Windows 8 and Windows RT include a built-in email app named Mail (also referred to as Windows 8 Mail or the Windows 8 Mail app). The Windows 8 Mail app includes support for IMAP and Exchange ActiveSync (EAS) accounts.

This article includes some key technical details of the Windows 8 Mail app. Use the information to help you support the use of Windows 8 Mail app in your organization. Read this article start to finish, or jump to the topic that interests you. Use the reference links throughout the article for more information.

NOTE Mail, Calendar, People, and Messaging are apps that are built in to Windows 8 and Windows RT. Although this article discusses the Windows 8 Mail app, please note that much of the information in this article also applies to the Calendar, People, and Messaging apps. This is because, when connected to a server that supports Exchange ActiveSync, the Calendar, and People apps may also display data that was downloaded over the Exchange ActiveSync connection.

Protocol Support

The Windows 8 Mail app lets users connect to any service provider that supports either of the following two protocols:

• Exchange ActiveSync
• IMAP/SMTP

POP is not currently supported.

Exchange ActiveSync

Exchange ActiveSync can be used to sync data for email, contacts, and calendar. The Windows 8 Mail app supports EAS versions 2.5, 12.0, 12.1, and 14.0. For detailed protocol documentation, see Exchange Sever Protocol Documents on MSDN.

NOTE All Windows Communications apps (Mail, Calendar, and People) can use the data that is synchronized with Exchange ActiveSync. After a user connects to their account in the Windows 8 Mail app, their contacts and calendar data are available in the other Windows Communications Apps and vice versa.

The Mail app does not support certificate-based authentication of clients for Exchange ActiveSync.

IMAP/SMTP

The Windows 8 Mail app supports the following IMAP and SMTP standards:

• IMAP4 rev1 RFC 3501
• SMTP RFC 5321
• IMAP4 IDLE command (push email) RFC 2177
• IMAP LIST Extension for Special Folders RFC 6154
• XLIST extension of the LIST command (identifies special folders). See Extension of the LIST command: XLIST in Google Apps Platform documentation.

IMAP/SMTP can be used to send and receive email only. Contacts data and calendar data is not synchronized when IMAP/SMTP is used. Microsoft Exchange does not support Public Folders via IMAP. For more details about IMAP support in Exchange, see POP3 and IMAP4 (for Exchange 2010, see Understanding POP3 and IMAP4).

Sync Configuration

The Windows 8 Mail app can be configured to synchronize data at different times as follows:

• Push email (default)
• Polling at fixed intervals
• Manually

If a push email connection can’t be established, it will automatically switch to poll at fixed intervals.

Push Email

Push email requires that accounts are either Exchange ActiveSync (which all support Push) or IMAP with the IDLE extension. Not all IMAP servers support IDLE, and it is supported only for the Inbox folder.

When a push connection can’t be established, Mail will change to polling on 30 minute intervals. Push email on Exchange ActiveSync requires that HTTP connections must be maintained for up to 60 minutes, and IMAP IDLE requires TCP connections to be maintained for up to 30 minutes.

Account Setup Features

Windows 8 and Windows RT users can add email accounts to the Windows 8 Mail app using the Settings charm. The Settings charm is always available on the right side of the Windows 8 and Windows RT screen. (For more visual details about Charms & the Windows 8 user interface, see Search, share & more.)

NOTE This section provides an overview of Windows 8 Mail app account setup. For step-by-step procedures for setting up an account in the Windows 8 Mail app, see What else do I need to know? at the end of this guide.

To make it as easy as possible to add accounts, account setup only prompts the user to enter the email address and password for the account they want to set up. From that data, Mail attempts to automatically configure the account as follows:

• The domain portion of the email address is matched against a database of well-known service providers. If it’s a match, its settings are automatically configured.
• The domain portion of the email address is used to execute Exchange ActiveSync Autodiscover processes. For detailed information, see Autodiscover HTTP Service Protocol Specification on MSDN.
• If still not configured, the user is prompted to provide detailed settings for their server.

Exchange ActiveSync

Figure 1: Exchange ActiveSync (EAS) configuration in Windows Mail

Full details needed to connect to an Exchange server – needed only if Autodiscover failed

The information required to connect to a server via Exchange ActiveSync is:

• Email address
• Server address
• Domain
• Username
• Password

IMAP/SMTP

Figure 2: IMAP/SMTP configuration in Windows Mail

The information required to connect to a server via IMAP/SMTP is:

• Email address
• Username
• Password
• IMAP email server
• IMAP SSL (if your IMAP server requires SSL encryption)
• IMAP port
• SMTP email server
• SMTP SSL (if your SMTP server requires SSL encryption)
• SMTP port
• Whether SMTP server requires authentication
• Whether SMTP uses the same credentials as IMAP (If not, user must also provide SMTP credentials)

Security Features

Mail provides administrators with some level of security through Exchange ActiveSync policies. It doesn’t support any means of managing or securing PCs that are connected via IMAP.

Policy Support

Exchange ActiveSync devices can be managed using Exchange ActiveSync policies. Windows 8 Mail supports the following EAS policies. :

• Password required
• Allow simple password
• Minimum password length (to a maximum of 8 characters)
• Number of complex characters in password (to a maximum of 2 characters)
• Password history
• Password expiration
• Device encryption required (on Windows RT and editions of Windows that support BitLocker. See What's New in BitLocker for details about BitLocker improvements in Windows 8.)
• Maximum number of failed attempts to unlock device
• Maximum time of inactivity before locking

Note that if AllowNonProvisionableDevices is set to false in an EAS policy and the policy contains settings are not part of this list, the device won’t be able to connect to the Exchange server.

Getting into Compliance

Most of the policies listed above can be automatically enabled by Mail, but there are certain cases where the user has to take action first. These are:

• Server requires device encryption:
  • User has a device that supports BitLocker but BitLocker isn’t enabled. User must manually enable BitLocker.
  • User has a Windows RT device that supports device encryption but it is suspended. User must reboot.
  • User has a Windows RT device that supports device encryption, but it isn’t enabled. User must sign into Windows with a Microsoft account.
• An admin on this PC doesn’t have a strong password: All admin accounts must have a strong password before continuing.
• The user’s account doesn’t have a strong password: User must set a strong password before continuing.

ActiveSync Policy v/s Group Policy on domain-joined Windows 8 devices

If a Windows 8 PC is joined to an Active Directory domain and controlled by Group Policy, there may be conflicting policy settings between Group Policy and an Exchange ActiveSync policy. In the event of any conflict, the strictest rule in either policy takes precedence. The only exception is password complexity rules for domain accounts. Group policy rules for password complexity (length, expiry, history, number of complex characters) take precedence over Exchange ActiveSync policies – even if group policy rules for password complexity are less strict than Exchange ActiveSync rules, the domain account will be deemed in compliance with Exchange ActiveSync policy.

Remote Wipe

Mail supports the Exchange ActiveSync remote wipe directive, but unlike Windows Phones, the data deleted by this directive is scoped to the specified Exchange ActiveSync account. The user's personal data is not deleted. For example, if a user has an Outlook.com account for personal use and a Contoso.com account for work use, a remote wipe directive from the Contoso.com server would impact Windows 8 and Windows Phone 7 as follows:

Account Roaming

To make it as easy as possible for users to have all of their accounts set up on all of their devices, Windows 8 uploads vital account information to the user’s Microsoft account. This information includes email address, server, server settings, and password. When a user signs into a new PC with their Microsoft account, their email accounts are automatically set up for them.

Passwords are not uploaded from a PC for any accounts which are controlled by any Exchange ActiveSync policies. Users will have to enter their password to begin syncing a policy-controlled account on a new PC.

Microsoft Accounts

Users are required to have a Microsoft Account, formerly known as Windows Live ID, to use the Windows Communications apps. This will usually be the Microsoft account that the user is signed into Windows with, but if they have not done so, they will be prompted to provide one before proceeding.

Microsoft accounts will automatically sync to Microsoft services using Exchange ActiveSync 14.0 when Mail starts. This will synchronize:

• Email, if the user’s Microsoft account is also their Hotmail or Outlook.com account
• Contacts from Windows Live
• Calendar events

If the user’s Microsoft account is not a Outlook.com or Hotmail account (for example, dave@contoso.com), Mail will prompt the user to provide the password for their email account, which will be added automatically.

Data Consumption

By default, Mail only downloads the last two weeks of email. This is user configurable and can potentially download the user’s entire mailbox. For Exchange ActiveSync accounts, all contacts are downloaded and calendar events are downloaded only for three months behind the current date and 18 months ahead.

Additionally, messages are only partially downloaded to reduce bandwidth use as follows:

• Message bodies are truncated to the first 100KB (20KB on metered networks). For more details see Engineering Windows 8 for mobile networks.
• Attachments are not downloaded automatically.

Embedded images in email messages are downloaded on-demand as the user reads them, and attachments are downloaded on-demand as the user attempts to open them.

By default, Mail only downloads the user’s Inbox and Sent folders. Other folders are downloaded once the user accesses them for the first time.

Mail does not enforce any limits on how many or large of attachments users can send.

Limitations

The following features are currently not supported by Mail:

• Mailbox connections using POP:  IMAP and EAS are supported.

