Do yourself a favor. Deploy PowerShell serialization for Exchange server NOW

Friday, November 10, 2023

The upcoming Security Update for Exchange Server 2019 CU12/CU13 is expected to enable certificate signing of PowerShell serialization payloads by default. The feature, shipped disabled in the January 2023 SU, signs the serialized payload exchanged in remote PowerShell sessions with the Exchange Server auth certificate and validates that signature before deserializing, so a tampered or injected payload (for example from a man-in-the-middle between a PowerShell client and the server) is rejected instead of being deserialized.

Payload signing has prerequisites, which Microsoft's article (linked above) describes:

Prerequisites to enable this feature: 

  • Make sure that all Exchange-based servers in your environment have the January 2023 SU or a later SU installed. If you enable this feature before you update all servers, deserialization failures might occur and trigger other issues. 

  • Make sure that a valid Exchange Server auth certificate is configured and available on all Exchange-based servers (except Edge Transport servers) before and after you enable certificate signing.

You can run the MonitorExchangeAuthCertificate.ps1 script to check for a valid auth certificate on Exchange-based servers in your environment. The script also checks whether the auth certificate will expire in less than 60 days, and it can help you to rotate the certificate. For more information about MonitorExchangeAuthCertificate.ps1, see Monitor Exchange AuthCertificate.

To manually check auth certificate availability and validity, see Auth Certificate Availability and Validity. 

We strongly recommend that you use the MonitorExchangeAuthCertificate.ps1 script (or create a new auth certificate, if necessary). This is because the script can also renew an expired auth certificate. The script includes a manual execution mode (verify the auth certificate availability, or verify and take action if necessary). The script also includes an automation mode that works by using Windows Task Scheduler.

There is no indication that the SU installer checks these prerequisites for you. If a server is still on a pre-January-2023 SU, or the auth certificate is missing, expired or not present on every server, the SU will still turn on payload signing, and remote PowerShell sessions and Exchange scripts against those servers can start failing with deserialization errors.

The best course of action is to verify the prerequisites on every server before the SU arrives, especially if the update reaches your servers through Windows Update, where nobody reads the installation notes first.
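As an added example (not part of the original post, and not Microsoft's MonitorExchangeAuthCertificate.ps1 script), the following pre-flight check run from the Exchange Management Shell covers both prerequisites in one pass: the SU level of every non-Edge server, read from the ExSetup.exe file version because AdminDisplayVersion only reflects the CU, and whether the auth certificate from Get-AuthConfig is present, valid and more than 60 days from expiry on each server. The script name and the $MinimumBuild threshold are assumptions: look up the January 2023 SU build for your CU on Microsoft's Exchange Server build numbers page and pass it in, rather than trusting a number copied from a blog.

```powershell
# Test-SerializationSigningPrereqs.ps1 (hypothetical name; added example, not Microsoft's script)
# Run from the Exchange Management Shell. Requires WinRM access to every Exchange server.
param(
    # ExSetup.exe version of the January 2023 SU for your CU, e.g. from Microsoft's
    # "Exchange Server build numbers and release dates" page (assumption: you supply it).
    [Parameter(Mandatory)][version]$MinimumBuild,
    # Microsoft's own script warns at 60 days; keep the same threshold.
    [int]$ExpiryWarningDays = 60
)

$authConfig = Get-AuthConfig
$thumbprint = $authConfig.CurrentCertificateThumbprint
if (-not $thumbprint) {
    Write-Error "No current auth certificate is configured (Get-AuthConfig returned no thumbprint)."
    return
}

# Edge Transport servers are excluded from the auth certificate requirement.
$servers = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }

$results = foreach ($s in $servers) {
    $build = $null; $certOk = $false; $expires = $null; $notes = @()

    try {
        # AdminDisplayVersion only tracks the CU; the SU level is in ExSetup.exe's file version.
        $build = [version](Invoke-Command -ComputerName $s.Fqdn -ErrorAction Stop -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo.ProductVersion
        })
    } catch {
        $notes += "build check failed: $($_.Exception.Message)"
    }

    try {
        # The auth certificate must exist on this server, be valid, and not be close to expiry.
        $cert = Get-ExchangeCertificate -Server $s.Fqdn -Thumbprint $thumbprint -ErrorAction Stop
        $expires = $cert.NotAfter
        $certOk = ($cert.Status -eq 'Valid') -and
                  ($cert.NotAfter -gt (Get-Date).AddDays($ExpiryWarningDays))
        if (-not $certOk) { $notes += "auth cert status $($cert.Status), expires $($cert.NotAfter)" }
    } catch {
        $notes += "auth cert $thumbprint not found on server"
    }

    $buildOk = ($null -ne $build) -and ($build -ge $MinimumBuild)

    [pscustomobject]@{
        Server          = $s.Name
        Build           = $build
        BuildOk         = $buildOk
        AuthCertOk      = $certOk
        AuthCertExpires = $expires
        Ready           = $buildOk -and $certOk
        Notes           = ($notes -join '; ')
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ready }) {
    Write-Warning "Fix every server marked Ready=False before the SU enables payload signing."
}
```

Any server that reports Ready=False needs attention before the SU lands: patch it to the January 2023 SU or later, or use MonitorExchangeAuthCertificate.ps1 to renew and republish the auth certificate so the same thumbprint is valid everywhere.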

