server 2016

Issues that the cumulative update fixes

KB 3139730 Edge Transport service crashes when you view the properties of a poison message in Exchange Server 2016
KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
KB 3135688 Preserves the web.config file for Outlook Web App when you apply a cumulative update in Exchange Server 2016
KB 3135601 Cyrillic characters are displayed as question marks when you run the “Export-PublicFolderStatistics.ps1” script in an Exchange Server 2016 environment
KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016

Exchange Server 2016 Cumulative Update 1 (KB3134844), Download, UM Lang Packs

Staying up-to-date with Windows Server updates for Remote Desktop Services (RDS)

Microsoft Remote Desktop Team get customer enquiries asking which RDS updates are available for a particular Windows Server platform; or when providing support we need to verify if certain hotfixes and servicing rollups are installed on the customers’ servers. To make it easier for customers and ourselves, we regularly revise KB articles that list all of the available updates specific to Remote Desktop services for each Windows Server release:

Don’t use DHCP Option 60/66/67 when you want to use UEFI & Legacy PXE Boot with MDT

If you want to use EUFI Boot with MDT 2013 Update X.
Don’t use DHCP Option 60/66/67!!!

DC01 = Windows Server 2008 R2 SP1
DC02 = Windows Server 2012
MDT01 = Windows Server 2012 R2

UEFI Client: Dell Laptop E5450
BIOS Client: HyperV Virtual machine with Legacy network adapert

DC1; MDT01 and DHCPServer all in Subnet1.
(IP Helper is set for DHCPServer for DHCP and for DC01 & MDT01 for DHCP and BootP – I checked serveral times if everything is right here)
UEFI Client and BIOS Client in Subnet2.

Situation1 — Using no DHCP Options and WDS running (IP HELPER-ADDRESS):
UEFI Client – Boots perfectly (contacting Server MDT01)
BIOS Client – Boots perfectly (contacting Server MDT01)

Situaion2 — Using no DHCP Options and WDS just running on MDT01:
UEFI Client – Does not boot (no error information is provided)
BIOS Client – Does not boot (no Bootfilename recieved)

Situation3 — Using DHCP Options(Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01:
UEFI Client – Does not boot (no error information is provided)
BIOS Client – Boots perfectly (contacting Server DP1)

Situation4 — Using DHCP Options(Option 60=”PXEClient” Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01:
UEFI Client – Boots perfectly (contacting Server DP1)
BIOS Client – Does not boot (taking hours to recieve dhcp options..)

Solution:

On most switches you can configure ip helper-addresses. This is most time al ready configured for the use of DHCP.

Add the IP of the MDT server als ip helper-address:

Example:

interface Vlan100
description GEBRUIKERS VLAN
ip address 192.168.101.254 255.255.254.0 show
ip helper-address 192.168.25.6   (DC01)
ip helper-address 192.168.25.7   (DC02)
ip helper-address 192.168.25.30 (MDT01)
end