
Summary 

Starting in the January 2023 security update (SU) for Microsoft Exchange Server, we introduced a new feature that enables admins to configure certificate-based signing of PowerShell serialization payloads. This feature has to be manually enabled by an Exchange Server admin after the SU is installed on all Exchange-based servers. This article provides the steps to enable certificate-based signing of PowerShell serialization data in Exchange Server.

Prerequisites 

Prerequisites to enable this feature: 

  • Make sure that all Exchange-based servers in your environment have the January 2023 SU or a later SU installed. If you enable this feature before you update all servers, deserialization failures might occur and trigger other issues. 

  • Make sure that a valid Exchange Server auth certificate is configured and available on all Exchange-based servers (except Edge Transport servers) before and after you enable certificate signing.

You can run the MonitorExchangeAuthCertificate.ps1 script to check for a valid auth certificate on Exchange-based servers in your environment. The script also checks whether the auth certificate will expire in less than 60 days, and it can help you to rotate the certificate. For more information about MonitorExchangeAuthCertificate.ps1, see Monitor Exchange AuthCertificate.

To manually check auth certificate availability and validity, see Auth Certificate Availability and Validity. 

We strongly recommend that you use the MonitorExchangeAuthCertificate.ps1 script, because it can also renew an expired auth certificate (or create a new one, if necessary). The script includes a manual execution mode (verify the auth certificate availability only, or verify and take action if necessary). The script also includes an automation mode that works by using Windows Task Scheduler.

Resolution

For servers running Exchange Server 2019 or Exchange Server 2016 (updated to the January 2023 SU or later) 

  1. Run the following cmdlet in Exchange Management Shell (EMS) on a server that's running Exchange Server in your environment: 

    New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true") -Reason "Enabling Signing Verification"

    This cmdlet enables certificate signing of PowerShell serialization payloads on all servers that are running Exchange Server 2019, 2016, or 2013 in your environment. You don't have to run the cmdlet on every server.

  2. Refresh the VariantConfiguration argument by running the following cmdlet:
      
    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh 

  3. To apply the new settings, restart the World Wide Web Publishing service and the Windows Process Activation Service (WAS). To do this, run the following cmdlet: 

    Restart-Service -Name W3SVC, WAS -Force 

    Note: Restart these services on only the Exchange Server-based server on which the settings override cmdlet is run. 
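The following script is an added example (it is not part of this article and not a Microsoft-provided script) that checks the prerequisites above and then confirms that the setting override from step 1 is present. It runs in Exchange Management Shell and uses only standard Exchange cmdlets (Get-AuthConfig, Get-ExchangeServer, Get-ExchangeCertificate, Get-SettingOverride); the function names, the 60-day warning threshold, and the handling of the "no certificate returned" case are assumptions made here. It does not check the installed SU build, so confirm that separately.

```powershell
# Added example, not from the KB article: verify the auth certificate prerequisite
# on every non-Edge server and check whether the signing override exists.
# Function names and the 60-day threshold are choices made for this example.

function Test-AuthCertificateOnServers {
    param([int]$WarnWithinDays = 60)

    # The current auth certificate is identified by its thumbprint in AuthConfig.
    $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    if (-not $thumbprint) {
        Write-Warning "No current auth certificate thumbprint is set in AuthConfig."
        return $false
    }

    $allOk = $true
    # Edge Transport servers do not hold the auth certificate, so they are skipped.
    foreach ($server in (Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer })) {
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumbprint -ErrorAction SilentlyContinue
        if (-not $cert) {
            # Per the Known issues section, once signing is enabled an expired auth
            # certificate makes Get-ExchangeCertificate return nothing, so "no result"
            # is treated as a failure (missing or expired), not as "not checked".
            Write-Warning "$($server.Name): auth certificate $thumbprint not returned (missing or expired)."
            $allOk = $false
            continue
        }
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt $WarnWithinDays) {
            Write-Warning "$($server.Name): auth certificate expires in $daysLeft day(s); rotate it before enabling signing."
            $allOk = $false
        } else {
            Write-Host "$($server.Name): auth certificate valid, $daysLeft day(s) remaining."
        }
    }
    return $allOk
}

function Test-SigningOverride {
    # Looks for the override created by step 1 and checks its Enabled parameter.
    $override = Get-SettingOverride -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'EnableSigningVerification' }
    if (-not $override) {
        Write-Host "Setting override 'EnableSigningVerification' not found; signing is not enabled."
        return $false
    }
    Write-Host "Override present: $($override.Parameters -join ', ') (reason: $($override.Reason))"
    return [bool]($override.Parameters -contains 'Enabled=true')
}

# Usage: run before step 1 to confirm the certificate prerequisite, and again
# after step 3 to confirm the override is in place.
if (Test-AuthCertificateOnServers) {
    Write-Host "Auth certificate prerequisite satisfied on all non-Edge servers."
}
Test-SigningOverride | Out-Null
```

If Test-AuthCertificateOnServers reports a warning for any server, fix the certificate first (for example with MonitorExchangeAuthCertificate.ps1) rather than enabling the override, because an invalid auth certificate combined with signing causes the deserialization and cmdlet failures described under Known issues.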

For servers running Exchange Server 2013

If you have servers that are running Microsoft Exchange Server 2013 in your environment, you must configure a registry key on each server. Specify the following settings.

Registry key: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics 

Value:  EnableSerializationDataSigning 

Type: String 

Data: 1

To create the registry value on an Exchange Server 2013-based server, run the following cmdlet:

    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name "EnableSerializationDataSigning" -Value 1 -Type String

To apply the new settings, restart the World Wide Web Publishing service and the Windows Process Activation Service (WAS). To do this, run the following cmdlet:  

    Restart-Service -Name W3SVC, WAS -Force

Note: Restart these services on all Exchange Server 2013-based servers in your environment on which registry changes are made. 
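Because the registry value must be set and the services restarted on every Exchange Server 2013 server, the following added example (not from this article and not a Microsoft-provided script) applies the setting idempotently across all 2013 servers from one Exchange Management Shell session. It identifies Exchange 2013 servers by AdminDisplayVersion 15.0, and it assumes PowerShell remoting (WinRM) is enabled to those servers; the variable names and the output strings are choices made here.

```powershell
# Added example, not from the KB article: set EnableSerializationDataSigning = "1"
# (REG_SZ) on every Exchange Server 2013 server and restart W3SVC/WAS only where
# the value actually changed. Assumes WinRM/PowerShell remoting to each server.

$regPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics'
$regName = 'EnableSerializationDataSigning'

# Exchange 2013 reports version 15.0; 2016 is 15.1 and 2019 is 15.2, and those
# are configured through the setting override instead, so they are excluded here.
$ex2013 = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -eq 0
}

foreach ($server in $ex2013) {
    Invoke-Command -ComputerName $server.Name -ArgumentList $regPath, $regName -ScriptBlock {
        param($path, $name)

        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }

        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq '1') {
            return "$env:COMPUTERNAME: $name already set to 1, no restart needed"
        }

        # The article specifies a String (REG_SZ) value with data 1.
        New-ItemProperty -Path $path -Name $name -Value '1' -PropertyType String -Force | Out-Null

        # Read the value back before restarting anything.
        $verify = (Get-ItemProperty -Path $path -Name $name).$name
        if ($verify -ne '1') {
            return "$env:COMPUTERNAME: failed to set $name (read back '$verify'); services not restarted"
        }

        # Apply the new setting on this server, as the article instructs.
        Restart-Service -Name W3SVC, WAS -Force
        return "$env:COMPUTERNAME: $name set to 1 and W3SVC/WAS restarted"
    }
}
```

Run it once after all 2013 servers have the January 2023 SU or later installed; because the script only restarts IIS services on servers where the value changed, rerunning it later is a harmless way to confirm the setting is still in place.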

Known issues

  • If the ability to sign serialization data is enabled, an expired auth certificate prevents the Get-ExchangeCertificate cmdlet from returning certificate details.

  • After the January 2023 or the February 2023 Security Update for Microsoft Exchange Server 2019, 2016, or 2013 is installed, and the Certificate Signing of PowerShell Serialization Payload is enabled, the Exchange Toolbox and Queue Viewer don't start. For more information, see Exchange Toolbox and Queue Viewer fails after Certificate Signing of PowerShell Serialization Payload is enabled (KB5023352).

  • If the ability to sign serialization data is enabled, the Get-ExchangeCertificate cmdlet doesn't return a visible value when it's run on a computer that has the Exchange Management Tools installed but has no other Exchange Server role. This occurs regardless of whether the auth certificate is valid.

  • Some of the scripts that are included with Exchange Server (for example, RedistributeActiveDatabases.ps1) do not work correctly if the following conditions are true:

    • The Signing of PowerShell Serialization Payload feature is enabled.

    • You don't use the default security groups that are provided by Exchange RBAC.

    • The user who runs the script is not a member of the Organization Management role group.
