Today the Exchange Team announced the quarterly servicing updates (Cumulative Updates and Update Rollups) for all supported versions of Exchange Server. They carry some important security changes.
What changes in Exchange Web Services Push Notifications
The update to EWS Push Notifications is considered a critical security update, and customers should deploy it as soon as they understand and accept any potential impact. The change to Push Notification authentication is a permanent change to the product and is necessary to protect the security of an Exchange Server.
As outlined in KB4490060, the fundamental change is in the authentication used between EWS clients and the Exchange server for Push Notifications. It affects Push Notifications only; Pull and Streaming Notifications are unaffected. The change applies to all EWS clients.
As a best practice, Microsoft also recommends resetting the Exchange server computer account credentials in Active Directory after the update.
Reducing Exchange Rights in Active Directory
The team has also changed the Active Directory rights granted to Exchange servers, reducing the set of objects on which Exchange is able to write security descriptors, as outlined in KB4490059.
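The two follow-up steps above (rotating the Exchange computer account password and confirming that Exchange no longer holds the write-security-descriptor right on the domain object that KB4490059 removes) can be done from PowerShell. The following is an added example, not code from the original post or from Microsoft's KB articles. It assumes an elevated Windows PowerShell session on an Exchange server with the RSAT ActiveDirectory module installed; the domain controller name is a placeholder, and the "Exchange" match on identity names is an assumption that your Exchange security groups carry their default names.

```powershell
# Added example; not from the original post or the KB articles.
# Assumptions: elevated Windows PowerShell on an Exchange server, RSAT
# ActiveDirectory module available, 'dc01.contoso.local' is a placeholder DC,
# and Exchange security groups use their default names containing "Exchange".

Import-Module ActiveDirectory

# 1. Rotate this server's computer account password, as recommended after the
#    Push Notification fix. Run on each Exchange server. -Credential needs an
#    account allowed to reset the computer object; omit it to use machine context.
Reset-ComputerMachinePassword -Server 'dc01.contoso.local' -Credential (Get-Credential)

# Confirm the secure channel to the domain is still healthy after the reset.
if (-not (Test-ComputerSecureChannel)) {
    throw 'Secure channel to the domain is broken; try Test-ComputerSecureChannel -Repair'
}

# 2. Check whether any Exchange principal still holds WriteDacl (the right to
#    rewrite security descriptors) on the domain root object. After KB4490059
#    has been applied this list should be empty.
$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$leftover = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'WriteDacl' -and
    $_.IdentityReference -match 'Exchange'
}

if ($leftover) {
    Write-Warning "Exchange principals still hold WriteDacl on $domainDN"
    $leftover | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Host "No Exchange principal holds WriteDacl on $domainDN"
}
```

The ACL check is worth keeping as a recurring control: the right is what the update removes, so its reappearance (for example after a later /PrepareAD with an older build) is a regression you want to notice.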
Removing Legacy Auth protocols from Exchange Servers
Exchange Server 2019 Cumulative Update 1 adds a new cmdlet that restricts legacy authentication protocols on a per-protocol and per-user basis. This capability was first implemented in Office 365 and is now brought to Exchange Server.
The KB articles for the updates are:
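The per-protocol, per-user restriction described above is expressed as an authentication policy. The following is an added example, not code from the original post or from the Exchange Team. It assumes an Exchange Management Shell session on Exchange Server 2019 CU1 or later; the policy name and pilot group are placeholders, and the BlockLegacyAuth* switch names are those I know from the Exchange 2019 New-AuthenticationPolicy cmdlet and should be confirmed with Get-Help New-AuthenticationPolicy on your build.

```powershell
# Added example; not from the original post.
# Assumptions: Exchange Management Shell on Exchange Server 2019 CU1 or later;
# 'Block Legacy Auth' and 'LegacyAuth-Pilot' are placeholder names;
# BlockLegacyAuth* switch names to be confirmed with Get-Help New-AuthenticationPolicy.

# Create a policy that blocks legacy (Basic) authentication on the protocols
# most commonly abused for password spraying. Protocols not listed stay as-is,
# which is the per-protocol control the update introduces.
New-AuthenticationPolicy -Name 'Block Legacy Auth' `
    -BlockLegacyAuthActiveSync `
    -BlockLegacyAuthAutodiscover `
    -BlockLegacyAuthImap `
    -BlockLegacyAuthPop `
    -BlockLegacyAuthWebServices

# Apply it user by user, starting with a pilot group, so that clients that still
# depend on Basic auth surface before the policy is widened.
Get-DistributionGroupMember -Identity 'LegacyAuth-Pilot' | ForEach-Object {
    Set-User -Identity $_.Identity -AuthenticationPolicy 'Block Legacy Auth'
}

# Review what the policy blocks and who is currently covered.
Get-AuthenticationPolicy -Identity 'Block Legacy Auth' | Format-List Name, BlockLegacyAuth*
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object Name, AuthenticationPolicy
```

Blocking Basic authentication on EWS, POP and IMAP in particular removes the endpoints that accept a username and password directly from the network, which is where most credential-guessing against Exchange lands; pilot users with older mail clients will see authentication failures, so the per-user assignment is the safe rollout path.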
- Exchange Server 2019 Cumulative Update 1 (KB4471391)
- Exchange Server 2016 Cumulative Update 12 (KB4471392)
- Exchange Server 2013 Cumulative Update 22 (KB4345836)
- Exchange Server 2010 Service Pack 3 Update Rollup 26 (KB4487052)