This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 6%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
The HealthChecker.PS1 script reports that not having "Download Domains" makes an Exchange server vulnerable to CVE-2021-1730 (See: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730).
It looks simple to implement but I can't find any information describing the side-effects of implementing it.
Is there any downside to setting up a Download Domain?
Thank you in advance.
The Accepted Answer works perfectly. Thanks again!
The only drawback is you need a 4-domain certificate.
For example:
domain.com
mail.domain.com
autodiscover.domain.com
downloaddomain.domain.com
Hi @Jax Planet ,
It's like the download domain is only used to download items from OWA browsers. Basically you don't have to install other softwares or something to enable it.
Even though the official document has nothing useful:
I think you don't have to worry about that.
See this discuss: https://www.reddit.com/r/exchangeserver/comments/onhchg/download_domains_cve20211730_and_microsoft/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks again!
I completely agree that this level of complexity can yield unexpected results.
I will test it on a non-production server first.
If I find any problem in pre or post production, I will post back.
That's Okey.
Hope everything goes right & have a nice day:)
Cheers,
Lou
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 99%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Hi Jax,
Do you have any updates on this?
We are currently trying to figure out the exact same question as you.
Let us know if you have any information.
Thanks in advance!
Thank you for the fast reply!
If I understand you correctly, you don't foresee any problems with making this change.
Regardless, I would like some way to make sure it did not cause a problem.
If I can download attachments in OWA after this change, does it mean that everything is okay?
Hello @Jax Planet ,
Yes I think it wouldn't. Since you don't have to modify any other settings or features. You might keep the domain as a blank except having the DNS records required.
I could understand your concerns, but it's hard to say how to foresee the issues. Maybe you could use some AD or defender to protect it.
I will consider the download domain as a normal domain but has no server functions. And from the steps of enabling the download domain, I didn't see a resonable issues.
If I can download attachments in OWA after this change, does it mean that everything is okay?
Yeah and make sure it obeys this part: "Check the URL for the image when it opens in a new tab. It should be the configured Download Domain. This confirms that the Download Domain is enabled."
Best regards,
Lou
Hi @Jax Planet ,
Do the suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark the helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
If you are still stuck in this issue, please feel free to post your questions.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.