  (Note, this does not mean that Windows 8 does not support POP3. This post is about the Windows 8 Mail app. )

• Servers that require self-signed certificates: Users can work around the self-signed certificate limitation by manually installing the certificate on their Windows 8 or Windows RT device. For additional information about the self-signed certificates, see Self-Signed Certificates section below.

• Opaque-Signed and Encrypted S/MIME messages: When S/MIME messages are received in Windows 8 Mail, it displays an email item with a message body that begins with “This encrypted message can’t be displayed.”

  To view email items in the S/MIME format, users must open the message using Outlook Web App, Microsoft Outlook, or another email program that supports S/MIME messages. For more information, see Opaque-Signed and Encrypted S/MIME Message on MSDN.

Self-Signed Certificates

Users may experience connectivity errors when trying to connect to an Exchange servers that require self-signed certificates. The user may receive the following error messages.

Unable to connect. Ensure the information entered is correct.

<Email address> is unavailable

NOTE This issue may occur because the Mail app cannot connect to Exchange by using self-signed certificates.

Consider the following options to resolve this issue.

1. Option 1: Install a certificate that is signed by a Microsoft-trusted root certification authority (CA) on the server

   This enables Exchange to work for all clients without prompting. For more information about the trust root CAs, see the following topics on TechNet:

   • Windows Root Certificate Program overview
   • Windows Root Certificate Program - Members List (All CAs)

2. Option 2: Install a server’s self-signed certificate on a device

   This enables Exchange to work for Windows 8 devices that have the certificate installed.

Note To install a self-signed certificate for a domain’s certification authority, the administrator must provide a certificate file (.cer). The certificate can be installed to the trusted root certificate authority store for either of the following options:

• For the current user This option does not require admin rights but must be completed for each user on the device.
• For the local device This option requires administrator rights and needs to be done only one time for a device.

The user or the system administrator can use the .cer file to install the certificate. To do this, use one of the following methods:

• Command-line tool

  At an elevated command prompt, run the following command:

  certutil.exe -f -addstore root <name_of_certificatefile>.cer

  NOTE The command installs the certificate for all users on the device.

• User interface

  1. Double-click the certificate file. A certificate dialog opens.
  2. Click Install Certificate. A Certificate Import Wizard window opens.
  3. Select the option to install the certificate for only the current user or for the local device.
  4. Select Place all certificates in the following store
  5. Click Browse to open the store selection dialog. Select Trusted Root Certification Authorities.
  6. Select the store, and then click Ok. You are returned to Certificate Import Wizard dialog, and the certificate store and certificate to be installed into that store are displayed.

Troubleshooting Windows 8 Mail Client Connectivity

If Windows 8 Mail users can't successfully connect to their accounts, consider the following:

• Verify that the user is using the latest version of the Windows 8 Mail app. A user can check for updates to the Windows 8 Mail app by doing the following: from the Start screen, go to Store > Settings > App updates > Check for updates.
• The user should wait a few minutes and try again.
• If the account is a cloud-based email account that requires registration (for example, a Microsoft Office 365 account), the user must register their account before they can set up their account in Windows 8 Mail. If the user is a Microsoft Office 365 user, they register their account when they sign in to Office 365 for the first time. If the user is not an Office 365 user, the user registers their account when they sign in to their account using Microsoft account or Outlook Web App.

TIP The user will see the following message if they haven't registered their account. In Windows 8 Mail, you will see the following message:
“We couldn’t find the settings for. Provide use with more info and we’ll try connecting again.”

For information about signing into Outlook Web App or the Office 365 Portal, see Sign In to Outlook Web App.

After the user signs in to your account using Outlook Web App, the user should sign out, and then try to connect using Windows 8 Mail.

What else do I need to know?

• Set up email in Windows 8 Mail
• Mail: Frequently asked questions
• 2784275 How to configure an Exchange account and how to troubleshoot Exchange account connectivity issues in the Mail app in Windows 8 and Windows RT
• 2792112 80070057 error, and Windows Phone 8 cannot sync with Microsoft Exchange
• 2464593Error 85010013, 8600C2B, or 86000C29 when you try to synchronize a Windows Phone-based device to an Exchange server
• You may also find Building the Mail app on the Building Windows 8 blog of interest.

Recently Apple released iOS 4 (the new name for the operating system that runs on iPhones, iPod touches, and iPads). Since its release there have been numerous reports (link, link, link) of a number of issues with new iPhone 4s (and older iPhone models running the updated software version) when using Exchange ActiveSync (EAS) for mobile email. I wanted to put up a quick posting about what issues users may be seeing and what we’re doing about it.

Issues:

1. Exchange administrators are seeing heavier than normal loads on their servers from users with iOS devices: We are in contact with Apple’s engineering team and are trying to help them fix this issue. In the meantime Apple has released a support article (link) which directs administrators who are experiencing this issue to push an iOS profile (link) that changes the timeout their Exchange ActiveSync connection uses to their users to four minutes which should be long enough for the vast majority of users. Those that need longer can edit the XML file in any text editor by searching for ‘240.0’ (no quotes) and changing it to the desired number of seconds, or you can use Apple’s configuration utility editor (link) to make this change.
   Update 7/15: Apple has released iOS 4.0.1, which includes the iOS profile change discussed earlier in this post.
   

   Update 7/1 1:10 PM: We had suggested using Apple's configuration utility to make this change. Apple has informed us that you should not use the configuration utility to edit or install the update. Use a text editor such as Notepad to change the timeout value in the update, if required. The configuration utility doesn't know about the timeout key used in the update.

2. Email, calendar, or contacts are not syncing: We believe this is the same issue as #1. The support article and solution listed above are the current recommendation from Apple while a fix is being worked on.
3. iPhone is not working with Google Apps over Exchange ActiveSync: Google licenses the server portion of Exchange ActiveSync from Microsoft (link) but Google wrote their own software to implement the protocol. Google is responsible for making sure their implementation of Exchange ActiveSync runs correctly and in this case Google claims that they had a server issue (link).

We have been in contact with Apple about each of these issues (as well as some others that seem to not be directly related to EAS but are more email related in general). Apple has assured us that a fix is being worked on though they have not commented on a release timeline for the fix. We will be continuing to work with Apple to help resolve the current issues relating to iOS 4 using Exchange ActiveSync.

Adam Glick
Sr. Technical Product Manager

We're wrapping up our Beta of Exchange 2007 SP1 (to be released through TechNet plus this April), and as always we wanted to discuss it publicly here first. We are targeting final release with Longhorn Server 2nd half of this year.

Our work in this service pack is purely in response to your feedback on earlier releases of Exchange 2007. A partial list of what you'll find included in this SP is:

Standby Continuous Replication (SCR)

Such a great feature obviously needed its own name!

With Exchange 2007, we introduced Cluster Continuous Replication (CCR) for replication of data between 2 servers within a cluster.  With SCR, data can be replicated on a per-storage group basis to standby servers or clusters.  The SCR target, whether a single mailbox server or a cluster, can be placed inside the primary datacenter or in a remote location, ready to be manually activated if the primary server or datacenter fails.

OWA

SP1 will fill in the feature holes that we just didn't have time to complete by RTM:

• Personal distribution lists
• S/MIME
• Rules
• Monthly calendar view
• Deleted items recovery
• Public folder access

OWA 2007 SP1 spell checking will add support for:

• Arabic
• Korean

OWA 2007 SP1 will add support for viewing Office 2007 file formats as HTML.

Exchange Management Console

SP1 will fill in the GUI holes that we just didn't have time to complete by RTM, including:

• Public folder configuration
• POP and IMAP configuration
• SendAs permission configuration
• Delegation wizard scenarios

Web Services

New web service coverage will include:

• Public folder access 
• Delegate management
• Folder permission management

IPv6

On Longhorn Server, we will support Exchange 2007 on native IPv6 networks.

Move Mailbox

This vital tool administrator tool has been beefed up to include import and export to a .pst

Over the next few months, people throughout the team will be posting about their SP1 work. Your feedback means everything to us.

Thank you for choosing Exchange,

- Terry

As many of you know, there will be a change next year in the transition dates for US daylight saving time. I won't go into all the gory details here, but if you want them follow this link http://www.microsoft.com/windows/timezone/dst2007.mspx This site will be updated to provide all the latest information about daylight saving time, including updates from Microsoft products affected by daylight saving time, as well as links to KB articles when they are available.

The Exchange team, along with Windows and Office have been giving this a lot of attention. We will be providing, free of charge, a solution for Exchange products in mainstream support. This solution will consist of changes in CDO to support these new dates as well as rebasing tool for calendar items that are already existent in users calendars. This rebasing tool is a server side tool. There will also be a client side tool available from Outlook. For products that are no longer under Mainstream support, these non-security updates will only be offered to customers that have an Extended Hotfix Agreement. For more information on the current support status of your Microsoft products and the Support Lifecycle Policy, please visit http://support.microsoft.com/lifecycle.

- Elizabeth Scott

Earlier today the Exchange CXP team released Update Rollup 1 for Exchange Server 2010 SP2 to the Download Center.

This update contains a number of customer-reported and internally found issues since the release of SP2. See KB 2645995: Description of Update Rollup 1 for Exchange Server 2010 Service Pack 2' for more details.

Note: If some of the following KB articles do not work yet, please try again later.

