Starting in the August 2023 security update for Microsoft Exchange Server, AES256 in Cipher Block Chaining mode (AES256-CBC) will be the default encryption mode across all applications that use Microsoft Purview Information Protection. For more information, see Encryption algorithm changes in Microsoft Purview Information Protection.
If you are using Exchange Server and have a hybrid Exchange deployment, or you are using Microsoft 365 Apps, this document will help you prepare for the change so that there are no disruptions.
The changes introduced in this security update (SU) help decrypt AES256-CBC-encrypted email messages and attachments. Exchange Server does not support encrypting email messages in AES256-CBC mode yet, but this support will be added in future releases.
How to implement AES256-CBC mode change in Exchange Server
If you are using the Information Rights Management (IRM) features in Exchange Server together with either Active Directory Rights Management Services (AD RMS) or Azure RMS (AzRMS), you will have to update your Exchange Server 2019 and Exchange Server 2016 servers to the August 2023 Security Update and complete the additional steps that are described in the following sections by the end of August 2023. If you do not update your Exchange servers to the August 2023 SU by the end of August, this will affect the search and journaling functions.
If your organization needs additional time to update your Exchange servers, read through the rest of the article to understand how to mitigate the effect of the changes.
Enable support for AES256-CBC mode of encryption in Exchange Server
The August 2023 SU for Exchange Server supports decryption of AES256-CBC mode-encrypted email messages and attachments. To enable this support, follow these steps:
Install the August 2023 SU on all your Exchange 2019 and 2016 servers.
Run the following cmdlets on all Exchange 2019 and 2016 servers:
$acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server"
# Grant NT AUTHORITY\NETWORK SERVICE (S-1-5-20) FullControl (983103) with ContainerInherit+ObjectInherit (3), no propagation flags (0), Allow (0).
$rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0)
$acl.AddAccessRule($rule)   # attach the rule to the ACL; without this step Set-Acl writes the key's ACL back unchanged
Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server" -AclObject $acl
Note: The HKLM:\SOFTWARE\Microsoft\MSIPC\Server registry key is added during the installation of the August SU.
If you are using AzRMS, the AzRMS Connector must be updated on all Exchange servers. Run the updated GenConnectorConfig.ps1 script to generate the registry keys that are introduced for AES256-CBC mode support in the Exchange Server August 2023 SU and later Exchange versions. Download the latest GenConnectorConfig.ps1 script from the Microsoft Download Center.
For more information about how to configure Exchange servers to use the connector, see Configuring servers for the Microsoft Rights Management connector. The article discusses specific configuration changes for Exchange Server 2019 and Exchange Server 2016.
For more information about how to configure servers for the Rights Management connector, including how to run it and how to deploy the settings, see Registry settings for the Rights Management Connector.
Enable support for decryption of AES-256 CBC mode-encrypted email messages and attachments in Exchange Server. To do this, use the following setting override:
New-SettingOverride -Name "EnableMSIPC" -Component Encryption -Section UseMSIPC -Parameters @("Enabled=true") -Reason "Enabling MSIPC stack"
Refresh the VariantConfiguration argument. To do this, run the following cmdlet:
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
To apply the new settings, restart the World Wide Web Publishing service and the Windows Process Activation Service (WAS). To do this, run the following cmdlet:
Restart-Service -Name W3SVC, WAS -Force
Note: Restart these services on only the Exchange server on which the settings override cmdlet is run.
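After running the steps above, the following script (an added verification example, not part of the article) checks that the registry ACE they create is actually present. It assumes an elevated PowerShell session on the Exchange server itself; the key path, SID and rights mask are the ones used in the cmdlets above.

```powershell
# Added verification script (not part of the article). Assumes an elevated PowerShell session on
# the Exchange server itself; the key path, SID and rights mask are the ones used in the cmdlets above.
$MsipcServerKey    = 'HKLM:\SOFTWARE\Microsoft\MSIPC\Server'
$NetworkServiceSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-20')
$FullControl       = 983103   # RegistryRights.FullControl, the value passed to RegistryAccessRule above

function Test-MsipcServerAcl {
    param([string]$Path = $MsipcServerKey)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            KeyExists = $false; RuleFound = $false
            Detail    = 'Key is missing; the August 2023 SU creates it, so check the SU installation first.'
        }
    }

    $acl = Get-Acl -Path $Path
    # Compare on SID rather than display name so localized or renamed accounts still match.
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $NetworkServiceSid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $FullControl) -eq $FullControl -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'   # inheritance flag value 3 in the article's cmdlet
    } | Select-Object -First 1

    [pscustomobject]@{
        KeyExists = $true
        RuleFound = [bool]$rule
        Detail    = $(if ($rule) { 'NETWORK SERVICE has inheritable Full Control on the key.' }
                      else { 'No matching ACE; rerun the Get-Acl / AddAccessRule / Set-Acl steps.' })
    }
}

Test-MsipcServerAcl | Format-List
```

Run it on every Exchange 2016 and 2019 server, since the ACL is per-machine and the SU does not replicate it.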
If you have an Exchange hybrid deployment (mailboxes in both on-premises and Exchange Online)
Organizations that use Exchange Server together with the Azure Rights Management Service Connector (Azure RMS) will be automatically opted out of the AES256-CBC mode update in Exchange Online until at least January 2024. However, if you want to use the more secure AES-256 CBC mode to encrypt email messages and attachments in Exchange Online, and decrypt such email messages and attachments in Exchange Server, complete these steps to make necessary changes to your Exchange Server deployment.
After you complete the required steps, open a support case, and then request the Exchange Online setting to be updated to enable AES256-CBC mode.
If you are using Microsoft 365 Apps with Exchange Server
By default, all your M365 applications, such as Microsoft Outlook, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint, will use AES256-CBC mode encryption starting in August 2023.
Important: If your organization can't apply the Exchange Server August 2023 security update on all the Exchange servers (2019 and 2016), or if you can't update the connector configuration changes across the Exchange Server infrastructure by the end of August 2023, you must opt out of the AES256-CBC change on Microsoft 365 Apps.
The following section describes how to force AES128-ECB for the users who use registry settings and Group Policy.
You can configure Office and Microsoft 365 Apps for Windows to use ECB or CBC mode by using the Encryption mode for Information Rights Management (IRM) setting under Configuration/Administrative Templates/Microsoft Office 2016/Security Settings. By default, CBC mode is used starting in version 16.0.16327 of Microsoft 365 Apps.
For example, to force ECB mode for Windows clients, set the Group Policy setting as follows:
Encryption mode for Information Rights Management (IRM): [2, Electronic Codebook (ECB)]
To configure settings for Office for Mac clients, see Set suite-wide preferences for Office for Mac.
For more information, see the "AES256-CBC support for Microsoft 365" section of Technical reference details about encryption.
Email delivery and journaling fail intermittently if AES256-CBC mode support is enabled on Exchange Server 2019 and Exchange Server 2016 in an environment that coexists with Exchange Server 2013 servers. Exchange Server 2013 is out of support. Therefore, you should upgrade all your servers to Exchange Server 2019 or Exchange Server 2016.
Symptoms if CBC encryption is not configured correctly or is not updated
If TransportDecryptionSetting is set to Mandatory ("Optional" is the default) in Set-IRMConfiguration, and Exchange servers and clients are not updated, messages that are encrypted by using AES256-CBC might generate non-delivery reports (NDRs) with the following error message:
Remote Server returned '550 5.7.157 RmsDecryptAgent; Microsoft Exchange Transport cannot RMS decrypt the message.'
This setting might also cause issues that affect transport rules for encryption, journaling, and eDiscovery if servers are not updated.
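The following pre-flight check (an added example, not part of the article) reports the two preconditions for the symptoms above: mandatory transport decryption without the EnableMSIPC override, and Exchange Server 2013 coexistence. It assumes an Exchange Management Shell session with at least View-Only Organization Management rights.

```powershell
# Added pre-flight check (not part of the article). Assumes an Exchange Management Shell session;
# Get-IRMConfiguration, Get-SettingOverride and Get-ExchangeServer are standard Exchange cmdlets.
function Get-Aes256CbcReadiness {
    $irm = Get-IRMConfiguration
    # The EnableMSIPC override from the steps above (component Encryption, section UseMSIPC).
    $override = Get-SettingOverride -ErrorAction SilentlyContinue |
        Where-Object { $_.ComponentName -eq 'Encryption' -and $_.SectionName -eq 'UseMSIPC' }

    # AdminDisplayVersion 15.0 is Exchange 2013, 15.1 is Exchange 2016, 15.2 is Exchange 2019.
    $legacy = @(Get-ExchangeServer |
        Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -eq 0 })

    $findings = New-Object System.Collections.Generic.List[string]
    if ($irm.TransportDecryptionSetting -eq 'Mandatory' -and -not $override) {
        $findings.Add('TransportDecryptionSetting is Mandatory but the EnableMSIPC override is missing: AES256-CBC messages can be rejected with 550 5.7.157.')
    }
    if ($legacy.Count -gt 0) {
        $findings.Add("Exchange 2013 servers present ($($legacy.Name -join ', ')): delivery and journaling can fail intermittently once CBC support is enabled.")
    }

    [pscustomobject]@{
        TransportDecryptionSetting = $irm.TransportDecryptionSetting
        EnableMSIPCOverridePresent = [bool]$override
        Exchange2013Servers        = $legacy.Name
        Findings                   = $findings
    }
}

Get-Aes256CbcReadiness | Format-List
```

An empty Findings list means neither documented failure condition is present; it does not confirm that the SU or the connector configuration is installed on every server.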