To prevent misuse of UNC paths by attackers, we are removing parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). 

These changes are available in the following latest Exchange Server updates:

Cumulative Update 12 for Exchange Server 2019 or a later cumulative update for Exchange Server 2019

Cumulative Update 23 for Exchange Server 2016 or a later cumulative update for Exchange Server 2016

Changes in Exchange Server cmdlets

Get-AgentTrafficTypeSubscription -TransportService <service> -Server <server UNC path>

Change: The parameter Server that takes the UNC path as input is removed from the cmdlet. This restricts usage to the local server on which the cmdlet is run. 

Import-ExchangeCertificate -FileName "<local/UNC path>" -Password <password>

Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To import the certificate that's stored in another UNC path, you must use the FileData parameter, as shown in the following example:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "<local or UNC path>" -Encoding byte)) -Password <password>

Export-ExchangeCertificate -Thumbprint <thumbprint> -FileName "<local/UNC path>" -BinaryEncoded -Password <password>

Change: The FileName parameter that takes the UNC path as input is removed from the cmdlet. To export the certificate to a UNC path, you must use the FileData parameter, as shown in the following example: 

$cert = Export-ExchangeCertificate -Thumbprint <thumbprint> -Password <password> -BinaryEncoded

Set-Content -Path "<local or UNC path>" -Value $cert.FileData -Encoding byte
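
The FileData patterns for Import-ExchangeCertificate and Export-ExchangeCertificate shown above, wrapped with an integrity check, as an added example that is not part of the original article. The function names and the SHA-256 comparison are assumptions introduced here; only the Exchange cmdlets and the FileData property come from the article.

```powershell
# Added example; the three function names are hypothetical, not Exchange cmdlets.
# Pass absolute paths: .NET file APIs resolve relative paths against the
# process directory, not the current PowerShell location.
function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Export-ExchangeCertToPath {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path,            # local or UNC path
        [Parameter(Mandatory)][securestring]$Password
    )
    # Exchange returns the PFX bytes; this session, not the cmdlet, writes the file.
    $cert = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded -Password $Password
    [System.IO.File]::WriteAllBytes($Path, $cert.FileData)

    # Re-read the file and confirm it matches what Exchange returned.
    $expected = Get-Sha256Hex $cert.FileData
    $onDisk   = Get-Sha256Hex ([System.IO.File]::ReadAllBytes($Path))
    if ($onDisk -ne $expected) { throw "File at $Path does not match the exported data." }
    $expected   # keep this hash separately from the file
}

function Import-ExchangeCertFromPath {
    param(
        [Parameter(Mandatory)][string]$Path,            # local or UNC path
        [Parameter(Mandatory)][string]$ExpectedSha256,  # hash recorded at export time
        [Parameter(Mandatory)][securestring]$Password
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Refuse to hand Exchange a file that changed since it was exported.
    if ((Get-Sha256Hex $bytes) -ne $ExpectedSha256) {
        throw "Hash mismatch for $Path; certificate not imported."
    }
    Import-ExchangeCertificate -FileData $bytes -Password $Password
}
```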

New-ExchangeCertificate -GenerateRequest -RequestFile "<local/UNC path>" -SubjectName "<subject>" -DomainName <domains>

Change: The RequestFile parameter that takes the UNC path as input is removed from the cmdlet. To export the request file to a UNC path, you must use the Set-Content cmdlet, as shown in the following example. 

$request = New-ExchangeCertificate -GenerateRequest -SubjectName "<subject>" -DomainName <domains>

Set-Content -Path "<local or UNC path>" -Value $request

Get-CalendarDiagnosticLog -Identity "Jasen Kozma" -Subject "Budget Meeting" -ExactMatch $true -LogLocation "C:\My Documents\Calendar Diagnostic Export"

Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. This restricts the usage to the local server on which the cmdlet is run.  

Get-CalendarDiagnosticAnalysis -LogLocation "C:\My Documents\Calendar Diagnostic Export" -OutputAs HTML | Set-Content -Path <local/UNC path>

Change: The LogLocation parameter that takes the UNC path as input is removed from the cmdlet. You must provide Calendar Diagnostic logs through the CalendarLogs parameter, as shown in the following example:

$calitems = Get-CalendarDiagnosticLog -Identity <mailbox user> -Subject "Budget Meeting"

Get-CalendarDiagnosticAnalysis -CalendarLogs $calitems -OutputAs HTML | Set-Content -Path <local/UNC path>
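
Existing automation that still passes any of the parameters removed above will fail after the update. The following added example (not part of the original article) parses script text with the PowerShell AST and reports such calls; the function name, the lookup table variable, and the sample script are constructed for illustration.

```powershell
# Added example. Cmdlet/parameter pairs are the ones this article lists as removed.
$RemovedParameters = @{
    'Get-AgentTrafficTypeSubscription' = 'Server'
    'Import-ExchangeCertificate'       = 'FileName'
    'Export-ExchangeCertificate'       = 'FileName'
    'New-ExchangeCertificate'          = 'RequestFile'
    'Get-CalendarDiagnosticLog'        = 'LogLocation'
    'Get-CalendarDiagnosticAnalysis'   = 'LogLocation'
}

function Find-RemovedExchangeParameter {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ScriptText, [string]$Source = '<inline>')
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    $isCommand = { param($node) $node -is [System.Management.Automation.Language.CommandAst] }
    foreach ($cmd in $ast.FindAll($isCommand, $true)) {
        $name = $cmd.GetCommandName()   # $null when the command name is dynamic
        if (-not $name -or -not $RemovedParameters.ContainsKey($name)) { continue }
        foreach ($element in $cmd.CommandElements) {
            # Prefix match, so abbreviated parameter names are flagged for review too.
            if ($element -is [System.Management.Automation.Language.CommandParameterAst] -and
                $RemovedParameters[$name] -like "$($element.ParameterName)*") {
                [pscustomobject]@{
                    Source    = $Source
                    Line      = $element.Extent.StartLineNumber
                    Command   = $name
                    Parameter = $element.ParameterName
                    Text      = $cmd.Extent.Text
                }
            }
        }
    }
}

# Constructed sample input: lines 1 and 3 use removed parameters, line 2 does not.
$sample = @'
Import-ExchangeCertificate -FileName "\\fileserver.example\share\cert.pfx" -Password $pw
$c = Export-ExchangeCertificate -Thumbprint $tp -BinaryEncoded -Password $pw
Get-CalendarDiagnosticLog -Identity user1 -LogLocation "C:\logs"
'@
Find-RemovedExchangeParameter -ScriptText $sample
```

Parameters supplied through splatting (@params) are not visible as parameter elements and need a manual review.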

Exchange Admin Center changes 

Remove UNC path input for storing Virtual Directory settings during reset 

When you reset a virtual directory, the Exchange Control Panel (ECP) asks for a UNC path that it can copy the current settings to. This process is changed. ECP will no longer allow any UNC path input here.

Instead, ECP will ask the user for the file name to export the settings to. This information will be stored in the ../V15/Config/Backup folder on the server through which ECP is accessed. If the folder doesn't exist, it will be created by ECP.

Removal of Import & Export Exchange Certificate

In the previous versions of Exchange Server, there was an option to import or export the Exchange certificate through ECP.

This option is removed. You must now use a PowerShell cmdlet to import or export the Exchange certificate.

Removal of Complete Exchange Certificate Request

In previous versions of Exchange Server, there was an option to complete the Exchange certificate by using ECP. This prompted admins to provide UNC path input.

This option is removed from ECP. You must now use a PowerShell cmdlet to do this.

Removal of New Exchange Certificate Request from CA

In previous versions of Exchange Server, there was an option to request a new Exchange certificate from the certificate authority (CA) by using ECP. This prompted admins to provide UNC path input.

This option is removed from ECP. You must now use a PowerShell cmdlet to do this.

Removal of Renew Exchange Certificate Request

In previous versions of Exchange Server, there was an option to renew an Exchange certificate request by using ECP, which led to admins providing UNC path input.

This option is removed from ECP. You must now use a PowerShell cmdlet to do this.
