Changes in Exchange Server PowerShell cmdlets and Exchange Admin Center for UNC path inputs (KB5014278)

To prevent misuse of UNC paths by attackers, we are removing parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).

These changes are available in the following latest Exchange Server updates:

Cumulative Update 12 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019

Cumulative Update 23 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016

Changes in Exchange Server cmdlets

Get-AgentTrafficTypeSubscription

TransportService <service>
Server <server UNC path>

Change: The parameter Server that takes the UNC path as input is removed from the cmdlet. This restricts usage to the local server on which the cmdlet is run.

Import-ExchangeCertificate

FileName "<local/UNC path>"
Password <password>

Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To import the certificate that's stored in another UNC path, you must use the FileData parameter, as shown in following example:

Import-ExchangeCertificate

FileData ([Byte[]]$(Get-Content -Path "<local or UNC path>" -Encoding byte))
Password <password>

Export-ExchangeCertificate

Thumbprint <thumbprint>
FileName "<local/UNC path>"
BinaryEncoded
Password <password>

Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To export the certificate to a UNC path, you must use the FileData parameter, as shown in the following example:

$cert = Export-ExchangeCertificate
- Thumbprint <thumbprint>
- Password <password>
- BinaryEncoded
Set-Content -Path "<local or UNC path>" -Value $cert.FileData -Encoding byte

New-ExchangeCertificate

GenerateRequest
RequestFile "<local/UNC path>"
SubjectName "<subject>"
DomainName <domains>

Change: The RequestFile parameter that takes the UNC path as input is removed from the cmdlet. To export the request file to a UNC path, you must use the Set-Content cmdlet, as shown in the following example.

$request = New-ExchangeCertificate
- GenerateRequest
- SubjectName "<subject>"
- DomainName <domains>
Set-Content -Path "<local or UNC path>" -Value $request

Get-CalendarDiagnosticLog

Identity "Jasen Kozma"
Subject "Budget Meeting"
ExactMatch $true
LogLocation "C:\My Documents\Calendar Diagnostic Export"

Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. This restricts the usage to the local server on which the cmdlet is run.

Get-CalendarDiagnosticAnalysis

LogLocation "C:\My Documents\Calendar Diagnostic Export"
OutputAs HTML

| Set-Content -Path <local/UNC path>

Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. You must provide Calendar Diagnostic logs through the CalendarLogs parameter, as shown in the following example:

$calitems = Get-CalendarDiagnosticLog -Identity <mailbox user> -Subject "Budget Meeting"

Get-CalendarDiagnosticAnalysis

CalendarLogs $calitems
OutputAs HTML

| Set-Content -Path <local/UNC path>

Exchange Admin Center changes

Remove UNC path input for storing Virtual Directory settings during reset

When you reset a virtual directory, the Exchange Control Panel (ECP) asks for a UNC path that it can copy the current settings to. This process is changed. ECP will no longer allow any UNC path input here.