We would like to specifically call out the following fixes which are included in this release:

• New updates for Dec DST - Exchange 2010 - SP2 RU1 - Display name for OWA.
• 2616230 Exchange 2010 CAS server treats UTF-7 encoding NAMESPACE string from CHS Exchange 2003 BE server as ASCII, caused IMAP client fails to login.
• 2599663 RCA crashes when recipient data is stored in bad format.
• 2492082 Freebusy publish to Public Folders fails with 8207 event.
• 2557323 "UseLocalReplicaForFreeBusy" functionality needed in Exchange 2010.
• 2621266 Exchange 2010 Mailbox Databases not reclaiming space.
• 2543850 Exchange 2010 GAL based Outlook rule not filtering emails correctly.

General Notes:

For DST Changes: http://www.microsoft.com/time.

Note for Forefront Protection for Exchange users  For those of you running Forefront Protection for Exchange, be sure you perform these important steps from the command line in the Forefront directory before and after this rollup's installation process. Without these steps, Exchange services for Information Store and Transport will not start after you apply this update. Before installing the update, disable ForeFront by using this command: fscutility /disable. After installing the update, re-enable ForeFront by running fscutility /enable.

Exchange Team

Update 4/11/11: Please note that the E2010 SP1 RU3 will be available via Microsoft Update on 4/24/11.

On March 14^th we posted an announcement to the EHLO blog about removing Update Rollup 3 for Exchange Server 2010 SP1 due to an issue related to Blackberry devices.

The Exchange Servicing team has fixed the reported issue with E2010 SP1 RU3 and is making available a new version of RU3 for our customers, version 14.01.289.007, (KB2529939). We strongly advise all customers install this newly released version of Microsoft Exchange Server 2010 SP1 Update Rollup 3 and to discard any prior version of RU3 (KB2492690) which you may have.

RU3 Installation Guidance:

• Customers with RU3 already installed within your Exchange environment

  It is not necessary for you to uninstall the existing RU3 within your environment. The new RU3 package can be installed over the top of the existing package installed on your servers.

• Customers with previous SP1 RUs installed within your Exchange environment

  You can simply install the new version of the RU3 package.

General RU Installation Guidance

• Note for deployments that leverage Forefront Security for Exchange: For those of you running Forefront Security for Exchange perform these important steps from the command line in the Forefront directory before and after this rollup's installation. Without these steps, Exchange services for Information Store and Transport will not start back up. You will need to disable Forefront via "fscutility /disable" before installing the patch and then re-enable after the patch by running "fscutility /enable" to start it up again post installation.

We deeply regret the impact that these issues have had on you, our customers, and as always, we continue to identify ways to better serve your needs through our regular servicing releases.

Kevin Allison
General Manager
Exchange Customer Experience

Today, we released Exchange Server 2013 RTM Cumulative Update 2 (CU2) to the Microsoft Download Center. In addition to this article, the Exchange 2013 RTM release notes (updated for CU2) are also available.

The final build number for Exchange 2013 RTM CU2 is 15.0.712.24.  If you previously installed the 712.22 build, please upgrade to 712.24 to ensure you are not affected by the following issue.

Note: Some article links may not be available at the time of this post's publication. Updated Exchange 2013 documentation, including Release Notes, will be available on TechNet soon.

Servicing Model Update

In the new Exchange servicing model customers will continue to receive assistance from Microsoft Support for the lifecycle of the Exchange server product - a customer is not required to be at the most current CU to receive assistance. There are two scenarios that we would like to clarify though:

1. If during the course of a support incident it is determined that the solution is available in a published CU (e.g., CU2), the customer will be required to install the update that contains the fix. We will not be building a new fix to run on top of a CU published earlier (e.g., CU1).
2. If during the course of a support incident it is determined that you have discovered a new problem for which we confirm a fix is required, that fix will be published in a future CU that you can then install to correct the problem reported.

An important benefit of the Exchange servicing model is that it provides the ability to receive independent security releases outside of the CU or Service Pack (SP) process. What this means for you is that future security fixes will not require you to install a CU to get the individual fix for a reported vulnerability. This allows you to quickly validate and install a security update with confidence knowing that only the fixes which address a particular security problem will be included as part of that release.

Exchange Server Cumulative Updates are scheduled to be released quarterly. We realize that some customers spend several months validating environments, third-party products, etc., and require more time for testing. Therefore, we will continue to ship a Service Pack which provides all of the updates included in prior cumulative updates in one installation and acts as a logical milestone for updating your servers.

Customers who are using Exchange Server 2013 and Office 365 together in an Exchange Hybrid scenario get a rich set of capabilities to manage and run mailboxes on-premises and in the cloud. Updates come to Office 365 frequently and thus customers in hybrid scenarios are strongly recommended to stay current as Cumulative Updates are released. Keeping current will allow your on-premises Exchange Server to be running the same code as the Office 365 Exchange servers. This helps keep consistency between on-premises and Office 365 users and puts you in the best position to take advantage of new features as they are made available in the service. This always updated approach is available for everyone and is the recommend approach for all customers to obtain fixes and new features as soon as they become available.

Overall, the new Exchange Server servicing strategy provides a predictable pattern for releases and provides customer control options for on-premises customers. Each CU receives extensive validation as the builds released in a CU have been deployed in the Office 365 service – you can deploy a CU knowing it has already had datacenter scale validation in the world’s largest and most demanding Exchange environment.

Upgrading/Deploying Cumulative Update 2

Unlike previous versions, cumulative updates do not use the rollup infrastructure; cumulative updates are actually full builds of the product, meaning that when you want to deploy a new server, you simply use the latest cumulative update build available and do not necessarily need to apply additional Exchange Server updates.

Active Directory Preparation

Prior to upgrading or deploying the new build onto a server, you will need to update Active Directory. For those of you with a diverse Active Directory permissions model you will want to perform the following steps:

1. Exchange 2013 RTM CU2 includes schema changes. Therefore, you will need to execute setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms.
2. Exchange 2013 RTM CU2 includes enterprise Active Directory changes (e.g., RBAC roles have been updated to support new cmdlets and/or properties). Therefore, you will need to execute setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms.

Note: If your environment contains only Exchange 2007, and you upgrade to Exchange 2013, keep in mind you cannot deploy Exchange 2010 in that environment at a later time. If you foresee a need to deploy Exchange 2010 servers into your environment, deploy an Exchange 2010 multi-role server (with all four servers roles) prior to executing Exchange 2013 setup.exe /PrepareAD. As long as you retain at least one role of each legacy server, you will continue to be able to install additional servers of that version into your coexistence environment. Once you remove the last server role of a legacy version, you will no longer be able to reintroduce that version into the environment.

Server Deployment

Once the preparatory steps are completed, you can then deploy CU2 and start your coexistence journey. If this is your first Exchange 2013 server deployment, you will need to deploy both an Exchange 2013 Client Access Server and an Exchange 2013 Mailbox Server into the organization. As explained in Exchange 2013 Client Access Server Role, CAS 2013 is simply an authentication and proxy/redirection server; all data processing (including the execution of remote PowerShell cmdlets) occurs on the Mailbox server. You can either deploy a multi-role server or each role separately (just remember if you deploy them separately, you cannot manage the Exchange 2013 environment until you install both roles).

If you already deployed Exchange 2013 RTM code and want to upgrade to CU2, you will run setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms from a command line after completing the Active Directory preparatory steps or run through the GUI installer. Deploying future cumulative updates will operate in the same manner.

Changes in Exchange 2013 RTM CU2

In addition to bug fixes, Exchange 2013 RTM CU2 introduces enhancements in the following areas.

• Per-server database support
• OWA Redirection
• High Availability
• Managed Availability
• Cmdlet Help
• OWA Search Improvements
• Malware Filter Rules

Per-Server Database Support

As mentioned previously, Exchange 2013 RTM CU2 increases the per-server database support from 50 databases to 100 databases in the Enterprise Edition of the product. Please note that this architectural change may not provide any additional scalability as CPU may be a bottleneck, thereby limiting the number of mailboxes you can deploy per-server.

As promised, the Exchange 2013 Server Role Requirements Calculator has been updated for this architectural change.

OWA Redirection

Depending on your deployment model, Exchange 2013 RTM CU1 supported the following redirection or proxy scenarios:

1. In environments where Exchange 2013 and Exchange 2010 coexist, Exchange 2013 CAS proxies OWA requests to Exchange 2010 CAS for Exchange 2010 mailboxes.
2. In environments where Exchange 2013 and Exchange 2007 coexist, Exchange 2013 CAS redirects the request to the Exchange 2007 CAS infrastructure’s ExternalURL. While this redirection is silent, it is not a single sign-on event.
3. In native Exchange 2013 environments:
   1. Exchange 2013 CAS proxies the OWA request directly to the Exchange 2013 Mailbox server when in a single site.
   2. Exchange 2013 CAS proxies the OWA request directly to the Exchange 2013 Mailbox server when the Mailbox server exists in a different site and the CAS infrastructure in the target site has no ExternalURL defined.
   3. Exchange 2013 CAS proxies the OWA request directly to the Exchange 2013 Mailbox server when the Mailbox server exists in a different site and the CAS infrastructure in the target site has an ExternalURL that matches the source site’s ExternalURL.
   4. Exchange 2013 CAS redirects the OWA request to the CAS infrastructure in the target site when the target site’s ExternalURL does not match the source site’s ExternalURL. While this redirection is silent, it is not a single sign-on event.

