
Starting with the January 2023 Security Updates (SU) for Microsoft Exchange Server, Microsoft introduced a feature that lets admins configure certificate-based signing of PowerShell serialization payloads. Since the November 2023 Security Updates (SU), this feature is enabled by default on Exchange Server 2016 and 2019. In this article, you will learn how to enable certificate-based signing of PowerShell serialization data in Exchange Server.

PowerShell Serialization Payload Signing

Certificate-based signing of PowerShell Serialization Payload is a Defense-in-Depth security feature to prevent malicious manipulation of serialized data exchanged in Exchange Management Shell (EMS) sessions.

The Serialized Data Signing feature was introduced with the January 2023 Exchange Server Security Updates (SU) and is available on:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

The Serialized Data Signing feature is enabled by default starting with the November 2023 Exchange Server Security Updates (SU) and later on:

  • Exchange Server 2016
  • Exchange Server 2019

Note: You don’t have to do anything if you are on November 2023 Exchange Server Security Updates or higher because it’s enabled by default. You can verify that it’s enabled by running the Exchange Health Checker script (the last part in the article). If you have Exchange Server 2013, you must manually enable this feature.

PowerShell Serialization Payload Signing prerequisites

Before you start to enable PowerShell Serialization Payload Signing, ensure that you have the below prerequisites in place.

Install Exchange Server January 2023 SU or later

Ensure all the Exchange Servers (Exchange Server 2019, 2016, and 2013) in the environment run the January 2023 SU (or later).

Do that before turning the feature on. Enabling the feature before all servers are updated might lead to failures and errors when managing your organization.

Important: Don’t forget to keep the Exchange Server up to date with the latest Exchange Cumulative Update and Exchange Security Update. Subscribe to the newsletter, and don’t miss out on the Exchange Server updates.

Check Microsoft Exchange Server Auth certificate

This feature uses the Exchange Server Auth Certificate to sign the serialized data. Therefore, it’s very important that the certificate configured as Auth Certificate is valid (not expired) and available on all Exchange Servers (except Edge Transport role and Exchange Management Tools role) within the organization.

Option 1: Check that the Microsoft Exchange Server Auth certificate exists and is valid.

Option 2: Download MonitorExchangeAuthCertificate.ps1 PowerShell script and check that the Microsoft Exchange Server Auth certificate exists and is valid.

Note: To run the script, you must be a member of the Organization Management role group. The script must be run from an elevated Exchange Management Shell (EMS) command prompt on an Exchange Server running the Mailbox role. The script cannot be run on an Exchange Management Tools-only machine.

In our example, we will place the script in the folder C:\scripts and run the below command.

C:\Scripts\MonitorExchangeAuthCertificate.ps1

The output shows that the Exchange Server Auth certificate is valid.

Monitor Exchange Auth Certificate script version 23.03.03.1320
The script was run without parameter therefore, only a check of the Auth Certificate configuration is performed and no change will be made

Current Auth Certificate thumbprint: 91A2B6CBB1BEB5B5E8F2F56F0CEE06F2575D1K74
Current Auth Certificate is valid for 1571 day(s)
Exchange Hybrid was detected in this environment

Test result: No renewal action is required

Log file written to: C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuthCertificateMonitoring\AuthCertificateMonitoringLog_20230324194706.txt

Check PowerShell Serialization Payload Signing status

Run the Exchange Health Checker script and search in the report for SerializedDataSigning Enabled.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

In our example, the value is False. This means the feature is not enabled, so we have to enable it.

[Figure: Health Checker report showing SerializedDataSigning Enabled with the value False]

Note: If you have not installed the January 2023 Security Update (SU) for Microsoft Exchange Server or later, you will not see the SerializedDataSigning Enabled data and value in the health checker report.

How to enable PowerShell Serialization Payload Signing

To enable PowerShell Serialization Payload Signing, follow the below steps:

Exchange Server 2016/2019

Run Exchange Management Shell and run the below commands.

Note: This cmdlet enables the signing verification on all Exchange Servers, and you don’t have to run the cmdlet on every Exchange Server.

Set a new settings override.

New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true") -Reason "Enabling Signing Verification"

Refresh the VariantConfiguration argument.

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Restart the World Wide Web Publishing service and the Windows Process Activation Service (WAS) to apply the new settings.

Note: It’s sufficient to restart the services on the Exchange Server where the change was made.

Restart-Service -Name W3SVC, WAS -Force

Exchange Server 2013

Create a registry key.

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name "EnableSerializationDataSigning" -Value 1 -Type String

Restart the World Wide Web Publishing service and the Windows Process Activation Service (WAS) to apply the new settings.

Note: It’s required to restart these services on all Exchange 2013 servers whenever the registry value is updated.

Restart-Service -Name W3SVC, WAS -Force

Verify your work

Run the Exchange Health Checker script.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

Verify that SerializedDataSigning Enabled has the value True.

[Figure: Health Checker report showing SerializedDataSigning Enabled with the value True]
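If you want to check both prerequisites and the result without the Health Checker HTML report, the following script is an added example (it is not part of the original article and not one of Microsoft's scripts). It lists every non-Edge Exchange 2013/2016/2019 server with whether the current Auth certificate is present and unexpired on it, and whether serialization signing is turned on through the setting override (2016/2019) or the registry value (2013). It assumes it is run from an elevated Exchange Management Shell on a Mailbox server and that WinRM is reachable on the Exchange 2013 servers for the remote registry read.

```powershell
# Added verification script (not from the original article or from Microsoft).
# Assumptions: run from an elevated Exchange Management Shell on a Mailbox server;
# WinRM is reachable on Exchange 2013 servers for the remote registry read.

# The feature signs serialized data with the organization's Auth certificate.
$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
Write-Host "Current Auth certificate thumbprint: $thumbprint"

# The setting override is organization-wide, so it is read once here.
$override = Get-SettingOverride | Where-Object {
    $_.ComponentName -eq 'Data' -and
    $_.SectionName -eq 'EnableSerializationDataSigning' -and
    "$($_.Parameters)" -match 'Enabled=true'
}
$overrideOn = ($override | Measure-Object).Count -gt 0

# Edge Transport servers do not hold the Auth certificate, so skip them.
$servers = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion -match '^Version 15' -and -not $_.IsEdgeServer
}

$results = foreach ($srv in $servers) {
    # 1. The Auth certificate must exist and be unexpired on every server.
    $cert = Get-ExchangeCertificate -Server $srv.Name -Thumbprint $thumbprint -ErrorAction SilentlyContinue
    $certOk = ($null -ne $cert) -and ($cert.NotAfter -gt (Get-Date))

    # 2. Exchange 2013 (15.0) uses the registry value; 2016/2019 use the override.
    if ($srv.AdminDisplayVersion -match '^Version 15\.0') {
        $reg = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics' `
                -Name EnableSerializationDataSigning -ErrorAction SilentlyContinue
        }
        $signingOn = ($null -ne $reg) -and ("$($reg.EnableSerializationDataSigning)" -eq '1')
        $source = 'Registry'
    } else {
        $signingOn = $overrideOn
        $source = 'SettingOverride'
    }

    [pscustomobject]@{
        Server     = $srv.Name
        Version    = $srv.AdminDisplayVersion.ToString()
        AuthCertOk = $certOk
        CertExpiry = if ($cert) { $cert.NotAfter } else { $null }
        SigningOn  = $signingOn
        Source     = $source
    }
}

$results | Format-Table -AutoSize
```

Any server with AuthCertOk set to False should be fixed before the feature is enabled, since signing verification depends on every server having the same valid Auth certificate.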

That’s it!
