Today we are announcing the availability of the 2023 H1 Cumulative Update (CU) for Exchange Server 2019 (aka CU13). CU13 includes fixes for customer reported issues along with all previously released Security Updates (SUs), including updates in the March 2023 SU.
A full list of fixes is contained in the KB article for the CU, but we also want to highlight two exciting new features in the CU.
Historically, Exchange Server has used Basic authentication (also known as legacy authentication) for client/server and server/server connections. Basic authentication is an outdated industry standard, and we have been working to help organizations transition to something more secure: OAuth 2.0-based authentication, or what we call Modern authentication (aka Modern auth). OAuth 2.0 is the industry-standard protocol for authorization.
For Exchange Server customers that are purely on-premises (e.g., no cloud or hybrid), there was no off-the-shelf solution to use Modern auth. As we announced in our Exchange Server roadmap update last year, we are bringing Modern auth to pure on-premises Exchange Server environments in stages.
Today we are excited to announce the availability of Modern auth support for Outlook on Windows in Exchange Server 2019 starting with 2023 H1 CU. Support for the other Outlook clients (Mac OS, Android, and iOS) is expected later this year. Outlook on the web and ECP already support claims-based authentication with ADFS, which is a form of Modern auth.
With the 2023 H1 CU and the required Outlook version (please see documentation), we have added Modern auth support to Outlook on Windows for authentication against Exchange 2019 using Active Directory Federation Services (ADFS) as the on-premises security token service (STS). This enables you to use stronger authentication features like MFA, smart cards and cert-based auth, and third-party security identity providers. While the direct use of a third-party identity provider as an STS is not supported, it can be used in conjunction with ADFS.
Moreover, while CU13 is only for Exchange Server 2019, customers who have backend servers running Exchange Server 2016 CU23 are also supported for Modern auth (provided Exchange Server 2019 CU13 exists and is front ending the client traffic in the environment, and the correct Outlook version is in use).
To help customers gradually roll out this feature in a non-disruptive way, we have also provided the ability to enable and disable Modern auth at the user level. For more information about this feature and how to deploy it, see Enabling Modern Auth in Exchange On-Premises.
To enable changes in cmdlet parameters (required for Modern auth support), admins should explicitly run /PrepareAD using this CU. See our documentation here.
Configuration backup and restore
To make it easier to install CUs, we’ve made some improvements to the installation experience. A common issue for many customers is that CUs overwrite various configuration files (for example, web.config and sharedweb.config) that contain custom settings such as client-specific message size limits. Historically, after a CU is installed, these customizations are lost, and an admin must reapply them. Because of this, admins often back up and restore their custom settings or use scripts to recreate custom settings after installing a CU.
To address this, Setup now backs up the most common configuration settings and then restores them to the state they were in before Setup was started. Starting with the 2023 H1 CU, Setup preserves about 70 different configuration settings across multiple files.
For more information about this feature, see Exchange Server custom configuration preservation.
The KB article that describes the fixes in this release and product downloads is:
Out of support reminders
As a reminder, the following products/versions are now unsupported:
- Exchange Server 2013 (any version) – Exchange 2013 reached end of life and went out of support on April 11, 2023. No further updates will be released for Exchange 2013. We also no longer perform any (possible) vulnerability testing on or security validation for Exchange 2013.
- Exchange Server 2016 CU22 (and earlier) – CU23 is the only supported version of Exchange Server 2016. Any future SUs released for Exchange Server 2016 will be only for CU23.
- Exchange Server 2019 CU11 (and earlier) – With the release of the 2023 H1 CU for Exchange Server 2019, Exchange Server 2019 CU11 is no longer supported. Any future SUs will be only for CU12 and CU13.
Microsoft recommends that all customers test the deployment of an update in a lab environment to determine the proper installation process for your production environment.
When installing, ensure that the Windows PowerShell Script Execution Policy is set to Unrestricted on the server. To verify the policy settings, run Get-ExecutionPolicy from PowerShell on the Exchange server. If the policy is NOT set to Unrestricted, use these steps to set it to Unrestricted.
If you plan to install the update in unattended mode from PowerShell or a command prompt, make sure you specify either the full path to Setup.exe, or use a “.” in front of the command when running Setup directly from the folder containing the CU. If you do not do either of these, Setup may indicate that it completed successfully when it did not. Read more here.
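The two installation checks above can be scripted together. The following is an added example, not code from this post or from the Exchange team; the `$CuRoot` path and the choice of the `DiagnosticDataOFF` license switch are assumptions, and it assumes a session where the installed `ExSetup.exe` is on the search path (for example the Exchange Management Shell). Because Setup can report success when nothing was installed, it compares the installed build before and after instead of trusting the exit code alone.

```powershell
# Added example: pre-flight and post-check for an unattended CU upgrade.
$CuRoot = 'D:\'   # assumption: mounted ISO or folder that holds the CU's Setup.exe

# Returns the installed Exchange build as a [version] for comparison.
function Get-InstalledExchangeBuild {
    $exSetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exSetup.FileVersionInfo.ProductVersion
}

# 1. Execution policy check described in the post.
$policy = Get-ExecutionPolicy
if ($policy -ne 'Unrestricted') {
    throw "Execution policy is '$policy'; set it to Unrestricted before running Setup."
}

# 2. Use the full path. PowerShell does not run an executable from the
#    current folder by bare name, so 'Setup.exe' alone is resolved elsewhere.
$setup = Join-Path -Path $CuRoot -ChildPath 'Setup.exe'
if (-not (Test-Path -LiteralPath $setup -PathType Leaf)) {
    throw "Setup.exe not found at '$setup'."
}
$setup = (Resolve-Path -LiteralPath $setup).Path

# 3. Record the build that is installed now.
$before = Get-InstalledExchangeBuild

# 4. Run Setup unattended and wait for it to finish.
$setupArgs = @(
    '/IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF',  # assumption: OFF chosen
    '/Mode:Upgrade'
)
$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Setup exited with code $($proc.ExitCode)."
}

# 5. Verify independently that the installed build actually moved forward.
$after = Get-InstalledExchangeBuild
if ($after -le $before) {
    throw "Setup reported success but the build is unchanged ($before)."
}
Write-Output "Upgraded from $before to $after."
```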
Customers in Exchange hybrid deployments and those using Exchange Online Archiving with an on-premises Exchange deployment are required to deploy the latest CU for product support.
Documentation may not be fully available at the time this post is published.
The Exchange Server team