Microsoft has released the January 2023 Security Update (SU) for Exchange Server. This update introduces a key hardening feature: certificate signing of PowerShell serialization payloads (Serialized Data Signing). Exchange signs the serialized data it exchanges between servers with the organization's Auth Certificate and rejects payloads that are not signed, which closes the path that many Exchange deserialization exploits rely on. The feature is not switched on by the update itself; before you enable it, every Exchange server in your environment must be updated.
- Exchange Server Monitor Exchange Auth Certificate – Cengiz YILMAZ
- Exchange Server January 2023 Security Update – Cengiz YILMAZ
Exchange Server Serialization Payload Requirements
To successfully enable the Serialization Payload feature, the following prerequisites must be met:
- Server Updates: All Exchange servers in your environment must have the January 2023 Security Update (SU) or later installed. If the feature is enabled while any server still runs an older build, that server can neither sign nor verify payloads, and server-to-server calls fail with deserialization errors.
- Certificate Validation: Before you enable certificate signing, ensure that a valid Auth Certificate is configured and present on all Exchange servers in your environment (except Edge Transport servers). Run the MonitorExchangeAuthCertificate.ps1 script to check that the Auth Certificate is available on every server and is neither expired nor about to expire.
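The two prerequisites can be checked from the Exchange Management Shell before anything is changed. The script below is an added example and is not part of the original post or of Microsoft's scripts; it assumes EMS plus WinRM access to every server, and the minimum build numbers are the January 2023 SU builds as recalled from Microsoft's build table, so confirm them against the current table before relying on the result.

```powershell
# Added example (not from the original post): pre-flight check before enabling
# serialization payload signing. Assumes the Exchange Management Shell and WinRM
# access to every non-Edge server. The minimum builds below are the January 2023
# SU builds as recalled from Microsoft's build table; confirm them before use.
$MinimumBuild = @{
    '15.0' = [version]'15.0.1497.45'   # Exchange 2013 CU23 + Jan 2023 SU (assumed)
    '15.1' = [version]'15.1.2507.17'   # Exchange 2016 CU23 + Jan 2023 SU (assumed)
    '15.2' = [version]'15.2.1118.21'   # Exchange 2019 CU12 + Jan 2023 SU (assumed)
}

function Test-SerializationSigningPrerequisites {
    $ready   = $true
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

    # 1. Build check. AdminDisplayVersion only reflects the CU, not the SU, so read
    #    the file version of ExSetup.exe on each server; that carries the SU build.
    foreach ($server in $servers) {
        $installed = [version](Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
        })
        $key = '{0}.{1}' -f $installed.Major, $installed.Minor
        if (-not $MinimumBuild.ContainsKey($key) -or $installed -lt $MinimumBuild[$key]) {
            Write-Warning "$($server.Name): build $installed is below the January 2023 SU"
            $ready = $false
        } else {
            Write-Host "$($server.Name): build $installed OK"
        }
    }

    # 2. Auth Certificate check. The thumbprint recorded in the auth config must
    #    exist on every non-Edge server and must not be expired.
    $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    if (-not $thumbprint) {
        Write-Warning 'No Auth Certificate is configured (Get-AuthConfig returned no thumbprint)'
        return $false
    }
    foreach ($server in $servers) {
        $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumbprint -ErrorAction SilentlyContinue
        if (-not $cert) {
            Write-Warning "$($server.Name): Auth Certificate $thumbprint is missing"
            $ready = $false
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "$($server.Name): Auth Certificate expired on $($cert.NotAfter)"
            $ready = $false
        } else {
            Write-Host "$($server.Name): Auth Certificate valid until $($cert.NotAfter)"
        }
    }
    return $ready
}

if (Test-SerializationSigningPrerequisites) {
    Write-Host 'All prerequisites met; it is safe to enable serialization payload signing.'
} else {
    Write-Warning 'Fix the warnings above before enabling the feature.'
}
```

The build check deliberately reads ExSetup.exe rather than trusting Get-ExchangeServer, because a server that is at the right CU but missing the SU looks identical in AdminDisplayVersion; this is the same mistake that leaves a server silently unable to verify signed payloads.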
Enabling Serialization Payload in Exchange Server 2013
On Exchange Server 2013 the feature is controlled by a registry value that must be created on each server; there is no organization-wide switch. You can create the value with Regedit, from CMD, or with PowerShell. The PowerShell version is shown below.
- Open a PowerShell window as administrator.
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name "EnableSerializationDataSigning" -Value 1 -Type String
This command creates, under the Exchange Server Diagnostics key (HKLM\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics), a new String (REG_SZ) value named EnableSerializationDataSigning with the data 1. The value must be of type String, not DWORD; a DWORD value is ignored.
After the registry value has been created on an Exchange Server 2013 server, the IIS services on that server must be restarted for the change to take effect. You can restart them with the following command:
Restart-Service -Name W3SVC, WAS -Force
This command restarts the World Wide Web Publishing Service (W3SVC) and the Windows Process Activation Service (WAS).
Enabling PowerShell Serialization Payload Signing in Exchange Server 2016/2019
This feature can be enabled organization-wide or for a specific server as follows:
- Enabling PowerShell Serialization Payload signing for the whole Exchange organization:
New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true") -Reason "Enabling Signing Verification"
- Enabling PowerShell Serialization Payload signing for a specific server only:
New-SettingOverride -Name "EnableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=true") -Reason "Enabling Signing Verification" -Server <ExchangeServerName>
- Refreshing the Variant Configuration so the new setting override is picked up:
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
Get-ExchangeDiagnosticInfo asks the Microsoft.Exchange.Directory.TopologyService process to refresh its VariantConfiguration component. Setting overrides are read through Variant Configuration, so this refresh is what makes the new EnableSerializationDataSigning override (in this case, enabling signing) take effect without waiting for the periodic reload. Run it on each server, or pass -Server to target a specific one.
- After these operations, you can restart the relevant services with the following command:
Restart-Service -Name W3SVC, WAS -Force
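The steps above for Exchange 2013 (registry value per server) and for Exchange 2016/2019 (setting override, refresh, restart) can be run from one script over the whole organization. The script below is an added example, not code from the original post or from Microsoft; it assumes the Exchange Management Shell, WinRM access to every server, and a mixed or single-version environment where all servers already carry the January 2023 SU. The function names are my own.

```powershell
# Added example (not from the original post): enable serialization payload signing
# on every non-Edge server. Exchange 2013 needs the per-server registry value;
# Exchange 2016/2019 need one organization-wide setting override plus a refresh and
# IIS restart on each server. Assumes EMS and WinRM access to all servers.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics'
$RegName = 'EnableSerializationDataSigning'

function Enable-SerializationSigning2013 {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RegPath, $RegName -ScriptBlock {
        param($Path, $Name)
        # New-ItemProperty fails if the Diagnostics key does not exist yet, so create it first.
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        # REG_SZ "1", the type and data Microsoft documents; -Force overwrites an old value.
        New-ItemProperty -Path $Path -Name $Name -Value '1' -PropertyType String -Force | Out-Null
        # Read it back so a typo in the value name or data is caught before the restart.
        $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
        if ($actual -ne '1') { throw "$env:COMPUTERNAME: $Name is '$actual', expected '1'" }
        Restart-Service -Name W3SVC, WAS -Force
        "$env:COMPUTERNAME: signing enabled via registry"
    }
}

function Enable-SerializationSigning2016Plus {
    param([string[]]$ComputerName)
    # Idempotent: New-SettingOverride throws if an override with this name already exists.
    if (-not (Get-SettingOverride -Identity 'EnableSigningVerification' -ErrorAction SilentlyContinue)) {
        New-SettingOverride -Name 'EnableSigningVerification' -Component Data `
            -Section EnableSerializationDataSigning -Parameters @('Enabled=true') `
            -Reason 'Enabling Signing Verification' | Out-Null
    }
    foreach ($name in $ComputerName) {
        # Push the override into the running Variant Configuration on this server, then recycle IIS.
        Get-ExchangeDiagnosticInfo -Server $name -Process Microsoft.Exchange.Directory.TopologyService `
            -Component VariantConfiguration -Argument Refresh | Out-Null
        Invoke-Command -ComputerName $name -ScriptBlock { Restart-Service -Name W3SVC, WAS -Force }
        Write-Host "$name: signing enabled via setting override"
    }
}

$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }
# AdminDisplayVersion 15.0 = Exchange 2013, 15.1 = 2016, 15.2 = 2019.
$v2013 = $servers | Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -eq 0 }
$newer = $servers | Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -ge 1 }

foreach ($s in $v2013) { Enable-SerializationSigning2013 -ComputerName $s.Fqdn }
if ($newer) { Enable-SerializationSigning2016Plus -ComputerName ($newer | ForEach-Object { $_.Fqdn }) }
```

Run it once, from one server, after the prerequisite check has passed on every server; enabling signing on a subset while other servers are still on an older build is exactly the situation that produces the deserialization errors mentioned in the prerequisites.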
Verifying PowerShell Serialization Payload Signing
After enabling PowerShell Serialization Payload signing in your Exchange environment, verify that it is actually in effect on every server.
The simplest way is to run the Exchange Server Health Checker (HealthChecker.ps1). It analyzes the whole server and its HTML report includes a SerializedDataSigning entry.
If the SerializedDataSigning entry in the Health Checker report shows "True", PowerShell Serialization Payload signing is enabled on that server. A server that reports "False" has not picked up the setting yet; check that the override or registry value exists and that W3SVC and WAS were restarted there.
Disabling PowerShell Serialization Payload Signing in Exchange Server 2016/2019
Warning: Disabling PowerShell Serialization Payload signing removes the protection this feature provides and leaves your environment exposed to the known Exchange deserialization vulnerabilities it mitigates. Disable it only as a deliberate, temporary troubleshooting step.
How you disable the feature depends on which Security Update is installed, because the November 2023 SU changed the default.
If your Exchange Server 2016 and 2019 servers run a Security Update released between January 2023 and October 2023, the feature is off by default and was enabled by the setting override you created. To disable it, delete that override from the Exchange Management Shell:
Get-SettingOverride -Identity "EnableSigningVerification" | Remove-SettingOverride
Note: This applies only to Security Updates from the January 2023 through October 2023 releases; on those builds deleting the EnableSigningVerification override is sufficient.
If your servers run the November 2023 Security Update (SU) or later, signing is enabled by default and there may be no EnableSigningVerification override to delete. To disable the feature you must create an explicit opt-out override:
New-SettingOverride -Name "DisableSigningVerification" -Component Data -Section EnableSerializationDataSigning -Parameters @("Enabled=false") -Reason "Disable Signing Verification"
To refresh the VariantConfiguration argument, run the following command:
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
When a configuration setting is deleted or updated, the World Wide Web Publishing Service (W3SVC) and Windows Process Activation Service (WAS) must be restarted on the relevant Exchange server:
Restart-Service -Name W3SVC, WAS -Force
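Because the correct procedure differs by SU level, and a mixed environment may contain both, the script below handles both cases: it removes the opt-in override if present and, where any server already runs the November 2023 SU or later, adds the opt-out override, then refreshes and restarts every server. It is an added example, not code from the original post or from Microsoft; it assumes EMS and WinRM, and the November 2023 build numbers are as recalled from Microsoft's build table, so confirm them before use.

```powershell
# Added example (not from the original post): disable PowerShell serialization payload
# signing on Exchange 2016/2019 correctly for whichever SU level is installed.
# Up to the October 2023 SU the feature is opt-in (remove EnableSigningVerification);
# from the November 2023 SU on it is on by default (add DisableSigningVerification).
# Build numbers are the November 2023 SU builds as recalled from Microsoft's build
# table; confirm them before use. Assumes EMS and WinRM. Only run this deliberately:
# without signing the servers are exposed to the vulnerabilities the feature mitigates.
$November2023Build = @{
    '15.1.2507' = [version]'15.1.2507.35'   # Exchange 2016 CU23 + Nov 2023 SU (assumed)
    '15.2.1118' = [version]'15.2.1118.39'   # Exchange 2019 CU12 + Nov 2023 SU (assumed)
    '15.2.1258' = [version]'15.2.1258.25'   # Exchange 2019 CU13 + Nov 2023 SU (assumed)
}

function Get-ExSetupVersion {
    param([string]$ComputerName)
    # ExSetup.exe carries the SU build; AdminDisplayVersion only shows the CU.
    [version](Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
    })
}

function Disable-SerializationSigning2016Plus {
    $servers = Get-ExchangeServer | Where-Object {
        $_.ServerRole -notmatch 'Edge' -and
        $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -ge 1
    }

    # Step 1: drop the opt-in override if it exists. Harmless on every SU level.
    $enableOverride = Get-SettingOverride -Identity 'EnableSigningVerification' -ErrorAction SilentlyContinue
    if ($enableOverride) { $enableOverride | Remove-SettingOverride -Confirm:$false }

    # Step 2: if any server is at the November 2023 SU or later, signing is on by
    # default there, so an explicit opt-out override is required as well.
    $needsOptOut = $false
    foreach ($s in $servers) {
        $v  = Get-ExSetupVersion -ComputerName $s.Fqdn
        $cu = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
        if ($November2023Build.ContainsKey($cu)) {
            if ($v -ge $November2023Build[$cu]) { $needsOptOut = $true }
        } elseif ($v -gt [version]'15.2.1258.0') {
            # A 2019 CU newer than the table (CU14+) ships with signing on by default.
            $needsOptOut = $true
        }
        Write-Host "$($s.Name): build $v, opt-out override needed so far: $needsOptOut"
    }
    if ($needsOptOut -and -not (Get-SettingOverride -Identity 'DisableSigningVerification' -ErrorAction SilentlyContinue)) {
        New-SettingOverride -Name 'DisableSigningVerification' -Component Data `
            -Section EnableSerializationDataSigning -Parameters @('Enabled=false') `
            -Reason 'Disable Signing Verification' | Out-Null
    }

    # Step 3: push the change into each server's Variant Configuration and recycle IIS.
    foreach ($s in $servers) {
        Get-ExchangeDiagnosticInfo -Server $s.Fqdn -Process Microsoft.Exchange.Directory.TopologyService `
            -Component VariantConfiguration -Argument Refresh | Out-Null
        Invoke-Command -ComputerName $s.Fqdn -ScriptBlock { Restart-Service -Name W3SVC, WAS -Force }
    }
}

Disable-SerializationSigning2016Plus
```

Re-enabling later is the reverse: remove the DisableSigningVerification override (and, on pre-November 2023 builds, recreate EnableSigningVerification), then refresh and restart again.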
Disable Powershell Serialization Payload in Exchange Server 2013
To disable this feature in Exchange Server 2013, the registry value must be set to 0 or deleted.
To set the registry value in Exchange Server 2013, run the following command:
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name "EnableSerializationDataSigning" -Value 0
On each Exchange server whose registry value was changed, the World Wide Web Publishing Service and the Windows Process Activation Service must be restarted:
Restart-Service -Name W3SVC, WAS -Force