Exchange 2019 CU13 has been released to the Microsoft Volume Licensing Center and the public Microsoft Download site! Exchange 2019 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously. CUs are a complete installation of Exchange 2019 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 and 2016 have the same servicing methodology.
Previously Exchange 2019 updates were only available through the Volume Licensing Centre. This was changed during the March 2021 Hafnium attack.
Details for the release are contained in KB 5020999.
Previous Updates of Note
As a recap, Exchange 2019 CU12 introduced these changes. The new CU13 changes are in the next section.
The number of CUs that will be released in a given calendar year will be reduced to two. This will be a H1 and H2 release which will ship approximately in April and October. Exact dates may vary. There will still be security releases to address those issues. Reducing the CUs to two per year allows a longer coexistence period and less work for admins overall to keep on-premises Exchange updated. The next CU for Exchange 2019 will be the H2 release later this year.
Exchange 2019 CU12 has multiple new additional features that were also announced today. Perhaps the most anticipated was a mechanism to remove the last Exchange server when all mailboxes are in Exchange Online. Note that there are a series of caveats with this, and needs to be fully explored. Will do an additional post on this in the near future. Please refer to Manage recipients in Exchange Server 2019 Hybrid environments.
Exchange 2019 is now eligible to receive a zero dollar hybrid server license. Previously this was only available for older versions and Exchange 2019 had to be licensed through volume licensing.
Exchange 2019 adds support for MFA enabled admin credentials to the Hybrid Agent cmdlets.
Support is added for Windows Server 2022. This allows Exchange 2019 to be installed onto the Windows Server 2022 platform. CU12 also adds support for Windows Server 2022 DCs. Please review the exact details in the Exchange Server supportability matrix.
On the topic of Windows 2022, this adds an interesting issue for TLS. Windows Server 2022 uses TLS 1.3 by default and this is not currently supported by Exchange 2019. Support will be added in a subsequent CU in 2023.
Updates Of Particular Note
This CU contains the latest security updates at the time of release. The latest DST time zone updates are also included.
The biggest change is the introduction of Modern Authentication for a pure on-premises environment. Hybrid Modern Auth (HMA) was already possible, but as the name suggests it has a requirement for Exchange to be deployed in a hybrid configuration with Exchange Online.
On the surface this sounds great, but there are still caveats and considerations. It requires AD FS. This is unfortunate as the rest of the world are moving away from AD FS to native Azure authentication to minimise AD FS deployment issues and security challenges. But, if all you have is on-prem then there is not much else to do. On a posititive note, backend Exchange 2016 servers are supported as long as Exchange 2019 fronts the traffic.
It should also be noted that only Outlook on Windows currently supports Modern Auth, and the version of Outlook must also support Modern Auth.
Windows 11 with the March 2023 update is required.
Since additional parameters are added to the Authentication Policy, you should run /PrepareAD to ensure that Exchange is fully updated. This is not a new issue, and we have seen this multiple times before.
Exchange setup will attempt to preserve around 70 various configuration setting when a new CU is deployed. This helps with the previous frustration caused by the CU removing and copying in a vanilla config file, effectively discarding changes the admin had made.
The full list of settings that are preserved are documented here. The Exchange Setup Log details the actions taken, and you will see this log entry:
"Exchange Setup preserved the required configurations during upgrade. More details can be found in Exchangesetup.log located in <SystemDrive>:\ExchangeSetupLogs folder"
The backup of the preserved configuration files is stored in %ProgramFiles%\Microsoft\Exchange Server\V15\Config
in subfolders that using a naming format of v_<ExchangeVersion>_<Timestamp>
.
There are multiple fixes for issues caused with Extended Protection is enabled.
Note as of September 2020 the Exchange 2019 sizing calculator can be downloaded manually from: https://aka.ms/excalc
Previously it was only available via the Exchange 2019 CU media.
This CU still has the Autodiscover EventID 1 error in the Application event log. See KB 4532190 for details.
