Important update for Azure Active Directory Connect – Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains:

The [AD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object that denies the AD DS account the Reset Password permission, using the Windows DSACLS tool.
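As an added example (not from the advisory or this post), the PowerShell below audits an Azure AD Connect AD DS account against the three mitigations above: it lists privileged group membership (nested included), lists AdminSDHolder ACEs that give the account the Reset Password extended right, and only when run with -ApplyDenyAce writes the DENY ACE with dsacls. The account name MSOL_example, the parameter names and the dsacls argument form are assumptions; it needs the RSAT ActiveDirectory module on a domain-joined admin host.

```powershell
[CmdletBinding()]
param(
    # SAM account name of the Azure AD Connect AD DS account (assumed example value)
    [string]$ConnectorAccount = 'MSOL_example',
    # Report-only by default; pass this switch to actually write the DENY ACE
    [switch]$ApplyDenyAce
)
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$account       = Get-ADUser -Identity $ConnectorAccount
$adminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Extended-right GUID of "Reset Password" (User-Force-Change-Password). An ACE whose
# ObjectType is the all-zero GUID grants every extended right, so it counts as well.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$allRightsGuid     = [guid]::Empty

# RIDs of the built-in groups protected by AdminSDHolder (Domain Admins, Domain
# Controllers, Schema Admins, Enterprise Admins, Administrators, Account/Server/Print/
# Backup Operators, Replicator)
$protectedRids = 512, 516, 518, 519, 544, 548, 549, 550, 551, 552

# 1. Privileged group membership, following nested groups via LDAP_MATCHING_RULE_IN_CHAIN
$groups     = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($account.DistinguishedName))"
$privileged = $groups | Where-Object { $protectedRids -contains [int]($_.SID.Value -split '-')[-1] }
if ($privileged) {
    Write-Warning "$ConnectorAccount is a member of privileged group(s): $($privileged.Name -join ', ')"
}

# 2. ACEs on AdminSDHolder that give this account the Reset Password extended right
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$acl  = Get-Acl -Path "AD:\$adminSDHolder"
$hits = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$ConnectorAccount" -and
    $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
    ($_.ObjectType -eq $resetPasswordGuid -or $_.ObjectType -eq $allRightsGuid)
}
foreach ($ace in $hits) {
    Write-Output ('AdminSDHolder ACE: {0} {1} ExtendedRight {2}' -f
        $ace.AccessControlType, $ace.IdentityReference, $ace.ObjectType)
}

# 3. DENY ACE via dsacls, as the advisory suggests. "CA;Reset Password" is the dsacls
#    control-access-right syntax (assumed form); the format operator avoids PowerShell
#    reading "$ConnectorAccount:CA" as a scoped variable.
$denied = $hits | Where-Object { $_.AccessControlType -eq 'Deny' }
if (-not $denied) {
    $trustee = '{0}\{1}:CA;Reset Password' -f $domain.NetBIOSName, $ConnectorAccount
    if ($ApplyDenyAce) {
        & dsacls.exe $adminSDHolder /D $trustee
    } else {
        Write-Output "No DENY ACE present. Re-run with -ApplyDenyAce to execute: dsacls `"$adminSDHolder`" /D `"$trustee`""
    }
}
```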

Expta

Very Important: Security update KB3159398 will break Group Policy

There is a known issue with the MS16-072/KB3163622 patch. This update will break GPOs with faulty permissions. Examples: drives appear on domain systems that should be hidden, drive mappings don't work, and other typical GPO settings aren't getting applied.

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and perform one of the following steps:

1. Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).

2. If you are using security filtering (WMI), add the Domain Computers group with read permission.
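As an added example (not from the post), this PowerShell finds GPOs that neither Authenticated Users nor Domain Computers can read, which is the condition that makes policy stop applying after MS16-072, and with -Fix grants the Read permission exactly as the two steps above describe. The switch names are assumptions; it needs the RSAT GroupPolicy module on a domain-joined admin host.

```powershell
[CmdletBinding()]
param(
    # Report-only by default; pass -Fix to grant the missing Read permission
    [switch]$Fix,
    # Grant Domain Computers instead of Authenticated Users (GPOs that use security filtering)
    [switch]$UseDomainComputers
)
Import-Module GroupPolicy

# Authenticated Users has a fixed well-known SID; Domain Computers is domain-relative (RID 515)
$authUsersSid       = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$domainComputersSid = ([System.Security.Principal.NTAccount]'Domain Computers').Translate(
    [System.Security.Principal.SecurityIdentifier])

# Every permission level that implies Read on the GPO
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$broken = foreach ($gpo in Get-GPO -All) {
    # Get-GPPermission -All lists every trustee on the GPO with its permission level
    $perms   = Get-GPPermission -Guid $gpo.Id -All
    $canRead = $perms | Where-Object {
        ($_.Trustee.Sid -eq $authUsersSid -or $_.Trustee.Sid -eq $domainComputersSid) -and
        $readLevels -contains $_.Permission
    }
    if (-not $canRead) { $gpo }
}

foreach ($gpo in $broken) {
    Write-Warning "GPO '$($gpo.DisplayName)' ($($gpo.Id)) is not readable by computer accounts; it will not apply after MS16-072"
    if ($Fix) {
        $target = if ($UseDomainComputers) { 'Domain Computers' } else { 'Authenticated Users' }
        Set-GPPermission -Guid $gpo.Id -TargetName $target -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Output "Granted $target Read on '$($gpo.DisplayName)'"
    }
}
if (-not $broken) {
    Write-Output 'All GPOs grant Read to Authenticated Users or Domain Computers.'
}
```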

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (laptops) automatically

This post will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.

To configure your environment for BitLocker, you will need to do the following:

  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.


Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.


Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (do not enable this one)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don't forget to disable Secure Boot, and enable Secure Boot again after the deployment is successful!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs


Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234

Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available

Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

MDT 2013 Update 2 (6.3.8330) Released

The Microsoft Deployment Toolkit (MDT) 2013 Update 2 (6.3.8330) is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, available on the Microsoft Hardware Dev Center. (Note that there are known issues with the v1511 release of the Windows 10 ADK and System Center Configuration Manager; these issues do not directly affect MDT, although they may still impact ZTI or UDI scenarios.)

MDT 2013 Update 2 is primarily a quality release; there are no new major features. The following is a summary of the significant changes in this update:

  • Security- and cryptographic-related improvements:
    • Relaxed permissions on newly created deployment shares (still secure by default, but now also functional by default)
    • Creating deployment shares via Windows PowerShell adds same default permissions
    • Updated hash algorithm usage from SHA1 to SHA256
  • Includes the latest Configuration Manager task sequence binaries
  • Enhanced user experience for Windows 10 in-place upgrade task sequence
  • Enhanced split WIM functionality
  • Fixed OSDJoinAccount account usage in UDI scenario
  • Fixed issues with installation of Windows 10 language packs
  • Various accessibility improvements
  • Monitoring correctly displays progress for all scenarios including upgrade
  • Improvements to smsts.log verbosity

There are no other new release notes or significant known issues. See the previous post for more information as much of it is still applicable (other than the fix list above).

See the following post on How to get help with MDT.

Frequently Asked Questions

In anticipation of some questions that you may have about this release (or MDT in general):

Q: Should I expect a release of MDT with every new Windows 10 and/or Configuration Manager build release?

No. We shipped multiple MDT releases this year due to the timing of Windows 10 and Configuration Manager releases, but do not intend to keep that same cadence going forward.

Q: What branches of Windows 10 does MDT support?

MDT supports both the current branch of Windows 10 as well as the long-term servicing branch.

Q: What branches of System Center Configuration Manager does MDT support?

For ZTI and UDI scenarios MDT 2013 Update 2 supports the current branch of System Center Configuration Manager (currently version 1511) for an integrated solution for deploying Windows 10 current branch as well as prior Windows versions.

Q: When is the next planned release of MDT?

We do not currently have a timeframe. We will release any tactical changes as needed which may be required to support new builds of Windows 10 or Configuration Manager, but do not currently expect this to be needed.

Q: Is this the last release of MDT?

No, we will continue to iterate and invest in the product.

Q: Why is it still “MDT 2013” when the year is almost 2016?

Two primary reasons. First, we have only made minor changes to MDT which in our opinion does not constitute a major version revision. Second, per the MDT support lifecycle, a new major version will drop support for MDT2012 Update 1 which still supports legacy platforms.

Source

MDT 2013 Update 1 re-released (build 8298)

The MDT team has released a newer build (8298) to address many of these issues. The Download Center is updated with the new build, which is still considered MDT 2013 Update 1. Build 8290 is no longer available, no longer supported, and superseded by build 8298.

NOTE: it can take time for the files to fully propagate through the live downloads cluster, and to be refreshed on the Akamai caches. Please ensure the build version under Details is 8298. I have seen the updated page on a non-internal system; it’s there, just be patient. Use the time to review the release notes below!

The following issues are fixed in build 8298:

  • Multiple drive partitioning issues are addressed by significant revisions to the Format and Partition Disk step (see release note below), including:
    • Upgrading to MDT 2013 Update 1 does not work for UEFI systems
    • An extra unneeded partition is created on both UEFI and BIOS systems
    • You cannot specify a custom partition layout containing a “Recovery”-type partition needed for UEFI systems
    • LTIApply error, “There is not enough space on the disk”
    • WINRE_DRIVE_SIZE from ZTIDiskpart.wsf is Too Small
  • Multiple issues related to XML processing:
    • Application bundles returning error 87
    • Selecting a keyboard locale in the Deployment Wizard
    • Deployments failing due to Unattend.xml errors
    • ZTIPatches returning error “Object required (424)”
    • Cleanup after image capture doesn’t remove LTIBootstrap entry
  • Several issues with the Windows 10 in-place upgrade task sequence including:
    • The upgrade process ends with warnings “Unable to create WebService class”
    • The upgrade task sequence is available from Windows PE
    • After upgrade a System_License_Violation blue screen appears
  • Applications that use a command file start using System32 as the working directory
  • Spanned images cannot be applied

Below are the revised release notes and list of known issues. These inclusive lists supersede the previously published lists. New entries are marked with an asterisk (*).

Release Notes

TechNet documentation is not updated

The MDT product documentation published on TechNet is current as of MDT 2013; it has not yet been updated for MDT 2013 Update 1.

Do not upgrade from Preview to RTM

MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.

Windows System Image Manager will fail to validate MDT Unattend.xml templates

The Windows System Image Manager (WSIM, a component of the Windows ADK used to create and modify unattended installation answer files) does not allow blank values which exist in the default MDT Unattend.xml templates. When using the WSIM option Validate Answer File, it will return validation errors, such as "The 'HorizontalResolution' element is invalid – The value '' is invalid according to its datatype 'HorizontalResolutionType' – The string '' is not a valid UInt32 value."

MDT removes blank values before injecting the file during deployment, so Windows always receives a valid XML answer file.

Integrating with System Center Configuration Manager

When integrating MDT with Configuration Manager, follow the version of the Windows ADK. MDT 2013 Update 1 only works with the Windows 10 ADK, so make sure it is used with a version of Configuration Manager that supports and also uses the Windows 10 ADK.

Image files larger than 4 GB are not split by default

Split image (.SWM) support is now off by default. It must be enabled by modifying %DeployRoot%\Control\Settings.xml with the following:

<SkipWimSplit>False</SkipWimSplit>

Using HideShell with Windows 10

The behavior of the HideShell option changed with Windows 10. Michael Niehaus explains this in great detail on his blog.

Changes to the Format and Partition Disk step *

The Format and Partition Disk step in the task sequence is now more closely aligned with the similar step in Configuration Manager; it will explicitly show all of the partitions that are created when the task sequence runs.

  • Backwards compatibility remains when using a task sequence that was created in a prior version of MDT. You should expect the same behavior as previously.
  • The DoNotCreateExtraPartition variable is deprecated. It should not be used with new task sequences (as the partitions are explicitly created by the task sequence step).

Changes to permissions of new deployment shares *

New deployment shares will now be created with more restrictive permissions. You should review these permissions and adjust accordingly for your access requirements.

Upgraded deployment shares are not modified, but the former default permissions are overly permissive. You should review the permissions on the share and directory and adjust accordingly for your environment.

MDT Known Issues

Static IP not restored when using media deployment

When doing a media deployment and using a static IP, the static IP does not get restored.

Workarounds:

  • Modify Litetouch.wsf to enable MEDIA deployments (Keith Garner explains in this forum post), or
  • Add an extra Apply Network Settings action (alternative suggested by Johan Arwidmark on his blog)

Static IP not set in Network Adapter Configuration Wizard

When initializing a deployment in Windows PE and clicking Configure Static IP Address, if you uncheck Enable DHCP and enter static IP information, the following Network Settings Error will display:

WMI Function: Adapter.EnableStatic(IPAddress,SubnetMask) FAILURE: -2147467259

This warning may also be seen in the results screen and log files during a deployment.

Workaround: a static IP can be manually set from Windows PE using netsh, but otherwise there are no workarounds at this time.

UDI wizard does not handle the domain join account user name *

When using the OSDJoinAccount variable in CustomSettings.ini for a UDI task sequence, the wizard cannot be completed because the domain join account user name is encoded. The New Computer Details page will display an error, “User name format is invalid. Example is domain\user.”

Workarounds:

  • Specify the OSDJoinAccount variable in the task sequence before the UDI wizard starts.
  • Alternatively, require the user to manually specify credentials in the UDI wizard.

Unable to browse for user data path *

In the LTI Deployment Wizard, on the User Data page, when selecting the Browse button, the Browse for Folder window does not display anything for selecting a path.

Workarounds:

  • Manually enter the path (do not browse).
  • Set the UserDataLocation variable in CustomSettings.ini.

The ZTIWinRE.wsf script and PrepareWinRE variable do not function properly *

If you specify PrepareWinRE=YES in CustomSettings.ini, Windows RE does not get enabled because the command line is malformed.

The ZTIWinRE.wsf script is deprecated and should not be used.

Windows 10 language packs may not install *

We are still investigating an issue where Windows 10 language packs may not install during LTI.

Issues after successful Windows 10 in-place upgrade *

Following a successful upgrade to Windows 10:

  • Monitoring will continue to show the task sequence in progress until a user logs on.
  • A low rights user may receive an error at logon. This is a non-fatal error; the MDT script requires administrator elevation in order to display the final summary screen. Avoid this by using the variable, SkipFinalSummary.

Windows 10 Known Issues

The following are issues that are known to the MDT product team when doing Windows 10 deployments.

Issues with CopyProfile *

We are aware of reports of issues regarding the CopyProfile property in Unattend.xml. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with CopyProfile, please open a case with Microsoft Support to troubleshoot.

USMT LoadState fails on Windows 7 *

Using MDT 2013 Update 1 to deploy Windows 7 to an existing machine (refresh scenario), and using USMT 10 to capture and restore the user data will result in an error (“DismApi.DLL is missing”) while restoring the user state on Windows 7. This is a known issue with loadstate; see https://support.microsoft.com/kb/3084782 for more information.

MDAC component fails being added to Windows PE

This is a known bug with DISM; it is external to MDT. DISM can sometimes fail to add the MDAC component to WinPE boot images. This seems to be a timing issue which most commonly occurs when you are using SSD disks.

Workarounds:

  • Remove MDAC. On the deployment share properties, Windows PE tab, Features subtab, uncheck Microsoft Data Access Components (MDAC/ADO) support.
  • If you need MDAC for database connectivity, you can try updating your boot images from a system where the %TMP% directory is located on a non-SSD drive. This is not a guaranteed workaround, but has been seen to work.

NOTE: we are also aware of reports of issues regarding the WMI component in Windows PE. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.

Issues with Windows PowerShell in Windows PE

Windows PowerShell cmdlets in Windows PE may not function as expected. We are investigating this issue with the Windows team. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.

CalCheck PowerShell Script to fix Calendar Issues the Easy Way

I created a handy script to fix an Exchange calendar the easy way.

It does the following:
– Asks for the username
– Gives full access to the user mailbox and disables automapping
– Exports Name,LegacyExchangeDN of the user to list.txt
– Runs CalCheck
– Removes the Full Access permission

Put CalCheck.ps1 in the same folder where calcheck.exe exists.

Download CalCheck

You can find the script in the Microsoft Script Library:
https://gallery.technet.microsoft.com/scriptcenter/CalCheck-Powershell-Script-c419c10e

Outlook 2007 and Exchange 2013: not a very good combination

Exchange 2013 and Outlook 2007 is an interesting combination.

Outlook 2007 SP3 is supported with the April 2014 Public Update KB 2863811.
See https://technet.microsoft.com/library/dn803988(v=office.14).aspx

As a system or Exchange administrator or consultant, you might consider some things before migrating to Exchange 2013.

You can’t share your calendar in Outlook 2007
When you use Microsoft Office Outlook 2007 to share your calendar, you receive the following error message:

Error while preparing to send sharing message.

Also, if you try to check the permissions on the calendar, you may receive the following error message:

An error occurred when setting schedule permissions.

Microsoft's solution: use OWA

It works for sharing the calendar, and you can set the Editor calendar permission. All other permissions are not available.


Access rights missing in OWA:
  • None
  • Owner
  • PublishingEditor
  • PublishingAuthor
  • Author
  • NonEditingAuthor
  • Reviewer
  • Contributor

With PowerShell you can set these permissions (the mailbox name is read from the $username variable):

Add-MailboxFolderPermission -Identity ($username + ':\Calendar') -User testuser -AccessRights PublishingEditor

Better solution

Upgrade your Outlook Client to 2010 or 2013

Public Folder Migration to Office 365

Move Public Folder script from 2007/2010 to Office 365. Script created by Ward Vissers,
www.wardvissers.nl

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK
OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER

Please Select the Choice You Want

Prepare for Migration (Legacy Exchange Server)
00) Add the Office 365 Domain Name
01) Take a snapshot of the original source folder structure
02) Take a snapshot of public folder statistics such as item count, size, and owner.
03) Take a snapshot of the permissions
04) Locate public folders that have a backslash in the name
05) Rename Public Folder
06) Checks the public folder migration status.
07) Set PublicFolderMigrationComplete to False

Check Office 365
08) Get-PublicFolderMigrationRequest
09) Get-Mailbox -PublicFolder
10) Get-PublicFolder

Generate CSV Files and create Public Folder Mailboxes (Legacy Exchange Server)
11) Export-PublicFolderStatistics PFSizeMap.csv
12) PublicFolderToMailboxMapGenerator PFMailboxMap.csv

Create the public folder mailboxes on Exchange Online
13) Master Public Folder Name
14) Create Public Folder Mailboxes (Check PFMailboxMap.csv)

Migrating the Public Folders
15) Export mail-enabled public folders from Active Directory
16) LegacyExchangeDN Administrator
17) LegacyExchangeDN Public Folder Server
18) External Name Outlook Anywhere
19) Set the XML file
20) Give the CSV file to start the Migration
21) Public Folder Migration Status

Lock down the public folders on the legacy Exchange server for final migration (downtime required)
22) Lock the legacy public folders for finalization

Finalize the public folder migration (downtime required)
23) Finalize the public folder migration (downtime required)

Test and unlock the public folder migration
24) Add Public Folder to Test User
25) Unlock the public folders for all other users
26) Public Folder Migration Complete (Legacy Exchange Server)
27) Public Folders Enabled Local

Final Check
28) Take a snapshot of the original source folder structure.
29) Take a snapshot of the public folder statistics such as item count, size, and owner
30) Take a snapshot of the permissions

99) Exit

Download: https://gallery.technet.microsoft.com/scriptcenter/Public-Folder-Migratie-to-25bd50a0

Public Folder Move Script to Exchange 2013

Move Public Folder script from 2007/2010 to Exchange 2013. Script created by Ward Vissers, www.wardvissers.nl

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK
OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER

Please Select the Choice You Want

Prepare for Migration (Legacy Exchange Server)
01) Take a snapshot of the original source folder structure
02) Take a snapshot of public folder statistics such as item count, size, and owner.
03) Take a snapshot of the permissions
04) Locate public folders that have a backslash in the name
05) Rename Public Folder
06) Checks the public folder migration status.
07) Set PublicFolderMigrationComplete to False

Check Exchange 2013
08) Get-PublicFolderMigrationRequest
09) Get-Mailbox -PublicFolder
10) Get-PublicFolder

Generate CSV Files and create Public Folder Mailboxes (Legacy Exchange Server)
11) Export-PublicFolderStatistics PFSizeMap.csv
12) PublicFolderToMailboxMapGenerator PFMailboxMap.csv

Create the public folder mailboxes on the Exchange 2013 server
13) Master Public Folder Name
14) Create Public Folder Mailboxes (Check PFMailboxMap.csv)

Migrating the Public Folders
15) BadItemLimit (Exchange 2007 Only)
16) Migrate Exchange 2010 public folders
17) To verify that the migration started successfully (AutoSuspend is Complete)

Lock down the public folders on the legacy Exchange server for final migration (downtime required)
18) Lock the legacy public folders for finalization

Finalize the public folder migration (downtime required)
19) Finalize the public folder migration (downtime required)

Test and unlock the public folder migration
20) Add Public Folder to Test User
21) Unlock the public folders for all other users
22) Public Folder Migration Complete (Legacy Exchange Server)
23) Public Folders Enabled Local

Final Check
24) Take a snapshot of the original source folder structure.
25) Take a snapshot of the public folder statistics such as item count, size, and owner
26) Take a snapshot of the permissions

99) Exit

Download the script here: https://gallery.technet.microsoft.com/scriptcenter/Public-Folder-Move-Script-49126418

Cumulative Update 7 for Exchange Server 2013

Today, Cumulative Update 7 for Exchange Server 2013 was released by the Exchange Team (KB2986485). This update raises the Exchange 2013 version number to 15.0.1044.22.

Note: Customers that run backups of their Exchange databases are advised to upgrade to CU7 and perform a post-upgrade full backup. This is due to a race condition which could prevent proper restoration of pre-CU7 Exchange databases.

Notes:

  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • CU7 adds support for hierarchies containing 250,000 modern public folders. Consult this article for co-existence scenarios.
  • Be advised of OAB architectural changes introduced with CU5 which are documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.
  • If you have installed the Interim Update to fix Hybrid Configuration Wizard, you can install the Cumulative Update over it – there is no need to uninstall the IU prior to installing CU6.

This Cumulative Update includes schema and AD changes, so make sure you run PrepareSchema / PrepareAD. After updating, the schema version will be 15965.

Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

Finally, for any Hotfix, Rollup, Service Pack or Cumulative Update, I'd recommend thoroughly testing it in a test and acceptance environment first, prior to implementing it in production.

You can download Exchange 2013 Cumulative Update 7 here; UM Language Packs can be found here.

This update resolves security issues that are described in December 2014 security update for Exchange Server 2013 Service Pack 1 and Cumulative Update 6.
Additionally, this update also resolves the issues that are described in the following Microsoft Knowledge Base (KB) articles:

  • 3004235 Exchange Server meetings in Russian time zones as well as names of time zones are incorrect after October 26, 2014

  • 3012655 New-MailboxImportRequest causes unreadable characters when you import an ANSI format .pst file of Russian language

  • 3012652 CalendarProcessing cmdlet does not generate delegate permissions to universal security groups in Exchange Server 2013

  • 3009631 Advanced Find against the Sent Items folder in Outlook returns no result in Exchange Server 2013

  • 3009612 Outlook Web App shows organization details on the contact card beyond the scope of user ABP in Exchange Server 2013

  • 3009291 Shared mailbox cannot be opened in Outlook in an Exchange Server 2013 environment that has multiple domains

  • 3008453 Cannot edit or delete forms from the organizational forms library in Exchange Server 2013

  • 3008438 User who is trying to log on to Exchange Admin Center is logged in to OWA instead

  • 3006672 Move request fails if the IsExcludedFromProvisioning option is true in Exchange Server 2013

  • 3005391 Exchange Server 2013 Cumulative Update 5 breaks free/busy lookup from Exchange Online to Exchange Server 2007

  • 3003986 RejectMessageReasonText in transport rule appears in the user section of a DSN in Exchange Server 2013

  • 3001217 TLS 1.0 is hardcoded for SMTP traffic encryption in Exchange Server 2013

  • 3001037 Distribution group cannot send email messages to a mail enabled public folder in an Exchange Server 2013 environment

  • 2999031 A cross-forest mailbox move from Exchange Server 2007 to Exchange Server 2013 finishes with CompletedWithWarnings status

  • 2998144 New-MoveRequest cmdlet with RemoteLegacy parameter cannot perform a cross-forest mailbox move

  • 2988553 Add-ADPermission and Remove-ADPermission can be run outside the management scope in Exchange Server 2013

  • 2981538 Exchange Control Panel crashes when you proxy from Exchange 2013 to Exchange 2010

  • 3014051 Cannot migrate mailboxes in a multiple domains environment in Exchange Server 2013

  • 3012986 ContentIndexRetryQueueSize value for a passive node never drops to zero in Exchange Server 2013 Cumulative Update 6

  • 3004011 Sound alerts do not work in Outlook Web App when new email or calendar notification is received in Exchange Server 2013

  • 3003580 Event ID 4999 and 4401 when the Microsoft Exchange Replication service crashes in Exchange Server 2013

  • 3003518 “550 5.7.1” NDR when you send messages to external recipients in an Exchange Server 2013 hybrid environment

  • 3003068 Cannot see online archive mailbox after you upgrade to Exchange Server 2013 Cumulative Update 6

  • 3000944 Subfolders under the Deleted Items folder are not visible in Outlook in an Exchange Server 2013 environment

  • 2997847 You cannot route ActiveSync traffic to Exchange 2007 mailboxes after you upgrade to Exchange 2013 CU6

  • 2997355 Exchange Online mailboxes cannot be managed by using EAC after you deploy Exchange Server 2013 CU6

  • 2997209 Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007

  • 2995263 OAB cannot be rebuilt if the .flt file is larger than two GB in Exchange Server 2013

  • 2994216 PublicFolderMoveRequest deletes all read or unread state in target mailbox for each user in Exchange Server 2013

  • 2993871 Resource Booking Assistant crashes after you upgrade to Exchange Server 2013 Cumulative Update 5

  • 2983216 Category setting on an item in Outlook jumps the selection to the top of the list in an Exchange Server 2013 environment

  • 2931223 MAPI virtual directory is missing from Default Web Site node