Exchange 2013 RTM CU2 changes this behavior by providing a single sign-on experience when Forms-Based Authentication (FBA) is used on the source and destination OWA virtual directories by issuing back to the web browser a hidden FBA form with the fields populated. This hidden form contains the same information as what the user had originally submitted to the source CAS FBA page (username, password, public/private selector) as well as, a redirect to the target Exchange specific path and query string. As soon as this form is loaded it is immediately submitted to the target URL. The result is the user is automatically authenticated and can access the mailbox data.

Many of you may be familiar with this functionality in Exchange 2010 SP2. However, there are differences in the Exchange 2013 RTM CU2 implementation:

1. Silent redirection is the default behavior in Exchange 2013, meaning that if FBA is enabled on source and target OWA virtual directories, the redirection will also be a single sign-on event.
2. You can disable silent redirection on the source CAS via the web.config file located at <ExchangeSetupDir>\FrontEnd\HttpProxy\owa by adding the following line in the <appSettings>section:

   <add key="DisableSSORedirects" value="true" />

High Availability

Exchange 2013 RTM CU2 introduces a new service, the DAG Management Service. The DAG Management service contains non-critical code that used to reside in the Replication service. This change does not introduce any additional complexities in event reporting, either – events are written into the Application event log with the source of MSExchangeRepl and crimson channel.

Managed Availability

In addition to improvements in various probes and monitors, there have been changes to the responder throttling framework. Prior to Exchange 2013 RTM CU2, many responders were only throttled per-server (e.g., RestartService). Now, these responders are throttled per group. For example, originally RestartService was throttled based on the number of occurrences that occurred on a server; in Exchange 2013 RTM CU2, RestartService can execute every 60 minutes DAG-wide, with a maximum of 4 restarts per day DAG-wide.

Cmdlet Help

Exchange 2013 RTM CU2 introduces the capability for administrators to get updates to Exchange Management Shell cmdlets without needing to deploy a new service pack or cumulative update. Administrators can launch the Exchange Management Shell and run the Update-ExchangeHelp cmdlet to update their local Shell help.

OWA Search Improvements

Previously searching for keywords within OWA did not give indications of the location of the keyword in the search result set. Exchange 2013 RTM CU2 improves OWA’s search results highlighting in three ways:

1. Conversation items are auto-expanded that have hits in them.
2. Whenever you search for a term and select a conversation from the result list, OWA will move the scroll position of the reading pane so that the first item part with that search term is in view.
3. Hit navigation within a conversation – you can jump between search hits quickly using a control built into the reading pane.

Malware Filter Rules

Exchange 2013 RTM CU2 introduces the –MalwareFilterRule cmdlets. You can use the –MalwareFilterRule cmdlets to apply custom malware filter policies to specific users, groups, or domains in your organization. Custom policies always take precedence over the default company-wide policy, but you can change the priority (that is, the running order) of your custom policies.

Looking Ahead

The Exchange Product Group is in the final validation stages to support Windows Azure for Witness Server placement. Specific guidance on using Windows Azure for the Witness Server placement will be available via TechNet at a later date. Support for this scenario will occur once the guidance has been released.

Conclusion

We understand that some features delivered in CU2 were available in Exchange 2010 and haven’t been available until this update. The lack of single sign-on capability in OWA redirection and the reduced per-server database support were due in part to the complete re-write of these components in Exchange 2013. Holding back these features were necessary to meet our code stability and performance criteria for release. It was your feedback which helped prioritize the return of these features. Our new servicing model allows us to add incremental improvements to the product at a faster cadence than the previous model.

As always, we continue to identify ways to better serve your needs through our regular servicing releases. We hope you find these improvements useful. Please keep the feedback coming, we are listening.

Ross Smith IV
Principal Program Manager
Exchange Customer Experience

Hi. I'm DJ Schwend, a product designer working on the OWA team here in Exchange. I've put together this overview of the best new features in our Beta 1 release. We've made huge strides to improve the online experience and our goal is to keep being the best web mail client in the world.

The user interface has been redesigned with a focus on productivity. We've reduced the number of clicks required to get tasks done. When possible, we've incorporated actions and responses in place; we call this "inline task completion" instead of opening multiple dialogs or property sheets. We've removed pop-up notifications to avoid those irritating pop-up blockers. We've enhanced drag and drop functionality, improved and expanded the right-click context menus, and integrated better error strings contextually so they don't get in your way.

Logon screen

If you're an OWA user today, you know how annoying it is that you sometimes (always?) forget to select 'private' logon which will give you a timeout of several hours instead of the few minutes you get with 'public' logon when accessing OWA from home. To fix this, the OWA 2007 logon page will remember your 'private' selection and the username you entered on those trusted machines between OWA sessions so you only have to enter your password the next time you log on. There is also a checkbox here for the 'Light' version of OWA here too, for the Mac and browsers other than IE6 and 7. It's also optimized for Accessibility, making it easier on users with low vision and screen readers. Look for a post on that version of OWA here soon. We've also updated the look and feel of the screen, along with the rest of the product. Check it out:

Mail

E-mail appears automatically as it arrives in your Inbox and the unread counts in the folder tree stay up-to-date so you no longer have to press the "Check Message" button over and over again to see if you have received that important email you've been expecting.

Also in the folder tree, we've enhanced drag and drop functionality from the mail list. You can drag and drop single or multiple items from the mail list into folders and interact with those items by right clicking and choosing actions within the menus. The right-click folder tree context menu now includes:

- New folder creation and in-place folder renaming (no more dialogs). Just choose the type of folder you want (Mail, Calendar, Contacts, Tasks) and right-click to choose "Create New Folder" from the menu.
- "Mark All as Read" action for folders
- "Empty Folder" to delete all items in one click - a new Option to empty the Deleted Items folder on log off is also provided in the new Options pages.
- New integrated Reminders drop down from the folder title area. You can choose to hide these temporarily by one click outside the menu, or dismiss individual or multiple appointments by clicking the Snooze or Dismiss buttons. This isn't a pop-up so it won't be blocked, and you won't miss an appointment.

- Since the browser won't let us render things outside the browser window anymore due to WinXP SP2 security enhancements, the New Item Notifications are also presented integrated into the OWA folder title area (not a pop-up from the Windows taskbar). This appears in a small menu with the subject and sender name shown for 5 seconds before fading out from the main window while you're working in any module (including Mail, Calendar, Contacts, and Tasks). Clicking on the notification will select the newest item in the Mail list, even if you're in another area like Calendar or Contacts. Different notifications exist for each type of item: mail, voice mail and fax. So if you're expecting a fax or a phone call you'll be sure not to miss it. You may turn Notifications and Reminders off completely in the Options pages.

Mail Toolbar

Click New to open and compose a new e-mail. Here, you can add names and addresses easily with the new auto-complete menu that remembers recently-used items so you don't have to:

Right-click on resolved names to view Properties such as: office, phone, e-mail, availability and their position in the organizational structure within the company:

- Access messaging options to set importance, priority, and request read receipts
- Use the HTML editor to change fonts, add color or add a hyperlink to a document
- View message headers for e-mail
- Adjust the Reading Pane that's shown on the right by default. Options include Off, Right and Bottom. Some new Reading Pane Preview features for meeting requests include integrated meeting conflict information and response buttons:

- Change the mail list to single-line view instead of the default double-line view
- Delete items
- Check for new messages
- "Arranged by" control incorporated into the mail list allows for custom sorting. Depending on the sort selected (Date, Conversation, From, To, Size, Subject, Type, Attachments or Importance), the list supports "typedown search" meaning that you can type the first few letters of the "From" name or "Subject" and the list will scroll to that entry.

- Oh, and let's hear it for our new Conversation View: hooray! Almost as good as a thread compressor (almost):

Search

In the Mail module, Search is shown as one field above the mail list that will search across the currently selected folder or user-selected location provided by a drop-down menu. Search scoping choices include: selected folder, selected and subfolders, or all folders and items:

To initiate a search, simply type in the Search field and either press enter or click the Search icon. Hmmm, just like Google. To Clear the Search, press the Clear icon that appears in place of the Search icon after searching or click away to a different folder or module. Search is also included for Contacts, Tasks and the Address Book.

Calendar

The Calendar has been completely redesigned with tons of added functionality and visuals:

- New calendar views for daily, weekly, and work week including a new Reading Pane preview available for all views so you don't have to double click to open an appointment to see the full details

- New visuals with transparency during drag and drop actions and colored free/busy status indicators
- Enhanced Date Picker with current date selection and view settings reflected for daily, weekly, work week
- Improved, integrated date-based navigation including next and previous buttons and hourly timestrip with "now" indicator:

- In-place "Create New Calendar" function for multiple calendar management
- Double-click to create a new appointment at the desired time on the calendar surface
- "Smart" scheduling with integrated free/busy status indicators for each meeting invitee, meeting time and room suggestions, and a room picker with most recently used menu for frequently used meeting locations. No more convoluted searching for rooms!

