Exchange 2019 CU12 has been released to the Microsoft Volume Licensing Center and the public Microsoft Download site! Exchange 2019 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously. CUs are a complete installation of Exchange 2019 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 and 2016 have the same servicing methodology.
Previously Exchange 2019 updates were only available through the Volume Licensing Centre. This was changed during the March 2021 Hafnium attack.
Details for the release are contained in KB 5011156.
Updates Of Particular Note
This CU contains the latest security updates at the time of release, specifically the recently released updates for Hafnium and additional security issues that were addressed throughout 2021.
The latest DST time zone updates are also included.
With this release of Exchange 2016 and 2019, changes have been made to the servicing model. The number of CUs that will be released in a given calendar year will be reduced to two. This will be a H1 and H2 release which will ship approximately in April and October. Exact dates may vary. There will still be security releases to address those issues. Reducing the CUs to two per year allows a longer coexistence period and less work for admins overall to keep on-premises Exchange updated. The next CU for Exchange 2019 will be the H2 release later this year.
Exchange 2019 CU12 has multiple new additional features that were also announced today. Perhaps the most anticipated was a mechanism to remove the last Exchange server when all mailboxes are in Exchange Online. Note that there are a series of caveats with this, and needs to be fully explored. Will do an additional post on this in the near future. Please refer to Manage recipients in Exchange Server 2019 Hybrid environments.
Exchange 2019 is now eligible to receive a zero dollar hybrid server license. Previously this was only available for older versions and Exchange 2019 had to be licensed through volume licensing.
Exchange 2019 adds support for MFA enabled admin credentials to the Hybrid Agent cmdlets.
Support is added for Windows Server 2022. This allows Exchange 2019 to be installed onto the Windows Server 2022 platform. CU12 also adds support for Windows Server 2022 DCs. Please review the exact details in the Exchange Server supportability matrix.
On the topic of Windows 2022, this adds an interesting issue for TLS. Windows Server 2022 uses TLS 1.3 by default and this is not currently supported by Exchange 2019. Support will be added in a subsequent CU in 2023.
This CU still has the Autodiscover EventID 1 error in the Application event log. See KB 4532190 for details.
Note as of September 2020 the Exchange 2019 sizing calculator can be downloaded manually from: https://aka.ms/excalc
Previously it was only available via the Exchange 2019 CU media.
This cumulative update also fixes the issues that are described in the following Microsoft Knowledge Base articles:
- 5012757 "Migration user... can't be found" error when using Start-MigrationUser after batch migration fails
- 5012758 Start-MailboxAssistant is not available in Exchange Server 2019
- 5012760 You can't access OWA or ECP after installing the July 2021 security update
- 5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
- 5012762 PST creation is unexpectedly triggered again during multiple mailbox export
- 5012765 Email stuck in queue starting from "2022/1/1 00:01:00 UTC+0" on all Exchange on-premises servers
- 5012766 Transport Services fail repeatedly because of * Accepted Domain
- 5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
- 5012770 No response from public folder for users migrating to Microsoft Exchange 2019
- 5012772 Items are skipped at the start of a new search page request
- 5012773 OWAMailboxPolicy is bypassed and high resolution profile images can be uploaded
- 5012774 Can't change default path for Trace log data in Exchange Server 2019 and 2016
- 5012775 No additional global catalog column in the address book service logs
- 5012776 Exchange Server 2019 help link in OWA redirects users to online help for Exchange Server 2016
- 5012777 Can’t find forwarded messages that contain attachments in Exchange Server 2019
- 5012778 Exchange Server stops responding when processing PDF files with set transport rule
- 5012779 Invalid new auth certificate for servers that are not on UTC time zone
- 5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
- 5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
- 5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
- 5012783 Can't restore data of a mailbox when LegacyDN is empty in the database
- 5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save "Custom Attributes" changes in EAC
- 5012785 Read Only Domain Controllers (RODCs) in other domains do not get desired permissions
- 5012786 Forwarded meeting appointments are blocked or considered spam
- 5012787 Download domains created per CVE-2021-1730 don’t support AD FS authentication in OWA
- 5012789 Can't use Copy Search Results after eDiscovery & Hold search
- 5012790 OWA doesn’t remove the "loading" image when a message is opened in Chrome and Edge browsers
- 5012791 MailboxAuditLog doesn't work in localized (non-English) environments
- 5012829 Group metrics generation fails in multidomain environment
Some Items For Consideration
Exchange 2019 follows the same servicing paradigm for Exchange 2013 and 2016 which was previously discussed on the blog. The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2019 installation to this CU. Cumulative Updates are well, cumulative. What else can I say…
Customers with a hybrid Exchange deployment, must keep their on-premises Exchange servers updated to the latest update or the one immediately prior ( N or N-1).
Test the CU in a lab which is representative of your environment
Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server
Follow your organisation’s change management process, and factor the approval time into your change request
Provide appropriate notifications as per your process. This may be to IT teams, or to end users
- Run the Exchange Health Check Script against all servers, and ensure there are no issues prior. Always download the latest version from https://aka.ms/ExchangeHealthChecker
- Generally you do not have to re-run the Exchange Hybrid Configuration Wizard as part of a CU update, thought it is prudent to have this as a contingency aspect of your change. If you do not have the required permission in Exchange Online, list a person who does as part of the change should it be required
After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange. If you uninstall this cumulative update package, Exchange is removed from the server
Place the server into SCOM (or whatever is used) maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
I personally like to restart prior to installing CUs. This helps identifies if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations. 3rd party AV products are often guilty of this
Restart the server after installing the CU
- Ensure that any Exchange security updates are installed
Ensure that all the relevant services are running
Ensure that event logs are clean, with no errors
Re-Run the Exchange Health Check Script
Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment. This includes archive, backup, mobility and management services
Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application. FIM and 3rd party user provisioning solutions are examples of the latter
Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. See this article on setting PowerShell to Unrestricted
Disable file system antivirus prior to installing. Do this through the appropriate console. Typically this will be a central admin console, not the local machine
Verify file system antivirus is actually disabled
Once server has been restarted, re-enable file system antivirus
Please enjoy the update responsibly!
What do I mean by that? Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment. Additionally you will need to test the CU your lab which is representative of your production environment.