Microsoft has released new updates for Exchange Server 2016 and 2019 today. The CU21 now released for Exchange 2016 is the last CU to be released for Exchange 2016. From now on, there will only be security updates for Exchange 2016.
Click here to download the CUs directly:
The CU10 for Exchange 2019 can now be downloaded directly from Microsoft without the need for VLSC access, Action Pack or Visual Studio subscription. Previously this was not possible, but Microsoft has apparently rethought its strategy here and now offers the download directly.
Details on the fixed problems can be found under the following links (possibly not yet directly available):
- Exchange Server 2019 Cumulative Update 10 (KB5003612)
- Exchange Server 2016 Cumulative Update 21 (KB5003611)
The CUs contain all previously published security updates.
With the June CUs for Exchange, both versions get a new feature. The Windows Antimalware Scan Interface (AMSI) is now also integrated into Exchange Server. AMSI is available on Windows Server 2016 and 2019. If Exchange 2016 is still installed on Server 2012R2, the AMSI integration cannot be used.
AMSI integration allows AMSI compatible software to scan and block HTTP connections to Exchange Servers for malicious traffic. The AMSI integration in Exchange Server works with any AMSI-capable antivirus/antimalware solution. If no AMSI-compatible anti-malware software is installed on the Exchange Server, Microsoft Defender Antivirus (MDAV) takes over the scanning of the traffic. MDAV is already pre-installed in Windows Server 2016 and Server 2019, but is deactivated as soon as another antivirus solution is installed. It should be checked here whether the antivirus software used is AMSI-compatible so that the new feature can be used. Important: The AMSI integration is not an integration into a virus scanner in the classic sense. AMSI makes it possible to examine the HTTP traffic of an Exchange server, i.e. protocols such as MAPIoverHTTP, ActiveSync, EWS and OWA. It does not scan mails for viruses, malware or SPAM, but rather the client connections to the Exchange server.
The Exchange AMSI integration is probably a reaction to the HAFNIUM vulnerability at the beginning of the year, as a corresponding signature update could have quickly mitigated the effects.