Is Exchange Fully Updated? If Not, Go Update Now

The Exchange team just posted that the September 2021 updates are going to be slightly delayed.  The priority will always be to ship quality updates rather than force it out to meet a specific day.

You can look at the announcement, and Nino's additional comments here:

Delay of September 2021 Cumulative Update for Exchange Server - Microsoft Tech Community

This means that we have a little bit more time to make sure that Exchange is fully updated and is primed for the release of the next CU.

History has shown though that this is not always done, and was really highlighted during the March 2021 Hafnium issues.

Run Exchange Health Check Script

The Exchange Health Check Script makes it very easy to review the health of a single server or the entire environment.  There is a handy shortcut URL to memorise to get the script.


Always check to see if there is an updated script.

You will note below, that not all of the remediation work was done when it should have been earlier this year.

Exchange 2016 CU20 Installed - July 2021 Schema Updated Was NOT Done!

There were multiple issues to resolve in the July 2021 Exchange security updates.  In this case the AD DS schema was not updated as the latest CU was not installed onto the server.

In this lab, Exchange 2016 CU20 is installed.  This needs to be updated. With the release of the upcoming Autumn 2021 releases CU20 will no longer receive updates.  This is the standard N and N-1 support stance for Exchange updates.

Another item that was often skipped was the full implementation of the DownloadDomains restriction.
Please review and implement the remediation steps in CVE-2021-1730


Run the Exchange Health Check script, and go through the results in detail and take the time to install updates to .NET, Visual C++ runtime and the other components on the servers.



Rhoderick Milne [MSFT]


Leave a Reply

Your email address will not be published. Required fields are marked *