
Exchange 2019 CU14 Released (2024 H1)

Exchange 2019 CU14 has been released to the Microsoft Volume Licensing Center and the public Microsoft Download site!  Exchange 2019 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.    CUs are a complete installation of Exchange 2019 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 and 2016 have the same servicing methodology.

Previously Exchange 2019 updates were only available through the Volume Licensing Centre.  This was changed during the March 2021 Hafnium attack.

Download Exchange 2019 CU14

Details for the release are contained in KB 5035606.

Update:  Note that there are issues after installing the March 2024 security update

Known Issues with Mar 2024 Security Updates:
https://support.microsoft.com/help/5037171

Windows has released an out-of-band (OOB) update to address a memory leak issue on a DC.

March 25, 2024—KB5037425 (OS Build 17763.5579) Out-of-band - Microsoft Support

 

Previous Updates of Note

As a recap, Exchange 2019 CU12 introduced these changes.  The new CU13 changes are in the next section.

The number of CUs that will be released in a given calendar year will be reduced to two.  This will be a H1 and H2 release which will ship approximately in April and October.  Exact dates may vary.  There will still be security releases to address those issues.  Reducing the CUs to two per year allows a longer coexistence period and less work for admins overall to keep on-premises Exchange updated.   The next CU for Exchange 2019 will be the H2 release later this year.

Exchange 2019 CU12 has multiple new features that were also announced today.  Perhaps the most anticipated was a mechanism to remove the last Exchange server when all mailboxes are in Exchange Online.  Note that there are a series of caveats with this, and they need to be fully explored.  I will do an additional post on this in the near future.  Please refer to Manage recipients in Exchange Server 2019 Hybrid environments.

Exchange 2019 is now eligible to receive a zero dollar hybrid server license.  Previously this was only available for older versions and Exchange 2019 had to be licensed through volume licensing.

Exchange 2019 adds support for MFA enabled admin credentials to the Hybrid Agent cmdlets.

Support is added for Windows Server 2022.  This allows Exchange 2019 to be installed onto the Windows Server 2022 platform.  CU12 also adds support for Windows Server 2022 DCs.  Please review the exact details in the Exchange Server supportability matrix.

On the topic of Windows 2022, this adds an interesting issue for TLS.  Windows Server 2022 uses TLS 1.3 by default and this is not currently supported by Exchange 2019.

Updates Of Particular Note

This CU contains the latest security updates at the time of release.  The latest DST time zone updates are also included.

As previously promised, Extended Protection is now required.  Regardless of whether the organisation is fully prepared (you have had two years), setup will enable Extended Protection on the local server when CU14 setup is run via the GUI installer, and also by default from the command line unless you manually add one of the new optional switches.  These switches are /DoNotEnableEP or /DoNotEnableEP_FEEWS.

Configuring Extended Protection is required to address CVE-2024-21410.  This requirement can be met by a fully updated CU13 version of Exchange on which the Extended Protection script was also run to protect the environment.  Alternatively, installing CU14 will deploy Extended Protection on the local server, though there are caveats.  The CU14 installer will NOT ensure that all servers are correctly configured for Extended Protection and that all scenarios have been reviewed.  This is why admins were instructed to do these steps last year so their environments were readied for CU14.
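Because CU14 setup only touches the local server, each server's resulting configuration is worth checking directly. The following is an added example, not part of the original post or of Microsoft's tooling: a read-only PowerShell audit of the IIS Extended Protection (`tokenChecking`) setting per application. It assumes the default Exchange IIS site names, and `Get-LocationSetting` is a hypothetical helper name.

```powershell
# Added example (not from the original post): read-only audit of Extended
# Protection settings on the local Exchange server. Run elevated.
Import-Module WebAdministration

# Assumption: the two IIS sites still carry their default Exchange names.
$sites   = 'Default Web Site', 'Exchange Back End'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# Hypothetical helper: read one attribute for an IIS location and unwrap it,
# because the cmdlet returns either a plain value or an attribute object.
function Get-LocationSetting {
    param([string]$Location, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $raw.Value) { $raw.Value } else { $raw }
}

$report = foreach ($site in $sites) {
    foreach ($app in Get-WebApplication -Site $site) {
        $location = "$site$($app.path)"          # e.g. Default Web Site/EWS
        [pscustomobject]@{
            Location      = $location
            WindowsAuth   = Get-LocationSetting $location $winAuth 'enabled'
            TokenChecking = Get-LocationSetting $location "$winAuth/extendedProtection" 'tokenChecking'
        }
    }
}

$report | Sort-Object Location | Format-Table -AutoSize

# Locations that accept Windows authentication without enforced channel
# binding; review each against Microsoft's Extended Protection guidance,
# since some virtual directories are intentionally not set to Require.
$report | Where-Object { $_.WindowsAuth -and $_.TokenChecking -ne 'Require' } |
    Select-Object -ExpandProperty Location
```

Run it on every Exchange server in the organisation and compare the output with the Exchange Health Checker results for the same server.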

TLS 1.3 support will be added in Exchange 2019 CU15.

Note as of September 2020 the Exchange 2019 sizing calculator can be downloaded manually from: https://aka.ms/excalc

Previously it was only available via the Exchange 2019 CU media.

Known issues in this cumulative update:  when using /PrepareAD or /PrepareSchema, the installer will report that Extended Protection was configured by the installer with the following message.

“Exchange Setup has enabled Extended Protection on all the virtual directories on this machine.”

Issues Resolved

  • 5035442 Exchange Mitigation Service does not log incremental updates
  • 5035443 Read receipts are returned if ActiveSyncSuppressReadReceipt is "True" in Exchange Server 2019
  • 5035444 System.argumentnullexception when you try to run an eDiscovery search
  • 5035446 OAB shadow distribution fails if legacy authorization is blocked
  • 5035448 MCDB fails and leads to lagged copy activation
  • 5035450 Exchange 2019 setup installs an outdated JQuery library
  • 5035452 Usernames are not displayed in Event ID 23 and 258
  • 5035453 Issues in Exchange or Teams when you try to delegate information
  • 5035455 MSExchangeIS stops responding and returns "System.NullReferenceExceptions" multiple times per day
  • 5035456 "Deserialization blocked at location HaRpcError" error and Exchange replication stops responding
  • 5035493 FIP-FS Proxy Customizations are disabled after a CU or an SU update
  • 5035494 Modern attachment doesn't work when web proxy is used in Exchange Server 2019
  • 5035495 OWA displays junk operations even if junk mail reporting is disabled
  • 5035497 Edit permissions option in the ECP can't be edited
  • 5035542 Remote equipment and room mailboxes can now be managed through EAC
  • 5035616 Logon events failure after updating Windows Server
  • 5035617 Transport rules aren't applied to multipart or alternative messages
  • 5035689 "High %Time in GC" and EWS doesn't respond

Some Items For Consideration

Exchange 2019 follows the same servicing paradigm as Exchange 2013 and 2016, which was previously discussed on the blog.  The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2019 installation to this CU.  Cumulative Updates are, well, cumulative.  What else can I say…

Customers with a hybrid Exchange deployment must keep their on-premises Exchange servers updated to the latest update or the one immediately prior (N or N-1).

  • Test the CU in a lab which is representative of your environment

  • Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server

  • Follow your organisation’s change management process, and factor the approval time into your change request

  • Provide appropriate notifications as per your process.  This may be to IT teams, or to end users

  • Run the Exchange Health Check Script against all servers, and ensure there are no issues prior to installing the new CU. Always download the latest version from https://aka.ms/ExchangeHealthChecker -- though the script now does have an update function if your server has Internet access.
  • Generally you do not have to re-run the Exchange Hybrid Configuration Wizard as part of a CU update, though it is prudent to have this as a contingency aspect of your change.  If you do not have the required permission in Exchange Online, list a person who does as part of the change should it be required
  • After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange. If you uninstall this cumulative update package, Exchange is removed from the server

  • Place the server into SCOM (or whatever is used) maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

  • Place the server into Exchange maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

  • I personally like to restart prior to installing CUs.  This helps identify whether an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations.  3rd party AV products are often guilty of this

  • Restart the server after installing the CU

  • Ensure that any Exchange security updates are installed
  • Ensure that all the relevant services are running

  • Ensure that event logs are clean, with no errors

  • Re-Run the Exchange Health Check Script

  • Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment.  This includes archive, backup, mobility and management services

  • Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application.  FIM and 3rd party user provisioning solutions are examples of the latter

  • Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed.  See this article on setting PowerShell to Unrestricted

  • Disable file system antivirus prior to installing. Do this through the appropriate console.  Typically this will be a central admin console, not the local machine

  • Verify file system antivirus is actually disabled

  • Once server has been restarted, re-enable file system antivirus
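Several of the checklist items above can be verified from the shell rather than by eye. The following is an added example, not from the original post: read-only PowerShell checks intended for the Exchange Management Shell on the server being updated, run once before setup and again after the post-install restart. The variable names are illustrative.

```powershell
# Added example (not from the original post): read-only pre/post CU checks.
$server = $env:COMPUTERNAME

# Pending file rename operations are a reason to restart before running setup.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
    -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$pendingRenames = [bool]$sm.PendingFileRenameOperations

# Execution policy at every scope, to confirm what setup will actually see.
$policy = Get-ExecutionPolicy -List

# Installed build, to confirm the CU (and any later SU) took effect.
$build = Get-ExchangeServer -Identity $server | Select-Object Name, AdminDisplayVersion

# Roles whose required services are not all running.
$serviceGaps = Test-ServiceHealth | Where-Object { -not $_.RequiredServicesRunning }

# Components still inactive, i.e. the server is still in maintenance mode.
$inactive = Get-ServerComponentState -Identity $server |
    Where-Object { $_.State -ne 'Active' }

# Critical (1) and Error (2) events in the Application log since the last boot.
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2; StartTime = $boot } `
    -ErrorAction SilentlyContinue

"Pending file renames : $pendingRenames"
$policy      | Format-Table -AutoSize
$build       | Format-List
$serviceGaps | Format-List Role, ServicesNotRunning
$inactive    | Format-Table Component, State -AutoSize
$errors | Group-Object ProviderName | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize
```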

Please enjoy the update responsibly!

What do I mean by that?  Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment.  Additionally you will need to test the CU in your lab which is representative of your production environment.

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

2 Comments

  1. Hi Rhoderick, FRIL Correction, --> run this switch /DoNotEnableEP_FEEWS if you have Modern Hybrid not /DoNotEnableEPFEEW 🙂
