[German] The August 2022 security updates for Microsoft Exchange (on-premises) require that Extended Protection (EP) be enabled to close all of the patched vulnerabilities. The activation is done via a script that Microsoft provided, but this script caused issues. Microsoft has now released an updated script. However, this script also contains errors; a fix is supposed to come with the "next update".
Windows Extended Protection in Exchange Server
Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019, effective August 9. These updates are intended to address vulnerabilities reported to Microsoft by external security partners and found through Microsoft's internal processes. I had reported on security updates for Exchange in the blog post Exchange Server Security updates (August 9, 2022).
As part of that update, Microsoft pointed out that administrators must enable Windows Extended Protection on their Exchange servers (in IIS). Only then are all patched vulnerabilities actually closed. Microsoft has provided a script to enable this feature (see here).
Before activating Extended Protection (EP) on production systems, it should be checked whether the prerequisites are met. The activation of Extended Protection (EP) is only supported on certain Exchange versions. For example, a German blog reader reported here that he could not enable Windows Extended Protection via the PS script because the SU raised the Exchange Server 2019 build only to 15.02.1118.012 instead of 15.02.1118.010, and the script considered that build incompatible. The background was that Microsoft had released an outdated version of the CU. The numerous "Known Issues" mentioned in the prerequisites also became a problem. In the comments on the German post Exchange Server Sicherheitsupdates (9. August 2022) there is some reader feedback.
An updated script
German blog reader DW has left this comment on my German blog post, Exchange: Extended Protection, Checkliste und Probleme (thanks for that), pointing out the new Techcommunity post An update to the Exchange Server Extended Protection script is now available from Sept. 15, 2022. The message is that Microsoft has released an update to the script for enabling Extended Protection on Exchange servers. The script is required to enable EP after installing the August 2022 Exchange Server security updates.
The post says this script update includes an interim fix to address a known issue with archive mailboxes when using retention tags. Customers using a retention policy with retention tags that perform a move to archive can now configure extended protection (EP) with this script update.
Microsoft says in the Techcommunity post that they are working on a permanent fix to address this issue. Once this fix is ready, administrators will need to re-run this script and revert the changes.
The provided script ExchangeEPScript should allow customers affected by the known issues to enable Extended Protection. However, one user has already come forward and reported that the script contains an error and throws the error message:
This script requires to be run inside of Exchange Management Shell. Please run on an Exchange Management Server or an Exchange Server with Exchange Management Shell.
The script fails because the code checks an uninitialized $exchangeShell object, so execution ends with an error even inside the Exchange Management Shell. Microsoft wants to iron out this bug with the "next update of the script". So: new game, new luck.
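To make the failure mode concrete, here is an added PowerShell illustration (written for this post; it is not Microsoft's ExchangeEPScript and does not reproduce its code). The first function shows why a prerequisite check against a variable that is never assigned fails on every run; the second part shows how a defensive pre-flight check for such a script could be built instead. The function names, the use of Get-Command on Get-ExchangeServer as a shell detector, and the "minimum build" value are assumptions for illustration; the build numbers are the ones quoted above.

```powershell
# Added illustration, not the Microsoft script: an uninitialized-variable check
# versus a pre-flight check derived from the environment.

# --- Failure mode described in the post: $exchangeShell is only tested, never set.
function Test-ShellDefective {
    # $exchangeShell is never assigned, so it is $null and this branch is
    # always taken, even when the Exchange cmdlets are loaded.
    if (-not $exchangeShell) {
        return "This script requires to be run inside of Exchange Management Shell."
    }
    return "OK"
}

# --- Defensive version: ask the session whether Exchange cmdlets are present.
function Test-ExchangeManagementShell {
    # Assumption: Get-ExchangeServer is only resolvable inside the Exchange
    # Management Shell (or a session that imported the Exchange cmdlets).
    $cmd = Get-Command -Name Get-ExchangeServer -ErrorAction SilentlyContinue
    return [bool]$cmd
}

function Test-BuildSupported {
    param(
        [Parameter(Mandatory)][string]$InstalledBuild,
        [Parameter(Mandatory)][string]$MinimumBuild
    )
    # [version] normalises leading zeros, so 15.02.1118.012 and 15.2.1118.12
    # compare equal; a plain string comparison would not.
    return ([version]$InstalledBuild -ge [version]$MinimumBuild)
}

# --- Pre-flight: refuse to continue unless both checks pass.
if (-not (Test-ExchangeManagementShell)) {
    Write-Warning "Not running inside Exchange Management Shell; aborting."
    return
}

# Build numbers taken from the post; treating the second one as the
# minimum supported build is an assumption for this illustration.
$installed = '15.02.1118.012'
$minimum   = '15.02.1118.010'
if (Test-BuildSupported -InstalledBuild $installed -MinimumBuild $minimum) {
    Write-Output "Build $installed meets the minimum $minimum; EP prerequisites look satisfied."
} else {
    Write-Output "Build $installed is below $minimum; install the current SU before enabling EP."
}
```

Calling Test-ShellDefective from any session returns the error text, because nothing ever populates $exchangeShell; the defensive version derives the answer from what the session can actually resolve. Comparing builds as [version] objects also avoids the string-comparison trap where 15.02.1118.012 would sort below 15.02.1118.010.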