The estimated reading time 2 minutes
Microsoft released a new security Update for Exchange in January 2023. Installation is the known process using same methods as former updates. One difference comparing former updates is that Exchange 2016 CU23 is exclusivly supported, so upgrade your old exchanges. Some information about the update can be found here.
Download links can be found here:
- Exchange Server 2013 CU23 (note that support and updates end on April 11, 2023)
- Exchange Server 2016 CU23
- Exchange Server 2019 CU11 and CU12
The brandnew PowerShell security feature has to be enabled manually on your Exchange.
UPDATE 25.01.2023: If you are suffering from dead services in Exchange 2016 on Windows Server 2012R2, please use this workaround from Microsoft
Certificate signing of PowerShell serialization payload in Exchange Server
Serialization is the process of converting the state of an object into a form (stream of bytes) that can be persisted or transmitted to memory, a database, or a file. PowerShell, for example, uses serialization (and its counterpart deserialization) when passing objects between sessions. To defend Exchange servers against attacks on serialized data we’ve added certificate-based signing of PowerShell serialization payloads
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808
In order to be able to use that new feature the Exchange Auth Certificate need to be valid. There are different methods to check this BEFORE enabling Certificate signing of PowerShell serialization payload. This is the way admins don’t prefere (manually): https://learn.microsoft.com/de-de/Exchange/plan-and-deploy/integration-with-sharepoint-and-skype/maintain-oauth-certificate?view=exchserver-2019
The lazy guys use the powershell script doing the magic for them. MonitorExchangeAuthCertificate.ps1 . But there are some requirements using the script. You need to be member of “Organization Management” Group in AD. Maybe it looks like this.
If there is no error, you can enable Certificate signing of PowerShell serialization payload with the following powershell oneliner. There is another requirement ALL Server need to have the new Update January 2023 installed.
Now let’s activate it finally.
New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true") -Reason "Enabling Signing Verification"
Another onliner here to check if it worked.
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
After checking the Server where you set up the feature needs an Webserver restart, so let’s do this with PowerShell.
Restart-Service -Name W3SVC, WAS -Force
Have a look at the FAQs, it’s worth it.
Happy updating your Exchange Systems, and if you liked this article, please click on “Helpful”.
[…] With November Update so called PowerShell serialization payload is enabled by default. This feature could be enabled already manually with January Update 2023. See this article. […]
[…] is NOT enabled by default, after installing this patch. You have to manually enable it. See the blogpost January 2023 or Microsoft […]