From dbc0d810c2427f90a21afadbe5e2c19d5dac48d4 Mon Sep 17 00:00:00 2001
From: Lukas Sassl
Date: Thu, 12 Jan 2023 18:08:55 +0100
Subject: [PATCH 1/2] Handle Test-ScriptVersion failures

---
 .../MonitorExchangeAuthCertificate.ps1 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1 b/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1
index 6c65cfaded..636ba4064b 100644
--- a/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1
+++ b/Admin/MonitorExchangeAuthCertificate/MonitorExchangeAuthCertificate.ps1
@@ -159,6 +159,8 @@ function Main {
 $versionsUrl = "https://aka.ms/MEAC-VersionsUrl"
 Write-Host ("Monitor Exchange Auth Certificate script version $($BuildVersion)") -ForegroundColor Green
 
+ $currentErrors = $Error.Count
+
 if ($ScriptUpdateOnly) {
 switch (Test-ScriptVersion -AutoUpdate -VersionsUrl $versionsUrl -Confirm:$false) {
 ($true) { Write-Host ("Script was successfully updated") -ForegroundColor Green }
@@ -174,6 +176,8 @@ function Main {
 return
 }
 
+ Invoke-ErrorCatchActionLoopFromIndex $currentErrors
+
 if ($PrepareADForAutomationOnly) {
 Write-Host ("Mode: Prepare AD account to run the script as scheduled task")
 $newAuthCertificateParamsAccountOnly = @{
From 4f11d7d5e4f6f748ba2b2bf6160f7054e769a8aa Mon Sep 17 00:00:00 2001
From: Lukas Sassl
Date: Thu, 12 Jan 2023 18:09:24 +0100
Subject: [PATCH 2/2] Exchange 2013 no SerializedDataSigning HC update

---
 .../Analyzer/Invoke-AnalyzerKnownBuildIssues.ps1 | 9 +++++++++
 ...Invoke-AnalyzerSecuritySerializedDataSigningState.ps1 | 4 ++--
 .../HealthChecker/SerializedDataSigningCheck.md | 2 ++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerKnownBuildIssues.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerKnownBuildIssues.ps1
index 0cea1902d3..71a31f45d6 100644
--- a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerKnownBuildIssues.ps1
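Review bot: The new `Invoke-ErrorCatchActionLoopFromIndex $currentErrors` call is placed after the `return` shown as context at the top of this hunk, so on that early-return path any errors Test-ScriptVersion appended to `$Error` after `$currentErrors` was captured are never handed to the catch-action loop, and the `$ScriptUpdateOnly` branch from the previous hunk presumably returns before reaching this point as well. If the commit's goal is to handle every Test-ScriptVersion failure, the call should also run before each early `return`, or the code between the capture and this call should be wrapped as `try { … } finally { Invoke-ErrorCatchActionLoopFromIndex $currentErrors }` so every path passes through it. A short comment above the capture would also help the next reader, e.g. `# Remember the current $Error index so errors raised by Test-ScriptVersion can be passed to the catch-action loop afterwards`. Main starts before the first hunk and continues past this one, so the blocks those returns close are only partly visible.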
+++ b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerKnownBuildIssues.ps1
@@ -186,6 +186,15 @@ function Invoke-AnalyzerKnownBuildIssues {
 -InformationUrl (GetKnownIssueInformation `
 "Exchange Service Host service fails after installing March 2022 security update (KB5013118)" `
 "https://support.microsoft.com/kb/5013118")
+
+ Write-Verbose "Working on January 2023 Security Updates - Management issues after SerializedDataSigning is enabled on Exchange Server 2013"
+ TestForKnownBuildIssues -CurrentVersion $currentVersion `
+ -KnownBuildIssuesToFixes @(
+ (GetKnownIssueBuildInformation "15.0.1497.45" $null)
+ ) `
+ -InformationUrl (GetKnownIssueInformation `
+ "Management issues after SerializedDataSigning is enabled on Exchange Server 2013" `
+ "https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2023-exchange-server-security-updates/ba-p/3711808")
 } catch {
 Write-Verbose "Failed to run TestForKnownBuildIssues"
 Invoke-CatchActions
diff --git a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecuritySerializedDataSigningState.ps1 b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecuritySerializedDataSigningState.ps1
index ee8ff6d9a9..738fc910ec 100644
--- a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecuritySerializedDataSigningState.ps1
+++ b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecuritySerializedDataSigningState.ps1
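Review bot: The new entry is registered with `$null` as the fixing build in `(GetKnownIssueBuildInformation "15.0.1497.45" $null)`, which presumably reports every server on 15.0.1497.45 regardless of whether SerializedDataSigning is actually turned on, yet the issue named in the message only occurs once the feature is enabled, and that state is determined in the separate SerializedDataSigning analyzer rather than here. Consider either gating this block on that state or making the message say so, e.g. `"Management issues after SerializedDataSigning is enabled on Exchange Server 2013 (only affects servers where the feature is turned on)"`. A comment above the call would also stop the `$null` from being forgotten, e.g. `# No fix build yet - replace $null with the build of the SU that resolves this once it ships`. The enclosing try block starts outside the hunk, so the helpers' exact semantics cannot be confirmed from here.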
@@ -115,10 +115,10 @@ function Invoke-AnalyzerSecuritySerializedDataSigningState {
 Write-Verbose "Checking Registry Value for SerializedDataSigning configuration state"
 if ($serializedDataSigningInformation -eq 1) {
 Write-Verbose "SerializedDataSigning enabled via Registry Value"
- $serializedDataSigningWriteType = "Green"
- $serializedDataSigningState = $true
+ $serializedDataSigningState = ("$($true) - We recommend not to turn on this feature on Exchange 2013 for now")
 } else {
 Write-Verbose "SerializedDataSigning not configured or explicitly disabled via Registry Value"
+ $serializedDataSigningWriteType = "Grey"
 $serializedDataSigningState = $false
 }
 }
diff --git a/docs/Diagnostics/HealthChecker/SerializedDataSigningCheck.md b/docs/Diagnostics/HealthChecker/SerializedDataSigningCheck.md
index 12430bf087..0ba7f94538 100644
--- a/docs/Diagnostics/HealthChecker/SerializedDataSigningCheck.md
+++ b/docs/Diagnostics/HealthChecker/SerializedDataSigningCheck.md
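Review bot: The enabled branch no longer assigns `$serializedDataSigningWriteType`, so the display color for the exact case this commit warns about is whatever the variable held before this hunk, while the disabled branch now sets it explicitly to `"Grey"`; set it explicitly here as well, e.g. `$serializedDataSigningWriteType = "Yellow"`, so the recommendation is surfaced as a warning instead of inheriting an earlier default. `$serializedDataSigningState` also becomes a string in this branch but stays the boolean `$false` in the other, and in PowerShell `"True - …" -eq $true` is a string comparison that evaluates to false, so any consumer that tests the state with `-eq $true` would now treat an enabled Exchange 2013 server as disabled — keep the boolean and carry the recommendation in a separate display string if downstream code compares it. The `$($true)` interpolation only yields the literal `True`, so `"True - We recommend not to turn on this feature on Exchange 2013 for now"` reads more plainly. The function continues outside the hunk on both sides, so the variable's earlier initialization and its consumers are not visible here.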
@@ -12,6 +12,8 @@ The HealthChecker check validates that the feature is enabled on supported Excha
 
 ### Important
 
+ > :warning: **If you have an Exchange Server 2013 in your environment**: Turning on the signing of serialization payload feature might lead to several issues impacting management in your organization. We recommend not to turn on this feature for now. We will address this in the future update. Customers with Exchange Server 2016 / 2019 only can proceed with using the certificate signing of PowerShell serialization payload feature.
+
 Ensure all the Exchange Servers (Exchange Server 2019, 2016 and 2013) in the environment are running the January 2023 (or later) SU before turning the feature on. Enabling the feature before all servers are updated might lead to failures and errors when managing your organization.
 
 This features uses the `Exchange Server Auth Certificate` to sign the serialized data. Therefore, it's very important that the certificate which is configured as Auth Certificate is valid (not expired) and available on all Exchange Servers (except Edge Transport role and Exchange Management Tools role) within the organization.