Why Is The Exchange Security Update Not Installed?

The issue of "Why is the Exchange Security Update not installed?" has popped up frequently over the last few months due to the number of security releases for on-premises Exchange.

Due to Hafnium, security teams have increased the monitoring of Exchange to make sure that it is fully patched.  In some of these cases, the Exchange and server admins think that they are all good as they run Windows Update, install the updates and are done.  In reality that is not enough.  Windows Update will only offer available updates, and if your version of Exchange is no longer supported then there are no updates to receive and you remain vulnerable.

Typically the security team runs a compliance analysis against the server, notes that the updates are missing and sends a ticket to the messaging administrators.  It is at that point the gap is closed, but servers remain vulnerable prior to the installation of the updates.

How Did We Get Here

What led us to this position?  In numerous cases it is due to the admins running Windows Update and thinking they are done when it looks like the below – there are no more updates to install and your device is up to date.  The option to install updates for other Microsoft products is selected so Exchange updates are in scope.

Windows Settings - No Pending Updates

If we look at the details of what is actually installed, note that the October Exchange security update is NOT installed.

This is true for both the current and classic control panel.

Windows Settings - Update History

Note below, that the July 2021 Exchange security update is installed.  At the time of writing the October 2021 security update is available.

Classic Control Panel - No October Exchange Security Update

Unsupported CU

How come the security update is not installed?  This is because the server is running an old and unsupported Cumulative Update (CU).

At the time of writing this server has Exchange 2016 CU20 installed.  CU21 and CU22 are available.

Due to the N and N-1 support policy this means that CU20 no longer receives updates.
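The following PowerShell is an added example of how a security or messaging team can check this condition across a fleet before the compliance scan catches it; it is not code from this post and not Microsoft's health check script.  It reads the installed CU build from the Setup registry key that Exchange writes and compares it with a table of the currently supported N and N-1 CUs.  The build numbers in the table are an assumption written from memory and must be verified against Microsoft's published Exchange Server build number list before use; the table also has to be refreshed every time a new CU ships.

```powershell
# Added example: report Exchange 2016 servers whose CU is outside the N / N-1 support window.
# Servers outside the window will never be offered an Exchange Security Update by Windows Update.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# N and N-1 at the time of the post (CU22 = N, CU21 = N-1).
# ASSUMPTION: builds quoted from memory - verify against Microsoft's Exchange build number table
# and update this table whenever a new CU is released.
$SupportedBuilds = @{
    '15.1.2375' = 'Exchange 2016 CU22'
    '15.1.2308' = 'Exchange 2016 CU21'
}

function Get-ExchangeCuBuild {
    param([string]$Computer)
    # Exchange records the installed CU build here; a Security Update does not change these values,
    # so the first three parts (major.minor.build) identify the CU.
    $base  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $setup = $base.OpenSubKey('SOFTWARE\Microsoft\ExchangeServer\v15\Setup')
    if (-not $setup) { return $null }
    '{0}.{1}.{2}' -f $setup.GetValue('MsiProductMajor'),
                     $setup.GetValue('MsiProductMinor'),
                     $setup.GetValue('MsiBuildMajor')
}

foreach ($computer in $ComputerName) {
    try {
        $build = Get-ExchangeCuBuild -Computer $computer
    } catch {
        Write-Warning "$computer : could not read the registry ($($_.Exception.Message))"
        continue
    }

    if (-not $build) {
        Write-Warning "$computer : no Exchange v15 Setup key found - is Exchange installed here?"
        continue
    }

    if ($SupportedBuilds.ContainsKey($build)) {
        "$computer : build $build ($($SupportedBuilds[$build])) is a supported CU; Windows Update can offer Security Updates."
    } else {
        # This is the CU20 case from the post: the server looks fully patched in Windows Update but is not.
        Write-Warning "$computer : build $build is an unsupported CU. Windows Update will report 'up to date' while Exchange Security Updates are missing. Install a supported CU, then the latest SU."
    }
}
```

Run it from an account with remote registry access, for example `.\Test-ExchangeCuSupport.ps1 -ComputerName EX01,EX02`.  A supported CU is a precondition, not proof that the latest SU is installed; for that, still run the health check script the post describes.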

Rather than introducing unnecessary risk, the Exchange admins can run the Exchange health check script which is available from:


Ensure that you always download a new copy as it is constantly being updated.

Note that it states the CU is outdated.

Exchange Health Check Script - Outdated CU

As you can see below, the script clearly states that security updates are missing.

Exchange Health Check Script - Security Updates Missing

Please ensure that security updates are promptly installed for all elements in your messaging environment.  In order to receive these updates you must have a supported CU installed.



Rhoderick Milne [MSFT]