Options

New Options page format, separated into sections for each feature area. Some new features here include:

- An enhanced Out of Office Assistant that allows you to create messages, set your Out of Office for a specific period of time in the future (this is great, because you can set it up in advance and you don't have to remember to turn it off):

- You also get to choose if you want to send a different message to external recipients. We also have new Out of Office notifications to remind you that you have this feature turned on, or turned on for a specific timeframe:

- Change Password
- Mobile Device Options provide access to active devices through Exchange. You can view your last sync time, access your password or initiate a remote data wipe to protect your information if you leave your phone in a taxi (oops!)
- Voice Mail and telephone access settings:

- About Outlook Web Access: Troubleshooting and product support information helps pinpoint potential problems

These are only some of the best Beta 1 features. Wondering about colors and flags? Junk e-mail management? Document access? Stay tuned for more new OWA features coming this summer, in Beta 2.

From all of us on the OWA team:

We hope you enjoy Exchange 12!

- DJ Schwend

Ask and ye shall receive, mateys!

As we announced in July, we are always looking for new ways to make your work easier - especially when your work involves ending PST proliferation. Today, we are happy to announce that PST Capture is now available as a free download.

PST Capture helps you search your network to discover and then import .pst files across your environment - all from a straightforward admin-driven tool. PST Capture will help reduce risk while increasing productivity for your users by importing .pst files into Exchange Online or Exchange Server 2010 - directly into users' primary mailboxes or archives.

In addition to all the positive feedback you have given us regarding the Archiving, Retention, Legal Hold and Discovery capabilities of Exchange, you made it clear that PST import is an important area for us to focus on moving forward. As we looked at the best ways to address this challenging need, we saw the great work that ISV partner, Red Gate, has done with their stellar solution. We determined that acquiring this product from Red Gate as a starting point was the best strategy to ensuring a quality product for you.

We put Red Gate’s tool through further feature development and a rigorous testing process that included beta testing with customers, passing through our internal product security gates, and overall quality assurance. It’s now ready for prime time and available as a free download here! For even more insight, watch the video below

And thus, we offer you PST Captarrrrrrrrrgh - or PST Capture, for those more refined than I.

As always, keep the feedback coming!

Ankur Kothari

Red Gate creates ingeniously simple software tools used by more than 500,000 IT professionals worldwide. The company works to uplift the market it serves through free web community sites, technical publications and conference sponsorships that reach millions annually.

Update 7/14/11: When contacting Microsoft Customer Support to obtain the Interim Update, you can reference KB 2581545 (please note that the article will be available at a later date on support.microsoft.com).
7/27/2011: Exchange 2010 SP1 RU4 has been re-released. See Announcing the re-release of Exchange 2010 SP1 Rollup 4. We also provide more details on what actually happened and what improvements we're making to prevent this in the future, in An Update on Exchange Server 2010 SP1 Rollup Update 4.

We have discovered an issue impacting some customers who have installed Exchange 2010 SP1 RU4 into their Exchange environment and as a result have removed SP1 RU4 from Download Center and recommend customers do not proceed with any planned deployments of SP1 RU4.

A small number of customers have reported when the Outlook client is used to move or copy a folder that subfolders and content for the moved folder are deleted. After investigation we have determined that the folder and item contents do not appear in the destination folder as expected but may be recovered from the Recoverable Items folder (what was previously known as Dumpster in older versions of Exchange) from the original folder. This behavior occurs due to a customer requested change in SP1 RU4 which allowed deleted Public Folders to be recovered. Outlook and Exchange are not correctly processing the folder move and copy operations causing the folder contents to appear to be deleted. OWA and Exchange Web Services clients are not affected by this change and process the folder move or copy actions correctly.

We will be providing a fix in Exchange 2010 SP1 RU5, scheduled for release in August, which prevents the content loss in the target location during the move/copy process. In addition, we are also working with the Outlook development team to examine their code for proper behavior and identify if a fix is necessary from the client. If you have already deployed SP1 RU4, we recommend obtaining an Interim Update that resolves this issue.

If you are a customer seeing this issue or would like to receive the Interim Update, please contact Microsoft Customer Support.  When contacting Microsoft Customer Support, you can reference KB 2581545 (please note that this article will be available at a later date on support.microsoft.com).  When installing the Interim Update, you need to install this on all Client Access and Mailbox servers that have SP1 RU4 installed.

We are commencing an internal review of our processes to determine how we can best prevent issues such as this one arising in future.

Once again, on behalf of the Exchange Product Group, I want to thank you for the patience you continue to show us while we work through these issues. We deeply regret the impact that this issue has had on you, our customers, and as always, we continue to identify ways to better serve your needs through our regular servicing releases.

Kevin Allison
General Manager, Exchange Customer Experience

EDIT 8/22/2008: We have updated the troubleshooting section.

Download information for Update Rollup 3 for Exchange 2007 SP1

The update is live at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=63E7F26C-92A8-4264-882D-F96B348C96AB&displaylang=en

Related KB article:
http://support.microsoft.com/?kbid=949870

Download information for Update Rollup 7 for Exchange 2007 RTM

The update is live at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=086A2A13-A1DE-4B1D-BD12-B148BFD2DAFA&displaylang=en

Related KB article:
http://support.microsoft.com/?kbid=953469

The above update Rollups will also be released to Microsoft update.

Fixes for security issue detailed in MS08-039

A security issue has been identified in Exchange Server 2007 as documented in http://www.microsoft.com/technet/security/bulletin/MS08-039.mspx.

• Customers running Exchange Server 2007 RTM need to apply Update Rollup 7 for Exchange 2007 RTM to address the security issue.
• Customers running Exchange Server 2007 SP1 need to apply Update Rollup 3 for Exchange 2007 SP1 to address the security issue.

Rollup installation troubleshooting

Seeing that those Rollups contain security fixes, we expect that a lot of people will be applying them. There are a few possible issues that we would like you to be aware of:

• Exchange 2007 managed services might time out during certificate revocation checks
• During the installation of the Rollup, you might encounter a message that you have to wait until the disk space calculation is completed. This message will clear by itself and then you will be able to proceed further. We will permanently resolve this in the future.
• When installing a Rollup, we recommend you use the same account that you used to install Exchange Server. If you are using a different account, that account needs to have Local Administrator rights as well as rights to read Active Directory on Exchange object as well as server level (as the update needs to determine which roles are installed on the server). Not having required permissions can lead to OWA not being updated correctly and displaying a blank page after update has completed.
• If you have modified the logon.aspx file, it will not be patched by the Update Rollup installer. As a result Outlook Web Access may not be updated correctly and it may display a blank page after the update has finished. In order to avoid this problem, rename the logon.aspx file before applying the update rollup. After you apply an update rollup package, you must re-create Outlook Web Access customization in logon.aspx.

- Nino Bilic

Share this post :

It certainly has been an exciting couple of months with the UC Launch and hearing a lot of great feedback and excitement from customers and press about the work we've done in Exchange Server 2007 Service Pack 1 (SP1).  Today we are announcing the release of SP1 to the web for existing Exchange Server 2007 customers and the update of our trial package for customers looking at deploying Exchange Server 2007 for the first time. 

I would like to thank our Technical Adoption Program (TAP) customers who have really shaped this release through their early deployments of Exchange Server 2007.  It was their feedback and participation in the SP 1 TAP that has driven most of the features in this release.  In a meeting with our TAP customers earlier in the week we asked them if SP1 was ready to ship; I would like to share with you a few of comments from that meeting:

"With the additional enhancements contained in SP1, Exchange Server 2007 is a "must have" for all organizations, large or small.  The enhancements (and there are many) we are most excited about revolve around an improved Site Resiliency Solution with the inclusion of Standby Continuous Replication and the continuous improvements to Outlook Web Access." - Gary Cooper, Horizons Consulting

"I've been really excited about some of the UI enhancements (especially bulk mailbox creation), but for my customers the OWA features have taken the cake! The return of Public Folder access, a monthly calendar view, and the ability to work with Personal DL's produced cheers from the troops.  The ability to recover deleted items as well as a great deal of added right-click functionality was also a big plus - we can now offer our staff and students truly robust access to their Exchange resources... anytime, anywhere!" - Sarah Windsor, Tracy Unified School District

"Exchange Server 2007 was a significant step forward for Exchange, raising the bar for performance, stability and scalability and allowing HP to consolidate our 260,000+ mailboxes from over 100 locations to 3 and reduce the number of Exchange servers by two thirds. Exchange Server 2007 Service Pack 1 rounds out the enterprise features of Exchange Server 2007 with even better management, improved support for our Windows Mobile devices and takes disaster recovery and fault tolerance to a new level." - Stan Foster, HP Technology Solutions Group

"Kudos to the Exchange team for this landmark release, which has more new features and functionality than any other service pack ever. The Exchange ActiveSync experience has been wonderful, and so has OWA. Most of all, the High Availability improvements and addition of SCR make SP1 a hard-to-resist release. Participating in E12 and E12 SP1 TAP programs was a great opportunity to work with a very customer-focused product team - you guys rock! This is also one of the best documented releases of Exchange Server, and given the mind-boggling amount of information covered in the documentation, that's no small feat. Congratulations to the UE team for that!" - Bharat Suneja (Exchange MVP), Zenprise

For those of you who have deployed Exchange Server 2007 and are ready to apply SP1 you can go out and download the bits here. Please read the Release Notes located here.

If you are ready to try out Exchange Server 2007 SP1 you can download the trial here.  As this service pack is slipstreamed you can install Exchange Server 2007 SP1 without installing Exchange Server 2007; so there is no need to download the Exchange Server 2007 trial first.

