tag:blogger.com,1999:blog-7981948127508984172024-03-18T22:46:25.750-07:00The EXPTA {blog}Random musings of an Exchange Microsoft Certified Master and an Office Apps & Services MVP.Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.comBlogger905125tag:blogger.com,1999:blog-798194812750898417.post-9685417136394210062024-01-18T14:07:00.000-08:002024-01-18T14:43:04.127-08:00Deploy Extended Protection for Exchange server NOW<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioRnEh9vvff1_1z5xvfUOFp1vg_NxbL2av4UDkXuMsx8SMHo0WIP4hFogGRHZnx8CEag_HTkGyXmGSUqXmBGT2-dcY6xjWNAE3VjUmbn3-1MPIE9vVpBKovBXugynFxdzHWohX_TJrli607K3llpc1m8hrD_6dUBilcYbCmGbU3ZkvwN_hy1ATmZAmhMlX/s773/EP.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="293" data-original-width="773" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioRnEh9vvff1_1z5xvfUOFp1vg_NxbL2av4UDkXuMsx8SMHo0WIP4hFogGRHZnx8CEag_HTkGyXmGSUqXmBGT2-dcY6xjWNAE3VjUmbn3-1MPIE9vVpBKovBXugynFxdzHWohX_TJrli607K3llpc1m8hrD_6dUBilcYbCmGbU3ZkvwN_hy1ATmZAmhMlX/w640-h242/EP.png" width="640" /></a></div><br />Exchange 2019 CU14 is expected to enable <a href="https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection?view=exchserver-2019#prerequisites-for-enabling-extended-protection-on-exchange-server" target="_blank">Windows Extended Protection in Exchange Server</a> by default. 
This feature enhances the existing Windows authentication by binding each NTLM authentication to the TLS channel it arrives over (a channel binding token), which mitigates authentication relay and man-in-the-middle (MitM) attacks.<p></p><p>Extended Protection requires several very important <a href="https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection?view=exchserver-2019#prerequisites-for-enabling-extended-protection-on-exchange-server" target="_blank">prerequisites</a>, which the link above describes.</p><p></p><h3 style="text-align: left;"><b>Prerequisites for enabling Extended Protection on Exchange Server:</b></h3><ul style="text-align: left;"><li>SSL offloading must be disabled on all Exchange servers (it's enabled by default). Extended Protection needs the TLS session to terminate on the Exchange server itself; if a load balancer terminates TLS and forwards plain HTTP, the channel binding no longer matches and authentication fails.</li><li>Clients should use NTLMv2 instead of NTLMv1. NTLMv2 is the default in supported versions of Windows, but I recommend enforcing it via Group Policy (<b>Network security: LAN Manager authentication level</b>). If a client still uses NTLMv1 when Extended Protection is enabled, the user gets password prompts with no way to authenticate successfully against the Exchange server.</li><li>TLS configuration must be consistent across all Exchange servers in the organization. Any variation in TLS version use across servers can cause client connections to fail. I recommend that all Exchange servers be configured to use only TLS 1.2 for client and server operations, and for .NET as well.</li><li>Third-party software running on your Exchange servers must be compatible with Extended Protection. Test every third-party product that runs in your Exchange Server environment to confirm it still works when Extended Protection is enabled.</li><li>Extended Protection doesn't work with hybrid servers using a Modern Hybrid configuration (the Hybrid Agent).</li><li>Extended Protection can't be enabled on Exchange Server 2013 servers with Public Folders in a coexistence environment.</li><li>Extended Protection can't be enabled on Exchange Server 2016 CU22 or Exchange Server 2019 CU11 or older servers that host a Public Folder hierarchy.</li></ul><p></p>It's unlikely that the Exchange 2019 CU14 installer will perform "deep" inspection for these prerequisites, so if they are not met and CU14 enables Extended Protection anyway, you will have problems. The most likely symptom is that clients are unable to connect or authenticate to Exchange Server after Extended Protection is enabled.<div><br /></div><div><span style="background-color: #fff2cc; font-size: medium;">I strongly recommend that all customers with Exchange Server (including hybrid) check that they meet the requirements above and run the <a href="https://microsoft.github.io/CSS-Exchange/Security/ExchangeExtendedProtectionManagement/" target="_blank"><b>Exchange Extended Protection Management script</b></a> before they install Exchange 2019 CU14. This script checks that the major requirements are met before enabling Extended Protection across all Exchange servers (not just Exchange 2019) in the organization.</span><br /><p>The best course of action is to check and mitigate the Extended Protection prerequisites first. 
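As an added example (my code, not part of the original post and not Microsoft's ExchangeExtendedProtectionManagement.ps1), here is a PowerShell pre-flight check for the three prerequisites above that can be read centrally: Outlook Anywhere SSL offloading, the NTLM compatibility level, and the SCHANNEL and .NET TLS registry settings, with a drift check that flags any server whose TLS settings differ from the rest. It assumes it runs in the Exchange Management Shell as an Exchange admin with WinRM access to every non-Edge server; the LmCompatibilityLevel target of 5 is my choice, matching the NTLMv2-only recommendation above.

```powershell
# Added example: pre-flight check for the Extended Protection prerequisites.
# Not from the original post and not Microsoft's ExchangeExtendedProtectionManagement.ps1.
# Assumes the Exchange Management Shell and WinRM access to every non-Edge server.
# The LmCompatibilityLevel target and the "TLS 1.2 only" expectation are my own choices.

$ExpectedLmCompat = 5   # 5 = send NTLMv2 only, refuse LM and NTLM(v1)

# Runs on each server: reads the registry values that decide the TLS and NTLM behaviour.
$remoteChecks = {
    function Get-RegValue([string]$Path, [string]$Name) {
        # $null means "not configured", which is different from an explicit 0.
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # SCHANNEL protocol switches, server and client side, for each TLS version.
    $tls = foreach ($ver in '1.0', '1.1', '1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = "$schannel\TLS $ver\$side"
            'TLS{0}/{1}:Enabled={2},DisabledByDefault={3}' -f $ver, $side,
                (Get-RegValue $key 'Enabled'), (Get-RegValue $key 'DisabledByDefault')
        }
    }

    # .NET must also follow the OS defaults (SystemDefaultTlsVersions) and use
    # strong crypto (SchUseStrongCrypto); check the 64-bit and 32-bit hives.
    $net = foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        'SystemDefaultTlsVersions={0},SchUseStrongCrypto={1}' -f (Get-RegValue $hive 'SystemDefaultTlsVersions'),
            (Get-RegValue $hive 'SchUseStrongCrypto')
    }

    [pscustomobject]@{
        LmCompatibilityLevel = Get-RegValue $lsa 'LmCompatibilityLevel'
        Tls                  = $tls -join ';'
        NetTls               = $net -join ';'
    }
}

$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' })) {
    # SSL offloading is a property of the Outlook Anywhere virtual directory.
    $oa  = Get-OutlookAnywhere -Server $srv.Name
    $reg = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock $remoteChecks

    [pscustomobject]@{
        Server               = $srv.Name
        SslOffloading        = $oa.SSLOffloading
        LmCompatibilityLevel = $reg.LmCompatibilityLevel
        Tls                  = $reg.Tls
        NetTls               = $reg.NetTls
    }
}

$report | Format-List

# Anything reported below is a blocker for CU14 enabling Extended Protection.
foreach ($r in $report) {
    if ($r.SslOffloading) {
        Write-Warning "$($r.Server): Outlook Anywhere SSLOffloading is True; disable it (Set-OutlookAnywhere -SSLOffloading `$false)."
    }
    # Unset = OS default, which is 3 (send NTLMv2 only) on supported Windows.
    # The client side still has to be enforced through the same GPO setting.
    if ($null -ne $r.LmCompatibilityLevel -and $r.LmCompatibilityLevel -lt $ExpectedLmCompat) {
        Write-Warning "$($r.Server): LmCompatibilityLevel is $($r.LmCompatibilityLevel), expected $ExpectedLmCompat."
    }
}

# TLS settings must be identical on every server: more than one group means drift.
$groups = $report | Group-Object -Property { $_.Tls + '|' + $_.NetTls }
if ($groups.Count -gt 1) {
    Write-Warning 'TLS configuration differs between servers:'
    foreach ($g in $groups) { '  {0} -> {1}' -f ($g.Group.Server -join ', '), $g.Name }
}
```

The drift check is deliberately strict: two servers that both have TLS 1.2 enabled but differ only in whether TLS 1.0 is explicitly disabled or merely unset still land in different groups, because that is exactly the kind of inconsistency that breaks client connections once Extended Protection is on.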
Always read the CU release notes before you install it; the same goes for Security Updates, especially when you let Windows Update deploy them.</p><p>Please reach out to <b><a href="mailto:info@expta.com?subject=Exchange Extended Protection assistance">EXPTA Consulting</a></b> if you would like assistance.</p></div><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-36539951357366784372023-11-10T12:19:00.000-08:002023-11-10T12:19:45.575-08:00Do yourself a favor. Deploy PowerShell serialization for Exchange server NOW<p>Exchange 2019 CU12/13 Security Update 13 is expected to enable <a href="https://support.microsoft.com/en-us/topic/certificate-signing-of-powershell-serialization-payload-in-exchange-server-90fbf219-b0dd-4b2c-8a68-9d73b3309eb1" target="_blank">certificate signing of the PowerShell serialization payload</a> by default. With this feature, Exchange signs serialized PowerShell payloads with the Exchange Server auth certificate and rejects payloads that don't carry a valid signature, which blocks tampered (malicious) serialized objects from being fed into the remote PowerShell sessions that the Exchange Management Shell and Exchange scripts use.</p><p>The feature has prerequisites, which the link above describes:</p><blockquote><p style="background-color: white; box-sizing: border-box; color: #1e1e1e; line-height: 1.5; padding: 0px;"><span style="font-family: verdana;">Prerequisites to enable this feature: </span></p><ul style="background-color: white; box-sizing: border-box; color: #363636; list-style: square; margin: 30px 0px 30px 30px; padding-bottom: 0px; padding-left: 18px;"><li itemprop="itemListElement" itemscope="" itemtype="http://schema.org/ListItem" style="box-sizing: border-box; margin-left: 0px; margin-top: 18px; padding-left: 6px;"><p style="box-sizing: border-box; color: #1e1e1e; line-height: 1.5; padding: 0px;"><span style="font-family: verdana;"><b>Make sure that all Exchange-based servers in your environment have the 
January 2023 SU or a later SU installed. If you enable this feature before you update all servers, deserialization failures might occur and trigger other issues. </b></span></p></li><li itemprop="itemListElement" itemscope="" itemtype="http://schema.org/ListItem" style="box-sizing: border-box; margin-left: 0px; margin-top: 18px; padding-left: 6px;"><p style="box-sizing: border-box; color: #1e1e1e; line-height: 1.5; padding: 0px;"><span style="font-family: verdana;"><b>Make sure that a valid Exchange Server auth certificate is configured and available on all Exchange-based servers (except Edge Transport servers) before and after you enable certificate signing.</b></span></p></li></ul><p style="background-color: white; box-sizing: border-box; color: #1e1e1e; line-height: 1.5; padding: 0px;"><span style="font-family: verdana;">You can run the <span class="ocpCodeInline" style="box-sizing: border-box; line-height: 1.5; padding: 0px;">MonitorExchangeAuthCertificate.ps1</span> script to check for a valid auth certificate on Exchange-based servers in your environment. The script also checks whether the auth certificate will expire in less than 60 days, and it can help you to rotate the certificate. 
For more information about <span class="ocpCodeInline" style="box-sizing: border-box; line-height: 1.5; padding: 0px;">MonitorExchangeAuthCertificate.ps1</span>, see <a class="ocpExternalLink" data-bi-type="anchor" href="https://aka.ms/MonitorExchangeAuthCertificate" style="box-sizing: border-box; color: #006cb4; text-decoration-line: none;" target="_blank">Monitor Exchange AuthCertificate</a></span></p><p style="background-color: white; box-sizing: border-box; color: #1e1e1e; line-height: 1.5; padding: 0px;"><span style="font-family: verdana;">To manually check auth certificate availability and validity, see <a class="ocpExternalLink" data-bi-type="anchor" href="https://learn.microsoft.com/Exchange/plan-and-deploy/integration-with-sharepoint-and-skype/maintain-oauth-certificate?view=exchserver-2019" style="box-sizing: border-box; color: #006cb4; text-decoration-line: none;" target="_blank">Auth Certificate Availability and Validity. </a></span></p><p style="background-color: white; box-sizing: border-box; color: #1e1e1e; line-height: 1.5; padding: 0px;"><span style="font-family: verdana;">We strongly recommend that you use the <span class="ocpCodeInline" style="box-sizing: border-box; line-height: 1.5; padding: 0px;">MonitorExchangeAuthCertificate.ps1</span> script (or create a new one, if it's necessary). This is because the script can also renew an expired auth certificate. The script includes a manual execution mode (verify the auth certificate availability or verify and take action, if it's necessary). 
The script also includes an automation mode that works by using Windows Task Scheduler.</span></p></blockquote><p>It's unlikely that the SU installer will check for these prerequisites, so if they are not met and the SU enables payload signing anyway, Exchange scripts in your environment may start failing.</p><p>The best course of action is to check the prerequisites first, especially if you let Windows Update deploy this security update without reading the SU release notes.</p><p><br /></p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-52004219625734579062023-06-20T17:19:00.001-07:002023-06-20T17:19:31.627-07:00Lessons Learned and Best Practices for Autodiscover in a Hybrid Environment<p>Outlook uses the Autodiscover service to get real-time connection information for your mailbox and any other mailbox you connect to. Without Autodiscover you may be able to get Outlook to connect, but it won't connect correctly. For example, Exchange Web Services (EWS) connectivity in Outlook can only be established using Autodiscover.</p><p>Outlook normally performs Autodiscover requests when you set up a mail profile for the first time and then periodically in the background. This is how automapped shared mailboxes get added to Outlook automatically. Outlook also runs an Autodiscover request when your mailbox moves between servers or databases, as when a failover event occurs. Autodiscover is also used whenever you check free/busy availability of another user's calendar.</p><p>Domain-joined computers in an Exchange Server or hybrid environment normally use a Service Connection Point (SCP) published in Active Directory to get the URI Outlook should use for Autodiscover requests. 
This is set using the <span style="font-family: courier;"><b><a href="https://learn.microsoft.com/en-us/powershell/module/exchange/set-clientaccessservice?view=exchange-ps" target="_blank">Set-ClientAccessService</a> -AutoDiscoverServiceInternalUri <value></b></span> cmdlet in the Exchange Management Shell (EMS).</p><p>There's a lot of documentation on the web that says you should set the <b>AutoDiscoverServiceInternalUri</b> value to <b>$null</b> after a hybrid migration is complete. But is that the right thing to do?</p><p>It's a long answer, so strap in. 😉 <b>Tl;dr</b> at the end.</p><p>First, know that Autodiscover behavior changes depending on the Outlook client and build version, as well as any non-standard registry settings.</p><p><b><a href="https://www.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-apps-for-enterprise" target="_blank">Microsoft 365 Apps for Enterprise</a></b> always tries <u><span style="color: #2b00fe;">https://outlook.office365.com/autodiscover/autodiscover.xml</span></u> first (Autodiscover-V2) regardless of your DNS settings. Microsoft's assumption is that if you’re running that version, your account is probably in the cloud. 
If your mailbox is indeed in EXO, that process looks like this and only takes 1-2 seconds:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgfEYPmS22qY-71SEGw5PS72Shw2x1d2SJQ9wB2CCwynPna2aEx5PQJB_kPaM6TPaZ1Zk3nvNhu8aUC02_U0MRMDWh__JVY7gz4Dq-tUtGHBLfyfB83fVhbee2CkIYiLieDGfa2_aPU_mXTjc-39GpIlrafpB3D-FU0AYdVxDLQtZhqz4ERixoZQ8dECzsY" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="461" data-original-width="662" height="446" src="https://blogger.googleusercontent.com/img/a/AVvXsEgfEYPmS22qY-71SEGw5PS72Shw2x1d2SJQ9wB2CCwynPna2aEx5PQJB_kPaM6TPaZ1Zk3nvNhu8aUC02_U0MRMDWh__JVY7gz4Dq-tUtGHBLfyfB83fVhbee2CkIYiLieDGfa2_aPU_mXTjc-39GpIlrafpB3D-FU0AYdVxDLQtZhqz4ERixoZQ8dECzsY=w640-h446" width="640" /></a></div><br />Autodiscover-V2 will fail if your account is missing in EXO or not migrated yet and Outlook will then start the regular Autodiscover-V1 process. Note that the Autodiscover-V2 process can also be skipped with the following reg key. 
I see this often in older enterprise environments.<p></p><blockquote><span style="font-family: courier;"><b>[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]<br />"ExcludeExplicitO365Endpoint"=dword:00000001</b></span></blockquote><p>Office 2016/2019 clients normally only do the regular Autodiscover-V1 process, which is well known:</p><p></p><ol style="text-align: left;"><li>Check for Local Data preference (configured via GPO to use an autodiscover.xml file stored locally on the computer)</li><li>Check for Last Known Good (LKG) cached data</li><li><i>Some later builds use heuristics to determine if the user account comes from Azure AD and will check against <u><span style="color: #2b00fe;">https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml</span></u> </i></li><li>SCP (see *notes below)</li><li>DNS</li><ul><li>Root domain (<span style="color: #2b00fe; text-decoration-line: underline;">https://contoso.com/autodiscover/autodiscover.xml</span><span>, which nearly always fails)</span></li><li>Autodiscover URI (<u><span style="color: #2b00fe;">https://autodiscover.contoso.com/autodiscover/autodiscover.xml</span></u>)</li></ul><li>HTTP redirect</li><ul><li><u><span style="color: #2b00fe;"><b>http</b>://autodiscover.contoso.com/autodiscover/autodiscover.xml</span></u> (an unauthenticated request; Outlook only follows a redirect from here to an HTTPS URL and never sends credentials over plain HTTP)</li></ul><li>SRV</li><ul><li>The target host of the <b>_autodiscover._tcp.contoso.com</b> SRV record in DNS (priority 0, weight 0, port 443, target such as mail.contoso.com)</li></ul></ol><p></p><p>*Note that the SCP process won't work in several scenarios:</p><p></p><ul style="text-align: left;"><li>The computer is not domain-joined</li><li>SCP is <b>$null</b></li><li>SCP is not available via LDAP because the domain-joined machine is disconnected from the DC</li><li><a href="https://learn.microsoft.com/en-us/outlook/troubleshoot/profiles-and-accounts/unexpected-autodiscover-behavior" target="_blank">Registry keys</a> can, and most often will, override the default Autodiscover behavior</li></ul><p></p><p>Here’s what the process looks like for an M365 
mailbox user in a hybrid environment from a domain-joined computer on the LAN. The SCP is set to <u><span style="color: #2b00fe;">https://autodiscover.contoso.com/autodiscover/autodiscover.xml</span></u> (the on-prem Exchange Server). This process took 52 seconds to complete. Remember, this is the same process that Outlook goes through when creating a new mail profile, too.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjvuuOiSdpzeZMXVaHQ-1uxHB0dsXgD3-MWFTKB7WEGvyWaqWPe55of09Nsk_K2167lQ-ofS_JBZ2Xb2s6Q5aiNpjmZ02hl55easggqQ3IMWRkEaB5DwwRlyMGquCQ5ClA1Mzlxss_WiTJ9RMnDzIDJ-WRZ9bf6IO3oSFsz1gzshkOXBGQ8jVGO7q2V7Ndu" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="565" data-original-width="662" height="547" src="https://blogger.googleusercontent.com/img/a/AVvXsEjvuuOiSdpzeZMXVaHQ-1uxHB0dsXgD3-MWFTKB7WEGvyWaqWPe55of09Nsk_K2167lQ-ofS_JBZ2Xb2s6Q5aiNpjmZ02hl55easggqQ3IMWRkEaB5DwwRlyMGquCQ5ClA1Mzlxss_WiTJ9RMnDzIDJ-WRZ9bf6IO3oSFsz1gzshkOXBGQ8jVGO7q2V7Ndu=w640-h547" width="640" /></a></div><br />When the SCP is set to <b>$null</b> it skips the first five lines, but execution time is nearly the same. 
It gets there, but it's not efficient and takes a really long time.<p></p><p>If we set the SCP to <u><span style="color: #2b00fe;">https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml</span></u>, the process only takes about 1 second.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjeUome8Keouc_JQxp7pRVtRXh5T3Ft4akELQOF6VNTS2bEL7N93vMAXr9nJjGta7ClflHPoJbdI6UIVF7Q4xxiPts5OGcE8OnfWfXElqV8gU4pE68uYCrnvknMDxHVpqNlWn517KqSc6cO41DXegFzRVFLNFJ_zmsw3kJLA0FyCLyP0eGBEY3ekQbgbAZ4" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="461" data-original-width="662" height="446" src="https://blogger.googleusercontent.com/img/a/AVvXsEjeUome8Keouc_JQxp7pRVtRXh5T3Ft4akELQOF6VNTS2bEL7N93vMAXr9nJjGta7ClflHPoJbdI6UIVF7Q4xxiPts5OGcE8OnfWfXElqV8gU4pE68uYCrnvknMDxHVpqNlWn517KqSc6cO41DXegFzRVFLNFJ_zmsw3kJLA0FyCLyP0eGBEY3ekQbgbAZ4=w640-h446" width="640" /></a></div><br />As you can see, setting the SCP to <u><span style="color: #2b00fe;">https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml</span></u> is much more efficient than setting it to <b>$null</b> when the migration is complete.<br /><p></p><h3 style="text-align: left;">Tl;dr:</h3><p>The Service Connection Point (SCP) is set using the <span style="font-family: courier;"><b>Set-ClientAccessService -AutoDiscoverServiceInternalUri <value></b></span> cmdlet.</p><p></p><ul style="text-align: left;"><li><b>If you're a hybrid customer and you still have mailboxes on-premises that use Outlook</b>:</li><ul><li>Set your SCP to <u><span style="color: #2b00fe;">https://autodiscover.contoso.com/autodiscover/autodiscover.xml</span></u>.</li><li>Create an A record for <b>autodiscover.contoso.com</b> in internal and external DNS resolving to on-prem Exchange for computers that can't reach AD.</li></ul></ul><ul style="text-align: left;"><li><b>If you're a hybrid or cloud customer and all mailboxes that use Outlook are in EXO</b>:</li><ul><li>Use Microsoft 365 Apps for Enterprise, which always checks EXO first. It also provides the best experience, features, and performance for cloud mailboxes.</li><li>If you're hybrid, set your SCP to <u><span style="color: #2b00fe;">https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml</span></u>.</li><li>Create a CNAME record for <b>autodiscover.contoso.com</b> in external DNS resolving to <b>autodiscover.outlook.com</b>. This way, older clients that don't use Autodiscover-V2 will use the HTTP redirect method to get to EXO.</li></ul></ul><p></p><div><br /></div><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-28234734048614090292023-03-23T16:23:00.002-07:002023-03-23T16:23:33.926-07:00Exchange Online will Throttle and Block Email from Persistently Vulnerable Exchange Servers<p>Microsoft announced that they will begin <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/" target="_blank">Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online</a>.</p><p>They will begin slowly by blocking on-premises (hybrid) connections from Exchange 2007 servers to Exchange Online, but plan to include all persistently vulnerable servers soon. A “persistently vulnerable server” is any Exchange server that has reached end of life (e.g., Exchange 2007, Exchange 2010, and very soon, Exchange 2013), or remains unpatched for known vulnerabilities.</p><p><b>If you have any Exchange 2007, 2010, or 2013 servers in your organization that are used for hybrid or SMTP relay, you must make plans to replace or remove them ASAP. 
You must also keep any Exchange 2016 and 2019 servers up to date with the latest Cumulative and Security Updates as they are released.</b></p><div>I support this initiative. Organizations using Exchange servers with known and unpatched vulnerabilities put themselves and their partners at risk. I look forward to seeing it include additional unsupported Exchange Server versions, and I understand their approach of rolling this out slowly and carefully at first.</div><div><br /></div><div><div>There are millions of mailboxes in Exchange Online and Microsoft has a duty to protect those mailboxes. They know there are 16-year-old Exchange 2007 servers currently connecting to their service that haven’t been patched in years and have dozens of known vulnerabilities. </div><div><br /></div><div>Microsoft is not forcing anyone to move to Exchange Online. They’re just not going to allow Exchange servers with known vulnerabilities to send hybrid (trusted) email into their service.</div><div><br /></div><div>It’s only 2007 for now, but eventually it will be any Exchange Server that is not running the latest or second-to-latest updates. It’s too risky for everyone.</div></div><div><br /></div><div>The table below details the stages of progressive enforcement that a persistently vulnerable server passes through over time:</div><div><br /><p style="background-color: white; box-sizing: border-box; color: #333333; font-family: SegoeUI, Lato, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; margin: 0px 0px 10px;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="VulnServ02.jpg" style="box-sizing: border-box; clear: both; display: block; margin: auto; max-width: 100%; position: relative; width: 999px;"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below" style="box-sizing: border-box;"><img alt="thumbnail image 2 of blog post titled
Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online
" class="lia-media-image" li-bindable="" li-bypass-lightbox-when-linked="true" li-compiled="true" li-image-display-id="'453106iB81E52B8DB700A4E'" li-image-url="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/453106iB81E52B8DB700A4E?v=v2" li-message-uid="'3762078'" li-messages-message-image="true" li-use-hover-links="false" role="button" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/453106iB81E52B8DB700A4E/image-size/large?v=v2&px=999" style="border: 0px; box-sizing: border-box; cursor: zoom-in; display: block; height: auto; max-width: 100%; vertical-align: middle;" tabindex="0" /></span></span></p></div><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-63054627141775896422023-02-15T09:05:00.009-08:002023-02-15T09:39:13.288-08:00Do Not Install the February 2023 Exchange Server Security Updates via Windows Update<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhViuk7mb_aw-TeqK3K3wO_kUi9QWTXV6ei7RhTX9q3cl3FcCNoIfc3TR7SRNZGzDrrEI8cYGVVLxYOF-hQTf-YbajXZDoPaLj8nV5HELDHChIQHzLIG9SAH7ybQeKrdsAHEArmsJIl_K2B3SkIfgui3hW-S14HGszOyjlVDzuAn19ZdSrRECVZcWnRFA" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="338" data-original-width="998" height="216" src="https://blogger.googleusercontent.com/img/a/AVvXsEhViuk7mb_aw-TeqK3K3wO_kUi9QWTXV6ei7RhTX9q3cl3FcCNoIfc3TR7SRNZGzDrrEI8cYGVVLxYOF-hQTf-YbajXZDoPaLj8nV5HELDHChIQHzLIG9SAH7ybQeKrdsAHEArmsJIl_K2B3SkIfgui3hW-S14HGszOyjlVDzuAn19ZdSrRECVZcWnRFA=w640-h216" width="640" /></a></div><br />Microsoft released the <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058" target="_blank">February 2023 Exchange 
Server Security Updates</a> yesterday, February 14, via Windows Update and on their website. The website links to the correct files for the February 2023 Security Updates, but Windows Update is currently deploying the January 2023 Security Update CAB file for Exchange Server 2013, 2016, and 2019. <p></p><p>For this reason, <b><a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058" target="_blank">install the February updates from the hyperlinks listed in the EHLO Blog post</a></b>, not Windows Update. If you already installed the Exchange Security Updates via Windows Update, download the files directly and reinstall them on all your servers. Then check the version with the <a href="https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/" style="font-weight: bold;" target="_blank">HealthChecker.ps1</a> script.</p><p><b>UPDATE</b>: Microsoft just said, "<span style="font-family: Calibri, sans-serif; font-size: 11pt;"><b><i>We've fixed the
issue, so it's safe to install the SU from MU/WU again. Apologies for the
inconvenience.</i></b></span>" According to Microsoft, customers who already installed the February SU via Windows Update can either install it again via Windows Update or download the update from the web and install it.</p><p>For further details, keep reading.</p><p><br /></p><p>Several of my customers installed the Security Update For Exchange Server CU23 SU6 (KB5023038) on multiple servers via Windows Update. These servers include Exchange Server 2013, 2016, and 2019.</p><p>Windows Update history shows the February 2023 <b>KB5023038 </b>update has been installed, but <b><a href="https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/" target="_blank">HealthChecker.ps1</a> </b>reports the servers are still on the January 2023 <b>KB5022143 </b>SU. </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_dZ8DGPMw9UPc2swkOHNJdbO2RTfGiPW7cdv3dqL6_r35vWK79sjIWT-8OzWkjZEuAV4sGSkfB8FDF0hH3WH7cHbCSb5VGJrKkighyJE2cYTYQ7__52KYuegcS0MGIB3BQ6D7xk3qaJ80Ai56kNhX1jm6oS3KI4h7HGpsr47o8iEuh7KhYu1-EmW1Fw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="414" data-original-width="939" height="282" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_dZ8DGPMw9UPc2swkOHNJdbO2RTfGiPW7cdv3dqL6_r35vWK79sjIWT-8OzWkjZEuAV4sGSkfB8FDF0hH3WH7cHbCSb5VGJrKkighyJE2cYTYQ7__52KYuegcS0MGIB3BQ6D7xk3qaJ80Ai56kNhX1jm6oS3KI4h7HGpsr47o8iEuh7KhYu1-EmW1Fw=w640-h282" width="640" /></a></div><br /><p></p><p>Checking the registry,</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Exchange v15\<b>DisplayVersion </b>says the Exchange build is <b>15.1.2507.18</b> (not listed <a href="https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019" target="_blank">here</a>, but should be <b>15.1.2507.21</b>). 
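To make this kind of check repeatable, here is an added PowerShell example (my code, not from the original post and not HealthChecker.ps1) that collects the same evidence from every Exchange server in one pass: the ExSetup.exe file version (which is what HealthChecker reports), the registry DisplayVersion, the Exchange SU patches Windows Installer has recorded, and any Exchange SU CAB still sitting in SoftwareDistribution\Download. It assumes the Exchange Management Shell and WinRM access to each server; the $ExpectedBuild table is something you fill from the Exchange build-numbers page linked above, and only the Exchange 2016 CU23 value quoted here is pre-filled.

```powershell
# Added example, not from the original post. Gathers SU evidence from every
# Exchange server so one that took the wrong SU from Windows Update stands out.
# Assumes the Exchange Management Shell and WinRM access to each server.
# $ExpectedBuild: fill in from the Exchange build-numbers table; only the
# Exchange 2016 CU23 value (quoted in the post) is filled in here.

$ExpectedBuild = @{
    '15.1' = [version]'15.1.2507.21'   # Exchange 2016 CU23 + February 2023 SU (from the post)
    # '15.2' = [version]'<build>'      # Exchange 2019: add the build for your CU
    # '15.0' = [version]'<build>'      # Exchange 2013 CU23: add the build
}

# Runs on each server and returns the four pieces of evidence.
$collect = {
    # Install path written by Exchange Setup; ExSetup.exe carries the real build.
    $setup   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    $exSetup = Join-Path $setup.MsiInstallPath 'bin\ExSetup.exe'

    # Windows Installer records each MSI patch under the product it applies to.
    # Exchange SUs have DisplayNames like
    # "Security Update for Exchange Server 2016 Cumulative Update 23 (KB5022143)".
    $patchKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
    $suNames = Get-Item $patchKeys -ErrorAction SilentlyContinue |
        ForEach-Object { $_.GetValue('DisplayName') } |
        Where-Object { $_ -like 'Security Update for Exchange Server*' }

    # CABs that Windows Update downloaded; the KB number in the file name says
    # which SU it actually shipped.
    $cabs = Get-ChildItem "$env:windir\SoftwareDistribution\Download" -Recurse -Filter 'Exchange*-KB*.cab' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ExSetupVersion  = (Get-Item $exSetup).VersionInfo.FileVersion
        RegistryVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Exchange v15').DisplayVersion
        ExchangeSUs     = @($suNames) -join '; '
        WuCabs          = @($cabs) -join '; '
    }
}

$results = foreach ($srv in Get-ExchangeServer) {
    $info = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock $collect

    # File versions look like 15.01.2507.021; [version] normalises the zero padding.
    $ver    = [version]$info.ExSetupVersion
    $family = '{0}.{1}' -f $ver.Major, $ver.Minor
    $want   = $ExpectedBuild[$family]
    if (-not $want)          { $status = "no expected build configured for $family" }
    elseif ($ver -ge $want)  { $status = 'OK' }
    else                     { $status = "BEHIND: expected $want" }

    [pscustomobject]@{
        Server          = $srv.Name
        ExSetupVersion  = $ver
        RegistryVersion = $info.RegistryVersion
        ExchangeSUs     = $info.ExchangeSUs
        WuCabs          = $info.WuCabs
        Status          = $status
    }
}

$results | Format-List
$results | Where-Object { $_.Status -ne 'OK' } | ForEach-Object { Write-Warning "$($_.Server): $($_.Status)" }
```

The comparison uses the ExSetup.exe file version rather than the registry DisplayVersion on purpose: as the registry values above show, the Uninstall key can lag behind or disagree with what is actually on disk, while the binary's version is what the server is really running.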
</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Patch\<b>DisplayName </b>says “<b>Security Update for Exchange Server 2016 Cumulative Update 23 (KB5022143)</b>” </p><p>When you run Windows Update again, it says no updates are pending.</p><p>When I view the <b>C:\Windows\SoftwareDistribution\Download</b> folder I see a folder named <b>f664b5c67010fa70659624355017ed43 </b>with the date and time when Windows Updates were applied.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj8BZdKKbOCpMeDqGixfMplbUeyonl6GLs8wWWQ29T4_b_2KpQp9_Ze-vbJe_fn6rAcDWTc_sOwoNuEJIDqZpzxeKiz6Q74YlCuk7XjF9m7iwQ3862tCb5MusxPFbHUSE3MgXS2_GT3TGrkSASFmcELi-KUQ2ahnNJctZnIQCDgYMpUv4LOSXZ4mx61dg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="440" data-original-width="712" height="396" src="https://blogger.googleusercontent.com/img/a/AVvXsEj8BZdKKbOCpMeDqGixfMplbUeyonl6GLs8wWWQ29T4_b_2KpQp9_Ze-vbJe_fn6rAcDWTc_sOwoNuEJIDqZpzxeKiz6Q74YlCuk7XjF9m7iwQ3862tCb5MusxPFbHUSE3MgXS2_GT3TGrkSASFmcELi-KUQ2ahnNJctZnIQCDgYMpUv4LOSXZ4mx61dg=w640-h396" width="640" /></a></div><br /><p>Inside that folder is the <b>Exchange2016-KB5022143-x64-en.cab</b> which is the January 2023 Exchange Security Update, proving that Windows Update is pushing the wrong SU.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgf7MWrNoULhbYXGRRbdduUUrtfuTqzyv178HXOX-yAVEH9xgaZUmZJxkeJKWDdUAiOI8CHoYuY8sb9QBsXcFpxrD4M1tEkIamWYbaOpb25vvpun_W9Ak4umShZlJ_S7_7sCQSHnQnWShGGilN8fB0909vDctMzxb0ksU2e1BB76br6DWD-XLfXUPFSsg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="436" data-original-width="713" height="392" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEgf7MWrNoULhbYXGRRbdduUUrtfuTqzyv178HXOX-yAVEH9xgaZUmZJxkeJKWDdUAiOI8CHoYuY8sb9QBsXcFpxrD4M1tEkIamWYbaOpb25vvpun_W9Ak4umShZlJ_S7_7sCQSHnQnWShGGilN8fB0909vDctMzxb0ksU2e1BB76br6DWD-XLfXUPFSsg=w640-h392" width="640" /></a></div><br /><p></p><p>Installing the February 2023 Exchange Security Updates from the published download pages installs the correct SU. Verify with the <a href="https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/" target="_blank">HealthChecker</a> script.</p><p><br /></p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-82890011785011970632023-01-19T09:48:00.000-08:002023-01-19T09:48:42.998-08:00How to Remove Internet Explorer from Windows Computers and Servers<p></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEikWMFE4kd4cEGfBEtqSiGjnNTNXpox8zHg3UYPROkmWZcu9TNWqmFIAZ8S87P8T7egoAV8wQrnhD3EASyQk2s_MTTLdP9AN4qJasrBcOCqxLXpTh8mDtm-PcbIgCGMMfEft7F1Nta9p4iSEqpesDz4yWjy7ZkD3tnkYAD-lilUJCzjsWE71DHDhJ6iBA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="322" data-original-width="328" height="197" src="https://blogger.googleusercontent.com/img/a/AVvXsEikWMFE4kd4cEGfBEtqSiGjnNTNXpox8zHg3UYPROkmWZcu9TNWqmFIAZ8S87P8T7egoAV8wQrnhD3EASyQk2s_MTTLdP9AN4qJasrBcOCqxLXpTh8mDtm-PcbIgCGMMfEft7F1Nta9p4iSEqpesDz4yWjy7ZkD3tnkYAD-lilUJCzjsWE71DHDhJ6iBA=w200-h197" width="200" /></a></div><span style="text-align: left;"><div style="text-align: left;">Support for Internet Explorer 11 ended on June 15, 2022 and IE 11 will no longer be accessible after February 14, 2023.</div></span></div><p></p><p>Even so, 
Internet Explorer 11 is still installed with every version of Windows and Windows Server (and on Windows Server it is often still the default web browser). To make matters worse, Windows 10 also shipped with non-Chromium Edge (now called <a href="https://www.theverge.com/2021/3/9/22321779/microsoft-edge-legacy-spartan-browser-support-ended" target="_blank">Legacy Edge</a>). You'll need to download and install a "modern" web browser, such as <a href="https://www.microsoft.com/en-us/edge/server/download" target="_blank">Microsoft Edge</a>, <a href="https://www.google.com/chrome/" target="_blank">Google Chrome</a>, <a href="https://www.mozilla.org/en-US/firefox/new/?redirect_source=firefox-com" target="_blank">Firefox</a>, etc. Keep in mind that you can still load Internet Explorer-only sites with IE mode in Microsoft Edge.</p><p>Even with ChrEdge (my name for Chromium Edge) installed as the default web browser, I've heard from a few customers that IE is still being used for some web workflows. For example, a customer recently showed me this MFA security confirmation prompt that is opening in IE for some reason.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjbtZEAmUw_bCoVneImVg036akg6lh5Wx8LhZuoh07eyZt91wC31cxvAHO24eAUjyHryOcIyuFPnsn_rspTUBpS4GBywxKInWJ1WUuAbgP7nFjSn40XePXNcGgUglkqAGxsbY8cNz_XLyL9KYM4qoRRf_t-iAJq1VJzpaDhAcpgn34sTiz3Hi6uoyaAgQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="579" data-original-width="482" height="640" src="https://blogger.googleusercontent.com/img/a/AVvXsEjbtZEAmUw_bCoVneImVg036akg6lh5Wx8LhZuoh07eyZt91wC31cxvAHO24eAUjyHryOcIyuFPnsn_rspTUBpS4GBywxKInWJ1WUuAbgP7nFjSn40XePXNcGgUglkqAGxsbY8cNz_XLyL9KYM4qoRRf_t-iAJq1VJzpaDhAcpgn34sTiz3Hi6uoyaAgQ=w533-h640" width="533" /></a></div><br />All this leads me to the task at hand. 
<b>How do you uninstall Internet Explorer 11 from Windows?</b><div><br /></div><div> This is not straightforward, since IE 11 is part of the Windows installation and is not offered for removal like a regular application. It is, however, an optional Windows feature (<b>Internet-Explorer-Optional-amd64</b>), and optional features can be disabled with DISM (Deployment Image Servicing and Management), which is included with all versions of Windows and Windows Server.<p></p><p>Run the following command from an elevated CMD or PowerShell prompt:</p><blockquote><b><span style="font-family: courier;">C:\Windows\System32\dism.exe /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64</span></b></blockquote><p></p><p>Removal only takes a few seconds and the output looks like this:</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh7q_Xnf1UZjrdAGgIXG3Kskm6u6cN8ZhLsrxuEInRKYp3P9JWzdhmyvulYPQV95dYh2hHTGtRdVlEJ0F1nNb7u4GMohIS2XexAjO68_kUnRXZs6VubsR-ps5BBccI68ghYJUFTX1ogbdtgMieab4Sf9nCg4tQlxeAjMElZFaCHVbT9ApgHteGAb6Gv6Q" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="501" data-original-width="862" height="372" src="https://blogger.googleusercontent.com/img/a/AVvXsEh7q_Xnf1UZjrdAGgIXG3Kskm6u6cN8ZhLsrxuEInRKYp3P9JWzdhmyvulYPQV95dYh2hHTGtRdVlEJ0F1nNb7u4GMohIS2XexAjO68_kUnRXZs6VubsR-ps5BBccI68ghYJUFTX1ogbdtgMieab4Sf9nCg4tQlxeAjMElZFaCHVbT9ApgHteGAb6Gv6Q=w640-h372" width="640" /></a></div><br />DISM will prompt you to restart the computer to complete the operation. Until you do, Internet Explorer will still show as an available web browser. 
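<p>As an added example that is not part of the original post, here is the same removal written in PowerShell with the DISM cmdlets, made idempotent so it is safe to run repeatedly from a GPO script or a management tool. It refuses to remove IE when no replacement browser is present; the Edge path it checks is an assumption for a default Chromium Edge install and the <b>-AllowNoBrowser</b> switch is this example's own, not a DISM option.</p>

```powershell
# Added example, not from the original post: idempotent Internet Explorer 11 removal
# using the DISM cmdlets. Safe to run repeatedly (GPO script, RMM, etc.).
#Requires -RunAsAdministrator
param(
    # This example's own switch: allow removal even when no other browser is installed.
    [switch]$AllowNoBrowser
)

$FeatureName = 'Internet-Explorer-Optional-amd64'
# Assumed default install path of Chromium Edge; change it if you standardise on another browser.
$ModernBrowser = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'

$feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
if (-not $feature) {
    Write-Output "$FeatureName is not present on this image; nothing to do."
    exit 0
}

switch ($feature.State) {
    'Disabled'       { Write-Output "$FeatureName is already disabled."; exit 0 }
    'DisablePending' { Write-Output "$FeatureName removal is already pending a restart."; exit 0 }
}

# Removing IE before a replacement exists leaves the machine with no browser to download one with.
if (-not (Test-Path $ModernBrowser) -and -not $AllowNoBrowser) {
    Write-Warning "No browser found at $ModernBrowser. Install one first, or rerun with -AllowNoBrowser."
    exit 1
}

# -NoRestart reports the pending reboot instead of taking it; dism.exe /Quiet alone would reboot on its own.
$result = Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
Write-Output ("{0} disabled. Restart needed: {1}" -f $FeatureName, $result.RestartNeeded)

# 3010 is ERROR_SUCCESS_REBOOT_REQUIRED, which deployment tools understand as "succeeded, reboot pending".
if ($result.RestartNeeded) { exit 3010 }
exit 0
```

<p>Run it from an elevated prompt. It exits 0 when there is nothing left to do, 1 when no replacement browser is present, and 3010 when the removal succeeded and a restart is pending.</p>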
Optionally, you can add the <b><span style="font-family: courier;">/Quiet</span></b> switch, which suppresses the DISM progress output and, because there is no prompt left to answer, restarts the computer automatically when the operation completes. If you want the quiet run without the automatic restart, add <b><span style="font-family: courier;">/NoRestart</span></b> as well and reboot later on your own schedule.</div><div><br /></div><span><a name='more'></a></span><div><h2 style="text-align: left;">How to remove Internet Explorer using Group Policy</h2><p>For those admins who want to remove Internet Explorer 11 from domain-joined computers and servers via Group Policy, do the following:</p><p></p><ul style="text-align: left;"><li>Create a new GPO or edit an existing one. Make sure the GPO applies to the computers you want to remove IE11 from. In my example, I'm configuring the Default Domain Policy so it applies to all computers and servers in the domain.</li></ul><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjCGur-6ITOYyeRb8uk-Bj0WetreinKG4PFzkmRYds3WNy4mAEXdkODq4Dhe6XHPUXKtwN4vaq2DRNyJeH_HZ5BMhJeK3WzdmQzD0BJTqTcCX3ari5yre7rhMBTD_ls_VNZzWcjqQxm5T7Nlh-vCiihC8-Y5fmhYy8n2GRZjTr3KQGzu3V3RCXWZnrphw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="689" data-original-width="805" height="549" src="https://blogger.googleusercontent.com/img/a/AVvXsEjCGur-6ITOYyeRb8uk-Bj0WetreinKG4PFzkmRYds3WNy4mAEXdkODq4Dhe6XHPUXKtwN4vaq2DRNyJeH_HZ5BMhJeK3WzdmQzD0BJTqTcCX3ari5yre7rhMBTD_ls_VNZzWcjqQxm5T7Nlh-vCiihC8-Y5fmhYy8n2GRZjTr3KQGzu3V3RCXWZnrphw=w640-h549" width="640" /></a></div><br /></div><ul style="text-align: left;"><li>Navigate to <b>Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)</b>.</li><li>Double-click <b>Shutdown</b>.</li><li>Click the <b>Add </b>button and <b>Browse</b>.</li><li>Right-click the blank area and select <b>New > Text Document</b>.</li></ul><div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhJocpDhxmOl5fcfLQFF5LSR8xSLDmDpnz2v_mNyDv7JQWvhdDIoRTIJ3IO0kbIM22GPm1Erg8GwlZRF03Yw6MDeSLw8ivwif5AMpEbEySkjnLXKj92FcN7vJ28ts-zbKL3SUmAfTWEvhH_gRzUpcG6OAh4KLPuFxZ2VvOuoLb0vCU2jWtrPI0E-Iylkg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="464" data-original-width="1016" height="292" src="https://blogger.googleusercontent.com/img/a/AVvXsEhJocpDhxmOl5fcfLQFF5LSR8xSLDmDpnz2v_mNyDv7JQWvhdDIoRTIJ3IO0kbIM22GPm1Erg8GwlZRF03Yw6MDeSLw8ivwif5AMpEbEySkjnLXKj92FcN7vJ28ts-zbKL3SUmAfTWEvhH_gRzUpcG6OAh4KLPuFxZ2VvOuoLb0vCU2jWtrPI0E-Iylkg=w640-h292" width="640" /></a></div><br /><ul style="text-align: left;"><li>Rename the <b>New Text Document.txt</b> file to <b>Remove-IE.bat</b>.</li><li>Right-click the <b>Remove-IE.bat</b> file you just created and select <b>Edit</b>.</li><li>Enter the following line and then save and close the file:</li></ul><div><b><span style="font-family: courier;"><blockquote>C:\Windows\System32\dism.exe /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64 /Quiet</blockquote></span></b></div></div><div></div><p></p><p></p><ul style="text-align: left;"><li>Select the <b>Remove-IE.bat</b> file and click <b>Open</b>. 
Remove-IE.bat is listed as the <b>Script Name</b>.</li><li>Click <b>OK </b>in the <b>Add a Script</b> dialog window.</li><li>Click <b>OK </b>again on the <b>Shutdown Properties </b>window and close the Group Policy Management Editor.</li></ul><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhwJk6rNGO7cVAaHJodFn4CR4ubmfa7Nvj_L5C-ZGsAdoj_eDXiWm6EqS8VLdUfW1w3MC8uPeAYzeqXPukEDYxr1fpi940e7NrP1aURP0oxpqoVjD1xZ1wXT4C5eV2IRKGmAFAqNc8y1ErRgrR2ZBEF2jNl7Fah7e5h2YitVTwTJAVahZzhLrCqjfLmEQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="688" data-original-width="802" height="549" src="https://blogger.googleusercontent.com/img/a/AVvXsEhwJk6rNGO7cVAaHJodFn4CR4ubmfa7Nvj_L5C-ZGsAdoj_eDXiWm6EqS8VLdUfW1w3MC8uPeAYzeqXPukEDYxr1fpi940e7NrP1aURP0oxpqoVjD1xZ1wXT4C5eV2IRKGmAFAqNc8y1ErRgrR2ZBEF2jNl7Fah7e5h2YitVTwTJAVahZzhLrCqjfLmEQ=w640-h549" width="640" /></a></div><br />Now domain-joined computers in scope of the GPO will run the batch file to remove Internet Explorer 11 the next time they are shut down or restarted. You will see Windows being updated the next time the computer or server starts up; that is when IE is actually removed, and it only takes a few seconds. If IE 11 has already been removed, the shutdown script does nothing, so there is no impact on machines that are already done.</div><div><br /></div><div>Keep in mind that if you remove IE 11 without first installing Edge or another browser, the machine has no browser left to download one with. Install the replacement first, then set it as the default app for Web browser in Settings.</div><div><br /></div><p></p></div><div class="blogger-post-footer">Did you find this information useful? 
Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-62512530629657128982023-01-13T10:14:00.002-08:002023-01-13T10:14:40.121-08:00ProTip: Scheduled Task to Start Stopped Services in Exchange Server<p>As a best practice, I've always created a scheduled task on my Exchange Servers that starts all stopped services 1 minute after server startup. This is useful for virtualized environments, where servers restart much faster than physical ones. Often the VM comes back up before the network has fully initialized, and when this happens some of the Exchange services do not start properly.</p><p>This scheduled task has become more important with the release of the <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808" target="_blank">January 2023 Exchange Server Security Updates</a>. There is a known issue where the Microsoft Exchange AD Topology service may not start properly on Exchange 2016 servers running on Windows Server 2012 R2. Microsoft is investigating.</p><p>I've seen this happen in several of my customers' environments. Since almost all Exchange services depend on the AD Topology service, none of the other Exchange services will start either, and you have to start all the services manually after every reboot. 
Instead, you can install the scheduled task that does this for you.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjIN-Z6ZelJ_X3voqRBhxOu_LME5x3lBxFwWOe3TbFcm8xdoN6TwQ7GRUaAhTmKYePWJsH8qP33J56nc-qmcgosp88yFgC2pKcd7JwBJRADKi94CrG63C29IfNEQnPn-uDFxSQR94dcJ9J4uOfHS3hxcacDK8dnEyytQGbFaS-nPZtvY4zZl5iu2a-ntg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="485" data-original-width="638" height="486" src="https://blogger.googleusercontent.com/img/a/AVvXsEjIN-Z6ZelJ_X3voqRBhxOu_LME5x3lBxFwWOe3TbFcm8xdoN6TwQ7GRUaAhTmKYePWJsH8qP33J56nc-qmcgosp88yFgC2pKcd7JwBJRADKi94CrG63C29IfNEQnPn-uDFxSQR94dcJ9J4uOfHS3hxcacDK8dnEyytQGbFaS-nPZtvY4zZl5iu2a-ntg=w640-h486" width="640" /></a></div><br />Run the following from an elevated PowerShell or EMS prompt:<p></p><p></p><blockquote><p><span style="font-family: courier;"># The task runs 64-bit Windows PowerShell as SYSTEM</span></p><p><span style="font-family: courier;">$TaskProgram = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"</span></p><p><span style="font-family: courier;"># Start every service that is set to Automatic but is currently Stopped (doubled single quotes escape the quotes inside the string)</span></p><p><span style="font-family: courier;">$TaskArguments = '-NoProfile -Command "Get-WmiObject Win32_Service | Where-Object {$_.StartMode -eq ''Auto'' -and $_.State -eq ''Stopped''} | Start-Service"'</span></p><p><span style="font-family: courier;">$TaskAction = New-ScheduledTaskAction -Execute $TaskProgram -Argument $TaskArguments</span></p><p><span style="font-family: courier;"># Fire at boot, delayed by a random interval of up to one minute</span></p><p><span style="font-family: courier;">$TaskTrigger = New-ScheduledTaskTrigger -AtStartup -RandomDelay 00:01:00</span></p><p><span style="font-family: courier;">Register-ScheduledTask -TaskName "Start Stopped Services" -Action $TaskAction -Trigger $TaskTrigger -RunLevel Highest -User "system" -Description "Starts all stopped services 1 minute after startup due to slow network initialization."</span></p></blockquote><p></p><p>Note that <b>-RandomDelay 00:01:00</b> delays the task by a random interval of up to one minute after startup rather than a fixed minute, which is fine for this purpose. It's safe to install this on any Exchange server; starting an automatic service that is already stopped is harmless. Because the task runs as SYSTEM with the highest privileges, only administrators should be able to modify it, which is the default for tasks registered this way.</p><p><br /></p><div><br /></div><div class="blogger-post-footer">Did you find this information useful? 
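<p>As an added example that is not part of the original post, the same idea as a standalone script that handles the failure mode described above: it first waits for <b>MSExchangeADTopology</b> (the dependency that fails to start after the January 2023 SU), then starts whatever automatic services are still stopped and logs what it did. The script path and log location are assumptions; run it once with <b>-Register</b> to install it as a SYSTEM task with a fixed one-minute boot delay.</p>

```powershell
# Added example, not the post's own task: wait for AD Topology, then start the rest.
# Assumed location: C:\Scripts\Start-StoppedServices.ps1 (the task points at $PSCommandPath).
#Requires -RunAsAdministrator
param(
    [switch]$Register,
    [string]$LogPath = "$env:SystemRoot\Temp\Start-StoppedServices.log",   # assumed log location
    [int]$TimeoutMinutes = 5
)

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

if ($Register) {
    # Register this script as a SYSTEM task. Delay is a fixed PT1M (one minute), unlike -RandomDelay.
    $action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -AtStartup
    $trigger.Delay = 'PT1M'
    Register-ScheduledTask -TaskName 'Start Stopped Services' -Action $action -Trigger $trigger `
        -RunLevel Highest -User 'SYSTEM' -Force `
        -Description 'Waits for MSExchangeADTopology, then starts stopped automatic services.' | Out-Null
    Write-Output "Task 'Start Stopped Services' registered to run $PSCommandPath one minute after boot."
    return
}

# Almost every Exchange service depends on MSExchangeADTopology, so get it running before anything else.
$adTopology = Get-Service -Name MSExchangeADTopology -ErrorAction SilentlyContinue
if ($adTopology -and $adTopology.Status -ne 'Running') {
    Write-Log "MSExchangeADTopology is $($adTopology.Status); starting it."
    Start-Service -InputObject $adTopology -ErrorAction SilentlyContinue
    try {
        $adTopology.WaitForStatus('Running', [TimeSpan]::FromMinutes($TimeoutMinutes))
        Write-Log "MSExchangeADTopology is Running."
    } catch [System.ServiceProcess.TimeoutException] {
        Write-Log "MSExchangeADTopology did not reach Running within $TimeoutMinutes minutes; continuing anyway."
    }
}

# Same selection as the post's one-liner (StartMode Auto, State Stopped) via CIM, which also works on
# Windows Server 2012 R2 where Get-Service does not expose StartType. Some automatic services stop
# themselves by design once their work is done; starting those again is harmless.
$stopped = Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto' AND State='Stopped'"
foreach ($svc in $stopped) {
    try {
        Start-Service -Name $svc.Name -ErrorAction Stop
        Write-Log "Started $($svc.Name)."
    } catch {
        Write-Log "Could not start $($svc.Name): $($_.Exception.Message)"
    }
}
```

<p>Copy the script to the assumed path, run <b>.\Start-StoppedServices.ps1 -Register</b> once from an elevated prompt, and check the log after the next reboot to see which services needed help and whether AD Topology came up within the timeout.</p>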
Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-82194549034201071232022-11-17T09:31:00.000-08:002022-11-17T09:31:08.732-08:00Turning off Basic Authentication for Autodiscover in Exchange Online<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjALtI-rMuhk5wjXZplWmCeJOc8GyTInBE-2H3C5bBwoVPS1RtRfbMoY3Z18vUkr-ndp3bJ9lKgURkOWi-ZxH_Hlvi8njd8KFHpdWwYPfEzMuILD4AW3bFo9mwOltW8LswFvMnwcJr7qgHhL3KfRztSX29ioGTyZouz5tJFa0ErPZefbZRIAXteYuNaew" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="387" data-original-width="912" height="272" src="https://blogger.googleusercontent.com/img/a/AVvXsEjALtI-rMuhk5wjXZplWmCeJOc8GyTInBE-2H3C5bBwoVPS1RtRfbMoY3Z18vUkr-ndp3bJ9lKgURkOWi-ZxH_Hlvi8njd8KFHpdWwYPfEzMuILD4AW3bFo9mwOltW8LswFvMnwcJr7qgHhL3KfRztSX29ioGTyZouz5tJFa0ErPZefbZRIAXteYuNaew=w640-h272" width="640" /></a></div><p>Much has been said and written about disabling Basic Authentication in Exchange Online, and for good reason. Basic Auth sends the username and password with every request and cannot be protected by MFA, which makes it easy for bad guys to spray passwords, replay stolen credentials, and access your organization's data.</p><p>Microsoft disabled Basic Auth for most Exchange Online protocols in October of this year. Those protocols include Outlook, EWS, RPS, POP, IMAP, and EAS. SMTP AUTH was also disabled in tenants where it is not being used. Modern Authentication is the secure way to authenticate for these protocols. 
<b>Congratulations to Microsoft for pulling off such a monumental achievement to help keep customers' data safe!</b></p><p>Read <a href="https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online">Deprecation of Basic authentication in Exchange Online | Microsoft Learn</a> for more information.</p><p>Next up, Microsoft is going to disable Basic Auth for the Autodiscover protocol. I would argue this is one of the most significant steps in deprecating Basic Auth, since Autodiscover is used continuously by Outlook and whenever you configure a mail profile on a mobile device that uses ActiveSync. Because of this, it's easy to overlook this traffic when monitoring for Basic Auth usage. It's also an attractive protocol for the bad guys to use for password guessing or dictionary attacks, because every Basic Auth Autodiscover request carries a username and password that the service validates.</p><p>As with all the other impacted protocols, Microsoft is not turning off the protocol itself, only the ability to authenticate to it using nothing more than a username and password.</p><p><br /></p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-20129237849882435462022-11-04T12:13:00.004-07:002022-11-11T08:56:32.726-08:00Azure AD Connect version 2.1.20.0 released with a new ability you probably can't use yet<p><b style="background-color: #fcff01;"></b></p><blockquote><span style="background-color: #fcff01;"><b>UPDATE</b>: Hot on the heels of the last update, Microsoft released <a href="https://www.microsoft.com/download/details.aspx?id=47594" target="_blank">Azure AD Connect version 2.1.20</a> (6 days later), which apparently fixes a bug in the new sync feature described below: "We fixed a bug where the new employeeLeaveDateTime attribute was not syncing correctly in version 2.1.19.0. Note that if the incorrect attribute was already used in a rule, then the rule must be updated with the new attribute and any objects in the AAD connector space that have the incorrect attribute must be removed with the Remove-ADSyncCSObject cmdlet, and then a full sync cycle must be run." If you implemented the custom sync rule described earlier, you'll need to undo it and do it again. &lt;facepalm&gt;</span></blockquote><p></p><p>Microsoft updated Azure AD Connect to version 2.1.19.0 today.</p><p>According to the release notes, "<i><b>We added a new attribute 'employeeLeaveDateTime' for syncing to Azure AD. To learn more about how to use this attribute to manage your users' life cycles, please refer to <a href="https://learn.microsoft.com/en-us/azure/active-directory/governance/how-to-lifecycle-workflow-sync-attributes" target="_blank">this article</a></b></i>".</p><p>Let's break this down.</p><p>First, the support article the release notes refer to is for Azure AD Connect cloud sync, not Azure AD Connect. 
At this time, syncing the <b>employeeLeaveDateTime </b>is still not supported in Azure AD Connect.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgGDJGcTtaFqMr8RS6KkC6uESIe-OMKN6cy_5Hw6QTUrnYydZywlTJmFAfBSDLZEWIcYnbspNSRfVKNRc0AH1ZzZoI9Xs3vNytC8voK1TtcDNOShMdH4bxz70sEoBI02g6iipPG9ZXn0tYFd5_wuMIw5fwG3w4G4EyKYDvlamVXifIXlgui3FkRQCjZxg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="271" data-original-width="772" height="224" src="https://blogger.googleusercontent.com/img/a/AVvXsEgGDJGcTtaFqMr8RS6KkC6uESIe-OMKN6cy_5Hw6QTUrnYydZywlTJmFAfBSDLZEWIcYnbspNSRfVKNRc0AH1ZzZoI9Xs3vNytC8voK1TtcDNOShMdH4bxz70sEoBI02g6iipPG9ZXn0tYFd5_wuMIw5fwG3w4G4EyKYDvlamVXifIXlgui3FkRQCjZxg=w640-h224" width="640" /></a></div><br /><span style="font-family: inherit;">Since AAD cloud sync doesn't support Exchange hybrid at this time, AAD cloud sync is of no value for hybrid customers. However, the AD Connect team is working on adding Exchange hybrid support in the future. 
</span><p></p><p>The support table shows that syncing the <b>employeeHireDate </b>attribute is already supported in Azure AD Connect, so I suspect the configuration is the same. I could not find a similar support article for Azure AD Connect.</p><p>Second, the <b>employeeHireDate </b>and <b>employeeLeaveDateTime </b>attributes only exist in Azure AD. The on-premises Active Directory schema is not extended to add these two attributes, so the recommendation is to use one of the existing <b>extensionAttribute*</b> attributes in AD to hold these values.</p><p>At this time, Microsoft recommends using the <b>extensionAttribute1 </b>attribute for <b>employeeHireDate</b>, but the documentation makes no mention of how to handle the <b>employeeLeaveDateTime</b> attribute. See <a href="https://learn.microsoft.com/en-us/azure/active-directory/governance/how-to-lifecycle-workflow-sync-attributes">How to synchronize attributes for Lifecycle workflows - Microsoft Entra | Microsoft Learn</a>. 
I hope this documentation will be updated soon with the missing info and how to handle it if this attribute is already in use in your organization.</p><p>Last, if you want to update the <b>employeeLeaveDateTime </b>attribute directly in Azure AD using the Graph API, please see <a href="https://learn.microsoft.com/en-us/graph/tutorial-lifecycle-workflows-set-employeeleavedatetime?tabs=http">Set employeeLeaveDateTime - Microsoft Graph | Microsoft Learn</a>.</p><p><br /></p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-33504959006704904752022-11-03T14:52:00.000-07:002022-11-03T14:52:49.317-07:00Fix for "Online - Data retrieval failures occurred" on Exchange DAG members<p>You may find that when you add an Exchange server to a DAG that Server Manager shows multiple errors.</p><p>The Notification flag at the top indicates "Refresh failed" and Manageability for <b>All Servers</b> shows an error for the remote DAG member saying, "<b>Online - Data retrieval failures occurred</b>".</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjLnSwo1OsxXbp7gQc0DcYVIflzNvN6dCnCTajKlrSbjC82pPkxLNK2uLIFTAk6pycfNvjrCV4-uM0SS5acapgZgKw0zBYuOyXhA8Phn-jhgNq58nsxx5W0Pn8TMOKAaPJXAfhSPzzk2KWWsplR94NCXSMYdfMLutq5INC0na_qn0fiaKxWnuSebCHs4g" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="605" data-original-width="819" height="472" src="https://blogger.googleusercontent.com/img/a/AVvXsEjLnSwo1OsxXbp7gQc0DcYVIflzNvN6dCnCTajKlrSbjC82pPkxLNK2uLIFTAk6pycfNvjrCV4-uM0SS5acapgZgKw0zBYuOyXhA8Phn-jhgNq58nsxx5W0Pn8TMOKAaPJXAfhSPzzk2KWWsplR94NCXSMYdfMLutq5INC0na_qn0fiaKxWnuSebCHs4g=w640-h472" width="640" /></a></div><br /><p></p><p>You may also see errors that say, "<b>Configuration 
refresh failed with the following error: The WS-Management service cannot process the request. The computed response packet size (517916) exceeds the maximum envelope size that is allowed (512000).</b>"</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjyzSS7ohomDUjq37cte8lqdHxFwfh_KAiuQHs-j9whr1UdoPJUzxk1J9EmPEmCJhrE-ToqrnLsyePC7epZ1qzKxY5hLEkfgj6yLqpPlmYlp2vUa02FRRPgBBH0BH27vCtnRhdRB0WFfqTVerSBzNZ84LCns-HTsoRUDgV4zZL_agoG0bbImNhDL9gzDg" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="497" data-original-width="890" height="358" src="https://blogger.googleusercontent.com/img/a/AVvXsEjyzSS7ohomDUjq37cte8lqdHxFwfh_KAiuQHs-j9whr1UdoPJUzxk1J9EmPEmCJhrE-ToqrnLsyePC7epZ1qzKxY5hLEkfgj6yLqpPlmYlp2vUa02FRRPgBBH0BH27vCtnRhdRB0WFfqTVerSBzNZ84LCns-HTsoRUDgV4zZL_agoG0bbImNhDL9gzDg=w640-h358" width="640" /></a></div><br />These errors occur when the Failover Clustering feature is installed on the DAG member, because the cluster data Server Manager queries pushes the WS-Management response past its default size limit. I've usually only seen this for Exchange 2019 installed on Windows Server 2019 or Windows Server 2022. 
This is a Windows Server issue, not an Exchange issue, so this fix should also apply to any Windows cluster experiencing this problem.<p></p><p>The fix is to increase the WSMAN <b>maxEnvelopeSize </b>in the registry on all DAG members.</p><p></p><ol style="text-align: left;"><li>On the DAG member, launch <b>regedit.exe</b> and navigate to <b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client.</b></li><li>Create a new <b>DWORD (32-bit) value </b>named <b>maxEnvelopeSize</b>, or modify it if it already exists.</li><li>Set the value data to <b>2000 </b>hexadecimal (<b>8192 </b>decimal). The value is in kilobytes, so this raises the limit from the default of 500 KB (the 512000 bytes quoted in the error) to 8 MB.</li></ol><div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjyXdWBHqsP3_oc0vDRD2Gom8aVCBAVnrTub-CDXZQThgy6ejaEPMXNzBJyDfnqq64o5aJnMP2atBcNWtdqarD5sjUf1kZ9o1vJ_Hn9F4md8cB6Dm1Dl7fusI1xIXnLmRh2VaiNsSfysaP6QpYGQE_gEMbbNk1YmD78zONzX5ciixTHQAtZp92-Wy0A7w" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="378" data-original-width="801" height="302" src="https://blogger.googleusercontent.com/img/a/AVvXsEjyXdWBHqsP3_oc0vDRD2Gom8aVCBAVnrTub-CDXZQThgy6ejaEPMXNzBJyDfnqq64o5aJnMP2atBcNWtdqarD5sjUf1kZ9o1vJ_Hn9F4md8cB6Dm1Dl7fusI1xIXnLmRh2VaiNsSfysaP6QpYGQE_gEMbbNk1YmD78zONzX5ciixTHQAtZp92-Wy0A7w=w640-h302" width="640" /></a></div></div><br />Finally, restart the <b>Windows Remote Management (WS-Management)</b>, aka <b>WinRM</b>, service on the server so the new limit takes effect, and repeat the steps on every other DAG member.</div><div><br /></div><div>When you refresh Server Manager, the error should go away.</div><div><br /></div><div class="blogger-post-footer">Did you find this information useful? 
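<p>As an added example that is not part of the original post, the same registry change pushed to every DAG member from one admin workstation, with WinRM restarted through the Service Control Manager so the remoting session used to write the value is not cut off by its own restart. The server names are placeholders; from an Exchange Management Shell you could take them from <b>Get-DatabaseAvailabilityGroup</b> instead.</p>

```powershell
# Added example, not from the original post: apply the WSMAN maxEnvelopeSize fix to all DAG members.
# Run from an admin workstation with WinRM access to the servers (Windows PowerShell 5.1).
$DagMembers = @('EX01', 'EX02', 'EX03')   # placeholders; e.g. (Get-DatabaseAvailabilityGroup DAG1).Servers.Name
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client'
$SizeKb     = 8192                         # 0x2000 KB; the default of 500 KB is the 512000-byte limit in the error

foreach ($server in $DagMembers) {
    # Write the DWORD over PowerShell remoting; this small exchange stays well under the envelope limit.
    $applied = Invoke-Command -ComputerName $server -ArgumentList $KeyPath, $SizeKb -ScriptBlock {
        param($path, $kb)
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # -Force overwrites an existing value, so the script is safe to rerun.
        New-ItemProperty -Path $path -Name maxEnvelopeSize -PropertyType DWord -Value $kb -Force | Out-Null
        # Read it back so the caller sees what is actually stored.
        (Get-ItemProperty -Path $path -Name maxEnvelopeSize).maxEnvelopeSize
    }
    Write-Output ("{0}: maxEnvelopeSize is now {1} KB" -f $server, $applied)

    # Restart WinRM via the Service Control Manager (RPC) rather than inside a remoting session,
    # which the restart would tear down. Get-Service -ComputerName exists in Windows PowerShell 5.1 only.
    Get-Service -Name WinRM -ComputerName $server | Restart-Service
    Write-Output ("{0}: WinRM restarted" -f $server)
}
```

<p>After the loop finishes, refresh Server Manager on one of the DAG members; the "Data retrieval failures occurred" status should clear once its WinRM client accepts the larger responses.</p>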
Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-88406707090091590632022-10-27T09:16:00.005-07:002022-10-27T09:16:29.067-07:00Bug when moving Public Folders to Exchange 2019<p>There's a bug in Exchange 2019 CU12 and earlier that causes <b><span style="font-family: courier;">New-MoveRequest</span></b> for public folder mailboxes to fail.</p><p>The move request fails with the status <b><span style="font-family: courier;">StalledDueToMRS_Quarantined</span></b>, which means that the Mailbox Replication Service (MRS) on the target Exchange 2019 server has crashed repeatedly because of the bug and has quarantined the move request (not the mailbox).</p><p>If you check the move request report with the <b><span style="font-family: courier;">Get-MoveRequestStatistics &lt;<i>PFMailbox</i>&gt; -IncludeReport | FL Report</span></b> cmdlet you will see the error:</p><p></p><p class="MsoNormal"><span style="font-family: courier;">StatusDetail : StalledDueToMRS_Quarantined<br />
Message : Request was quarantined because of following error: Object of type
"Microsoft.Exchange.Data.Storage.PublicFolderSession" cannot be
converted to object of type
"Microsoft.Exchange.Data.Storage.MailboxSession"</span><o:p></o:p></p>or<p></p><p class="MsoNormal"><span style="font-family: courier;">InvalidCastExceptionException:<br />Unable to cast object of type
'Microsoft.Exchange.Data.Storage.PublicFolderSession' to type
'Microsoft.Exchange.Data.Storage.MailboxSession'</span></p><p class="MsoNormal"><o:p></o:p></p><p>Microsoft is aware of the problem, which will be fixed in an upcoming Exchange 2019 Cumulative Update. It's unknown at this time if the fix will be included in Exchange Server 2019 CU13.</p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-85806160109808843632022-10-17T09:43:00.000-07:002022-10-17T09:43:12.163-07:00Support for Windows Active Directory 2022 Environments<p>As Scott Schnoll mentioned at MEC 2022, Microsoft now supports Active Directory environments running on Windows Server 2022 beginning with Exchange Server 2013 CU23 and Exchange Server 2016 CU23.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjJekohLshdvfl6KfDXhYxshE_CM47xZ-6LOcDJiC-O_DgHkpXwD8WJrTLlBXNutskeGzYM5ASiuooKgPny6G1HU5Q8i9JhxqMVvyRH98r-lGxAXaOo4-9j1yiADgA5cEVxBolK_zdNYbFSqIpfBSnlVzNepeK_uHQG5v9zjDqEm6tl4mvHjPCLs2x-kw" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="500" data-original-width="874" height="366" src="https://blogger.googleusercontent.com/img/a/AVvXsEjJekohLshdvfl6KfDXhYxshE_CM47xZ-6LOcDJiC-O_DgHkpXwD8WJrTLlBXNutskeGzYM5ASiuooKgPny6G1HU5Q8i9JhxqMVvyRH98r-lGxAXaOo4-9j1yiADgA5cEVxBolK_zdNYbFSqIpfBSnlVzNepeK_uHQG5v9zjDqEm6tl4mvHjPCLs2x-kw=w640-h366" width="640" /></a></div><br />It's interesting to note that Exchange 2013 CU23 does not support Windows Server 2019 Active Directory, so if you're running Windows Server 2016 AD or earlier you should plan accordingly. 
There are no issues upgrading AD directly from a previous version to 2022, bypassing 2019 AD.<p></p><p>The highest Active Directory forest functional level supported by all supported versions of Exchange Server is still Windows Server 2016.</p><p>View the <a href="https://learn.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019">Exchange Server supportability matrix | Microsoft Learn</a> here.</p><p><br /></p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-35469095410652398022022-10-14T10:14:00.003-07:002023-01-03T15:16:32.672-08:00How to Setup Exchange Management Tools in Environments without Exchange Server<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEja7GVdrZgmqO3jLHkCGK0HCYHfLhBwbPOKjPIYpWATr3_91G-9ZQZd_fOoo2iJG78CrMcmjMAjy9mLFSnk0KDbmKRqAH3663pgzkqu-MmXetlEpVl3LVVA68K9KljRnJW42867hcQUFJKb7ZUzW6W_VcdAzFzwZxCRamHHdEJnitOSn1bFcwPwtTMqsQ" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="1056" data-original-width="1176" height="240" src="https://blogger.googleusercontent.com/img/a/AVvXsEja7GVdrZgmqO3jLHkCGK0HCYHfLhBwbPOKjPIYpWATr3_91G-9ZQZd_fOoo2iJG78CrMcmjMAjy9mLFSnk0KDbmKRqAH3663pgzkqu-MmXetlEpVl3LVVA68K9KljRnJW42867hcQUFJKb7ZUzW6W_VcdAzFzwZxCRamHHdEJnitOSn1bFcwPwtTMqsQ" width="267" /></a></div>Some Exchange Online customers have an Active Directory on-premises, but never had Exchange Server on-prem. For example, customers who migrated their email from an Exchange hosted environment or from a different email system, such as Notes.<p></p><p>In some environments, these customers are having to manage user accounts and groups in both AD and Azure AD. 
This leads to confusion since accounts and passwords are not synced, so usernames and passwords can be different. Those customers may be looking for a way to master accounts, groups, and mailboxes from AD on-prem so they have a single source of authority, similar to the way that hybrid customers do.</p><p>In other environments, customers are using Azure AD Connect to sync users from AD on-premises to the cloud. Here, user accounts and groups are managed on-premises, but mailboxes are managed in Exchange Online. These customers may be looking for a way to manage mailboxes and groups from AD, so they also have a single source of authority.</p><p>The following steps will let you install the Exchange 2019 Exchange Management Tools (EMT) in an AD environment without having to install Exchange Server. </p><p><b>Keep in mind that this solution is not supported by Microsoft, since manual configurations must be made in AD using ADSI Edit. </b>The Microsoft supported way to do this is to install an Exchange Server in the org. The solution below does not require this.</p><h2 style="text-align: left;">Prerequisites</h2><p></p><ul style="text-align: left;"><li>Active Directory is installed and the Forest Functional Level is Windows Server 2012 R2 or higher.</li><li>The Exchange Management Tools (EMT) must be installed on a domain-joined computer. Azure AD-joined by itself is not enough, since we need to be able to update Active Directory.</li><li>EMT can be installed on Windows 10, Windows 11, or any Windows Server 2016+ server.</li><li>You will need the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=a149e06c-62f4-4b62-adf8-7d382223a239" target="_blank">Exchange Server 2019 CU12</a> or later media.</li><li>The AD schema will be updated during EMT installation. 
These procedures assume the installation is performed by an account that is a member of <b>Schema Admins</b> and <b>Enterprise Admins</b> as well as Domain Admins. Setup extends the schema and prepares the Exchange organization in AD, and those steps require Schema Admins and Enterprise Admins rights; Domain Admins alone is not enough.</li></ul><div><br /></div><h2 style="text-align: left;">Steps for Installing the Exchange Management Tools</h2><div><ul style="text-align: left;"><li>Log on to the domain-joined computer or server where you want to install the EMT with the account described above. For ease of installation, it is recommended that this computer be in the same AD site as the AD Schema Master.</li><li>Install the <a href="https://dotnet.microsoft.com/en-us/download/dotnet-framework/thank-you/net48-web-installer" target="_blank">.NET Framework 4.8</a>.</li><li>Install the <a href="https://www.microsoft.com/download/details.aspx?id=30679" target="_blank">Visual C++ 2012 Runtime</a>.</li><li>Install the <b>Remote Server Administration Tools (RSAT)</b> for Windows 10 or Windows 11. On Windows Server, add the AD DS Tools from Server Manager.</li><li>Install the <b>IIS 6 Metabase Compatibility</b> component using the following command:</li><ul><li><span style="font-family: courier;"><b>dism /online /Enable-Feature /FeatureName:IIS-IIS6ManagementCompatibility /all</b></span></li></ul><li>Restart the management computer <u>twice</u> to ensure all files and installations are up-to-date.</li><li>Run <b>Setup </b>from the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=a149e06c-62f4-4b62-adf8-7d382223a239" target="_blank">Exchange 2019 CU12+ media</a></li><ul><li>Select only <b>Management Tools</b> in the <b>Server Role Selection</b></li><li>You will be prompted to add the Exchange Organization Name (e.g., <i>Contoso</i>)</li><li>Restart the computer after EMT installation</li></ul><li>Run the <b>C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Add-PermissionForEMT.ps1</b> script from an elevated PowerShell prompt to create the <b>Recipient Management EMT</b> security group in the Users container.</li><li>Add admin accounts to the new <b>Recipient Management EMT</b> group. 
Domain Admins already have rights to run the EMT and do not need to be added.</li><li>Create a shortcut on the Desktop to the EMT:</li><ul><li><span style="font-family: courier;"><b>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "Add-PSSnapin *RecipientManagement"</b></span></li><li><span style="font-family: inherit;">Configure the shortcut to run as Administrator</span></li></ul></ul><div><b>Note:</b></div><div>All mailbox management will be done using the EMT PowerShell cmdlets. The Exchange Management Shell (EMS) will also be installed, but you will never use it because you have no Exchange Server to connect to.</div><div><br /></div><div>There is no built-in GUI for EMT recipient management, but fellow Office Apps & Services MVP <a href="https://practical365.com/about/" target="_blank">Steve Goodman</a> wrote one on <a href="https://github.com/spgoodman/ExchangeRecipientAdmin" target="_blank">GitHub</a>. You may want to check it out. </div><div><br /></div><div>Also, be aware that the EMT does not support roles based access controls (RBAC) and there is no auditing available. For complete Microsoft EMT documentation see <b><a href="https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/post-installation-tasks/install-management-tools?view=exchserver-2019" style="font-family: Roboto;">Install
the Exchange management tools | Microsoft Learn</a>.</b></div></div><div><br /></div><h2 style="text-align: left;">Remote Domain Configuration in Active Directory</h2><div>In order for admins to create remote mailboxes, you need to add a remote domain object for your tenant's routing domain to the Exchange organization container in the Configuration partition of Active Directory. This is done using ADSI Edit. The usual disclaimer applies - Don't use this tool unless you know what you're doing. I accept no responsibility. Yada yada yada.</div><div><ul style="text-align: left;"><li>Begin by getting your Microsoft 365 tenant's remote routing domain.</li><ul><li>Open <a href="https://admin.exchange.microsoft.com/#/accepteddomains" target="_blank">Exchange Admin Center</a></li><li>Navigate to <b>Mail Flow</b> > <b>Accepted Domains</b></li><li>Record the accepted domain that looks like <i><b>domain.mail.onmicrosoft.com</b></i></li></ul></ul><ul style="text-align: left;"><li>Open <b>ADSIEdit.msc</b> from the management computer. This was installed with the Remote Server Administration Tools (RSAT).</li><li>Connect to the <b>Configuration </b>Naming Context.</li><li>Navigate to <b>CN=Configuration</b> > <b>CN=Services</b> > <b>CN=Microsoft Exchange</b> > <b>CN=<i>Organization Name</i></b> (the name you entered during EMT setup, e.g., <i>Contoso</i>) > <b>CN=Global Settings</b> > <b>CN=Internet Message Formats</b></li><li>Right-click <b>CN=Internet Message Formats </b>and select <b>New </b>> <b>Object...</b></li><li>Select the class <b>msExchDomainContentConfig </b>and click Next</li><li>Enter <b>Hybrid Domain - <i>domain</i>.mail.onmicrosoft.com</b> for the value, using the value recorded above. 
Click <b>Next </b>and <b>Finish</b>.</li><li>Edit the Hybrid Domain you just created and set the following values:</li><ul><li>contentType: <b><span style="font-family: courier;">0</span></b></li><li>domainName: <b><span style="font-family: courier;"><i>domain</i>.mail.onmicrosoft.com</span></b>, using the value recorded above</li><li>msExchContentByteEncoderTypeFor7BitCharsets: <b><span style="font-family: courier;">15</span></b></li><li>msExchContentPreferredInternetCodePageForShiftJis: <b><span style="font-family: courier;">0</span></b></li><li>msExchDomainContentConfigFlags: <b><span style="font-family: courier;">1</span></b></li><li>msExchMinAdminVersion: <b><span style="font-family: courier;">-2147453113</span></b></li><li>msExchResolveP2: <b><span style="font-family: courier;">2147483647</span></b></li><li>msExchRoutingAcceptMessageType: <b><span style="font-family: courier;">351</span></b></li><li>msExchRoutingDisplaySenderEnabled: <b><span style="font-family: courier;">True</span></b></li><li>msExchVersion: <b><span style="font-family: courier;">4535486012416</span></b></li><li>sendTNEF: <b><span style="font-family: courier;">True</span></b></li></ul><li>Close ADSI Edit.</li></ul><div><br /></div>Add the remote routing domain as an accepted domain.</div><div><ul style="text-align: left;"><li>Run the following from an elevated EMT prompt, using the value you recorded above:</li><ul><li><span style="font-family: courier;"><b>New-AcceptedDomain <i>domain</i>.mail.onmicrosoft.com -DomainName <i>domain</i>.mail.onmicrosoft.com</b></span></li></ul></ul></div><div><div><br /></div><div>Update the email address policy that was created when the EMT was installed.</div></div><div><ul style="text-align: left;"><li>Run the following from an elevated EMT prompt:</li><ul><li><span style="font-family: courier;"><b>Get-EmailAddressPolicy | Set-EmailAddressPolicy -EnabledEmailAddressTemplates 
"SMTP:@<i>domain.com</i>","smtp:@<i>domain</i>.mail.onmicrosoft.com"</b></span></li><li>Replace the domains with the correct values.</li><ul><li><b><span style="font-family: courier;">SMTP:@<i>domain.com</i></span></b> (SMTP in all caps) is the primary SMTP address for your organization.</li><li><b><span style="font-family: courier;">smtp:@<i>domain</i>.mail.onmicrosoft.com</span></b> is the remote routing domain that you recorded above.</li></ul></ul></ul><div><br /></div></div><div>Now you can run all the EMT cmdlets to update your on-prem user accounts, mailboxes, and groups.</div><div><br /></div><h2 style="text-align: left;">Configure AD Synchronization with Azure AD</h2><div>Now that you have a way to update Exchange attributes in AD, the final step is to configure Azure AD Connect to sync the AD objects with Azure AD. </div><div><br /></div><div>If your environment already has AAD Connect installed and configured, you only need to update the AAD Connect configuration to use <b>Exchange Hybrid Deployment </b>in <b>Optional Features</b>.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiIh68MhJ8963cOr4I9i5m3_fqJ0cjriBci5MLVwAEfgWtNvquZWq6w0ndDHtkQXfvhdWsh4HWP4wN_n5o_81SXkfBKj4foD3hb40QMoP1In0HReRVxaJXgYhzyYQipT4Y2Sm6FLG2mGu-k1LhVoe1DJaM49b2t02-iq23uVtpNK6Y9ROBuZNKKsRL0SA" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="628" data-original-width="888" height="452" src="https://blogger.googleusercontent.com/img/a/AVvXsEiIh68MhJ8963cOr4I9i5m3_fqJ0cjriBci5MLVwAEfgWtNvquZWq6w0ndDHtkQXfvhdWsh4HWP4wN_n5o_81SXkfBKj4foD3hb40QMoP1In0HReRVxaJXgYhzyYQipT4Y2Sm6FLG2mGu-k1LhVoe1DJaM49b2t02-iq23uVtpNK6Y9ROBuZNKKsRL0SA=w640-h452" width="640" /></a></div><br /><br /></div><div>If your environment doesn't already have Azure AD Connect installed and configured, you will need to do so and perform a soft match of the AD accounts to Azure AD. 
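Before moving on, here are the EMT post-install steps above pulled together into one script that can be re-run safely and that verifies its own work. This is an added example, not code from the original post or from Microsoft. It assumes the EMT and the RSAT AD DS tools are installed on this machine, that the session is elevated and running as a Domain Admin or a member of Recipient Management EMT, that the domain names in the param block are placeholders for your own, and that Get-AcceptedDomain, Get-EmailAddressPolicy, Enable-RemoteMailbox and Get-RemoteMailbox are available from the EMT's RecipientManagement snap-in. It first checks that the hybrid domain object you created in ADSI Edit actually exists, creates the accepted domain only if it is missing, sets and then reads back the address templates, and can optionally mail-enable one on-prem user as a remote mailbox:

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes: EMT and RSAT AD DS tools installed on this machine, an elevated session
# running as a Domain Admin or a "Recipient Management EMT" member, and that the
# domain names below are placeholders to replace with your own.
param(
    [string]$PrimaryDomain = 'contoso.com',                   # placeholder: your vanity domain
    [string]$RoutingDomain = 'contoso.mail.onmicrosoft.com',  # placeholder: value recorded from EAC
    [string]$SamAccountName                                   # optional: on-prem user to mail-enable
)

# Load the EMT snap-in the same way the Desktop shortcut above does
if (-not (Get-PSSnapin -Name *RecipientManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin *RecipientManagement
}
Import-Module ActiveDirectory

# 1. Confirm the hybrid domain object from the ADSI Edit step exists. It lives in the
#    Configuration partition, so search there by objectClass and domainName.
$configNC = (Get-ADRootDSE).configurationNamingContext
$filter   = "(&(objectClass=msExchDomainContentConfig)(domainName=$RoutingDomain))"
$hybrid   = Get-ADObject -SearchBase $configNC -LDAPFilter $filter -Properties domainName
if (-not $hybrid) {
    throw "No msExchDomainContentConfig object for $RoutingDomain. Redo the ADSI Edit step first."
}

# 2. Accepted domain for the routing domain; create it only if it is missing
if (-not (Get-AcceptedDomain -Identity $RoutingDomain -ErrorAction SilentlyContinue)) {
    New-AcceptedDomain -Name $RoutingDomain -DomainName $RoutingDomain | Out-Null
}

# 3. Address templates: upper-case SMTP marks the primary address on the vanity domain,
#    lower-case smtp adds the routing address. The parameter replaces the whole list.
$templates = @("SMTP:@$PrimaryDomain", "smtp:@$RoutingDomain")
Get-EmailAddressPolicy | Set-EmailAddressPolicy -EnabledEmailAddressTemplates $templates

# 4. Read the policies back and fail loudly if either template did not stick
foreach ($policy in Get-EmailAddressPolicy) {
    $enabled = @($policy.EnabledEmailAddressTemplates | ForEach-Object { $_.ToString() })
    $missing = $templates | Where-Object { $enabled -notcontains $_ }
    if ($missing) {
        throw "Policy '$($policy.Name)' is missing templates: $($missing -join ', ')"
    }
}
Write-Output "Accepted domain and address templates for $RoutingDomain verified."

# 5. Optionally mail-enable one on-prem user as a remote mailbox, which is the point
#    of setting the routing domain up in the first place
if ($SamAccountName) {
    $user = Get-ADUser -Identity $SamAccountName
    if (-not (Get-RemoteMailbox -Identity $user.DistinguishedName -ErrorAction SilentlyContinue)) {
        Enable-RemoteMailbox -Identity $user.DistinguishedName `
            -RemoteRoutingAddress "$($user.SamAccountName)@$RoutingDomain" | Out-Null
    }
    Get-RemoteMailbox -Identity $user.DistinguishedName |
        Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress
}
```

Run it with no parameters to configure and verify; run it with <b>-SamAccountName jsmith</b> to also create a remote mailbox for that user. The Get-ADObject check is there because the post relies on ADSI Edit for the hybrid domain object, and querying the Configuration partition is the only way to confirm from the management computer that it was created with the right domainName before you start mail-enabling users.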
Installing and configuring Azure AD Connect and performing the soft match are beyond the scope of this article. </div><div><br /></div><div>If you need help please reach out to me at <a href="mailto:jguillet@expta.com?subject=Help with EMT deployment" target="_blank"><b>EXPTA Consulting</b></a>.</div><div><br /></div><p></p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-45606646387543229302022-07-07T07:22:00.003-07:002022-07-07T07:25:57.940-07:00New Version of AAD Connect Fixes Vulnerability<p>Microsoft released <a href="https://www.microsoft.com/en-us/download/details.aspx?id=47594" target="_blank"><b>Azure AD Connect version 2.1.15.0</b></a> today. This version fixes a vulnerability that was discovered in the Azure AD Connect Admin Agent. If you have installed the Admin Agent previously, it is important that you update your Azure AD Connect server(s) to this version to mitigate the vulnerability.</p><p>The Azure AD Connect Admin Agent collects specific data from your Active Directory environment that helps a Microsoft support engineer to troubleshoot issues when you open a support case. See <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-aadc-admin-agent">What is the Azure AD Connect Admin Agent - Azure AD Connect - Microsoft Entra | Microsoft Docs</a> for more information.</p><p>Be aware that installing this version will cause AAD Connect to perform an Initial (Full) sync.</p><p>This update will roll out soon automatically if your configuration is enabled for auto-upgrade.</p><p>In addition to fixing the vulnerability, there are some functional changes and bug fixes. 
See <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#21150">Azure AD Connect: Version release history - Microsoft Entra | Microsoft Docs</a> for full details.</p><h3 style="text-align: left;">Functional changes</h3><ul style="text-align: left;"><li>We have removed the public preview functionality for the Admin Agent from Azure AD Connect. We will not provide this functionality going forward.</li><li>We added support for two new attributes: employeeOrgDataCostCenter and employeeOrgDataDivision.</li><li>We added the certificateUserIds attribute to the AAD Connector static schema.</li><li>The AAD Connect wizard will now abort if the write event logs permission is missing.</li><li>We updated the AADConnect health endpoints to support the US government clouds.</li><li>We added new cmdlets "Get-ADSyncToolsDuplicateUsersSourceAnchor" and "Set-ADSyncToolsDuplicateUsersSourceAnchor" to fix bulk "source anchor has changed" errors. When a new forest is added to AADConnect with duplicate user objects, the objects are running into bulk "source anchor has changed" errors. This is happening due to the mismatch between msDsConsistencyGuid & ImmutableId. More information about this module and the new cmdlets can be found in <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-adsynctools">this article</a>.</li></ul><h3 style="text-align: left;">Bug fixes</h3><ul style="text-align: left;"><li>We fixed a bug that prevented localDB upgrades in some locales.</li><li>We fixed a bug to prevent database corruption when using localDB.</li><li>We added timeout and size limit errors to the connection log.</li><li>We fixed a bug where, if a child domain has a user with the same name as a parent domain user who happens to be an enterprise admin, the group membership failed.</li><li>We updated the expressions used in the "In from AAD - Group SOAInAAD" rule to limit the description attribute to 448 characters.</li><li>We made a change to set extended rights for "Unexpire Password" for Password Reset.</li><li>We modified the AD connector upgrade to refresh the schema; we no longer show constructed and non-replicated attributes in the Wizard during upgrade.</li><li>We fixed a bug in the ADSyncConfig functions ConvertFQDNtoDN and ConvertDNtoFQDN: if a user decides to set variables called '$dn' or '$fqdn', these variables will no longer be used inside the script scope.</li><li>Multiple accessibility fixes (see the <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#21150" target="_blank">article</a> for details).</li></ul><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-67125755672321307612022-04-20T11:40:00.006-07:002022-04-20T11:40:55.823-07:00Big Exchange News!<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmCnCdHX1fMjzEX86OooddQZn3pilm8_wA0bHYNPDLbXdGUr_oES_d8TfXYQFUIS7WlfeUqNCA-pfSmg32oKyaSzP3nifoYsuUGF2bvO8_4FAzA38iYRZ139IZrbAKq0aH81YaZuPCWbHuejGvhd08VsowVLc31UeBu_mz_SsgAzDJbtcg4jh7HRvmFA/s1600/announcement-sticker-announcement-sticker-announcement-square-sign-announcement-153949349.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="762" data-original-width="1600" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmCnCdHX1fMjzEX86OooddQZn3pilm8_wA0bHYNPDLbXdGUr_oES_d8TfXYQFUIS7WlfeUqNCA-pfSmg32oKyaSzP3nifoYsuUGF2bvO8_4FAzA38iYRZ139IZrbAKq0aH81YaZuPCWbHuejGvhd08VsowVLc31UeBu_mz_SsgAzDJbtcg4jh7HRvmFA/w640-h304/announcement-sticker-announcement-sticker-announcement-square-sign-announcement-153949349.jpg" width="640" /></a></div><p></p><p><u>Lots</u> of exciting announcements are being made today about Exchange Server on the <a 
href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026" target="_blank">EHLO Blog</a>.</p><p></p><ul style="text-align: left;"><li><b>Free Exchange 2019 hybrid keys are being made available. </b>This, along with the <a href="https://blog.expta.com/2022/04/yes-virginia-you-can-buy-exchange-2019.html" target="_blank">public availability of Exchange Server 2019 bits</a>, means that customers can deploy Exchange 2019 hybrid management servers for free!</li></ul><ul style="text-align: left;"><li><b>A new Exchange Management Tools update is being announced.</b> This will allow customers who have completed their migration to Microsoft 365 Exchange Online an option to turn off (not remove!) their last Exchange Server. There are several large caveats to this: the solution is PowerShell only, it does not support RBAC, and there is no auditing available. I'm working on a blog article that does a walkthrough and explains all the details.</li></ul><ul style="text-align: left;"><li><b>The Hybrid Configuration Wizard is making several improvements</b>, including MFA support.</li></ul><ul style="text-align: left;"><li><b>Microsoft is changing the update delivery model for Exchange Server to twice a year (H1 and H2 releases), rather than (roughly) every quarter. 
</b>This will allow customers more time for testing and deployment between releases.</li></ul><ul style="text-align: left;"><li><b>Exchange Server 2019 is adding Windows Server 2022 support.</b> Exchange 2019 CU12 and above can be installed on Windows Server 2019 or Windows Server 2022.</li></ul><ul style="text-align: left;"><li><b>With the latest CUs, Exchange Server 2013/2016/2019 now supports Windows Server 2022 Active Directory environments.</b> Exchange customers no longer need to put off upgrading their Domain Controllers.</li></ul><ul style="text-align: left;"><li><b>New Microsoft Bounty Program for Exchange Server.</b> A security vulnerability bounty program for Microsoft Exchange Server is being launched to help keep Exchange Server secure for all customers.</li></ul><div>Read all about these exciting changes here: <b><a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026" target="_blank">Released: 2022 H1 Cumulative Updates for Exchange Server</a></b></div><div><b><br /></b></div><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-51346606442765461452022-04-18T08:46:00.004-07:002022-04-26T05:12:56.092-07:00Yes, Virginia, You Can Buy Exchange 2019!<h3 style="text-align: left;">In the Beginning</h3><p>When Exchange 2019 was launched at Microsoft Ignite 2018, it was also announced that Exchange Server 2019 and its Cumulative Updates would be available only through the <a href="https://www.microsoft.com/Licensing/servicecenter/default.aspx" target="_blank">Volume Licensing Service Center</a> (VLSC). It was explained that large enterprise customers were asking for security, reliability, and dependability. 
They want all the things that mean Exchange runs as a mission critical application.</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://youtu.be/91-IU2oUhSA?t=210" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="552" data-original-width="986" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinpm9WT5GFFwSOIkO82S7e6dIiQ3UsOXibk035ubwcm87bigcIi1TVBEsPlRh9-OeQgs8bd7k0DReH7t6FX_ecv3pPTAJug2iPrOHJsPqzLdgm_jHjgBO_WKYUuXS8X1-nTMBrdOqgQyOxnZFHhwmwvvyvfB5F9OAwn43Q1aaznOmUPWAHNxz7WbHU7Q/w640-h358/Exchange%202019%20VLSC%20Only.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Welcome to Exchange Server 2019! - BRK2176</td></tr></tbody></table><p>As Greg Taylor, then Director of Product Marketing for Exchange Server/Online, <a href="https://youtu.be/91-IU2oUhSA?t=210" target="_blank">said</a> at the time, "<i>For those customers who still want to stay on premises, that's the reason we built Exchange 2019. And that's also the reason why we are only going to distribute Exchange 2019 to those customers through Volume Licensing.</i>"</p><p>As anticipated, Exchange Server 2019 RTM and CUs 1-8 were only available through the VLSC and to developers for testing and application development through <a href="https://my.visualstudio.com" target="_blank">MSDN</a>. 
And for the first time ever, the current version of Exchange Server was no longer available on the <a href="https://www.microsoft.com/en-in/evalcenter/evaluate-office-servers" target="_blank">Office Servers Evaluation Center</a>.</p><div><p>To access Exchange Server 2019 through the VLSC, customers must have an active agreement in one of the following Microsoft Volume Licensing programs:</p><p></p><ul><li>Microsoft Enterprise Agreement (500+ seats)</li><li>Microsoft Products and Services Agreement (250+ seats)</li><li>Microsoft Open Value Agreement (5-499 seats)</li></ul>See the <a href="https://download.microsoft.com/download/1/F/5/1F5357DD-F7C8-4CC8-8C5F-7F6B1569ECF0/Transactional_Licensing_Comparison_Chart.pdf" target="_blank">Compare Microsoft Volume Licensing Programs</a> resource document for full details.<div><br /></div><div>I've found that most small-midsize customers mistakenly think that access to the VLSC requires an Enterprise Agreement or large minimum spend requirement. Plus, most of these customers buy licenses through a third-party license provider, like a Cloud Solution Provider or <a href="https://partner.microsoft.com/en-us/Licensing/distributors" target="_blank">licensing distribution partners</a>. Few of the customers I speak with have actually entered into a licensing agreement directly with Microsoft.</div><p>The VLSC requirement imposed a barrier that prevented these customers from accessing Exchange Server 2019. 
And if non-VLSC customers cannot get Exchange 2019, it means that Exchange 2016 is the latest version they could use for hybrid management after they have completed their migration to the cloud.</p><p>As we know, an Exchange server is still required for Exchange recipient management even after all mailboxes have been moved to Microsoft 365 since Active Directory is still the Source of Authority for hybrid customers.</p><h3 style="text-align: left;">Then HAFNIUM happened...</h3><p>In March 2021 a state-sponsored hacking group called <a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" target="_blank">HAFNIUM</a> targeted Exchange Servers around the world by exploiting zero-day vulnerabilities. Threat actors gained access to email servers and installed malware to facilitate long-term access to victim environments and to perform data exfiltration.</p><p>Microsoft quickly responded to HAFNIUM by releasing Security Updates (SUs) that patched the Exchange Server vulnerabilities and a short time later included these fixes in the <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-quarterly-exchange-updates/ba-p/2205283" target="_blank">March 2021 Quarterly Exchange Updates</a>. In an effort to ensure that all customers could get and stay up-to-date, it was decided to publish Exchange Server 2019 CU9 and future CUs to the Microsoft Download Center in addition to the VLSC.</p><h3 style="text-align: left;">What This Means to Hybrid Customers</h3><p>Exchange hybrid customers who have completed their migration to the cloud can now use Exchange Server 2019 as their hybrid management server. 
All customers can now run the latest version of Exchange Server with the most recent CUs and SUs by downloading them from the <a href="https://www.microsoft.com/en-us/search/explore?q=download+exchange+server+2019" target="_blank">Download Center</a>, even without a Volume Licensing agreement.</p><p>CUs are build-to-build upgrades and contain a full server installation, so the latest CU can be used for a fresh installation. Always check the <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/bg-p/Exchange" target="_blank">Exchange Team Blog</a> for details on the latest CU. All customers, including hybrid customers, should keep their Exchange servers up to date using the N-1 support statement (the current and previous CUs and SUs are supported).</p><p><strike>Keep in mind that currently there is no free Exchange hybrid license available for Exchange 2019 like there is for Exchange 2013/2016, so customers will need to license their Exchange Server 2019. </strike>See <a href="https://blog.expta.com/2022/04/big-exchange-news.html" target="_blank">Big Exchange Announcements</a>!</p><p>Customers with Exchange Server 2010 must keep in mind that Exchange Server 2019 will not install if Exchange 2010 is in the environment. Those customers must transition to Exchange Server 2016 and decommission Exchange 2010 before installing Exchange 2019.</p><p><br /></p></div><div class="blogger-post-footer">Did you find this information useful? 
Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-2382694344376365612022-01-16T20:03:00.006-08:002022-01-18T11:04:43.992-08:00Windows Server Reboot Loop After Installing January 2022 Security Updates<div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both;">It seems all my blog posts are about Microsoft update failures lately: (</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;">I've seen several reports of Windows Server 2012 R2, 2019, and 2022 getting stuck in a reboot loop after installing the January Windows Updates. Specifically, these updates:</div><div class="separator" style="clear: both;"><ul style="text-align: left;"><li>KB5009624 for Windows Server 2012 R2</li><li>KB5009557 for Windows Server 2019</li><li>KB5009555 for Windows Server 2022</li></ul><div>Microsoft is currently aware of the issue.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjK1oWNBsDKJr9de2UcFofEY4Xei6AMHeB-XkUq3MYImIdAOUbVF34tfrxtRy9FqCqGtsUUAi4Wp3W22kthByej05Ni8vF9aCIiGz9vlbjz_D-g-pmvNWnuSJgRt2bEFuYFvi8hUEhfbo1lRR7x_JiinK1Jy3ilQMGSh_4RZgZPy9iH5x0m4_sIvQRFxQ=s1055" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="329" data-original-width="1055" height="200" src="https://blogger.googleusercontent.com/img/a/AVvXsEjK1oWNBsDKJr9de2UcFofEY4Xei6AMHeB-XkUq3MYImIdAOUbVF34tfrxtRy9FqCqGtsUUAi4Wp3W22kthByej05Ni8vF9aCIiGz9vlbjz_D-g-pmvNWnuSJgRt2bEFuYFvi8hUEhfbo1lRR7x_JiinK1Jy3ilQMGSh_4RZgZPy9iH5x0m4_sIvQRFxQ=w640-h200" width="640" /></a></div><br /><div>To fix the issue, restart the computer in <b>Safe Mode</b> which will allow you to login and remove the offending update from Windows Update. 
You can normally get into Safe Mode by pressing F8 <i>immediately </i>after the server starts. On Windows Server 2012 R2 and later the F8 menu is off by default, so if it never appears, interrupt the boot to get into the Windows Recovery Environment and use <b>Troubleshoot</b> > <b>Advanced options</b> > <b>Startup Settings</b> to reach Safe Mode.</div><div><br /></div><div>Domain Controllers are a little more tricky, since the only local account on a DC is the Directory Services Restore Mode (DSRM) Administrator, and you may not have that password handy. For DCs you should restart in <b>Safe Mode with Networking</b>, which brings up AD DS and allows you to log in with a Domain Admin account.</div><div><br /></div><div>To remove the update from the command line, run the appropriate command for your operating system:</div><div><br /></div><div>Windows Server 2012 R2:</div><div><span style="font-family: courier;"><b style="background-color: #cccccc;">wusa /uninstall /kb:5009624</b></span></div><div><br /></div><div>Windows Server 2019:</div><div><b><span style="background-color: #cccccc; font-family: courier;">wusa /uninstall /kb:5009557</span></b></div><div><br /></div><div>Windows Server 2022:</div><div><span style="font-family: courier;"><b style="background-color: #cccccc;">wusa /uninstall /kb:5009555</b></span></div><div><br /></div><div>I found that if the server is configured to automatically download and install updates it will reinstall the errant update all over again. Grrrr. 
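Here is the whole cleanup as a script, added as an example rather than anything from the original post. It maps the server's build number to the KB listed above, uninstalls it with wusa if it is installed, and then hides it through the Windows Update Agent COM API, which sets the same IsHidden flag that the Hide Update option does. The build-to-KB table, the wusa exit codes treated as success (0, and 3010 for "restart required") and the elevated-prompt requirement are my assumptions, not from the post. The hide step needs the Windows Update service, which does not run in Safe Mode, so that part is expected to fail there; run the script again after a normal boot to finish hiding the update.

```powershell
# Added example, not from the original post. Uninstalls the January 2022 KB for this
# Windows Server build and hides it so Windows Update does not reinstall it.
# Assumptions: run from an elevated PowerShell prompt; build-to-KB table below is mine.
$kbByBuild = @{
    '9600'  = '5009624'   # Windows Server 2012 R2
    '17763' = '5009557'   # Windows Server 2019
    '20348' = '5009555'   # Windows Server 2022
}

function Get-OffendingKb {
    # BuildNumber comes back as a string, which matches the hashtable keys above
    $build = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    if (-not $kbByBuild.ContainsKey($build)) {
        throw "Build $build is not one of the affected Windows Server versions."
    }
    return $kbByBuild[$build]
}

function Remove-OffendingKb ([string]$Kb) {
    if (-not (Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue)) {
        Write-Output "KB$Kb is not installed; nothing to remove."
        return
    }
    # wusa returns 0 on success and 3010 when a restart is still pending (assumption)
    $p = Start-Process wusa.exe -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) {
        throw "wusa failed to remove KB$Kb (exit code $($p.ExitCode))."
    }
    Write-Output "KB$Kb uninstalled; restart the server to finish."
}

function Hide-OffendingKb ([string]$Kb) {
    # Same flag the "Hide Update" option sets, via the Windows Update Agent COM API.
    # The search needs the Windows Update service, which is not running in Safe Mode.
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    } catch {
        throw "Windows Update search failed (still in Safe Mode?): $($_.Exception.Message)"
    }
    $hidden = 0
    foreach ($update in $result.Updates) {
        if (@($update.KBArticleIDs) -contains $Kb) {
            $update.IsHidden = $true    # persists until the update is unhidden or superseded
            $hidden++
        }
    }
    return $hidden
}

$kb = Get-OffendingKb
Remove-OffendingKb $kb
$count = Hide-OffendingKb $kb
Write-Output "$count matching update(s) hidden for KB$kb."
```

Run it once in Safe Mode to get rid of the update, then once more after the server boots normally so the hide step can reach Windows Update before the KB is offered again.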
You can prevent this by hiding the update in the Windows Update GUI:</div><div><ul style="text-align: left;"><li>Uninstall the update and then run <b>Check for Updates</b> from Windows Update on the server.</li><li>Right-click the update and select <b>Hide Update</b> to prevent it from being reinstalled.</li></ul></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEinY_cL1b44LXKXAqVmznzQqnP8Hq-h8dQAg_mMDd6ZWWD2IG0Gi-yb-stiMTrNbA4_pYblUO7qZyXiXsEznXAoe_FKBFLPpWlcBGBbsf7X4JYxXs-C6YdQCP6v9phxg2cEXK_asi89TnK7stwp1J2HSpsrm-2ZWBUkZi3mmotxpRIIBRdP84t9fwZyUw=s1162" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="673" data-original-width="1162" height="370" src="https://blogger.googleusercontent.com/img/a/AVvXsEinY_cL1b44LXKXAqVmznzQqnP8Hq-h8dQAg_mMDd6ZWWD2IG0Gi-yb-stiMTrNbA4_pYblUO7qZyXiXsEznXAoe_FKBFLPpWlcBGBbsf7X4JYxXs-C6YdQCP6v9phxg2cEXK_asi89TnK7stwp1J2HSpsrm-2ZWBUkZi3mmotxpRIIBRdP84t9fwZyUw=w640-h370" width="640" /></a></div><br /><div>I, for one, am really getting tired of the poor quality of updates coming from Microsoft these days. There's simply no excuse for this.</div><div><br /></div><h3 style="text-align: left;">UPDATE - January 17, 2022</h3><div>
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse;">
<tbody><tr>
<td style="border: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 467.5pt;" valign="top" width="623">
<p class="MsoNormal" style="background: white;">Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to <a href="https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#2773msgdesc" target="_blank">VPN connectivity</a>, <a href="https://docs.microsoft.com/en-us/windows/release-health/status-windows-server-2022#2775msgdesc" target="_blank">Windows Server Domain Controllers restarting</a>, <a href="https://docs.microsoft.com/en-us/windows/release-health/status-windows-8.1-and-windows-server-2012-r2#2776msgdesc" target="_blank">Virtual Machines start failures</a>, and <a href="https://support.microsoft.com/topic/kb5010691-refs-formatted-removable-media-may-fail-to-mount-or-mounts-as-raw-after-installing-the-january-11-2022-windows-updates-7a959f37-91b6-4baf-a797-829b0ee86c65" target="_blank">ReFS-formatted removable media failing to mount</a>. All updates are available on the Microsoft Update Catalog, and some are also available on <a href="https://support.microsoft.com/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a#WindowsVersion=Windows_11" target="_blank">Windows Update</a> as an optional update. Check the release notes for your version of Windows for more information.</p>
<p class="MsoNormal" style="background: white;">Updates for the following Windows versions are available on Windows Update as an optional update. For instructions, see the KB for your OS listed below:</p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; text-indent: -.25in;">· Windows 11, version 21H1 (original release): <a href="https://support.microsoft.com/help/5010795" target="_blank">KB5010795</a></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows Server 2022: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010796&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ukuVk1QZ5KIYl%2BR6aycDZQVNv1v%2FzDMI4%2Bm%2FgVBpFuQ%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010796</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 10, version 21H2: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010793&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=GZM8CAeC8S6L3wMANBAGXJbi9mdxdCqX3Y83UkVj96s%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010793</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 10, version 21H1: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010793&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=GZM8CAeC8S6L3wMANBAGXJbi9mdxdCqX3Y83UkVj96s%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010793</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 10, version 20H2, Windows Server, version 20H2: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010793&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=GZM8CAeC8S6L3wMANBAGXJbi9mdxdCqX3Y83UkVj96s%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010793</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 10, version 20H1, Windows Server, version 20H1: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010793&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=GZM8CAeC8S6L3wMANBAGXJbi9mdxdCqX3Y83UkVj96s%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010793</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 10, version 1909, Windows Server, version 1909: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010792&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=qnREUHbGvn0IcABOEyeA3BKfSsUdXE6LIHk2gSDDKNI%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010792</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 10, version 1607, Windows Server 2016: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010790&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=VFwMJECrcHZoi74GUC9RnPCdJPJEIvo9Ca9dO24Gnbc%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010790</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 10, version 1507: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010789&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=aXCYCGBTE%2FCsoXiswxFBne3TkFsNRmvpWBf9vM8rFOo%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010789</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 7 SP1: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010798&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=x2axZM%2FC07p9fWrOeW8Bnredw6S363b54g0bsvQ2lPQ%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010798</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l0 level1 lfo1; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows Server 2008 SP2: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010799&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=8MIwBLiZZpHth6dnNhkqTZhZHpCXdDQYrcbrbjit9dc%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010799</span></a></span></p>
<p class="MsoNormal" style="background: white;"><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Updates for the following Windows versions are available only
on Microsoft Update Catalog. For instructions, see the KB for your OS listed
below:<u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l1 level1 lfo2; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows 8.1, Windows Server 2012 R2: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010794&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=HJ223VNJCBHer4DznSJ7FfOkDrsdnnMIXo81ysr8XFY%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010794</span></a><u5:p></u5:p></span><o:p></o:p></p>
<p class="MsoNormal" style="background: white; margin-left: 64.5pt; mso-list: l1 level1 lfo2; tab-stops: list .5in; text-indent: -.25in;"><!--[if !supportLists]--><span style="font-family: Symbol; font-size: 10.0pt; mso-bidi-font-family: Symbol; mso-bidi-font-size: 10.5pt; mso-fareast-font-family: Symbol;">·<span style="font-family: "Times New Roman"; font-size: 7pt; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]--><span style="color: #171717; font-family: "Segoe UI",sans-serif;">Windows Server 2012: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5010797&data=04%7C01%7CJeff.Guillet%40Office365ExchangeBook.com%7Cf09155ce67494caa31da08d9da974707%7Cb662313f14fc43a29a7ad2e27f4f3478%7C0%7C0%7C637781165576553599%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=lJ0ELiCWWdofCROOgrNGx66GMtb7tgPkp1Z257IzblA%3D&reserved=0" target="_blank"><span style="text-decoration-line: none;">KB5010797</span></a></span></p>
</td>
</tr>
</tbody></table>
<p class="MsoNormal"><span style="font-family: "Calibri",sans-serif; font-size: 11.0pt;"> </span><o:p></o:p></p>
</div></div></div><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-77515596008536287782021-12-21T14:14:00.013-08:002021-12-22T14:04:43.982-08:00AAD Connect 2.0.88.0 breaks Shared Mailboxes for Exchange hybrid customers<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg2YFiJ3C0IpmIjd3ldsRDf-RVsvC23IDD7tFaHE_8e_jLBp1arjLE5ojYEbFCqBidKspc1u7pP2KGatIoA6mOOiCy4Mbat9aj0Nb_cxpSmoj8eIeJSx2VZuML3kTsEgPsJI-bI9je3bNrfbboDiPkyQg-FqvvytQYO1rso0UNjxXB94QoUWS_0Cf5X1g=s768" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="559" data-original-width="768" height="146" src="https://blogger.googleusercontent.com/img/a/AVvXsEg2YFiJ3C0IpmIjd3ldsRDf-RVsvC23IDD7tFaHE_8e_jLBp1arjLE5ojYEbFCqBidKspc1u7pP2KGatIoA6mOOiCy4Mbat9aj0Nb_cxpSmoj8eIeJSx2VZuML3kTsEgPsJI-bI9je3bNrfbboDiPkyQg-FqvvytQYO1rso0UNjxXB94QoUWS_0Cf5X1g=w200-h146" width="200" /></a></div><p>Microsoft released Azure AD Connect version 2.0.88.0 as a download-only version on 12/16/2021. This update includes several bug fixes and introduces support for <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#public-preview-each-object-multiple-times-in-an-azure-ad-tenant">syncing AD objects from a single forest to multiple tenants</a>.</p><p><b>However, this version contains a new potentially devastating bug that removes disabled user accounts in AD from Azure AD</b>. </p><p>Because shared mailboxes use disabled user accounts, the corresponding mail users are also deleted from Exchange Online. Cloud users will no longer see on-prem shared mailboxes in the GAL or be able to access them. 
Inbound mail flow will also be affected for these mailboxes since they no longer exist from an Exchange Online Protection perspective.</p><p>Luckily, version 2.0.88.0 is not being pushed as an auto-upgrade version, so only customers who download and install it are affected.</p><p><b>AAD Connect version 2.0.89.0 has been released</b>. If you are affected by this bug, you should update to the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=47594" target="_blank">latest version</a>. See my other updates below.</p><p><strike>The workaround is to remove AAD Connect 2.0.88.0 and reinstall the previous AAD Connect version 2.0.28.0. Since Microsoft removes all but the most current version, I've made AAD Connect 2.0.28.0 available on my blog <a href="https://expta.com/AzureADConnect2.0.28.0.msi"><b>here</b></a>.</strike></p><p><strike>I recommend exporting your current AAD Connect configuration first, then importing it when installing version 2.0.28.0. Be sure to uncheck "Enable staging mode" when completing the installation.</strike> </p><p>During the first sync, you will see that the disabled accounts in AD are being synced again to Azure AD.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjApRtqJ2_SWSKAjHkBBuiq6MI5lgkZ5LRJNf_9xNwqkTe-37iPLJuJicpqVj2NEMeCYR-yqhQ6antjntP-4uu7xrzEFbIoeMvxK9wPK2DCsZg606wJN2ELhfRq4fMCffZ_LEan-pbZHyQ4ogsQM7LKuGadbrtxvJdAE6Na3RC19WWet4oJnMAeKaD2lQ=s803" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="634" data-original-width="803" height="506" src="https://blogger.googleusercontent.com/img/a/AVvXsEjApRtqJ2_SWSKAjHkBBuiq6MI5lgkZ5LRJNf_9xNwqkTe-37iPLJuJicpqVj2NEMeCYR-yqhQ6antjntP-4uu7xrzEFbIoeMvxK9wPK2DCsZg606wJN2ELhfRq4fMCffZ_LEan-pbZHyQ4ogsQM7LKuGadbrtxvJdAE6Na3RC19WWet4oJnMAeKaD2lQ=w640-h506" width="640" /></a></div><br /><h3 style="text-align: left;">Update #1 - Dec 22, 2021</h3><p>The <a 
href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#20890" target="_blank">Azure AD Connect Version History</a> website was updated yesterday after my blog post to say that version 2.0.89.0 has been released which addresses this issue. However, at this time only 2.0.88.0 is still available from the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=47594" target="_blank">AAD Connect download website</a>.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhTtb_HODo_Il2wY1-KHwW78proj0DNr3YZ1gq7_AFLtsTj0T5IS30zbehh2-fGYG4IKucGX_nIMlfy1B0NmOs3P0N-VJZ6eHY8gg6fRkzXsnBupIZuJrk1YuEd1_RIWWy2pbPmB-McKXjsxO9F6cELyYGn8ZXTtzsC4teADWRL-SeU-h_EwB9bs8irdA=s673" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="305" data-original-width="673" height="290" src="https://blogger.googleusercontent.com/img/a/AVvXsEhTtb_HODo_Il2wY1-KHwW78proj0DNr3YZ1gq7_AFLtsTj0T5IS30zbehh2-fGYG4IKucGX_nIMlfy1B0NmOs3P0N-VJZ6eHY8gg6fRkzXsnBupIZuJrk1YuEd1_RIWWy2pbPmB-McKXjsxO9F6cELyYGn8ZXTtzsC4teADWRL-SeU-h_EwB9bs8irdA=w640-h290" width="640" /></a></div><h3>Update #2 - Dec 22, 2021</h3><p><b>AAD Connect version 2.0.89.0</b> is now available for <a href="https://www.microsoft.com/en-us/download/details.aspx?id=47594" rel="nofollow">download</a>. Strangely, this new version is no longer listed in the version history. <b>:-/ </b></p><p>I have confirmed that the bug has been squashed.</p><p><br /></p><div class="blogger-post-footer">Did you find this information useful? 
Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-6795232781531915112021-11-25T13:01:00.002-08:002021-11-25T13:01:40.919-08:00November 2021 Windows Security Updates break OWA published with Azure App Proxy<p>If you use Azure App Proxy to publish Outlook Web App (OWA) your may find that it suddenly stopped working. This is due to a bug in recent Windows security updates that affects Kerberos delegation.</p><p>Microsoft quietly announced this in the Microsoft 365 Message Center as announcement #2750 - <a href="https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2750" target="_blank">Take action: Out-of-band update to address authentication issues on DCs relating to Kerberos delegation scenarios</a>.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-WT6uyFx7Dhs/YZ_24kb-PQI/AAAAAAAAm-k/czGIJ2kr8rIBgZhb3iQ3tHPBBVKkPnX1gCLcBGAsYHQ/s782/Take%2BAction.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="385" data-original-width="782" height="317" src="https://1.bp.blogspot.com/-WT6uyFx7Dhs/YZ_24kb-PQI/AAAAAAAAm-k/czGIJ2kr8rIBgZhb3iQ3tHPBBVKkPnX1gCLcBGAsYHQ/w640-h317/Take%2BAction.png" width="640" /></a></div><p>There are separate out-of-band updates for all versions of Windows Server from Windows Server 2008 SP2 through Windows Server 2019. Make sure to download the correct update for your version of Windows Server.</p><p>At a minimum, your should apply these updates to all the Domain Controllers that reside in the same AD site as your Exchange Servers. 
The OOB update requires a restart of the DCs where it is applied.</p><p>Once installed, OWA published through AAD App Proxy will start working again.</p><p>Publishing OWA through Azure App Proxy allows your organization to use Conditional Access and MFA for OWA access. If you would like help with this for your organization, please <a href="https://www.expta.com/contact.html" target="_blank">contact</a> EXPTA Consulting.</p><p><br /></p>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-87967165581951255852021-11-04T13:55:00.004-07:002021-11-10T07:50:07.126-08:00Azure AD Connect V1.X versions no longer support the V2 endpoint<p>Microsoft introduced the <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-endpoint-api-v2" target="_blank">Azure AD Connect sync V2 endpoint</a> with version 1.6.4.0 in March 2021. Among other improvements, the V2 endpoint performs better and allows synchronization of groups with up to 250K members. Enterprise customers with groups of 50K or more were encouraged to move to the new V2 endpoint.</p><p>AAD Connect version 2.0.3.0 was released in July 2021 and was a major upgrade. It supports the V2 endpoint by default, but requires Windows Server 2016 or 2019 due to its dependency on SQL Server Express 2019 for localDB. There are still many customers running AADC V1.x for this reason.</p><p>Today, Microsoft updated the <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history" target="_blank">AADC version history</a> to say that <b>the V2 endpoint is no longer available for V1.x versions</b>. 
</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-E1_Ia6C7_og/YYRKIvXTo-I/AAAAAAAAm7Q/OWxW1WnYiKEs0n3nmTBedy_luiX9GCgPgCLcBGAsYHQ/s880/AADC.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="554" data-original-width="880" height="402" src="https://1.bp.blogspot.com/-E1_Ia6C7_og/YYRKIvXTo-I/AAAAAAAAm7Q/OWxW1WnYiKEs0n3nmTBedy_luiX9GCgPgCLcBGAsYHQ/w640-h402/AADC.png" width="640" /></a></div><p></p><p>UPDATE - 11/10/2021: Microsoft just added the following information to the AAD Connect version history:</p><blockquote><p><span style="font-family: arial;"><b>Known Issues</b></span></p><p><span style="font-family: arial;">There is an issue where customers who have the V2 endpoint running with an older version and try to upgrade to a newer V1.6 release will see that the 50K limitation on group membership is reinstated. We will not fix this issue in V1.6 and require customers to upgrade to AADConnect V2.0 if this is an issue for them.</span></p></blockquote><p>Azure AD Connect V1.x customers are strongly encouraged to update to V2.x, keeping in mind that this may require installing AADC V2.x on a new Windows 2016 or Windows 2019 server. 
I wrote a <a href="https://blog.expta.com/2021/07/how-to-migrate-aad-connect-to-new-server.html" target="_blank">step-by-step article on upgrading here</a>.</p><p>In the meantime, if you are still using Azure AD Connect 1.x, use the following steps to make sure you're using the V1 endpoint.</p><p>First, check to see which sync endpoint you're using with these cmdlets, run from the server where Azure AD Connect 1.x is running:</p><p></p><ul style="text-align: left;"><li><span style="font-family: courier;"><b>Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'</b></span></li><li><span style="font-family: courier;"><b>Get-ADSyncAADConnectorExportApiVersion</b></span></li><li><span style="font-family: courier;"><b>Get-ADSyncAADConnectorImportApiVersion</b></span></li></ul><div>If both Get-* cmdlets return the value "<b>1</b>", you're using the V1 endpoint. Nothing more to do here, except plan to upgrade to AAD Connect V2.x as soon as reasonable.</div><div><br /></div><div>If the values returned are "<b>2</b>", you're using the V2 endpoint and need to change it back to V1:</div><div><ul style="text-align: left;"><li><span style="font-family: courier;"><b>Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Extensions\AADConnector.psm1'</b></span></li><li><span style="font-family: courier;"><b>Set-ADSyncScheduler -SyncCycleEnabled $false</b></span></li><li><span style="font-family: courier;"><b>Set-ADSyncAADConnectorExportApiVersion 1</b></span></li><li><span style="font-family: courier;"><b>Set-ADSyncAADConnectorImportApiVersion 1</b></span></li><li><span style="font-family: courier;"><b>Set-ADSyncScheduler -SyncCycleEnabled $true</b></span></li></ul><div>Be aware that the V1 endpoint cannot sync groups with 50K+ members. You should plan to upgrade to AAD Connect V2.x as soon as possible.</div></div><div><br /></div><p></p>
Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-32585933275364378582021-10-11T18:44:00.003-07:002024-01-30T08:18:50.532-08:00CHANGE LOG: View Quarantine add-in for Outlook<p><span style="font-size: large;"><b>View Quarantine add-in for Outlook Change Log</b></span></p><hr /><p><span style="background-color: #fff2cc; font-size: medium;">Please see <a href="https://blog.expta.com/2021/10/how-to-install-outlook-add-in-to-view.html" style="font-weight: bold;" target="_blank">How to install an Outlook add-in to view the Microsoft 365 End-User Quarantine</a> for a full description and installation instructions.</span></p><hr /><p><span style="background-color: white;"><b>Version 1.0.0.0</b><span>: Microsoft won't certify my add-in because they say it "does not provide significant value or benefits to commercial marketplace customers". I think most of you will disagree. I'll keep trying to get it certified, but in the meantime you can always install it from my website using the procedures from my blog article.</span></span></p><div><div class="separator" style="clear: both;"><b>Version 1.0.1.0</b><span style="background-color: white;">: Added automatic localization for 37 languages. Reinstall the add-in if you need one of these languages. 
Please let me know if my translations need adjustments.</span></div></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-rQ6bLx1r4-o/YWTlUjjEtyI/AAAAAAAAm5Q/L2TufLjOC1McoLyexBG82bxWxgj7vZRDACLcBGAsYHQ/s872/Languages.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="627" data-original-width="872" height="460" src="https://1.bp.blogspot.com/-rQ6bLx1r4-o/YWTlUjjEtyI/AAAAAAAAm5Q/L2TufLjOC1McoLyexBG82bxWxgj7vZRDACLcBGAsYHQ/w640-h460/Languages.png" width="640" /></a></div><br /><div class="separator" style="clear: both;"><span style="background-color: white;"><b>Version 1.1.1.0</b><span>: Added new manifest.xml (option 1) and ZIP file (option 2) deployments for GCC (Government Cloud) and GCC High (Government Cloud High) tenants.</span></span></div><div class="separator" style="clear: both;"><span style="background-color: white;"><span><br /></span></span></div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-33596643813845049142021-10-07T11:42:00.272-07:002024-01-31T16:32:08.410-08:00Install an Outlook add-in to view the Microsoft 365 End-User Quarantine<p>This article explains how to install an Outlook add-in called <b>View Quarantine</b> that will open the Microsoft 365 end-user quarantine in a browser with a single click. This makes it really easy to access the quarantine directly from Outlook. And since this is a true Office add-in, it also displays and works in Outlook mobile and Outlook on the web!</p><div><br /></div><div>I'm happy to announce that the add-in now also works with Microsoft Government Community Clouds (GCC and GCC High)! 
View the <a href="https://blog.expta.com/2021/10/change-log-view-quarantine-add-in-for.html" target="_blank"><b>change log</b></a> for status and feature updates.</div><div><br /></div><div>The add-in shows in the Outlook ribbon when viewing any folder that contains mail items. </div><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-I151HngV5tQ/YV5V2G102SI/AAAAAAAAm3c/-K2JRnR3UGYkixcim40cUuvGHVeZnWrnACLcBGAsYHQ/s512/View%2BQuarantine%2BAdd-In.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="121" data-original-width="512" height="154" src="https://1.bp.blogspot.com/-I151HngV5tQ/YV5V2G102SI/AAAAAAAAm3c/-K2JRnR3UGYkixcim40cUuvGHVeZnWrnACLcBGAsYHQ/w640-h154/View%2BQuarantine%2BAdd-In.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The <b>View Quarantine</b> add-in for Outlook</td></tr></tbody></table><br />Simply click the button to open the Microsoft Defender Online end-user quarantine in your default browser. 
You may need to sign in to view the quarantine.<div><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-SZs_Ls_I9ho/YV5WGJOF4JI/AAAAAAAAm3k/cl0kJxzAkioiYBLKHGgB_nGbzd1tKE7GwCLcBGAsYHQ/s1370/End-User%2BQuarantine.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="494" data-original-width="1370" height="230" src="https://1.bp.blogspot.com/-SZs_Ls_I9ho/YV5WGJOF4JI/AAAAAAAAm3k/cl0kJxzAkioiYBLKHGgB_nGbzd1tKE7GwCLcBGAsYHQ/w640-h230/End-User%2BQuarantine.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">The Microsoft 365 end-user quarantine</td></tr></tbody></table><br /><div>I originally built this add-in using the <a href="https://docs.microsoft.com/en-us/office/dev/add-ins/quickstarts/outlook-quickstart?tabs=yeomangenerator" target="_blank">Build your first Outlook add-in - Office Add-ins</a> documentation. This gave me a good head start to build and customize the add-in.</div><div><br /></div><div style="text-align: left;">The add-in consists of three files plus icons in various sizes for the different platforms.</div><div><br /></div><div><table border="1" cellpadding="4" cellspacing="0" style="border-collapse: collapse;">
<thead>
<tr><th style="text-align: left;">Source File</th><th style="text-align: left;">Description</th></tr>
</thead>
<tbody>
<tr><td><b>commands.html</b></td><td>An HTML "wrapper" that calls the JavaScript used by the add-in when the button is clicked.</td></tr>
<tr><td><b>commands.js</b></td><td>The JavaScript functions that provide status and open the end-user quarantine in a browser.</td></tr>
<tr><td><b>manifest.xml</b></td><td>The real heart of the add-in. It defines the unique ID for the add-in and describes when to display the View Quarantine button and how the add-in functions.</td></tr>
<tr><td><b>assets</b> folder</td><td>Contains six icon files of different sizes and opacity for Outlook, OWA, and Outlook mobile.</td></tr>
</tbody></table></div><div><div><br /></div><div>I'm currently in the process of publishing this add-in to the <a href="https://appsource.microsoft.com/en-us/marketplace/apps" target="_blank">AppSource</a> marketplace via the Microsoft Partner Center. Please see the <a href="https://blog.expta.com/2021/10/change-log-view-quarantine-add-in-for.html" target="_blank"><b>change log</b></a>. In the meantime, there are two ways you can install the <b>View Quarantine</b> add-in now.</div><div><br /></div><h2 style="text-align: left;">Option 1 -- Install via the Web</h2></div><div>You can install the add-in from my website until Microsoft publishes it on AppSource.</div><div><div class="separator" style="clear: both; text-align: left;"><ul style="text-align: left;"><li>Open Outlook and click the <b>Get-Add-ins</b> button in the ribbon. Alternatively, click <b>File</b> and click the <b>Manage Add-Ins </b>button at the bottom.</li><li>Click <b>My add-ins</b> in the top left.</li><li>Click the <b>+ Add a custom add-in</b> dropdown at the bottom of the window under <b>Custom add-ins</b>, then select <b>Add from URL...</b></li><li>Enter the following URL: <b><span style="color: #2b00fe;">https://www.expta.com/quarantine/manifest.xml</span></b> and click <b>OK</b>.</li><ul><li>If your mailbox is in a <b>GCC</b> tenant use the following URL: <b><span style="color: #2b00fe;">https://www.expta.com/quarantine-gcc/manifest.xml</span></b></li><li>If your mailbox is in a <b>GCC High</b> tenant use the following URL: <b><span style="color: #2b00fe;">https://www.expta.com/quarantine-gcch/manifest.xml</span></b></li></ul></ul><div class="separator" style="clear: both; text-align: left;"><a href="https://1.bp.blogspot.com/-hyl6cUEtD30/YWCX70jG4BI/AAAAAAAAm4s/Y3Ap64vvd5kqHOyzoq__fXDbJjUoArOrQCLcBGAsYHQ/s935/Add%2Bcustom%2Badd-in.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="297" data-original-width="935" height="204" 
src="https://1.bp.blogspot.com/-hyl6cUEtD30/YWCX70jG4BI/AAAAAAAAm4s/Y3Ap64vvd5kqHOyzoq__fXDbJjUoArOrQCLcBGAsYHQ/w640-h204/Add%2Bcustom%2Badd-in.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><ul><li style="text-align: left;">You will see a warning before installation. Click <b>Install </b>to install the add-in.</li></ul></div><div class="separator" style="clear: both; text-align: left;"><a href="https://1.bp.blogspot.com/-WLjQh_a-ZtQ/YV5wrctDFnI/AAAAAAAAm38/98nWLjnBkIQJqJ6l0Bm_B5dHWyMcNRNlQCLcBGAsYHQ/s935/Warning.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="298" data-original-width="935" height="204" src="https://1.bp.blogspot.com/-WLjQh_a-ZtQ/YV5wrctDFnI/AAAAAAAAm38/98nWLjnBkIQJqJ6l0Bm_B5dHWyMcNRNlQCLcBGAsYHQ/w640-h204/Warning.png" width="640" /></a></div><br /></div><ul style="text-align: left;"><li>The add-in will now be listed under <b>Custom add-ins</b>. 
Note: To remove the <b>View Quarantine</b> add-in at any time, click the ellipses (<b>...</b>) and select <b>Remove</b>.</li></ul><div class="separator" style="clear: both; text-align: left;"><a href="https://1.bp.blogspot.com/-r1LQaKW1x_8/YV5xd8snzaI/AAAAAAAAm4E/wxEI2oHRqIwxjyqx5ot1Wa9TjqNf3ftfgCLcBGAsYHQ/s462/Add-in.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="270" data-original-width="462" height="234" src="https://1.bp.blogspot.com/-r1LQaKW1x_8/YV5xd8snzaI/AAAAAAAAm4E/wxEI2oHRqIwxjyqx5ot1Wa9TjqNf3ftfgCLcBGAsYHQ/w400-h234/Add-in.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;"><ul style="text-align: left;"><li>Close the Add-ins window to add it to the Outlook ribbon.</li></ul></div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2>Option 2 -- Install from Source Files</h2><div>You can also install the add-in using the manifest.xml file in my source files.</div><div><ul style="text-align: left;"><li>Download the correct source files from my <a href="https://expta.com" target="_blank">website</a>:</li><ul><li><a href="https://www.expta.com/quarantine/View_Quarantine_add-in.zip" style="font-weight: bold;">View Quarantine</a> for most world-wide tenants</li><li><a href="https://www.expta.com/quarantine-gcc/View_GCC_Quarantine_add-in.zip" target=""><b>View GCC Quarantine</b></a> if your tenant is GCC</li><li><a href="https://www.expta.com/quarantine-gcch/View_GCCH_Quarantine_add-in.zip" target=""><b>View GCC-High Quarantine</b></a> if your tenant is GCC High</li></ul><li>Extract the ZIP file to a local drive or network share.</li></ul><div class="separator" style="clear: both;"><a href="https://1.bp.blogspot.com/-xS1zjVS02Og/YWCVJ-fn9YI/AAAAAAAAm4k/M7wmcpi_10ARutlxTB0SOSTgrUsGdtugwCLcBGAsYHQ/s655/Source%2BFiles.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="213" data-original-width="655" height="208" 
src="https://1.bp.blogspot.com/-xS1zjVS02Og/YWCVJ-fn9YI/AAAAAAAAm4k/M7wmcpi_10ARutlxTB0SOSTgrUsGdtugwCLcBGAsYHQ/w640-h208/Source%2BFiles.png" width="640" /></a></div><div><ul><li>Open Outlook and click the <b>Get-Add-ins</b> button in the ribbon (shown above).</li><li>Click <b>My add-ins</b> in the top left.</li><li>Click the <b>+ Add a custom add-in</b> dropdown at the bottom of the window under <b>Custom add-ins</b>, then select <b>Add from file...</b></li><li>Browse to the <b>manifest.xml</b> file and click <b>Open</b>.</li><li style="text-align: left;">You will see a warning before installation. Click <b>Install </b>to install the add-in.</li></ul><div style="margin-left: 1em; margin-right: 1em; text-align: left;"><a href="https://1.bp.blogspot.com/-WLjQh_a-ZtQ/YV5wrctDFnI/AAAAAAAAm38/98nWLjnBkIQJqJ6l0Bm_B5dHWyMcNRNlQCLcBGAsYHQ/s935/Warning.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="298" data-original-width="935" height="204" src="https://1.bp.blogspot.com/-WLjQh_a-ZtQ/YV5wrctDFnI/AAAAAAAAm38/98nWLjnBkIQJqJ6l0Bm_B5dHWyMcNRNlQCLcBGAsYHQ/w640-h204/Warning.png" width="640" /></a></div><br /><ul><li>The add-in will now be listed under <b>Custom add-ins</b>.</li></ul></div><div class="separator" style="clear: both;"><a href="https://1.bp.blogspot.com/-r1LQaKW1x_8/YV5xd8snzaI/AAAAAAAAm4I/nVi3dsePudA6MxwveDWoSvOZxuExi3ehQCPcBGAYYCw/s462/Add-in.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="270" data-original-width="462" height="234" src="https://1.bp.blogspot.com/-r1LQaKW1x_8/YV5xd8snzaI/AAAAAAAAm4I/nVi3dsePudA6MxwveDWoSvOZxuExi3ehQCPcBGAYYCw/w400-h234/Add-in.png" width="400" /></a></div></div><div class="separator" style="clear: both;"><ul><li>Close the Add-ins window to add it to the Outlook ribbon.</li></ul></div><div class="separator" style="clear: both;"><br /></div><h2 style="clear: both; text-align: left;">Deploying to All Users in the Organization</h2><div class="separator" 
style="clear: both; text-align: left;">Once you're satisfied that the add-in is installed and working properly, you can deploy it to all users in your organization. Here's how to do that:</div><div class="separator" style="clear: both; text-align: left;"><ul style="text-align: left;"><li>Open the <b><a href="https://admin.microsoft.com/Adminportal/Home#/Settings/AddIns" target="_blank">Microsoft Admin Center</a></b> and navigate to <b>Settings </b>> <b>Integrated Apps </b>><b> Add-Ins</b>.</li><li>Click <b>Deploy Add-In</b> and <b>Next</b>.</li><li>Click the <b>Upload Custom Apps</b> button.</li><li>Select <b>I have a URL for the manifest file</b> and enter one of the following URLs:</li><ul><li>For standard M365 use <b>https://www.expta.com/quarantine/manifest.xml</b></li><li>For GCC use<b> </b><b>https://www.expta.com/quarantine-gcc/manifest.xml</b></li><li>For GCC High use<b> </b><b>https://www.expta.com/quarantine-gcch/manifest.xml</b></li></ul><li>Select whether to install the add-in for everyone or specific users.</li><li>Select a Deployment Method.</li><ul><li><b><b>Fixed (Default).</b><span style="font-weight: 400;"> </span></b>The add-in will be automatically deployed to the assigned users and they will not be able to remove it from their ribbon.</li><li><b>Available</b>. Users may install this add-in by clicking the Get More add-ins button on the home ribbon in Outlook and going to Admin-managed.</li><li><b>Optional</b>. 
The add-in will be automatically deployed to the assigned users but they can choose to remove it from their ribbon.</li></ul></ul><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgd3YZC1wq8YLz08kjqMzYjgzwDrVYFn4puShmu-Zssap3i8wc5zpfwj0ntKadrv_ffJQV2mQdysKs61YoshL6ccDknZQSmTriqh8H0oio0P470lpgOgZAV68YjNq7ahQujx1YA4RNKcf8yG7hQ4_Kc-inDvLH-fVDPH6Tc--yY8ttKR28-EpbFXDFnzo9e" style="margin-left: 1em; margin-right: 1em;"><img data-original-height="667" data-original-width="1575" height="272" src="https://blogger.googleusercontent.com/img/a/AVvXsEgd3YZC1wq8YLz08kjqMzYjgzwDrVYFn4puShmu-Zssap3i8wc5zpfwj0ntKadrv_ffJQV2mQdysKs61YoshL6ccDknZQSmTriqh8H0oio0P470lpgOgZAV68YjNq7ahQujx1YA4RNKcf8yG7hQ4_Kc-inDvLH-fVDPH6Tc--yY8ttKR28-EpbFXDFnzo9e=w640-h272" width="640" /></a></div><br /></div><div>I hope you enjoy this free Outlook add-in and you find it useful!</div><div><br /></div></div></div></div>
Jeff Guillet - @expta | http://www.blogger.com/profile/05278298222887921824 | noreply@blogger.com | 0 | tag:blogger.com,1999:blog-798194812750898417.post-329284546197965181 | 2021-10-06T14:19:00.001-07:00 | 2021-10-06T21:30:21.825-07:00
Notes and details on the eradication of Basic Authentication in Exchange Online
<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-h0cPzgDhmgc/YVy2iiG8HQI/AAAAAAAAm2k/NOjLKZUGv7omAeqqvcC-9JuqMruwMMKTACLcBGAsYHQ/s457/BASIC.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="397" data-original-width="457" height="557" src="https://1.bp.blogspot.com/-h0cPzgDhmgc/YVy2iiG8HQI/AAAAAAAAm2k/NOjLKZUGv7omAeqqvcC-9JuqMruwMMKTACLcBGAsYHQ/w640-h557/BASIC.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div><p>Unless you've been living under a rock, or are just blissfully unaware, Microsoft has been making a concerted push to remove Basic authentication from Exchange Online for some time.<br /> <br />There's a very good reason for this. Basic auth is a single-factor authentication method (username/password), which is just too easy for the bad guys to guess and exploit. Modern Authentication, on the other hand, supports MFA and is much more secure. Disabling Basic auth in your tenant requires you to use Modern Auth for all authentication requests.<br /><br />The trouble is that some legacy apps and clients still only use Basic auth. Fortunately, that list is getting shorter. 
As you may have read in the <a href="https://admin.microsoft.com/AdminPortal/home#/MessageCenter/:/messages/MC286990" target="_blank">Microsoft Message Center</a> or the <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210" target="_blank">Exchange Team Blog</a>, Microsoft is currently disabling Basic auth in tenants that they've determined are not using it. I applaud this endeavor.</p><p>At a recent MVP meeting we discussed how this effort is being undertaken. Here are some notes and details on certain aspects that you might find useful or interesting.</p><p></p><ul style="text-align: left;"><li>Microsoft is examining tenants for actual Basic auth usage. They are <u>not</u> checking to see if the tenant has an <a href="https://docs.microsoft.com/en-us/powershell/module/exchange/new-authenticationpolicy?view=exchange-ps" target="_blank">Authentication Policy</a> set or is using Conditional Access to block Basic authentication.</li><li>Basic auth is being disabled in the tenant configuration for all protocols except Autodiscover. Basic auth is required by Autodiscover for legacy (read, old) Outlook clients like Outlook 2013 and earlier. This alone is one of the best reasons to get off these old clients ASAP. See <a href="https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-minimum-outlook-for-windows-version-requirements-for/ba-p/2684142" target="_blank">New minimum Outlook for Windows version requirements for Microsoft 365 starting November 1, 2021</a>.</li><li>Basic auth for SMTP is being disabled for customers that don't use it by running the <b><span style="font-family: courier;">Set-TransportConfig -SmtpClientAuthenticationDisabled:$true</span></b> command. Admins can reenable it by setting the value to <b><span style="font-family: courier;">$false</span></b>. This setting can also be configured as a per-user setting, which is recommended. 
The user setting overrides the tenant setting.</li><li>Authentication Policies are the preferred way to disable Basic auth, rather than Conditional Access policies. CA policies only apply AFTER the user has already signed in.</li><li>You can use Authentication Policies to disable Basic auth for Autodiscover (and all other protocols). That means you may have two places to check if you need to reenable Basic auth for a protocol -- the Auth Policy and the tenant configuration settings that Microsoft is using.</li><li>For a limited time, tenant admins can use the Basic Auth troubleshooter to run diagnostics and provide self-service options to reenable Basic auth for Exchange Online protocols such as POP3, IMAP4, Exchange ActiveSync, Exchange Web Services, Offline Address Book, MAPI, RPC and Remote PowerShell. Simply click the <b>Help & Support </b>button on any O365 portal and type <b>Diag: Enable Basic Auth in EXO</b>.</li></ul><div><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-2qxfDXWS8FQ/YVy__NG9JOI/AAAAAAAAm2s/tL24SI_zNIs95wBCYFzxd_V9SW7c7710wCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="883" data-original-width="481" height="640" src="https://lh3.googleusercontent.com/-2qxfDXWS8FQ/YVy__NG9JOI/AAAAAAAAm2s/tL24SI_zNIs95wBCYFzxd_V9SW7c7710wCLcBGAsYHQ/w349-h640/image.png" width="349" /></a></div><br /><ul style="text-align: left;"><li>So far, they have disabled Basic auth in thousands of tenants. Only 0.06% of tenants have reenabled Basic auth for a specific protocol, all of them via the self-help troubleshooter.</li><li>Tenant admins can tell if Basic auth has been disabled in their tenant by connecting to Exchange Online PowerShell and running <b><span style="background-color: #eeeeee; font-family: courier;">Get-OrganizationConfig | fl basic*</span></b>. 
The <b>BasicAuthBlockedApps</b> property value will be <b>0</b> if Basic auth is still enabled or <b>255</b> if it's been fully disabled. The value is a bit mask: each protocol in the following table contributes the bit value shown, and the values total 255 when every protocol is blocked, so any other value tells you exactly which protocols still accept Basic auth. Thanks to <a href="https://1.bp.blogspot.com/-bTYjSJIeh10/YVzE8rD3cII/AAAAAAAAm20/BA4xs863R54WJIceZzWuddNudrE2XcKTQCLcBGAsYHQ/s16000/Greg.png" target="_blank">Greg Taylor</a> for the secret decoder ring. 😊</li></ul></div><p></p><div align="center">
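<p style="text-align: left;">As an added example (not code from the original post), the PowerShell below decodes a <b>BasicAuthBlockedApps</b> value into a per-protocol blocked/allowed list using the bit values from the table that follows, and lists the other places the post says to check: the default authentication policy and the tenant-wide and per-mailbox <b>SmtpClientAuthenticationDisabled</b> settings. Bits 1 through 64 come from the table; the protocol behind bit 128 is not named in this excerpt, so it is a labelled placeholder. The sample values 255 and 247 are constructed; the live section uses the Exchange Online cmdlets <b>Get-OrganizationConfig</b>, <b>Get-TransportConfig</b> and <b>Get-CASMailbox</b> and is commented out because it needs a connected session.</p>

```powershell
# Added example, not the post's own code. Decodes the BasicAuthBlockedApps
# bit mask from Get-OrganizationConfig with the bit values in the post's table.
# Bits 1..64 are from the table; bit 128 is a placeholder because its protocol
# name is not shown in this excerpt.
$BasicAuthBits = @(
    @{ Bit = 1;   Protocol = 'ActiveSync';  Action = 'Block Basic for Exchange ActiveSync' }
    @{ Bit = 2;   Protocol = 'WebServices'; Action = 'Block Basic for Exchange Web Services' }
    @{ Bit = 4;   Protocol = 'POP';         Action = 'Block Basic for POP3 Clients' }
    @{ Bit = 8;   Protocol = 'IMAP';        Action = 'Block Basic for IMAP4 Clients' }
    @{ Bit = 16;  Protocol = 'PowerShell';  Action = 'Block Basic for PowerShell' }
    @{ Bit = 32;  Protocol = 'MAPI';        Action = 'Block Basic for MAPI Protocol' }
    @{ Bit = 64;  Protocol = 'OAB';         Action = 'Block Basic for Offline Address Book' }
    @{ Bit = 128; Protocol = 'Bit128';      Action = 'Placeholder: remaining protocol in the full table' }
)

function ConvertFrom-BasicAuthBlockedApps {
    <#
    .SYNOPSIS
    Expands a BasicAuthBlockedApps value into one row per protocol.
    0 = nothing blocked, 255 = everything blocked; any value in between
    shows exactly which protocols still accept Basic auth.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 255)]
        [int]$Value
    )
    foreach ($entry in $BasicAuthBits) {
        [pscustomobject]@{
            Protocol = $entry.Protocol
            Bit      = $entry.Bit
            Blocked  = (($Value -band $entry.Bit) -ne 0)
            Action   = $entry.Action
        }
    }
}

function Get-BasicAuthStillAllowed {
    # Returns only the protocol names whose "block" bit is NOT set.
    param([Parameter(Mandatory)][int]$Value)
    (ConvertFrom-BasicAuthBlockedApps -Value $Value |
        Where-Object { -not $_.Blocked }).Protocol
}

# Constructed values: 255 = fully disabled; 247 = 255 minus 8, i.e. Basic auth
# was re-enabled for IMAP only (for example through the troubleshooter).
ConvertFrom-BasicAuthBlockedApps -Value 255 | Format-Table -AutoSize
Get-BasicAuthStillAllowed -Value 247        # returns IMAP

# Live checks against a tenant (run Connect-ExchangeOnline first):
# $org = Get-OrganizationConfig
# Get-BasicAuthStillAllowed -Value $org.BasicAuthBlockedApps
# $org.DefaultAuthenticationPolicy                        # the other place Basic auth can be blocked
# (Get-TransportConfig).SmtpClientAuthenticationDisabled  # tenant-wide SMTP AUTH state
# Get-CASMailbox -ResultSize Unlimited |                  # mailboxes explicitly allowed SMTP AUTH
#     Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
#     Select-Object Identity, SmtpClientAuthenticationDisabled
```

The per-mailbox filter uses <b>-eq $false</b> on purpose: a mailbox whose setting is empty inherits the tenant value, so only mailboxes where an admin explicitly set <b>$false</b> (re-enabling SMTP AUTH for that user) are listed, which is the override the post says takes precedence over the tenant setting.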
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; mso-padding-alt: 0in 0in 0in 0in; mso-yfti-tbllook: 1184;">
<tbody><tr style="mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td style="background: rgb(91, 155, 213); border-right: none; border: 1pt solid rgb(91, 155, 213); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b><span style="color: white;">Protocol<o:p></o:p></span></b></p>
</td>
<td style="background: rgb(91, 155, 213); border-bottom: 1pt solid rgb(91, 155, 213); border-left: none; border-right: none; border-top: 1pt solid rgb(91, 155, 213); padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal"><b><span style="color: white;">Action<o:p></o:p></span></b></p>
</td>
<td style="background: rgb(91, 155, 213); border-left: none; border: 1pt solid rgb(91, 155, 213); padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal"><b><span style="color: white;">Value<o:p></o:p></span></b></p>
</td>
</tr>
<tr style="mso-yfti-irow: 1;">
<td style="background: rgb(222, 234, 246); border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b><span style="color: black;">ActiveSync</span><o:p></o:p></b></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal"><span style="color: black;">Block Basic for Exchange
ActiveSync</span><o:p></o:p></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal"><span style="color: black;">1</span><o:p></o:p></p>
</td>
</tr>
<tr style="mso-yfti-irow: 2;">
<td style="border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b>WebServices<o:p></o:p></b></p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal">Block Basic for Exchange Web Services<o:p></o:p></p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal">2</p>
</td>
</tr>
<tr>
<td style="background: rgb(222, 234, 246); border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b><span style="color: black;">POP</span></b></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal"><span style="color: black;">Block Basic for POP3 Clients</span></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal"><span style="color: black;">4</span></p>
</td>
</tr>
<tr>
<td style="border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b>IMAP</b></p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal">Block Basic for IMAP4 Clients</p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal">8</p>
</td>
</tr>
<tr>
<td style="background: rgb(222, 234, 246); border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b><span style="color: black;">PowerShell</span></b></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal"><span style="color: black;">Block Basic for PowerShell</span></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal"><span style="color: black;">16</span></p>
</td>
</tr>
<tr>
<td style="border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b>MAPI</b></p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal">Block Basic for MAPI Protocol</p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal">32</p>
</td>
</tr>
<tr>
<td style="background: rgb(222, 234, 246); border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b><span style="color: black;">OAB</span></b></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal"><span style="color: black;">Block Basic for Offline Address Book</span></p>
</td>
<td style="background: rgb(222, 234, 246); border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal"><span style="color: black;">64</span></p>
</td>
</tr>
<tr>
<td style="border-top: none; border: 1pt solid rgb(156, 194, 229); padding: 0in 5.4pt; width: 85.25pt;" valign="top" width="114">
<p class="MsoNormal"><b>RPC</b></p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 193.5pt;" valign="top" width="258">
<p class="MsoNormal">Block Basic for RPC Protocol</p>
</td>
<td style="border-bottom: 1pt solid rgb(156, 194, 229); border-left: none; border-right: 1pt solid rgb(156, 194, 229); border-top: none; padding: 0in 5.4pt; width: 112.5pt;" valign="top" width="150">
<p class="MsoNormal">128</p>
</td>
</tbody></table>
</div><ul style="text-align: left;"><li>Be aware that if you've configured a client to connect using Basic auth (Outlook for Mac, for example), it will likely require you to reconfigure the client profile to use Modern Auth after Basic is disabled.</li></ul><div>This information should be helpful in your "Death to Basic Auth" journey.</div><p></p></div><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-68174424762991313972021-10-06T10:05:00.000-07:002021-10-06T10:05:58.937-07:00Time is running out for Comms vNext 2021Do you manage the exciting Microsoft Teams collaboration workspace? Are you tired of the thin content of virtual conferences? Do you miss the in-person collaboration and relationship-building that only an in-person conference can bring? Then you should come to <b><a href="https://www.commsvnext.com/" target="_blank">Comms vNext Reconnect</a></b> on October 25-26, 2021 in Denver, CO!<div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://www.commsvnext.com/" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="560" data-original-width="991" height="362" src="https://1.bp.blogspot.com/-Ng-v5qAQ3zg/YV3RlPn-JMI/AAAAAAAAm3A/xHgfiPqs0wQuy4HIzaREyzW5Tl9AyYQIQCLcBGAsYHQ/w640-h362/CommsvNext.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div></div><div>Comms vNext is an independent, Community-led event, created and fashioned with the Community in mind.</div><div><br /></div><div>Here, you will meet with leaders in the Microsoft Teams community to learn best practices and how to be successful in your engagements. 
This in-person event will be held at the Renaissance Denver Central Park Hotel in Denver, Colorado, with special pricing for Comms vNext attendees.</div><div><br /></div><div><b><span style="color: red; font-size: large;"><a href="https://events.justattend.com/events/conference-hub/a21b7a9a/" target="_blank">Register for Comms vNext here before it's too late!</a></span></b></div><div><br /></div><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0tag:blogger.com,1999:blog-798194812750898417.post-17028921596512100572021-08-27T09:34:00.001-07:002021-08-27T09:39:27.228-07:00IMPORTANT: AAD Connect versions 1.x will retire August 31, 2022<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-U1zEl5jqMaY/YSkVHZuK3SI/AAAAAAAAm1A/eqz322Ds8s0Cve3RdoHAIp7GCdRyw9WTwCLcBGAsYHQ/s512/image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="172" data-original-width="512" height="216" src="https://1.bp.blogspot.com/-U1zEl5jqMaY/YSkVHZuK3SI/AAAAAAAAm1A/eqz322Ds8s0Cve3RdoHAIp7GCdRyw9WTwCLcBGAsYHQ/w640-h216/image.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div>Microsoft released AAD Connect version 2.0.8.0 on August 10, 2021, which included many important changes, not the least of which is that the LocalDB database used by AADC was changed to SQL Server 2019. 
This means that AAD Connect version 2.x can only run on Windows Server 2016 or later, since that's a requirement for SQL Server 2019.<p></p><p>Today, Microsoft posted in the <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history" target="_blank">Azure Active Directory Connect version history</a> that all 1.x versions of AAD Connect will be retired August 31, 2022, roughly one year after version 2.x was released.</p><blockquote><p><b>Important</b></p><p><b>On 31 August 2022, all 1.x versions of Azure Active Directory (Azure AD) Connect will be retired because they include SQL Server 2012 components that will no longer be supported.</b> Either upgrade to the most recent version of Azure AD Connect (2.x version) by that date, or <a href="https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync">evaluate and switch to Azure AD cloud sync</a>.</p><p>You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience.</p><p>If you run a retired version of Azure AD Connect it may unexpectedly stop working and you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements. Moreover, if you require support we may not be able to provide you with the level of service your organization needs.</p><p>Go to this article to learn more about <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect-v2" target="_blank">Azure Active Directory Connect V2.0</a>, what has changed in V2.0 and how this change impacts you.</p><p>Please refer to <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version">this article</a> to learn more about how to upgrade Azure AD Connect to the latest version.</p><p>For version history information on retired versions, see <a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history-archive" target="_blank">Azure AD Connect version release history archive</a>.</p></blockquote><p>A few notes on this announcement:</p><p></p><ol style="text-align: left;"><li>"Retired" doesn't necessarily mean it won't work anymore, but I suspect Microsoft will eventually block it in the future. You should <b>ALWAYS</b> keep AAD Connect up to date for the best features, performance, and security.</li><li>Although the announcement mentions evaluating and switching to Azure AD cloud sync, be aware that AAD cloud sync is not compatible with Exchange (it does not support Exchange hybrid writeback). See my article, <b><a href="https://practical365.com/how-to-decide-between-azure-ad-connect-and-azure-ad-connect-cloud-sync/" target="_blank">How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync</a></b> on the Practical365 blog. I also recorded a <a href="https://www.youtube.com/watch?v=5D70AyFx_rw" target="_blank">video podcast</a> about AAD cloud sync with Steve Goodman from Practical365 <a href="https://www.youtube.com/watch?v=5D70AyFx_rw" target="_blank">here</a>.</li><li>Refer to my article, <b><a href="https://blog.expta.com/2021/07/how-to-migrate-aad-connect-to-new-server.html" target="_blank">How to migrate AAD Connect to a new server</a></b>, for step-by-step instructions on how to move AAD Connect to a new Windows Server 2016 host using the latest version of AADC. There's really no better time to do it than now.</li></ol><p></p><div class="blogger-post-footer">Did you find this information useful? Post a comment and share it with others!</div>Jeff Guillet - @exptahttp://www.blogger.com/profile/05278298222887921824noreply@blogger.com0
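<p>As an added check for the retirement notice above (example code written for this page, not Microsoft's or the article's own), here is a PowerShell snippet that reads the installed AAD Connect version from the Windows Uninstall registry keys, flags a 1.x install as falling under the August 31, 2022 retirement, and tests the Windows Server 2016 (build 14393) prerequisite that the 2.x branch inherits from SQL Server 2019. The display-name pattern used to find the product and the retirement date are assumptions taken from the notice; run it in an elevated PowerShell session on the AAD Connect server.</p>

```powershell
# Added example for this post, not code from Microsoft or the article.
# Reports the installed AAD Connect version, whether it is on the retired 1.x
# branch, and whether the OS meets the Windows Server 2016+ requirement for 2.x.

function Get-AadConnectRetirementStatus {
    [CmdletBinding()]
    param(
        # Assumption: the MSI registers under one of these display names.
        [string]$DisplayNamePattern = 'Azure AD Connect|Entra Connect',
        # Retirement date taken from Microsoft's version-history notice.
        [datetime]$RetirementDate = [datetime]'2022-08-31'
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Find the AAD Connect entry by display name; skip the separate
    # "Azure AD Connect Health" agents, which are versioned independently.
    $app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $DisplayNamePattern -and $_.DisplayName -notmatch 'Health' } |
        Select-Object -First 1

    if (-not $app) {
        throw 'No AAD Connect installation found under the Uninstall registry keys.'
    }

    $version = [version]$app.DisplayVersion

    # Windows Server 2016 is build 14393. SQL Server 2019 LocalDB, and therefore
    # AAD Connect 2.x, will not install on anything older.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osBuild = [int]$os.BuildNumber
    $osSupports2x = $osBuild -ge 14393

    $isRetiredBranch = $version.Major -lt 2
    $daysLeft = ($RetirementDate - (Get-Date)).Days

    if (-not $isRetiredBranch) {
        $action = 'None: already on the 2.x branch'
    }
    elseif ($osSupports2x) {
        $action = 'Upgrade in place to AAD Connect 2.x'
    }
    else {
        $action = 'Migrate to a Windows Server 2016+ host, then install AAD Connect 2.x'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Product          = $app.DisplayName
        Version          = $version
        RetiredBranch    = $isRetiredBranch
        RetirementDate   = $RetirementDate.ToString('yyyy-MM-dd')
        DaysUntilRetired = $(if ($isRetiredBranch) { $daysLeft } else { $null })
        OSCaption        = $os.Caption
        OSBuild          = $osBuild
        OSSupports2x     = $osSupports2x
        Action           = $action
    }
}

# Usage: run on the AAD Connect server (and on the staging-mode server, if you have one).
Get-AadConnectRetirementStatus | Format-List
```

<p>The Uninstall keys are used rather than the ADSync module because they are present even when the sync service is stopped or the module fails to load, which is exactly the state a broken, retired install tends to be in. Run it against the staging-mode server too: a 1.x staging server cannot be promoted after a 2.x primary is in place without the same host and version checks.</p>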