Exchange Server through 2025
Holding Back
Microsoft has broken the triennial update cycle for Exchange and does not expect to release a new version until the second half of 2025. By then, seven years will have passed since the release of Exchange 2019 in 2018. According to the people in Redmond, this postponement is mainly the result of the large number of security problems. For example, the Hafnium exploit in early 2021 exposed a vulnerability that affected many on-premises Exchange servers and highlighted how important it still is to maintain your on-premises Exchange installation. It took some time to eliminate the vulnerability on the majority of servers.
To close security gaps more quickly in the future, at least temporarily, Microsoft decided to integrate the Exchange Emergency Mitigation Service (EEMS) directly with Exchange. Moreover, the Antimalware Scan Interface (AMSI), already included in Windows 2016 and 2019, was added to Exchange 2016 and 2019, allowing AMSI-enabled antivirus software to scan the content of HTTP requests sent to Exchange servers and block malicious requests before they are processed.
Additionally, Microsoft has repeatedly released security updates (SUs), which led to a change in 2022 in the way SUs are installed [1]. All told, substantial resources have gone into stabilizing Exchange, ultimately at the expense of developing the next version.
Route to the New Exchange
Companies still using Exchange 2013 that had hoped to switch to the new version right away will now have to switch to Exchange 2019 very quickly because support for Exchange 2013 ended in April 2023. Exchange 2016 left mainstream support and moved to extended support in October 2021, meaning that Exchange 2016 also should not be used any longer. During this phase, Exchange will not see cumulative updates, but security updates will continue to be released. Exchange 2019 will move to extended support as early as January 2024. For both versions (i.e., 2016 and 2019), this support will then expire at the same time in October 2025. Therefore, Exchange 2019 has a shorter release time of just seven years compared with 10 years for other versions. The release of the next Exchange Server, vNext, in the second half of 2025 does not allow for much leeway when upgrading (Figure 1). The time window to keep support in place is very short.
However, the announcement that an in-place upgrade will again be possible with Exchange 2019 is good news. The update should be possible without the need for new hardware or to move mailboxes. Microsoft plans to announce more specific details on requirements, features, and prices in early 2024. Until the new Exchange is released, the recommendation from Microsoft is that all customers migrate to Exchange 2019. Redmond will release feature updates for 2019 in the near future that are no longer available for previous versions.
In the announcement, Microsoft not only refers to the next version, but goes one step further, because with the new release, Exchange is moving to the Modern Lifecycle Policy, with no end-of-life date and support for as long as market demand exists. Development therefore continues after Exchange vNext – a forced switch to Exchange Online because of a lack of on-premises versions is off the table.
Feature Updates for Exchange 2019
Microsoft is not talking about the new features for vNext but points to 2024. However, the group goes into far more detail about the functions it wants to implement in Exchange 2019 before the new version arrives.
One important point is modern authentication (MA), which is now fully implemented in Exchange Online – after basic authentication was disabled in October 2022 – and is the only way to log in. This feature ensures an essentially more secure login and supports the use of multifactor authentication, smart cards, and client certificates. For hybrid environments, Microsoft has also enabled MA. In 2019, however, it was determined that MA would not be supported for on-premises-only installations and that a hybrid environment would be the only option for (partially) on-premises use. Microsoft has now moved away from this statement and work is already underway to implement MA in Exchange-only setups. A more detailed timeline is expected to be released later this year.
When it comes to security, TLS also plays an important role. For example, Windows 2022, as the underpinning of Exchange 2019, natively supports TLS 1.3, but Exchange itself does not. Support is now firmly scheduled for 2023 and contributes to greater security in communications.
By now, every Exchange admin should be aware of the importance of keeping Exchange up to date. That said, checking the patch level has been difficult in the past, and PowerShell scripts have often been used as an aid. In the future, administrators will be able to see which servers need to be updated directly in the Exchange Admin Center from a Software Updates Dashboard. Exchange Online got the ball rolling at the end of 2022 with an overview of servers in hybrid environments. Availability of this feature is also expected for on-premises Exchange environments in early 2023.
The EEMS service mentioned at the beginning of this article has also been updated. Although administrators now have to undo rules triggered by EEMS manually, it should be possible in the future to delete rules that are no longer needed with a script. The script also is expected in 2023.
The update process itself is being improved to help avoid changing security postures. Whereas changes to the web.config or sharedweb.config file were overwritten in the past by installing a cumulative update (CU) and needed to be updated again, Exchange will keep the changes in the future. This adjustment was already announced for the end of 2022 or the first half of 2023. Constantly changing settings (e.g., for the email size limit in Outlook on the web (OWA)) should therefore be a thing of the past.
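One way to check whether custom web.config settings survived a CU is to compare a copy taken before the update with the file afterward. The following is an added example, not code from Microsoft or from this article. The sample XML, its values, and the SampleSetting key are constructed, and the two size-limit attributes are standard ASP.NET/IIS settings chosen here as an assumption about what an admin might have customized.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, not real Exchange web.config content.
BASELINE = """<configuration>
  <appSettings>
    <add key="SampleSetting" value="custom" />
  </appSettings>
  <system.web>
    <httpRuntime maxRequestLength="51200" />
  </system.web>
  <system.webServer>
    <security><requestFiltering>
      <requestLimits maxAllowedContentLength="52428800" />
    </requestFiltering></security>
  </system.webServer>
</configuration>"""

# Simulated post-CU file: one size limit reset, one custom entry dropped.
AFTER_CU = BASELINE.replace('maxRequestLength="51200"', 'maxRequestLength="35000"') \
                   .replace('<add key="SampleSetting" value="custom" />', '')


def flatten(xml_text):
    """Map 'element/path[key]@attribute' -> value for every attribute in the file."""
    settings = {}

    def walk(elem, prefix):
        # <add key="..."> / <add name="..."> siblings share a tag, so the key
        # or name attribute is folded into the path to keep entries distinct.
        ident = elem.get("key") or elem.get("name")
        path = f"{prefix}/{elem.tag}" + (f"[{ident}]" if ident else "")
        for attr, value in elem.attrib.items():
            settings[f"{path}@{attr}"] = value
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return settings


def config_drift(before_xml, after_xml):
    """Return {setting: (before, after)} for values changed or dropped."""
    before, after = flatten(before_xml), flatten(after_xml)
    return {k: (v, after.get(k)) for k, v in before.items() if after.get(k) != v}


if __name__ == "__main__":
    for setting, (old, new) in sorted(config_drift(BASELINE, AFTER_CU).items()):
        print(f"{setting}: {old!r} -> {new!r}")
```

On a real server, read the backed-up and live files into strings and pass them to config_drift; a value of None in the second position means the setting is no longer present.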
The Hybrid Configuration Wizard (HCW) also sees a minor function update. Thus far, when you re-run the HCW, it has gone through all the steps and prompted you for settings that were defined during the initial configuration. When you reconfigure, settings made in the meantime could be lost. In the future, the wizard will let you skip unnecessary steps.
Conclusions
The hook tempting admins to migrate to Exchange 2019 has been cast, with some interesting features in the works for the current version. Updates through the end of 2023 tend to focus on security. Whether there will only be security updates from 2024, meaning that no feature updates will appear for the only available Exchange products over an extended period of time, remains unclear. Admins can also look forward to the new functions that Exchange vNext 2025 will introduce. However, with the possibility of in-place updates and the full pipeline for Exchange 2019, expectations should not be set too high.