- The Exchange team

Share this post :

The Exchange Team would like to get your feedback on use of Exmerge in Exchange 2003, to make sure that we are focusing on right things in our next release. There are a few questions we have on the subject:

-          What are the scenarios where you use Exmerge with your Exchange 2003 servers now? (Note that we specified here "Exchange 2003" because some new features in Exchange 2003 – like a Recovery Storage Group for example – do not require use of Exmerge on Exchange 2003 servers anymore while this was required on earlier versions of Exchange)

-          Which of those are the most critical to you?

-          What are the scenarios where you do a bulk PST import / export operations using Exmerge? How often do you do this? Do you script it?

Please let us know by posting comments on this blog post.

Thank you!

- The Exchange Team

This is a heads up that Update Rollup 6 for Exchange Server 2007 SP1 should be out on Tuesday February 10, 2009. As you can see the rollup release date coincides with the day Microsoft issues security patches. No points for guessing that this rollup contains a fix for a security issue. This patch has been assigned a severity rating of critical in Microsoft Security Bulletin Advance Notification for February 2009. As such customers should plan to apply this update rollup to ensure their Exchange Servers are protected.

In addition to the security issues, we have included a change which will allow Internet Explorer 8 to be used for Outlook Web Access 2007. However, this does not include the Outlook Web Access 2007 S/MIME control. We are still working on some changes in the control to make it work better with Internet Explorer 8. Look for an updated version of the S/MIME control in a future rollup.

-Ananth Ramanathan

Like Exchange 2007 Service Pack 1, Exchange 2007 Service Pack 2 is a slip-streamed version.

Exchange 2007 Service Pack 2 introduces several new features, but in order to utilize Exchange 2007 SP2, you must perform the following steps:

1. Extend the Schema
2. Prepare Active Directory
3. Install Windows Installer 4.5
4. Uninstall Interim Updates

Extend the Schema

In order to deploy Exchange 2007 SP2, you must first extend the schema. Depending on your environment's configuration, one of the following scenarios will happen:

• If your Active Directory environment currently does not have any Exchange Server version deployed, then when you extend the schema, the schema changes included with Exchange 2000 through Exchange 2010 will be deployed in your environment.
• If your Active Directory environment is currently Exchange 2000 and you are upgrading to Exchange 2007, then when you extend the schema, the schema changes included with Exchange 2003 through Exchange 2010 will be deployed in your environment.
• If your Active Directory environment is currently Exchange 2003 and you are upgrading to Exchange 2007, then when you extend the schema, the schema changes included with Exchange 2007 through Exchange 2010 will be deployed in your environment.
• If your Active Directory environment is currently Exchange 2007 and you are upgrading to Exchange 2007 SP2, then when you extend the schema, the Exchange 2010 schema changes will be deployed in your environment.

Question 1: Why is Exchange 2010 listed above?

For those of you that haven't been keeping abreast of the work we are doing in Exchange 2010, Exchange 2007 SP2 is required for coexistence with Exchange 2010. This enables support for coexistence like ensuring Exchange 2010 mailbox Autodiscover requests that are received by CAS2007 are redirected to the appropriate CAS2010 and enabling ActiveSync proxy support between CAS2010 and CAS2007.

Therefore, to minimize the number of times you have to perform a schema extension, we decided to include the Exchange 2010 RTM schema. For those of you that are planning to upgrade your Exchange 2007 environments to Exchange 2010, this will reduce the number of schema extensions you have to perform. Once you extend the schema with Exchange 2007 SP2, you will not have to extend the schema with Exchange 2010 RTM.

However there are direct benefits with deploying the Exchange 2010 schema with Exchange 2007 SP2. One of the new features in Exchange 2007 SP2 is the ability for administrators to control certain settings at the organization level that originally were configured via configuration files; the schema changes have enabled us to move some of these settings now into AD. Expect to hear more about this in a future blog post.

Question 2: How do I extend the schema?

In order to extend the schema you must meet all the pre-requisites:

1. You must be running the Exchange 2007 setup with a domain account that is a member of the Schema Admins and Enterprise Admins security groups.
2. The machine on which you run the Exchange 2007 setup schema extension process must be a member of the same domain and Active Directory site as the Schema Master.
3. The machine on which you run the Exchange 2007 setup schema extension process must be:

a. Windows Server 2003 SP2 with Windows Installer 4.5 installed
b. Windows Server 2008 with Windows Installer 4.5 installed
c. Windows Server 2008 SP2

To extend the schema, you simply run this command from an administrative command line:

setup /PrepareSchema

Prepare Active Directory

In order to support the new Role Based Access Control (RBAC) model in Exchange 2010, a new security group was created, the Exchange Trusted Subsystem (ETS). The ETS is a highly-privileged universal security group (USG) that has read and write access to every Exchange-related object in the Exchange organization. In Exchange 2010 all Remote Powershell actions are run under the context of a CAS which is a member of the Exchange Trusted Subsystem. This means that for any action that acts against a local server resource, for example in enumerating the IIS virtual directories, to succeed the Exchange Trusted SubSystem needs sufficient rights to view or manipulate those local resources depending on the action.

In order to support coexistence with Exchange 2010, Exchange 2007 SP2 creates this security group in the Microsoft Exchange Security Groups organization unit during the AD preparation setup phase. This group is then added to the Exchange 2007 server's local administrators group during the installation of the SP2 binaries.

Question: How do I prepare Active Directory?

In order to prepare Active Directory you must meet all the pre-requisites:

1. You must be running the Exchange 2007 setup with a domain account that is a member of the Enterprise Admins security group.
2. The machine on which you run the Exchange 2007 setup schema extension process must be a member of the same domain and Active Directory site as the Schema Master.
3. The machine on which you run the Exchange 2007 setup schema extension process must be:

a. Windows Server 2003 SP2 with Windows Installer 4.5 installed
b. Windows Server 2008 with Windows Installer 4.5 installed
c. Windows Server 2008 SP2

To extend the schema, you simply run this command from an administrative command line:

setup /PrepareAD

Install Windows Installer 4.5

Microsoft Windows Installer is a component of the Windows operating system. Windows Installer provides a standard foundation for installing and uninstalling software. Software manufacturers can create the setup of their products to use Windows Installer to help make software installation, maintenance, and uninstallation straightforward and easy. For more information, please see http://msdn.microsoft.com/en-us/library/cc185688(VS.85).aspx.

The Exchange 2007 and Exchange 2010 setup engine is an example of a product that leverages Windows Installer. Specifically we have a setup wrapper that launches and installs the product via an MSI file. Windows Installer also allows us to patch via MSP files.

However, several of our customers have experienced an issue due to Windows Installer and the way rollups are applied. Essentially the following could happen:

1. You installed Exchange 2007 SP1 on a machine that does not have Windows Installer 4.5.
2. You removed the setup media or disconnected the network share.
3. You then applied SP1 RU4v1.
4. You then uninstall SP1 RU4v1.
5. During the uninstall you are now prompted for the source media (Exchange 2007 SP1).

This scenario was a result of a bug in the Installer setup experience, where if we ship a non-versioned file with a companion file in the main product setup MSI file (so in the Exchange 2007 SP1 media) and then and we patch the non-versioned file for the first time (so in the SP1 RU4v1 patch) then the uninstall of the patch prompts for original install media (because MSI has a bug where it does not make a backup of the non-versioned file when installing the patch). An example of a non-versioned file is the logon.aspx file for the forms-based authentication page in Outlook Web Access.

Question: How do I install Windows Installer 4.5?

For Windows Server 2003 SP2, Windows Vista SP1, and Windows Server 2008 RTM, to install Windows installer 4.5 you need to download the appropriate version from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5a58b56f-60b6-4412-95b9-54d056d6f9f4.

Please note that if you are running Windows Vista SP2 or Windows Server 2008 SP2, Windows Installer 4.5 is already included.

Uninstall Interim Updates

Beginning with Exchange 2007, Sustained Engineering moved to model where we release public rollups on a routine basis as opposed to building individual hot-fixes that may or may not be publically accessible. This allows customers to get the latest code base fixes directly from Microsoft.com without requiring numerous hot-fixes to be up to date.

However, sometimes customers do experience issues that require them to run what we have termed an Interim Update because they cannot wait for the rollup to be released that contains the fix. Customers can obtain the Interim Update from Microsoft Support and deploy it to resolve their issue. Because it is an Interim Update, it does have certain requirements - they require a certain version of a rollup / service pack and due to our rollup architecture, Interim Updates must be uninstalled prior to installing the next rollup or service pack.

Conclusion

Hopefully the information included above will prepare you in upgrading to Exchange 2007 Service Pack 2. If you have any questions, please let us know.

-- Ross Smith IV

Today the Exchange team released security bulletin MS13-105. Updates are being made available for the following versions of Exchange Server:

• Exchange Server 2007 SP3
• Exchange Server 2010 SP2
• Exchange Server 2010 SP3
• Exchange Server 2013 CU2
• Exchange Server 2013 CU3

Customers who are not running one of these versions will need to upgrade to an appropriate version in order to receive the update.

Security bulletin MS13-105 contains details about the issues resolved, including download links.

For Exchange Server 2007/2010 customers, the update is being delivered via an Update Rollup per standard practice. Due to the timing of the release of our most recent Update Rollups, the only difference between the previously released Update Rollup and the Security Update Rollup released today is the inclusion of the security updates identified in MS13-105. We did not include updates for any other customer reported issues in these packages to ease their adoption.

