Exchange 2019 CU11 Released

Exchange 2019 CU11 has been released to the Microsoft Volume Licensing Center and the public Microsoft Download site!  Exchange 2019 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.    CUs are a complete installation of Exchange 2019 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 and 2016 have the same servicing methodology.

Previously Exchange 2019 updates were only available through the Volume Licensing Centre.  This was changed during the March 2021 Hafnium attack.

Download Exchange 2019 CU11

Details for the release are contained in KB 5005334.

Updates Of Particular Note

This CU contains the latest security updates at the time of release, specifically the recently released updates for Hafnium.

Note that there are changes to the setup routine and the required prerequisites.  Please see this post for more details.  IIS URL Scan is required to support the new Exchange Emergency Mitigation (EM) service.  Setup was also changed to allow admins to control whether Exchange diagnostic data is sent to Microsoft.  This setup option is managed via a different UI and command line parameter.

Please see this post which announced the Emergency Mitigation service, and the subsequent follow up which was released to address feedback and concerns.

There have been issues when only some of the Exchange servers behind a load balancer were updated due to security changes in the previous Exchange security update.  Since the security fixes are included in this CU, you need to be aware of this issue.  A note was added to the items for consideration section below to run the Exchange Health Check script to help verify the environment’s status prior to launching the CU setup.  This would have caught issues such as expired OAUTH certificate.  A knock on issue is the subsequent need to re-run the Exchange Hybrid Configuration Wizard and this posed challenges in some environments where the person performing the change did not have Exchange Online administrative permissions.

Note that there are some known issues when preparing AD which are discussed in the release KB.  There are additional operations required for multiple domain environments where /PrepareAD needs to be executed manually in the other domains.

This CU still has the Autodiscover EventID 1 error in the Application event log.  See KB 4532190 for details.

Note as of September 2020 the Exchange 2019 sizing calculator can be downloaded manually from: https://aka.ms/excalc

Previously it was only available via the Exchange 2019 CU media.

Issues Resolved

This cumulative update also fixes the issues that are described in the following Microsoft Knowledge Base articles:

  • 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
  • 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
  • 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
  • 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
  • 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
  • 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
  • 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
  • 5006990 Exchange CU installation fails after you configure fallback to use default character set (5006990)
  • 5006991 Mail quota warning messages no longer sent daily in Exchange Server 2019 (KB5006991)
  • 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
  • 5006993 Can't log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
  • 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (5006994)
  • 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
  • 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
  • 5006997 Korean messages in OWA display "From" as "Start date" after you filter the list in Exchange Server 2019 and 2016
  • 5006999 "401" error and Outlook repeatedly prompts for credentials in Exchange Server 2019 (KB5006999)
  • 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
  • 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)
  • 5007044 Start-MailboxAssistant not available in EMS in Exchange Server 2019 (KB5007044

Some Items For Consideration

Exchange 2019 follows the same servicing paradigm for Exchange 2013 and 2016 which was previously discussed on the blog.  The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2019 installation to this CU.  Cumulative Updates are well, cumulative.  What else can I say…

Customers with a hybrid Exchange deployment, must keep their on-premises Exchange servers updated to the latest update or the one immediately prior ( N or N-1).

  • Test the CU in a lab which is representative of your environment
  • Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server
  • Follow your organisation’s change management process, and factor the approval time into your change request
  • Provide appropriate notifications as per your process.  This may be to IT teams, or to end users
  • Run the Exchange Health Check Script against all servers, and ensure there are no issues prior.  Download the latest version from https://aka.ms/ExchangeHealthChecker
  • Generally you do not have to re-run the Exchange Hybrid Configuration Wizard as part of a CU update, thought it is prudent to have this as a contingency aspect of your change.  If you do not have the required permission in Exchange Online, list a person who does as part of the change should it be required
  • After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange. If you uninstall this cumulative update package, Exchange is removed from the server
  • Place the server into SCOM (or whatever is used) maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
  • Place the server into Exchange maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
  • I personally like to restart prior to installing CUs.  This helps identifies if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations.  3rd party AV products are often guilty of this
  • Restart the server after installing the CU
  • Ensure that any Exchange security updates are installed
  • Ensure that all the relevant services are running
  • Ensure that event logs are clean, with no errors
  • Re-Run the Exchange Health Check Script
  • Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment.  This includes archive, backup, mobility and management services
  • Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application.  FIM and 3rd party user provisioning solutions are examples of the latter
  • Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed.  See this article on setting PowerShell to Unrestricted
  • Disable file system antivirus prior to installing. Do this through the appropriate console.  Typically this will be a central admin console, not the local machine
  • Verify file system antivirus is actually disabled
  • Once server has been restarted, re-enable file system antivirus

Please enjoy the update responsibly!

What do I mean by that?  Well, you need to ensure that you are fully informed about the caveats with the CU  and are aware of all of the changes that it will make within your environment.  Additionally you will need to test the CU your lab which is representative of your production environment.



Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *