Exchange 2016 CU13 has been released to the Microsoft download centre! Exchange 2016 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously. CUs are a complete installation of Exchange 2016 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 has the same servicing methodology.
This is build 15.01.1779.002 of Exchange 2016 and the update is helpfully named ExchangeServer2016-x64-CU13.iso which allows us to easily identify the update. Details for the release are contained in KB 4488406.
Exchange 2007 is no longer supported, updates are not provided once a product has exited out of extended support.
Exchange 2010 will transition out of support on the 14th of January 2020.
Updates Of Particular Note
This update provides a security advisory in Microsoft Exchange. For more information, see Security Advisory ADV190018.
Modern Authentication will NOT be released for Exchange on-premises. Exchange hybrid is required. This is a different strategy than what was originally outlined for Exchange on-premises in June 2017.
The latest DST updates for Exchange 2016 are included.
Exchange 2016 CU12 decreased Exchange Rights in the Active Directory. This is covered in KB 4490059 — Reducing permissions required to run Exchange Server by using Shared Permissions Model. CU13 has additional changes to further limit the rights Exchange has to AD. There is a deny ACE on the DNS admins group along with removing the right for Exchange to assign SPNs.
In order to apply these changes, a directory admin will need to run the cumulative update setup program with the /PrepareAD parameter. When multiple Exchange versions co-exist in a single Active Directory forest, the cumulative update matching the latest version of Exchange deployed should be used to run /PrepareAD. If there are multiple domains in the environment, /PrepareDomain needs to be executed in the additional domains.
Exchange Online received a feature in 2018 to allow admins to control which users could see the public folder list in Outlook. This feature is included in Exchange 2019 CU2 and Exchange 2016 CU13.
.NET Framework 4.7.2 is required at a minimum, and support for .NET 4.8 has been added with CU13. .NET 4.8 will be a requirement for future CUs. Plan to upgrade in the near future.
Details are listed in the Exchange Server prerequisites. Also note the requirement for Visual C++ Redistributable Package for Visual Studio 2013.
- 4502154 Providing information to administrators when auto forward limit is reached in Exchange Server 2016
- 4502155 “The primary SMTP address must be specified when referencing a mailbox” error when using impersonation in Exchange Server 2016
- 4502156 Audit logs aren’t updated when “-WhatIf” is used as $false in the command in Exchange Server 2016
- 4502157 The Find command not returning the HasAttachments element in Exchange Server 2016
- 4502158 SyncFolderItems contains duplicated ReadFlagChange items in Exchange Server 2016
- 4502131 “TLS negotiation failed with error UnknownCredentials” error after updating TLSCertificateName on Office 365 send connector in Exchange Server 2016 hybrid environment
- 4502132 Can’t reply to old emails after migration even though old legacyExchangeDN is set to migrated mailbox in Exchange Server 2016
- 4502136 The response of FETCH (BODYSTRUCTURE) command of IMAP violates RFC 3501 in Exchange Server 2016
- 4502140 Can’t preview an eDiscovery search when there are multiple domains in Exchange Server 2016
- 4502141 Appointment that’s created by responding to an email message doesn’t show in any of Outlook calendar views in Exchange Server 2016
- 4502133 Can’t use Outlook on the web to reply a partner email through mutual TLS in Exchange Server 2016
- 4488396 Can’t search any results in manually added shared mailbox in Outlook in Exchange Server 2016
- 4488078 Public folder contact lists don’t show contact’s profile picture in Outlook on the web in Exchange Server 2016
- 4499503 Heavy organizational forms traffic due to materialized restriction when organization forms library has more than 500 items in Exchange Server 2016
- 4503027 Description of the security update for Microsoft Exchange Server 2019 and 2016: June 11, 2019
Some Items For Consideration
Exchange 2016 follows the same servicing paradigm for Exchange 2013 which was previously discussed on the blog. The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2016 installation to this CU. Cumulative Updates are well, cumulative. What else can I say…
Customers with a hybrid Exchange deployment, must keep their on-premises Exchange servers updated to the latest update or the one immediately prior ( N or N-1).
Test the CU in a lab which is representative of your environment
Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server
Follow your organisation’s change management process, and factor the approval time into your change request
Provide appropriate notifications as per your process. This may be to IT teams, or to end users.
After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange. If you uninstall this cumulative update package, Exchange is removed from the server.
Place the server into SCOM maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
I personally like to restart prior to installing CUs. This helps identifies if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations. 3rd party AV products are often guilty of this
Restart the server after installing the CU
Ensure that all the relevant services are running
Ensure that event logs are clean, with no errors
Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment. This includes archive, backup, mobility and management services.
Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application. FIM and 3rd party user provisioning solutions are examples of the latter.
Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. See KB981474.
Disable file system antivirus prior to installing. Do this through the appropriate console. Typically this will be a central admin console, not the local machine.
Verify file system antivirus is actually disabled
Once server has been restarted, re-enable file system antivirus.
Please enjoy the update responsibly!
What do I mean by that? Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment. Additionally you will need to test the CU your lab which is representative of your production environment.