For Exchange Server 2013 customers, security updates are always delivered as discrete updates and contain no other updates. Security updates for Exchange 2013 are cumulative in nature based upon a given Cumulative Update. This means customers who are running CU2 who have not deployed MS13-061 can move straight to the MS13-105 update because it will contain both security updates. Customers who are already running MS13-061 on CU2 may install MS13-105 on top of MS13-061 without removing the previous security update. If MS13-061 was previously deployed, Add/Remove Programs will indicate that both updates are installed. If MS13-061 was not previously deployed, only MS13-105 will appear in Add/Remove Programs.

These updates are being made available via Microsoft Update and on the Microsoft Download Center.

Exchange Team

Exchange Server 2003 fits on a single CD. For Exchange 12, which is expected to be released in the second half of 2006, the disk space consumption for a full install of the product is much larger than previous versions, because of certain features that use a lot of disk space across multiple languages. So because of that and because we've heard complaints from customers who didn't like multiple-CD installs of other server products, we are evaluating shipping the Exchange12 bits on a single DVD instead of multiple CDs.

We're aware that DVD drives are not as common in server hardware as they are in consumer and end user systems, but we're trying to get some feedback to understand how our customers feel about the idea of having a DVD for Exchange instead of multiple CDs. Here are some specific questions that we'd appreciate your answers to:

• In your Exchange server environment today, do you currently have a DVD drive available - such as on a machine reachable over the network from your server, or a USB DVD drive - from which you can install server software?
• Thinking about your Exchange environment in late 2006, do you expect to have a DVD drive available from which you can install server software at that time?
• Would you see Exchange shipping on one DVD (as opposed to multiple CDs) as a convenience or a hassle? If a hassle, do you have a "threshold point" for where a single DVD becomes more attractive than multiple CDs? I.e. is it 3 CDs? 4?
• Do you have any other comments on DVD or CD media for server software?

Please post your thoughts on this as comments to this post!

- KC Lemson

There has been a lot of speculation about the iPhone and its abilities to connect to Microsoft Exchange Server. For instance, Wall Street Journal columnist Walt Mossberg mentions in his June 26 All Things Digital column that, "It [the iPhone] can also handle corporate email using Microsoft's Exchange system, if your IT department cooperates by enabling a setting on the server."

Technically this is correct, as today iPhone users can connect to Microsoft Exchange using IMAP.  There are, however, some significant differences in the mobile device experience and IT professional capabilities supported by IMAP on the iPhone and those enabled by Exchange ActiveSync (EAS) for compatible devices.  EAS is a protocol that provides rich messaging experiences for over 200 different smartphones right out of the box.  These smartphones include Windows Mobile devices as well as phones from a broad range of 3^rd parties including Helio, Motorola, Nokia, Palm, Sony Ericsson and others.

Comparing IMAP and EAS at a high level: IMAP provides an adequate mobile email experience (but is subject to some important limitations), whereas EAS provides a more secure, complete companion experience to Outlook and Outlook Web Access (OWA) for the mobile device.  To better understand this comparison, let's look at IMAP on the iPhone and EAS in a bit more detail from several perspectives:

1. Mobile email
2. The mobile experience beyond email
3. Security

IMAP enables an adequate mobile email experience; EAS enables the additional pieces that make mobile email great

Both IMAP and EAS give the mobile client the capability to read email with rich html formatting, and view their inbox as well as subfolders of their inbox and reply/reply-all/forward/compose email (technically, the iPhone uses SMTP to send email.  SMTP for outbound email is configured along during IMAP/Exchange account setup on the device).

EAS also supports capabilities for:

• Direct Push, which provides an up-to-date messaging experience designed for mobile networks
• Email flagging to improve the triage experience on the device
• AutoDiscover to simplify the process of setting up a new device over-the-air
• Server-side logic to preserve the formatting of rich email on reply/forward if the mobile client doesn't support rich html editing (most don't)
• Numerous bandwidth optimizations to reduce data charges and improve battery life

EAS enables a rich collaboration experience beyond email

A significant part of the Exchange user experience goes beyond email.  The IMAP protocol only supports email.  EAS is designed to enable a great over-the-air companion experience to Outlook and OWA and supports many facets of Exchange beyond email, including:

• Contact synchronization - view, create and update contacts
• Calendar synchronization - view, create & update appointments, schedule meetings, and accept/decline/propose new time for meeting requests
• Global Address List (GAL) lookup - look-up users in your corporate directory
• Tasks synchronization
• Out-of-office (OOF) email responses - turn on/off and change the OOF message directly from your mobile phone
• Access to documents stored in Sharepoint document libraries and UNC shares
• Search your entire mailbox on the server regardless of what's cached on the mobile phone
• Allowing users to manage their mobile device(s) using OWA - see device activity, help retrieve forgotten PIN, remotely wipe lost device, etc

EAS and IMAP both secure data on the network; EAS also protects data once it's on the device

From an IT department's perspective, this is a highly important distinction between IMAP and EAS. 

Both IMAP and EAS allow IT to ensure data and credentials are protected on the network by encrypting them via SSL.   

Many IT departments require support for additional security measures to protect data on the device as well (not just over the network) to guard against loss or theft before they are willing to let users connect to Exchange from the Internet using a given protocol.  Only EAS addresses this requirement by enabling IT to implement and enforce security policies that protect the data once it's on the device. There are a number of these policies supported by EAS today and we continue to add more, some key examples are:

• Requiring a PIN lock on the device
  • IT also has a number of controls dictating the strength of the PIN, timeout, etc. as well as the ability to recover forgotten PINs
• Local and Remote Wipe
  • IT can require that the device erases all data (including data on the SD card) in the event that (1) the PIN is incorrectly entered an IT-specified number of times or (2) IT or the user issues a remote wipe command from the admin console or OWA.
• Blocking attachment download to the device
• Limiting which Sharepoint libraries / UNC shares the user can access

Because IMAP does not support these security policies, many IT departments have decided not to enable mobile device (or any Internet client) access to email via IMAP. EAS on the other hand is seeing increasingly broad adoption by IT departments.

Summary

Microsoft Exchange does have IMAP support that provides for an adequate email experience. The iPhone can access email via IMAP if the IT department has enabled IMAP connectivity for users.  However, IMAP has limitations from both an IT and user standpoint with respect to security and richness of experience that prevent it from being a complete solution for mobile device access to Microsoft Exchange. 

Exchange ActiveSync on the other hand provides a very rich email and collaboration experience for end-users as well as support for the important security measures needed for IT.

* All were tested using Exchange Server 2007

We have some great news - today, Exchange Server 2007 Service Pack 1 Beta 2 is available as a community technology preview.  This is a great milestone for the product and the team and builds on the great work we did in Exchange 2007.  We are distributing the release through MSDN and TechNet Plus subscriptions.

We've added many enhancements to SP1 Beta 2, including:

• Standby Continuous Replication – Now Exchange's built-in log file shipping can be used to keep a standby server up-to-date.  This is great for organizations who need to quickly recover from datacenter-level failures, such as those caused by power failures or natural disasters. 
• Office Communications Server 2007 integration - Certain OCS 2007 and Office Communicator 2007 qualified devices will work with Exchange Server 2007 for added functionality like a new message indicator that shows when a user has new voice mail messages waiting in their inbox.  Now you can also use your Office Communicator 2007 client to call Outlook Voice Access directly without the need to enter an access number, extension, or pin as it uses your Communicator credentials to authenticate.
• Windows Server 2008 support - Exchange now runs on Windows Server 2003 SP2 and Windows Server 2008.  The update also allows Exchange Server 2007 management tools to run on Windows Vista and Windows Server 2008.  Among other benefits, Windows Server 2008 clustering will make it easier for companies to deploy geographically dispersed Exchange Server clusters.
• Exchange ActiveSync Policies - New policies in SP1 build on Exchange Server 2007's security and management features with new policies for synchronization, authentication, and encryption.  For more advanced data protection needs, Exchange Server 2007 SP1 also offers device, network, and application controls.  These new features allow network administrators to help manage and secure Exchange ActiveSync enabled mobile devices.

Overall, these features should add up to greater security, easier management, and advanced mobility tools for our customers.  You can check out a full list of the features included in SP1 Beta 2 here.

At Microsoft, we are now running Exchange Server 2007 SP1 Beta 2 with over 60,000 users.  I hope many of you decide to try this release and give us feedback.  As always, we're eager to hear from you!  Please remember that Exchange Server 2007 SP1 Beta 2 is for lab use only.

Thank you for choosing Exchange!

- Terry Myerson

CALL TO ACTION

A change in Exchange permissioning behavior may impact mobile communications and other add-on applications for Exchange. Shared and resource mailboxes may also be affected.  By evaluating in advance whether this change will impact your environment, you can take simple remediation steps to ensure that installation of a new Exchange update will not impact critical services. A script is available to help you identify accounts and applications in your environment that may be affected.

EXECUTIVE SUMMARY

A change has been made in how the "Send As" permission works in Microsoft Exchange. In the past, additional accounts could be granted the "Full Mailbox Access" permission to a mailbox and these accounts could then send mail as the mailbox owner. From now on, the "Send As" permission must be explicitly granted to additional accounts or they will not be able to send mail as the mailbox owner.