Issues Resolved
- 5027150 Enable Modern Auth for pure On-Premises Exchange users
- 5026134 “InvalidRecipientsException" when you try to run MRM
- 5026135 CertificateDeploymentServicelet failure in multiple domain forest Exchange deployments
- 5026136 Microsoft Exchange Transport doesn't re-encrypt IRM messages
- 5026138 Users receive reminders although the meeting reminder is set to None
- 5026139 You can't move the public folder mailbox
- 5026142 Journal message returns "ConversionFailedException"
- 5026143 OAB shadow distribution threshold must be reduced or made configurable
- 5026146 Expiry notification is sent to moderator and sender for approved and delivered messages
- 5026147 BlockLegacyAuthentication fail Organization Policy because of BackendRehydrationModule implementation
- 5026149 Group metrics generation doesn't finish in multidomain environment
- 5026150 Edge server Filtering Agent removes journal attachments
- 5026151 Oab-Processing-Threshold is set to 0 for On-Premises
- 5026152 Microsoft Exchange ActiveSync or Current Requests counter inaccurately counts requests
- 5026153 Delivery Flow Control setting override is now available
- 5026154 On-premises Exchange has 35MB file size limit for online archiving
- 5026155 "No support for this operation" error on an Exchange 2019 DAG member server
- 5026156 Outlook search fails in a shared On-Premises mailbox if the primary user mailbox is migrated to Exchange Online
- 5026158 The body of recurring meeting is not clear if it has Chinese characters
- 5026159 IconIndex returns Default value when Server Assisted Search is used in Outlook
- 5026266 "Could not start MS Exchange Service Host service" error and Exchange stops responding
- 5026267 OWA stops responding in an Exchange 2019 and 2016 coexistence topology
- 5026268 Store Worker process crashes and returns "System.NullReferenceExceptions" multiple times per day
- 5026269 Block deserialization error when using eDiscovery
- 5026271 IIS URL Rewrite Module link is incorrect
- 5026273 Outlook configuration fails in Android or iOS
- 5026274 Hybrid Agent Validation fails after Extended Protection is enabled
- 5026277 Mail configuration fails on iOS device after Extended Protection is enabled
- 5026278 Mailbox migration fails after Extended Protection is enabled
Some Items For Consideration
Exchange 2019 follows the same servicing paradigm for Exchange 2013 and 2016 which was previously discussed on the blog. The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2019 installation to this CU. Cumulative Updates are well, cumulative. What else can I say…
Customers with a hybrid Exchange deployment, must keep their on-premises Exchange servers updated to the latest update or the one immediately prior ( N or N-1).
-
Test the CU in a lab which is representative of your environment
-
Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server
-
Follow your organisation’s change management process, and factor the approval time into your change request
-
Provide appropriate notifications as per your process. This may be to IT teams, or to end users
-
Run the Exchange Health Check Script against all servers, and ensure there are no issues prior to installing the new CU. Always download the latest version from https://aka.ms/ExchangeHealthChecker -- though the script now does have an update function if your server has Internet access.
-
Generally you do not have to re-run the Exchange Hybrid Configuration Wizard as part of a CU update, thought it is prudent to have this as a contingency aspect of your change. If you do not have the required permission in Exchange Online, list a person who does as part of the change should it be required
-
After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange. If you uninstall this cumulative update package, Exchange is removed from the server
-
Place the server into SCOM (or whatever is used) maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
-
Place the server into Exchange maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
-
I personally like to restart prior to installing CUs. This helps identifies if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations. 3rd party AV products are often guilty of this
-
Restart the server after installing the CU
-
Ensure that any Exchange security updates are installed
-
Ensure that all the relevant services are running
-
Ensure that event logs are clean, with no errors
-
Re-Run the Exchange Health Check Script
-
Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment. This includes archive, backup, mobility and management services
-
Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application. FIM and 3rd party user provisioning solutions are examples of the latter
-
Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. See this article on setting PowerShell to Unrestricted
-
Disable file system antivirus prior to installing. Do this through the appropriate console. Typically this will be a central admin console, not the local machine
-
Verify file system antivirus is actually disabled
-
Once server has been restarted, re-enable file system antivirus
Please enjoy the update responsibly!
What do I mean by that? Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment. Additionally you will need to test the CU your lab which is representative of your production environment.
Cheers,
Rhoderick