Exchange 2013 and Exchange 2010 SP2 RU4 Address Compliance Issues

IT pros usually don't enjoy applying updates and fixes to existing software because of the chance that such "fixes" could introduce new problems. (We've all seen it happen.) So when those updates come with welcome new features, it makes the process just a little sweeter, and could even get IT shops to fast-track the implementation. Such is the case with Update Rollup 4 (RU4) for Microsoft Exchange Server 2010 SP2 because of the new support for retention policies on Calendar and Tasks.

In versions of Exchange 2010 prior to RU4, you can't apply retention tags or policies either to individual calendar or task items or to the main Calendar folder or Tasks folder. So, businesses with particularly stringent retention needs for compliance might be running into trouble relying only on Exchange's built-in features. Of course, third-party vendors that provide e-discovery or compliance solutions will tell you that Exchange 2010's retention and compliance features are limited even in the best of cases.

Nonetheless, the calendar and tasks update in RU4 is certainly being met with approval; many Exchange users have clearly been waiting for this feature. If you're using retention policies already, Calendar and Tasks will inherit the Default Policy Tag (DPT) automatically. However, you can exclude these folders from the DPT through a registry hack, if necessary, to avoid unexpected results for your end users. The process is explained in the Exchange Team Blog post about this update by Ross Smith IV.

Exchange 2010 retention policies should be used as part of an overall company email retention policy -- in which case, note that your policy might include both retention and deletion, as well as archiving if you're using the Personal Archives feature also included with Exchange 2010. Some companies (such as mine) will prefer to have mailboxes purged of older content that is not specifically required to be kept for legal reasons, rather than archiving the data. Less data in storage means less trouble (i.e., time and expense) finding what is required when slapped with an e-discovery request.

So, with the retention policies in Exchange 2010, you have the following options for action on an item that has met it's time limit:

The EHLO blog explains in detail how the time limit is figured for calendar and task items, since these same options now apply to them with RU4. The "mark as past retention limit" option simply sends a flag to the end user about a given item; naturally, this is a weak option in terms of compliance, relying on the end user to take action, but might be acceptable in some, probably smaller, organizations.

The New Exchange, as the Exchange 2013 Preview is being called in some quarters, adds new compliance and data protection features, specifically with the implementation of data loss prevention (DLP). Similar to retention policies, DLP lets you monitor email content, through the use of policies, for "sensitive" data, such as credit card numbers or social security numbers that you don't want being transferred outside the organization.

DLP in Exchange 2013 is based on Exchange Transport Rules. When a policy violation is detected, you can have the system take actions such as sending the message for mediation, returning it to the sender (with explanation of the policy violation), or simply suppressing the message. Interestingly, Outlook 2013 will be DLP-aware as well so that it can provide warnings similar to MailTips about possible policy violations prior to sending a message.

So, although Exchange probably isn't the best solution for all your compliance and retention needs -- particularly if you find yourself in a heavily litigious environment -- the Exchange team is clearly addressing these needs as they develop out the product. Maybe that gives you more reason to think about applying that update or considering an upgrade. If you're considering third-party solutions for compliance, Sherpa Software recently released a white paper that compares Sherpa's Discovery Attender to Exchange. This paper is worth reading if for nothing else because it clearly outlines what Exchange 2010 does and doesn't do in preparing your organization for e-discovery.

You can read more about Exchange 2010 SP2 RU4 in Tony Redmond's post. And you can download the RU4 update from the Microsoft Download Center. And meanwhile, feel free to let us know how you maintain compliance in your organizations and what you think of these changes -- leave a comment below, connect on Twitter, or send an email.

Follow B. K. Winstead on Twitter at @bkwins
Follow Windows IT Pro on Twitter at @windowsitpro