This change can affect add-on services that have relied on "Full Mailbox Access" alone for impersonating users to send messages on their behalf. For example, the user of a mobile email device may compose a message on the device. This message is transmitted to the mobile access service, which logs on to Exchange and sends the message as the user.

New rollups and service packs for both Exchange 2000 and Exchange 2003 will include this change, as will all updates and hotfixes for the Exchange Information Store service (store.exe).

The change was made several months ago and has been documented in Microsoft Knowledge Base Article 912918. However, many administrators have been caught by surprise after downloading an Exchange store update for a different issue. Therefore, the Knowledge Base article has been rewritten to more fully explain the change, and Microsoft will be publicizing the article widely, both internally and externally. A sample script has been added to the article that shows administrators how to quickly identify affected accounts and to correct their permissions, if necessary.

This change in permissions behavior will not keep Exchange mailbox owners from sending mail when logged on as themselves. But it may keep them from sending from a mobile device that impersonates them, or affect other applications or users who send mail as them. This change also does not affect "cross-forest," "resource forest" or mixed Exchange 5.5 and Exchange 2000/2003 installations.

Nonetheless, running the script right now is a good idea, both to get familiar with how it works, and to find out whether you have affected accounts you don't know about. You may have created resource or other shared mailboxes and forgotten to grant "Send As." Or you may be running scripts and applications that do not grant "Send As" when they should.

The script for finding affected accounts and granting them the right permissions  is available from this link:

http://support.microsoft.com/kb/912918

FREQUENTLY ASKED QUESTIONS

WHY DID YOU MAKE THIS CHANGE IF IT BREAKS SOME APPLICATIONS?

The change was implemented because of multiple requests from customers, and it provides additional security functionality in several scenarios. For example, consider a disaster recovery situation where an Exchange administrator needs full access to all mailboxes in a database in order to merge or salvage mailbox contents. Before, you could not grant such access without also giving the administrator the ability to send as any user in the database.

Correcting problems created by the change is straightforward--just go to the mailbox owner account and grant the "Send As" permission to the account that needs to send as that mailbox.

The old behavior was confusing too. An administrator might explicitly deny "Send As" rights and the Deny would have no effect when an account had "Full Mailbox Access". The way it works now is easier to understand and administer.

IS THERE A REGISTRY KEY OR SOME OTHER WAY TO OVERRIDE THE NEW BEHAVIOR UNTIL I'M READY FOR IT?

No, there is not. Providing a registry key or other override was considered and rejected because it would allow temporarily overriding the enhanced security whenever someone wanted to.

Something to remember is that this change applies only to additional accounts that are granted "Full Mailbox Access." If you are the mailbox owner, you don't need additional "Send As" permission. In cross-forest or Windows NT 4 mixed domain scenarios, the "Associated External Account" is treated like the mailbox owner, and so is a delegate who has been granted "Full Mailbox Access." Microsoft Knowledge Base article 912918 discusses each of these scenarios and exceptions in detail.

WHAT EXACTLY DOES THE SCRIPT DO?

The script is pretty simple. It works on one Active Directory domain at a time. In its Export mode it finds all accounts in the domain that have "Full Mailbox Access" to a particular mailbox, but don't also have "Send As." It ignores accounts that already have both permissions. So the output file only contains accounts that might have a problem.

The Export file is tab-delimited. You can sort it and edit it in Notepad or Excel, and then feed the file right back into the script to grant "Send As" in bulk for all accounts listed in the file.

Full documentation and tips on using the script are included in the Knowledge Base article.

ARE THERE OTHER WAYS OF CORRECTING THE PROBLEM WITHOUT USING THE SCRIPT?

You can use the Active Directory Users & Computers console to set permissions on individual accounts. You can also grant "Send As" for all objects in a domain or container, and thus have the permission take effect by inheritance.  

WHERE DO I GO FOR MORE INFORMATION?

Microsoft KnowledgeBase article 912918 is the place to start. It includes the script and the details about how all of this works - including information about Outlook delegation scenarios. To really dig in to how Exchange permissions work, settle in with these white papers:

Working with Active Directory Permissions in Exchange Server 2003

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3ad.mspx

Working with Store Permissions in Microsoft Exchange 2000 and 2003

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/storperm.mspx

EDIT: Wanted to let you know that the security bulletin, the KB article pointing to the security bulletin and article 912918 were all updated to answer some of the questions that were coming up on this issue. If you had some remaining questions, please check those again.

- Mike Lee

Update 7/13/2011: Exchange 2010 SP1 RU4 has been removed. See Exchange 2010 SP1 RU4 Removed from Download Center for details.

Earlier today the Exchange CXP team released Update Rollup 4 for Exchange Server 2010 SP1to the Download Center.

This update contains a number of customer-reported and internally found issues since the release of RU1. See 'KB 2509910: Description of Update Rollup 4 for Exchange Server 2010 Service Pack 1' for more details. In particular we would like to specifically call out the following fixes which are included in this release:

• 2519359Unable to Create a 'Reply With' Rule on Public Folders Even With Owner and Send As Permissions
• 2394554Generating DSN fails if original mail uses non-support encoding charset.
• 2490134 Outlook 2007 does not deliver "Delayed Delivery" Messages against an Exchange 2010 Server in Online mode with any additional Transport loaded in the Outlook Profile

Some of the above KnowledgeBase articles are not replicated/live at the time of writing this post. Please check back later in the day if you can't reach them.

Update Rollup 5 for Exchange Server 2010 Service Pack 1 is currently scheduled to release in August 2011.

General Notes

Note for Exchange 2010 Customers using the Arabic and Hebrew language version: We introduced two new languages with the release of Service Pack 1, Arabic and Hebrew. At present we are working through the process of modifying our installers to incorporate these two languages. Customers running either of the two language versions affected are advised to download and install the English language version of the rollup which contains all of the same fixes.

Note for Forefront users: For those of you running Forefront Security for Exchange, be sure you perform these important steps from the command line in the Forefront directory before and after this rollup's installation process. Without these steps, Exchange services for Information Store and Transport will not start after you apply this update. Before installing the update, disable ForeFront by using this command: fscutility /disable. After installing the update, re-enable ForeFront by running fscutility /enable.

Kevin Bellinger

Earlier today the Exchange CXP team released Update Rollup 5 for Exchange Server 2010 SP1 to the Download Center.

This update contains a number of customer-reported and internally found issues since the release of SP1. See 'KB 2582113: Description of Update Rollup 5 for Exchange Server 2010 Service Pack 1' for more details.

We want to let you know this rollup contains the Exchange 2010 SP1 version of the change described in this KB article:

2543879 PDF attachment from a Mac Mail client is not displayed when you use Outlook 2010 to open the email message in an Exchange Server 2007 SP3 environment

We are happy to announce that Exchange 2010 is Code Complete!  Our senior leadership team has signed off on the final code, and it has been sent to our early adopters for one final look before its public release. This Release to Manufacturing (RTM) milestone means we are on our way to general availability and the launch at Tech·Ed Europe 2009 (http://www.microsoft.com/europe/teched/) in early November.

For those of you attending Tech·Ed in Berlin this year, be sure to check out the Unified Communications track, which is packed with technical content on Exchange 2010. And be sure to visit us at the Exchange product booth in the Exhibition Hall and let us know what you think of the product. Crystal Flores, who interviewed some of you on video at Tech·Ed North America earlier this year, will be on-hand in Berlin in a few weeks, armed with a camera and interview questions.  A group of us are also marching to Las Vegas for Exchange Connections the same week where our fearless leader Rajesh is giving the keynote.

We hope to see you in Berlin or Vegas, but if you can't join us in person, tune in via the Web (www.thenewefficiency.com) to be part of the launch.

- The Exchange Team

Earlier today the Exchange CXP team released Update Rollup 6 for Exchange Server 2010 SP1 to the Download Center.

This update contains a number of customer-reported and internally found issues since the release of SP1. See 'KB 2608646: Description of Update Rollup 6 for Exchange Server 2010 Service Pack 1' for more details.

This update contains a number of customer reported and internally found issues since the release of RU5. In particular we would like to specifically call out the following fixes which are included in this release:

• 2627769  Some time zones in OWA are not synchronized with Windows in an Exchange Server 2010 environment
• 2528854  The Microsoft Exchange Mailbox Replication service crashes on a computer that has Exchange Server 2010 SP1 installed
• 2544246 You receive a NRN of a meeting request 120 days later after the recipient accepted the request in an Exchange Server 2010 SP1 environment
• 2616127  "0x80041606" error code when you use Outlook in online mode to search for a keyword against a mailbox in an Exchange Server 2010 environment.
• 2549183  "There are no objects to select" message when you try to use the EMC to specify a server to connect to in an Exchange Server 2010 SP1 environment

• For general DST related information please see: http://www.microsoft.com/time

Availability of this update on Microsoft Update is planned for late November.

General Notes

An issue with management of RBAC roles when RU6 is partially deployed in the organization: Due to changes shipped in this update, certain warnings can be displayed when managing RBAC roles, if RU6 is not yet deployed to all servers in the organization. Please see the following KB article for more information:

Managing RBAC roles might display warnings or errors if Exchange 2010 SP1 RU6 is partially deployed in the organization
http://support.microsoft.com/kb/2638351

Note for Forefront users: For those of you running Forefront Protection for Exchange, before installing the update, stop all Forefront services.

Ron Ragsdale