In its February 2019 quarterly updates, Microsoft announced that Exchange Server quarterly updates will now include "critical security" fixes, along with architectural changes to all supported Exchange Server products. It is very uncommon for security updates to ship together with a CU, and most assume that the EWS/NTLM relay attack issue accelerated this plan.
One of the major changes is a change to the notifications contract established between EWS clients and Exchange Server: the server will no longer stream authenticated notifications. Instead, these notifications are streamed using anonymous authentication. Since the client has already authenticated to establish the subscription, this approach is an appropriate design for protecting the server's credentials and identity. After this change, clients that rely on an authenticated EWS Push Notification from the Exchange Server will require a client update to continue functioning correctly.
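The practical consequence for a push-notification listener is that it can no longer use the server's authentication as proof that a POST is genuine. The only thing tying an anonymous push to a real subscription is the SubscriptionId the client itself received over its authenticated Subscribe call, so a listener has to validate against that. The following is an added example, not code from the original post or from Microsoft; it assumes the standard EWS SendNotification SOAP shape (a t:SubscriptionId under each Notification, and a reply carrying m:SubscriptionStatus of "OK" or "Unsubscribe"), and the sample message, subscription id and watermarks are constructed placeholders.

```python
"""Anonymous EWS push-notification listener that validates SubscriptionId.

Added example, not the post's or Microsoft's code. Assumes the standard
SendNotification SOAP layout; SAMPLE_PUSH and all ids in it are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

NS_M = "http://schemas.microsoft.com/exchange/services/2006/messages"
NS_T = "http://schemas.microsoft.com/exchange/services/2006/types"
NS_S = "http://schemas.xmlsoap.org/soap/envelope/"

# Cap on accepted body size: the endpoint is now reachable anonymously, so it
# should never read an unbounded request into memory.
MAX_BODY = 1_000_000

# Subscription ids this client obtained from its own authenticated Subscribe
# calls (constructed placeholder value).
KNOWN_SUBSCRIPTIONS: set[str] = {"SUB-EXAMPLE-0001"}

# Constructed sample SendNotification request, as the server would POST it.
SAMPLE_PUSH = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Body>
    <m:SendNotification>
      <m:ResponseMessages>
        <m:SendNotificationResponseMessage ResponseClass="Success">
          <m:ResponseCode>NoError</m:ResponseCode>
          <m:Notification>
            <t:SubscriptionId>SUB-EXAMPLE-0001</t:SubscriptionId>
            <t:PreviousWatermark>AAAAAMAGAAAAAAAAAQ==</t:PreviousWatermark>
            <t:MoreEvents>false</t:MoreEvents>
            <t:NewMailEvent>
              <t:Watermark>AAAAAM4GAAAAAAAAAQ==</t:Watermark>
              <t:TimeStamp>2019-02-12T17:00:00Z</t:TimeStamp>
              <t:ItemId Id="AAMkAGV-example" ChangeKey="CQAAAA=="/>
              <t:ParentFolderId Id="AQMkAGV-example" ChangeKey="AQAAAA=="/>
            </t:NewMailEvent>
          </m:Notification>
        </m:SendNotificationResponseMessage>
      </m:ResponseMessages>
    </m:SendNotification>
  </soap:Body>
</soap:Envelope>
"""


def extract_subscription_ids(body: bytes) -> list[str]:
    """Return every t:SubscriptionId in a SendNotification body.

    Raises ET.ParseError on malformed XML; the caller treats that as a reject.
    (For production use a hardened parser such as defusedxml.)
    """
    root = ET.fromstring(body)
    return [
        el.text.strip()
        for el in root.iter(f"{{{NS_T}}}SubscriptionId")
        if el.text and el.text.strip()
    ]


def decide_status(body: bytes, known_subscriptions: set[str]) -> str:
    """Return "OK" only if every SubscriptionId in the push is one we created.

    Anything unparseable, empty, or referencing an unknown subscription gets
    "Unsubscribe", which tells the server to drop it, and is not processed.
    """
    try:
        ids = extract_subscription_ids(body)
    except ET.ParseError:
        return "Unsubscribe"
    if not ids or any(sid not in known_subscriptions for sid in ids):
        return "Unsubscribe"
    return "OK"


def build_response(status: str) -> bytes:
    """Serialise the SendNotificationResult reply the server expects back."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<s:Envelope xmlns:s="{NS_S}"><s:Body>'
        f'<m:SendNotificationResult xmlns:m="{NS_M}">'
        f"<m:SubscriptionStatus>{status}</m:SubscriptionStatus>"
        "</m:SendNotificationResult></s:Body></s:Envelope>"
    ).encode("utf-8")


class PushHandler(BaseHTTPRequestHandler):
    """Accepts the anonymous POST, but trusts nothing except the SubscriptionId."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        if length <= 0 or length > MAX_BODY:
            self.send_error(413)
            return
        status = decide_status(self.rfile.read(length), KNOWN_SUBSCRIPTIONS)
        reply = build_response(status)
        self.send_response(200)
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    # Offline self-check against the constructed sample, then serve.
    print(decide_status(SAMPLE_PUSH, KNOWN_SUBSCRIPTIONS))  # OK
    print(decide_status(SAMPLE_PUSH, {"SUB-OTHER"}))  # Unsubscribe
    HTTPServer(("127.0.0.1", 8080), PushHandler).serve_forever()
```

The listener deliberately does nothing with the event payload until the subscription check passes; a rejected push costs one XML parse and a short fixed reply, which keeps an anonymously reachable endpoint cheap to hit and gives nothing back that depends on the request.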
Another change relates to Microsoft favoring the Split Permissions Model over the Shared Permissions Model for Exchange Server and Active Directory permissions. Microsoft still supports both models, and warns that organizations should weigh the effects before making any changes to the model they're using. The quarterly update will also lower the privileges assumed in the "Shared Permissions Model", which is currently the default setup in Exchange Server and Active Directory environments.
As you can tell, these types of updates, delivered quickly and sometimes silently, are becoming common with Microsoft. They should provide a safer and stronger platform, but they cause fire drills for IT departments preparing for legacy integrations, thoughtful user delivery, etc.