View | Ward Vissers

Exchange Server 2016 Cumulative Update 7 (KB4018115) and Exchange Server 2013 Cumulative Update 18 (KB4022631)

The latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013 are now available on the download center. These releases include fixes to customer reported issues, all previously reported security/quality issues and updated functionality.

Minimum supported Forest Functional Level is now 2008R2

In our blog post, Active Directory Forest Functional Levels for Exchange Server 2016, we informed customers that Exchange Server 2016 would enforce a minimum 2008R2 Forest Functional Level requirement for Active Directory. Cumulative Update 7 for Exchange Server 2016 will now enforce this requirement. This change will require all domain controllers in a forest where Exchange is installed to be running Windows Server 2008R2 or higher. Active Directory support for Exchange Server 2013 remains unchanged at this time.

Support for latest .NET Framework

The .NET team is preparing to release a new update to the framework, .NET Framework 4.7.1. The Exchange Team will include support for .NET Framework 4.7.1 in our December Quarterly updates for Exchange Server 2013 and 2016, at which point it will be optional. .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases. Customers should plan to upgrade to .NET Framework 4.7.1 between the December 2017 and June 2018 quarterly releases.

The Exchange team has decided to skip supporting .NET 4.7.0 with Exchange Server. We have done this not because of problems with the 4.7.0 version of the Framework, rather as an optimization to encourage adoption of the latest version.

Known unresolved issues in these releases

The following known issues exist in these releases and will be resolved in a future update:

Online Archive Folders created in O365 will not appear in the Outlook on the Web UI
Information protected e-Mails may show hyperlinks which are not fully translated to a supported, local language

Release Details

KB articles that describe the fixes in each release are available as follows:

Exchange Server 2016 Cumulative Update 7 (KB4018115), Download, UM Lang Packs
Exchange Server 2013 Cumulative Update 18 (KB4022631), Download, UM Lang Packs

Exchange Server 2016 Cumulative Update 7 does not include new updates to Active Directory Schema. If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current.

Exchange Server 2013 Cumulative Update 18 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 18. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU18, 2016 CU7) or the prior (e.g., 2013 CU17, 2016 CU6) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What’s New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

Tags: 2, Active Directory, App, Change, Cloud, CU1, Deploy, Deployment, Exchange, Exchange 13 Cumulative Update 18 (KB4022631), Exchange 2013, Exchange 2016, Exchange Online, Exchange Server 2013, Exchange Server 2016, Exchange Server 2016 Cumulative Update 7 (KB4018115), Hybrid, Issue, Issues, Microsoft, Outlook, Permissions, Powershell, Release Notes, Running, Script, Security, Server, Server 2008, Server 2016, Update, Update 1, Updated, Updates, Version, View, Windows

EXCHANGE 2013 CU17 AND EXCHANGE 2016 CU6

On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.

A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26)
Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).

The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.

Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).

When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.

.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.

Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.

The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.

KB articles that describe the fixes, features and information in each release are available as follows:

Version	Build	KB Article	Download	UMLP	Schema Changes
Exchange 2016 CU6	15.1.1034.26	KB4012108	Download	UMLP	Yes
Exchange 2013 CU17	15.0.1320.4	KB4012114	Download	UMLP	No

Source: jaapwesselius

Tags: Change, CU1, Exchange, Exchange 2010, Exchange 2013, Exchange 2013 CU15, Exchange 2013 CU17, Exchange 2016, Exchange 2016 CU3, Exchange 2016 CU6, Exchange Server 2013, Group, HTTP, iOS, Microsoft, OWA, RDS, Running, Security, Server, TLS, Update, Updates, Version, View, Windows

CleanUp Old Active Sync Devices

Overview older than 30 Days:
Get-MobileDevice | Get-MobileDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)} | out-gridview

Delete active sync devices older then 30 days

Get-MobileDevice | Get-MobileDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)} | Remove-MobileDevice -Confirm:$false

Tags: Active-Sync, ActiveSync, Clean, CleanUp, False, Get-Mobile, Get-MobileDeviceStatistics, LastSyncAttemptTime, mobile, Remove-MobileDevice, View

Exchange 2016/2013/2010 Updates March 2017

Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.

