Updates for Exchange 2013
Applies to: Exchange Server 2013
Learn how the update process for Microsoft Exchange Server 2013 has changed. This article also provides links to information about the features and improvements that were included in current and previous releases of Exchange 2013.
With Microsoft Exchange Server 2013, we changed the way we deliver hotfixes and service packs. Instead of the priority-driven hotfix release and rollup update model used by previous versions of Microsoft Exchange, Exchange 2013 now follows a quarterly delivery model to release Cumulative Updates (CUs) that address issues reported by customers. CUs sometimes also add new features and functionality.
Critical product updates are packages that address a Microsoft-released security bulletin or that contain a change in time zone definitions. When in Mainstream Support, critical product updates are released as needed on a monthly basis for the most recently released CU and for the immediately previous CU. When in Extended Support, critical product updates are released as needed on a monthly basis for only the most recently released CU.
To get the latest version of Exchange 2013, download and install Microsoft Exchange Server 2013 Cumulative Update 23. Because each CU is a full installation of Exchange and includes updates and changes from all previous CUs, you don't need to install any previous CUs or service packs first.
For more information about updates as they relate to Exchange 2013, including an extensive FAQ, see Servicing Exchange 2013 and "Servicing Model Update" in Released: Exchange Server 2013 Cumulative Update 2.
The following table contains links to Exchange Team blog posts ("What's New" information) for this and other Exchange 2013 CUs.
For information on how to upgrade to the latest CU after you've downloaded it, see Upgrade Exchange 2013 to the latest cumulative update or service pack.
For information about the new features you'll get when you upgrade to Exchange 2013 from previous versions of Exchange, see What's new in Exchange 2013.
For downloads and updates for other versions of Exchange, see Exchange Server build numbers and release dates.
New features, improvements, and updates included in Exchange 2013 SP1
Windows Server 2012 R2 support
Windows Server 2012 R2 is now a supported operating system in Exchange 2013 SP1. Exchange 2013 SP1 also supports installation in Active Directory environments running Windows Server 2012 R2. For more information, see Exchange 2013 system requirements.
Edge Transport servers return
Edge Transport servers minimize the attack surface by handling all Internet-facing mail flow. They provide SMTP relay and smart host services for your Exchange organization, including connection filtering, attachment filtering and address rewriting. For more information, see Edge Transport servers.
OWA Junk Email Reporting
Outlook Web App customers can report missed spam in the inbox (false negatives) and messages misclassified as spam (false positives) to Microsoft for analysis by using the built-in junk email reporting options. Depending on the results of the analysis, we can then adjust the anti-spam filter rules for our Exchange Online Protection (EOP) service. For more information, see Report junk email and phishing scams in Outlook on the web.
S/MIME for Message Signing and Encryption
Exchange 2013 SP1 now supports S/MIME-based message security with Outlook Web App. Secure/Multipurpose Internet Mail Extensions (S/MIME) allows people to help protect sensitive information by sending signed and encrypted email within their organization. Administrators can enable S/MIME for mailboxes by synchronizing user certificates and then configuring Outlook Web App to support S/MIME. For more information, see S/MIME for message signing and encryption and the Get-SmimeConfig cmdlet reference.
DLP Policy Tips available in the desktop and mobile version of Outlook Web App
Data loss prevention (DLP) Policy Tips are informative notices that are displayed to senders in Outlook when they try sending sensitive information. In Exchange 2013 SP1, this functionality has been extended to both the desktop version of Outlook Web App and the mobile version (named OWA for Devices). You'll see it in action if you have an existing DLP policy with Policy Tips turned on for Outlook. If your policy already includes Policy Tips for Outlook, you don't need to set up anything else. Go ahead and try it out!
Not currently using Policy Tips? To get started, Create a DLP policy from a template, then add a policy tip by editing the policy and adding a Notify the sender with a Policy Tip action.
DLP Classification based on Document Fingerprints
Deep content analysis is a cornerstone of DLP in Exchange. Document Fingerprinting expands this capability to enable you to identify standard forms used in your organization, which may contain sensitive information. For example, you can create a fingerprint based off a blank employee information form, and then detect all employee information forms with sensitive content filled in.
DLP sensitive information types for new regions
Exchange 2013 SP1 provides an expanded set of standard DLP sensitive information types covering an increased set of regions, which makes it easier to start using the DLP features. Exchange 2013 SP1 adds region support for Poland, Finland and Taiwan. To learn more about the new DLP sensitive information types, see What the sensitive information types in Exchange 2013 look for.
Using AD FS claims-based authentication with Outlook Web App and ECP
Deploying and configuring Active Directory Federation Services (AD FS) using claims lets you use multifactor authentication with Exchange 2013 SP1, including smartcard and certificate-based authentication in Outlook Web App. In a nutshell, to implement AD FS to support multifactor authentication:
Install and configure Windows Server 2012 R2 AD FS (this is the most current version of AD FS and contains additional support for multifactor authentication). To learn more about setting up AD FS, see Active Directory Federation Services (AD FS) Overview.
Create relying party trusts and the required AD FS claims.
Publish Outlook Web App through Web Application Proxy (WAP) on Windows Server 2012 R2.
Configure Exchange 2013 to use AD FS authentication.
Configure the Outlook Web App virtual directory to use only AD FS authentication. All other methods of authentication should be disabled.
Restart Internet Information Services on each Client Access server to load the configuration.
For details, see Using AD FS claims-based authentication with Outlook Web App and EAC.
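The Exchange-side steps of the procedure above (configure Exchange to use AD FS, then restrict the virtual directories to AD FS only), followed by a check that no other authentication method is still enabled, as an added example that is not part of the original article. The contoso.com URLs and the thumbprint are placeholders, and AD FS, the relying party trusts and Web Application Proxy are assumed to be in place already.

```powershell
# Run in the Exchange Management Shell on an Exchange 2013 SP1 server.
# Placeholder values (assumptions): replace with your own AD FS and Exchange names.
$adfsIssuer   = 'https://adfs.contoso.com/adfs/ls/'
$audienceUris = 'https://mail.contoso.com/owa/', 'https://mail.contoso.com/ecp/'
$signingThumb = '<AD FS token-signing certificate thumbprint>'

# Point the Exchange organization at the AD FS issuer and the relying party URIs.
Set-OrganizationConfig -AdfsIssuer $adfsIssuer `
    -AdfsAudienceUris $audienceUris `
    -AdfsSignCertificateThumbprint $signingThumb

# AD FS only: every other authentication method is switched off.
$onlyAdfs = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}

# Configure the ECP virtual directories first, then Outlook Web App.
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory @onlyAdfs
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory @onlyAdfs

# Audit: list any virtual directory where AD FS is off or a legacy method is still on.
$legacy = 'BasicAuthentication', 'DigestAuthentication',
          'FormsAuthentication', 'WindowsAuthentication'
$vdirs  = @(Get-EcpVirtualDirectory) + @(Get-OwaVirtualDirectory)

$findings = foreach ($v in $vdirs) {
    $stillOn = @($legacy | Where-Object { $v.$_ })
    if (-not $v.AdfsAuthentication -or $stillOn.Count -gt 0) {
        [pscustomobject]@{
            Server       = $v.Server
            VDir         = $v.Name
            Adfs         = $v.AdfsAuthentication
            StillEnabled = $stillOn -join ', '
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'All OWA and ECP virtual directories accept AD FS authentication only.' }

# Last step of the procedure: restart IIS on each Client Access server, for example:
# iisreset /noforce
```

An empty findings list after the change confirms that no Client Access server was left accepting Basic, Digest, Forms or Windows authentication alongside AD FS.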
SSL Offloading support
SSL offloading is supported for all of the protocols and related services on Exchange 2013 Client Access servers. By enabling SSL offloading, you terminate the incoming SSL connections on a hardware load balancer instead of on the Client Access servers. Using SSL offloading moves the SSL workloads that are CPU and memory intensive from the Client Access server to a hardware load balancer.
SSL offloading is supported with the following protocols and services:
Outlook Web App
Exchange admin center (EAC)
Outlook Anywhere
Offline Address Book (OAB)
Exchange ActiveSync (EAS)
Exchange Web Services (EWS)
Autodiscover
MAPI virtual directory for Outlook clients
If you have multiple Client Access servers, each Client Access server in your organization must be configured identically. You need to perform the required steps for each protocol or service on every Client Access server in your on-premises organization. For details, see Configuring SSL offloading in Exchange 2013.
Public Attachment Handling in Exchange Online
Although there are both private (internal network) and public (external network) settings to control attachments using Outlook Web App mailbox policies, admins require more consistent and reliable attachment handling when a user signs in to Outlook Web App from a computer on a public network such as at a coffee shop or library.
Browser Support for AppCache
Internet Explorer 10 and Windows Store apps using JavaScript support the Application Cache API (or AppCache), as defined in the HTML5 specification, which allows you to create offline web applications. AppCache enables webpages to cache (or save) resources locally, including images, script libraries, style sheets, and so on. In addition, AppCache allows URLs to be served from cached content using standard Uniform Resource Identifier (URI) notation. The following is a list of the browsers that support AppCache:
Internet Explorer 10 or later versions
Google Chrome 24 or later versions
Firefox 23 or later versions
Safari 6 or later versions (only on OS X/iOS)
Exchange OAuth authentication protocol
Information workers in Exchange on-premises organizations need to collaborate with information workers in Exchange Online organizations when they are connected via an Exchange hybrid deployment. New in Exchange 2013 SP1, this connection can now be enabled and enhanced by using the new Exchange OAuth authentication protocol. The new Exchange OAuth authentication process will replace the Exchange federation trust configuration process and currently enables the following Exchange features:
Exchange hybrid deployment features, such as shared free/busy calendar information, MailTips, and Message Tracking.
Exchange In-place eDiscovery.
For more information, see Configure OAuth authentication between Exchange and Exchange Online organizations.
Hybrid deployments with multiple Active Directory forests
New in Exchange 2013 SP1, hybrid deployments are now supported in organizations with multiple Active Directory forests. For hybrid deployment features and considerations, multi-forest organizations are defined as organizations having Exchange servers deployed in multiple Active Directory forests. Organizations that utilize a resource forest for user accounts, but maintain all Exchange servers in a single forest, aren't classified as multi-forest in hybrid deployment scenarios. These types of organizations should consider themselves a single forest organization when planning and configuring a hybrid deployment.
For more information, see Hybrid deployments with multiple forests.
Database Availability Group without an Administrative Access Point
Windows Server 2012 R2 enables you to create a failover cluster without an administrative access point. Exchange 2013 SP1 introduces the ability to leverage this capability and create a database availability group (DAG) without a cluster administrative access point. Creating a DAG without an administrative access point reduces complexity and simplifies DAG management. In addition, it reduces the attack surface of a DAG by removing the cluster/DAG name from DNS, thereby making it unresolvable over the network.
For more information, see High availability and site resilience.
UM Language Packs
The UM language packs for Exchange 2013 SP1 are available. If you install SP1 on your Mailbox servers, you must install the Exchange 2013 SP1 UM language packs. See Exchange Server 2013 SP1 UM Language Packs to download them. UM language packs are specific to the version of Exchange and the Service Pack (SP) installed.