Tag Archives: Exchange 2013 lititgation bug

Critical problem with Litigation Hold detected in OWA – Exchange Server 2013 and Exchange Online (Office 365)

P5_400x225_Exchange-Online-Plan-1
Recently, a very important critical problem has been detected in the behaviour of litigation hold in Exchange Server 2013 and Exchange Online.

When a mailbox is enabled for litigation and holds a delegate of the mailbox is able to use OWA to permanently delete folders (and their items) from the mailbox, without them being preserved correctly by the litigation hold.

The issue impacts Exchange Online and all supported versions of Exchange Server 2013 on-premises. The bug does not exist when mailboxes are accessed via Outlook or other clients, only when accessed via OWA

Microsoft has released KB2996477 which also describes the issue:

This problem occurs when a user uses OWA to delete or move a folder from a delegated mailbox that is on hold to another mailbox if that mailbox is also open in OWA but is not on hold. The items are preserved according to the hold settings of the delegate’s own mailbox, not the settings of the delegated mailbox. The delegate can move or delete individual items inside a folder, and the items are preserved as expected.

Non-delegated scenarios, in which one user is the sole owner of a mailbox, are not affected by this issue. This problem also does not occur in the Outlook client.

There are 2 known solutions:

1. Put a hold on all users who are participating in delegated scenarios.

2. Disable OWA for users who have delegated access to their mailbox.

First, it’s worth verifying whether any mailboxes in your organization are enabled for litigation hold.

[PS] C:\>Get-Mailbox | where LitigationHoldEnabled

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
Aurel Proorocu            aurel.proorocu       exch2013         Unlimited
IT Support                it.support           exch2013         Unlimited

If disabling OWA is a practical solution for your organization this can easily be performed, for example:

[PS] C:\>Get-Mailbox | where LitigationHoldEnabled | Set-CASMailbox -OWAEnabled:$false

Of course, if the mailboxes are under investigation it may not be wise to tip off the mailbox owner by disabling OWA. In that case enabling litigation hold for the other users with access to the mailbox would be the better approach.