As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:

If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior of after installing the latest Cumulative Update.
If you are on .NET 4.52, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the the latest Cumulative Update.

The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU5	15.1.845.34	KB4012106	Download	UMLP
Exchange 2013 CU16	15.0.1293.2	KB4012112	Download	UMLP
Exchange 2010 SP3 Rollup 17	14.3.352.0	KB4011326	Download
Exchange 2007 SP3 Rollup 23	8.3.517.0	KB4011325	Download

Exchange 2016 CU5 fixes:

KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016

Exchange 2013 CU16 fixes:

KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013

Notes:

Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.

When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.

Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.

When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).

If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Source

Tags: .Net 4.6.1, 2012, 2012 R2, 4.6.1, 60, App, Certificate, Change, CU1, Deploy, Deployment, Exchange, Exchange 2007, Exchange 2010, Exchange 2010 Rollup 17, Exchange 2013, Exchange 2013 CU15, Exchange 2013 CU16, Exchange 2016, Exchange 2016 CU4, Exchange 2016 CU5, Exchange Online, Exchange Server 2013, Exchange Server 2016, Hybrid, Issue, Issues, Migration, OWA, Powershell, Running, Server, Server 2012, Server 2012 R2, Server 2016, Service Pack 3, Update, Updates, Version, View, Windows

Server 2016 and ADFS Error 364 0d00-0080000000e1 EnableIdPInitiatedSignonPage False

On ADFS page you get error: 00000000-0000-0000-0d00-0080000000e1

Event viewer: Event 364 Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request.

Get-AdfsProperties | select EnableIdPInitiatedSignonPage

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

adfs-server-2016-issue-testing

Tags: 0d00-0080000000e1, ADFS, EnableIdPInitiatedSignonPage, Eventid 364, False, Issue, Microsoft, Office 365, Server, Server 2016, View

Fix “Already Used” status VMware Horizon View

When linked-clone desktops are not cleanly logged off and the “Refresh on logoff” policy is used, VMware Horizon View marks the desktop as “Already used” and blocks other users from accessing the machine.

This “Already Used” state is a default VMware security feature which prevents other users from accessing the previous user’s data and allows a VMware Horizon View administrator to investigate potential problems with the desktop.

The VMware Horizon View desktop can also go into the “Already Used” state if a virtual machine is powered on on another ESXi host in the cluster in response to an HA event, or if it was shut down without reporting to the broker that the user had logged out.

The problem with this “Already Used” state is that the default within VMware Horizon View waits until a View Administrator actually does something to resolve the issue.

To resolve the “Already Used” issue, you can

Refresh or delete the desktop through teh VMware Horizon View Administrator console (this is a manual action)
Set an LDAP attribute pae-DirtyVMPolicy in the VMware Horizon View ADAM database under OU=Server Groups,DC=vdi, DC=vmware, DC=int
- pae-DirtyVMPolicy=0 – This is the default behavior of leaving the desktop in the error state and not available for use.
- pae-DirtyVMPolicy=1 – This allows desktops that were not cleanly logged off to be available without being refreshed. The desktop is available in the pool for another user.
- pae-DirtyVMPolicy=2 – This setting will automatically refresh a desktop in the “already used” state and make it available again in the pool.

I prefer to set the pae-DirtyVMPolicy to 2 so “Already Used” situations will be automatically resolved by VMware Horizon View.

Changing the pae-DirtyVMPolicy needs to be done for each pool.

Manual method of setting the pae-DirtyVMPolicy value:

Start the ADSI Edit utility on your VMware Horizon View Connection Server host. Go to Start > Programs > ADAM > ADAM ADSI Edit.
Select or type a Distinguished Name or connect to DC=vdi, DC=vmware, DC=int.
Select or type a domain or server to localhost:389.
Locate the OU=Server Groups for editing.
Under the Server Groups OU, double-click CN=pool_name. This opens the properties of the CN.
Click the pae-DirtyVmPolicy attribute and click Edit.
Set the pae-DirtyVmPolicy attribute

PowerCLI method of setting the pae-DirtyVMPolicy value:

Create a function “Set-DirtyVMPolicy”

function Set-DirtyVmPolicy([string]$desktopid, [int]$policy) {
     $pool = [ADSI](“LDAP://localhost:389/cn=” + $desktopid + “,ou=server groups,dc=vdi,dc=vmware,dc=int”)
     $pool.put(“pae-DirtyVmPolicy”, $policy )
     $pool.setinfo()
     }

