August 2022 Exchange Server Security Updates

March 25, 2024

Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.

Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

Exchange Server Security Updates

Microsoft has released Security Updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These Security Updates are available for the following specific versions of Exchange:

Vulnerabilities addressed in the August 2022 Security Updates were responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

Manual enablement of Windows Extended Protection

Addressing some of the CVEs released this month requires admins to enable Windows Extended Protection on their Exchange servers. To help you enable this feature, we have developed a script for this process. Please carefully evaluate your environment and review all known issues mentioned in the script documentation before enabling Windows Extended Protection on your Exchange servers.

Please note that enabling Extended Protection (EP) is only supported on specific versions of Exchange (please see documentation for full list of prerequisites).

The current version of this script can be found at https://aka.ms/ExchangeEPScript and the documentation is at https://aka.ms/ExchangeEPDoc. For script and documentation changes and suggestions, please engage with us via GitHub to ensure proper issue and change tracking. The script provided to enable Extended Protection will update itself automatically if the computer on which it is executed has an internet connection (direct or via proxy). However, if you don’t have internet access, make sure to download the latest version of the script, as we are continuously improving it.

Note: It is important that you fully understand Windows Extended Protection prerequisites and all known issues before running the script in your environment. Enabling Extended Protection affects communication between your Exchange servers and between clients and servers.

FAQs

The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one?
The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only.

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the August 2022 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on “Exchange Management Tools only” workstations?
Install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.

We skipped installation of May 2022 SU. Do we need to run /preparealldomains after we install the August SU?
When May 2022 SU was released, the /preparealldomains switch needed to be run manually to address a particular CVE. If you skipped the May 2022 SU and are going straight to August 2022 SU, you will still need to run /preparealldomains to address that particular CVE. Please see the May 2022 SU release post for more details. When in doubt, run HealthChecker which will tell you what you need to do!
