BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Exchange 2010 contained several helpful compliance and e-discovery features, but they were more a stepping stone...
to what's available in Exchange 2013. This tip details how those features have been improved in Exchange 2013 and the benefits gained. It also includes an example walkthrough of how they can be put into action.
Check out more new features of Exchange 2013
Improve compliance with Exchange 2013's Data Loss Prevention feature
Exploring the Exchange Administration Center
Exchange 2013 site mailboxes
When it comes to compliance, Exchange Server traditionally hasn't been considered strong enough to meet the needs of most companies who need to retain email for legal reasons. In Exchange 2010, Microsoft introduced the legal hold and discovery search features to achieve what the company refers to as "immutability."
This essentially means that once it's in Exchange, it's possible to make sure that the content cannot be modified; even if a user edits or deletes a message, the original is retained within Exchange. This "in-place hold" means that instead of needing a separate store for all content that should be kept for compliance purposes, admins can leave everything where it is -- within Exchange -- and know that it is available for discovery if needed at a later date.
Compliance improvements in Exchange 2013
In Exchange 2013, the compliance and e-discovery feature set has been significantly overhauled to the point that it is a practical option over third-party products. In fact, these features are so improved that it's not unreasonable to imagine that they'll be a key to Exchange 2013 adoption, especially when combined with SharePoint 2013 and Lync 2013.
Although legal hold remains in Exchange 2013, it's now a deprecated feature. Both legal hold and multi-mailbox search have been replaced by the new In-Place eDiscovery & Hold section, which is found within the Compliance Management section of the Exchange Administration Center (EAC); you'll also find the corresponding PowerShell cmdlets there as well.
While the consolidation of features is a major improvement, it's how they work that's really impressive. In Exchange 2010, legal hold was an all-or-nothing feature. Admins could enable it for mailboxes on a case-by-case basis, but didn't have granular control over it.
In Exchange 2013, admins can define a scope when implementing an in-place hold, then let it do the heavy lifting for them:
- Indefinite hold -- This option lets admins put entire mailboxes on hold indefinitely.
- Query-based hold -- This option lets admins place items that match a set of criteria on hold. This includes keywords within the message, senders, recipients and more.
- Time-based hold -- As the name suggests, this option lets admins place messages on hold for a specified amount of time.
Limiting duplicate messages
You can also ensure that duplicate messages -- such as when people mail distribution lists, multiple recipients or send and receive a message -- are only shown once.
Not only do admins have the option to select specific mailboxes to include within the scope, but they can also choose to put everything contained within them on hold. Additionally, entire distribution groups can be placed on hold.
Compliance improvements don't end with in-place hold. The multi-mailbox search feature has been enhanced in Exchange 2013 as well. The main improvement you'll notice is that you can now preview search results, then view the items within the preview. Gone are the days of copying items and viewing them elsewhere. You still have the option to copy those items to a Discovery Search mailbox for export, but the preview feature helps when determining if your selected scope is appropriate.
In Exchange 2013, admins can also now perform multiple searches and holds that not only target different mailboxes, but also simultaneously include different scopes on those same sets of mailboxes. For example, users in one department may have a hold against all items in their mailboxes for a predetermined amount of time, while a company-wide hold is in place for specific keywords and a different amount of time.
In-place e-discovery and holds in action
Now that you've got a better understanding of in-place hold and e-discovery improvements in Exchange 2013, let's see what they look like when put into action. The following is an example scenario where we've been tasked with the following:
- Hold all mail for all users in the Finance department for at least six years; and
- Due to a case in progress, we must search for any messages within the organization that include the words Contoso, terms, business, trade or contract.
To begin, open the EAC and ensure that the correct rights are in place. If not set already, make certain the admin has been added to the Discovery Management role group (Figure 1).
Next, navigate to the Compliance Management section. To create the first search, choose the Add icon (+) within the In-Place eDiscovery & Hold section (Figure 2):
We can now create our new in-place discovery and hold. Let's name it Finance 6-year hold. Now, let's configure it to match our business requirements.
Under "Mailboxes," add the finance department's distribution group under "Specify mailboxes to search" (Figure 3).
On the Search query page, choose to "Include all user mailbox content" (Figure 4).
Now, in the In-Place Hold settings section, set the number of days to hold items to 2192 (accounting for two leap years) and click Finish (Figure 5).
We can now see that our new hold for the finance department is saved and that it estimates the search and hold results. When the estimate is complete, we can preview exactly what we're putting on hold. To do so, select the Search drop-down menu and click Preview Search Results (Figure 6).
We can now see the eDiscovery Search Preview, which displays all the mailboxes the query will place on hold (Figure 7).
Now let's create the in-place discovery on the aforementioned Contoso case. To recap, we're searching for anything mentioning Contoso along with the words terms, business, trade or contract.
Navigate to the Mailboxes page, name the new hold Contoso Case, then click Search all mailboxes (Figure 8).
On the Search Query page, click Filter based on criteria and enter the following: Contoso AND (Terms OR Business OR Trade OR Contract) (Figure 9).
In this case, our criteria are not particularly complicated, but allow a range of options using the Keyword Query Language (KQL) syntax that's documented on the Microsoft website.
To save the new in-place discovery, click Finish and wait for the estimate to complete on the main In-Place eDiscovery & Hold page in the EAC (Figure 10).
As you can see in Figure 10, not only did we receive an estimate of the amount of data, but we can also view statistics against the keywords searched for. This gives us a good idea of how successful the search was, and if our scope was too small or large.
Before exporting these results for the legal team, let's do a quick preview like we did for our 6-year hold (Figure 11).
As you can see, we have a solid preview that looks as though it will be useful. It includes results from mailboxes we've placed on hold, as well as mailboxes that aren't within the scope.
If you're happy with the results, export them to a Discovery Search Mailbox. To do so, navigate back to the EAC, click the Search drop-down menu and click Copy Search Results (Figure 12).
We should now deduplicate these search results in order to reduce what the legal team needs to sift through. We should also enable full logging. By doing so, we can provide an Excel-compatible CSV file that contains information about the messages. This includes whether the message was read, message IDs and other information that helps ensure that we can prove that the exported data is valid (Figure 13).
After the search is complete, open the Discovery Search mailbox (Figure 14).
Upon opening the Discovery Search mailbox you'll see that copies of the individual messages are shown and there is a subfolder that is specific to the case and the search that was just performed (Figure 15).
The key benefit here is that we've reduced the number of messages that need to be examined. There is a view of each conversation and all the messages within it. You don't see a copy of each carbon copied message or sent message.
The changes within Exchange 2013's in-place hold and discovery features are a massive improvement over previous versions. With these enhancements, it's safe to say that many compliance scenarios that today's businesses may encounter can be met using built-in functionality within Exchange 2013, and that third-party products are less necessary than ever before.
About the author
Steve Goodman is an Exchange MVP, and works as a technical architect for one of the UK's leading Microsoft Gold partners, Phoenix IT Group. Goodman has worked in the IT industry for 14 years and has worked extensively with Microsoft Exchange since version 5.5.