Run the function on the desktop pool

Set-DirtyVMPolicy -desktopid <yourdesktoppoolid> -policy 2

References: Ituda & TheFinalByte

Tags: Already Used, Clean, desktop, ESX, ESXi, Group, Horizon, pae-DirtyVMPolicy, Security, Server, Set-DirtyVMPolicy, View, VM, VMWare

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
To configure your environment for BitLocker, you will need to do the following:

Configure Active Directory for BitLocker.
Download the various BitLocker scripts and tools.
Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
On the Before you begin page, click Next.
On the Select installation type page, select Role-based or feature-based installation, and click Next.
On the Select destination server page, select DC01.contoso.com and click Next.
On the Select server roles page, click Next.
On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
1. BitLocker Drive Encryption Administration Utilities
2. BitLocker Drive Encryption Tools
3. BitLocker Recovery Password Viewer
On the Confirm installation selections page, click Install and then click Close.

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
Assign the name BitLocker Policy to the new Group Policy.
Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:
Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
  1. Allow data recovery agent (default)
  2. Save BitLocker recovery information to Active Directory Domain Services (default)
  3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This )
2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.
  Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

On DC01, start an elevated PowerShell prompt (run as Administrator).
Configure the permissions by running the following command:
```
cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
```

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234

Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available

Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

Tags: 2008 R2, 2012, 2012 R2, Active Directory, App, Bitlocker, Data Recovery, Deployment, GPO, Group Policy, iOS, MDT, MDT 2013, MDT 2013 Update 2, Microsoft, Permissions, Powershell, Script, Server, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Template, Toolkit, Tools, UEFI, Update, Update 2, Version, View, Windows, Windows 10

Cumulative Update 1 for Exchange Server 2016

Exchange Team released: Cumulative Update 1 for Exchange Server 2016

Issues that the cumulative update fixes

KB 3139730 Edge Transport service crashes when you view the properties of a poison message in Exchange Server 2016
KB 3135689 A custom SAP ODI URI is removed by ActiveSync from an email message in an Exchange Server environment
KB 3135688 Preserves the web.config file for Outlook Web App when you apply a cumulative update in Exchange Server 2016
KB 3135601 Cyrillic characters are displayed as question marks when you run the “Export-PublicFolderStatistics.ps1” script in an Exchange Server 2016 environment
KB 3124242 Mailbox quota is not validated during migration to Exchange Server 2013 or Exchange Server 2016

Exchange Server 2016 Cumulative Update 1 (KB3134844), Download, UM Lang Packs

Tags: 60, App, Crash, CU01, Exchange, Exchange 2016, Exchange Server 2013, Exchange Server 2016, Exchange Server 2016 Cumulative Update 1, Export, KB3134844, Microsoft, Migration, Outlook, Script, Server, Update, Update 1, View

Cumulative Update 12 for Exchange Server 2013

Exchange team released CU12 for Exchange 2013

Issues that this cumulative update fixes:

KB 3143710 “Failed Search or Export” error occurs when an eDiscovery search in the Exchange Admin Center finishes

Exchange Server 2013 Cumulative Update 12 (KB3108023), Download, UM Lang Packs

Tags: Active Directory, Crash, CU12, Cumulative Update 12, Exchange, Exchange 2013, Exchange Server 2013, Exchange Server 2013 Cumulative Update 12, Exchange Server 2016, Export, Hybrid, KB3108023, Microsoft, Migration, mobile, Office, Office 365, Outlook, OWA, Server, Update, Update 1, View, Windows

Microsoft Exchange Server User Monitor For Exchange 2013 and 2016

Use the Microsoft Exchange Server User Monitor to gather real-time data to better understand current client usage patterns, and to plan for future work.

Administrators can view details on server resource utilization as reported through server-side tracing. This tool works with Microsoft Exchange Server 2013 and 2016.

Exchange Server User Monitor

Tags: Exchange, Exchange 2013, Exchange 2016, Exchange Server 2013, Exchange Server User Monitor, Exmon, Microsoft, Microsoft Exchange Server, Server, Update, Updates, User Monitor, View