Today we are announcing the availability of Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019. These CUs include fixes for customer reported issues along with all previously released Security Updates (SUs), including the updates released in the March 2022 SUs. A full list of fixes is contained in the KB article for each CU, but we also want to highlight some important changes.
We’re thrilled to announce the availability of new features in the CU for Exchange Server 2019, such as an updated Exchange Management Tools role that enables customers who run Exchange server(s) only for recipient management purposes to shut down their last Exchange server(s) and use Windows PowerShell for recipient management. We’re also excited to announce a change to the hybrid server license for Exchange Server 2019, as detailed below.
Servicing Model Changes
First, we’d like to share some changes to how we deliver updates (aka our servicing model) for Exchange Server. Historically, we have released quarterly CUs in March, June, September, and December. Customers have told us this is too frequent and that it hinders their ability to stay current (which for Exchange hybrid customers is a requirement). Customers also tell us that December is not a good time to release a CU, which is why we didn’t release any in December 2021.
Today, we are announcing changes to our update delivery model for Exchange Server. We are moving to a release cadence of two CUs per year – releasing in H1 and H2 of each calendar year, with general target release dates of March and September. But our release dates are driven by quality, so we might release updates in April or October, or some other month, depending on what we’re delivering.
The next CU will be released in H2 of 2022, and it will be for Exchange Server 2019 only; mainstream support has ended for Exchange Server 2013 and Exchange Server 2016. We will release SUs as needed while those versions are in extended support.
A CU release every 6 months might be too long to wait for some updates, so we may also release hotfixes between CU releases.
With these service model changes, being current still means running the latest CU or the one immediately preceding it (N or N-1), but the ‘currency window’ is now extended from 6 months to 1 year.
Exchange Management Tools Update
Until today, organizations that have all their mailboxes in Exchange Online and use Active Directory (AD) for identity management must have a running Exchange server in their environment in order to perform recipient management activities.
Today, we are excited to announce that Exchange Server 2019 CU12 includes an updated Exchange Management Tools role designed to address the specific customer scenario where an Exchange server is run only because of recipient management requirements.
The updated Management Tools role eliminates the need to have a running Exchange server for recipient management in this scenario. If you have only a single Exchange server that you use only for recipient management, you can install the updated tools on a domain-joined workstation, shut down your last Exchange server, and manage recipients using Windows PowerShell. For more information, see Manage recipients in Exchange Server 2019 Hybrid environments.
Hybrid Experience Updates
There are two more exciting updates for hybrid customers in Exchange Server 2019 CU12.
- CU12 includes a change to the Exchange Server License Terms. We have updated our licensing to add a product key for Exchange 2019 hybrid servers at no additional charge! This was previously available only for Exchange 2010, Exchange 2013, and Exchange 2016. Exchange Server 2019 CU12 and the Hybrid Configuration wizard have been updated to support this change.
- CU12 also includes support for using MFA-enabled admin credentials with Hybrid Agent cmdlets. The Hybrid Management PowerShell module now works with MFA-enabled admin accounts. This module includes the following cmdlets which can now be used with MFA:
Cmdlet | Description |
Get-HybridAgent | View installed Hybrid Agents |
Update-HybridApplication | Edit parameters of a Hybrid Application |
Get-HybridApplication | View all Hybrid Applications |
Remove-HybridApplication | Remove a Hybrid Application |
Support for Windows Server 2022
CU12 also introduces support for running Exchange Server 2019 on Windows Server 2022 and in environments that use Windows Server 2022 Active Directory servers.
Support for Exchange Server and Windows Server 2022 is detailed below and documented in the Exchange Server supportability matrix along with details on other Exchange Server operating system support.
Exchange Server Version |
Windows Server 2022 OS |
Windows Server 2022 AD Servers |
Exchange Server 2019 |
Supported |
Supported |
Support for TLS 1.3
By default, Windows Server 2022 uses Transport Layer Security (TLS) 1.3, the latest version of the Internet's most deployed security protocol. TLS 1.3 encrypts data to provide a secure communication channel between two endpoints. It eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. Support for TLS 1.3 will be added to Exchange Server 2019 in 2023.
New Microsoft Bounty Program for Exchange Server
We strongly believe that close partnerships with security researchers help make customers more secure. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process, and each year we partner together to better protect billions of users worldwide.
Today, we are also sharing that we have launched a security vulnerability bounty program for Microsoft Exchange Server via the Microsoft Applications and On-Premises Servers Bounty Program. Individuals across the globe can now receive monetary rewards for submitting security vulnerabilities found in Exchange Server shipping on the latest, fully patched version of Windows. For the new bounty program, we request you submit bugs on any supported version of Exchange Server.
Release Details
The KB articles that describe the fixes in each release and product downloads are as follows:
- Exchange Server 2019 Cumulative Update 12 (KB5011156), VLSC Download, Download
- Exchange Server 2016 Cumulative Update 23 (KB5011155), Download, UM Lang Packs
Known Issues With This Release
Please see CU release Knowledge Base articles for known issues.
Additional Information
Microsoft recommends that all customers test the deployment of an update in a lab environment to determine the proper installation process for your production environment.
You can find information on preparing Active Directory here. All Exchange-made schema changes are tracked here.
For installation best practices, see Upgrade Exchange to the latest Cumulative Update. See also the Exchange Update Wizard for detailed installation steps.
When installing, ensure that the Windows PowerShell Script Execution Policy is set to Unrestricted on the server. To verify the policy settings, run Get-ExecutionPolicy from PowerShell on the Exchange server. If the policy is NOT set to Unrestricted, use these steps to set it to Unrestricted.
If you plan to install the update in unattended mode from PowerShell or a command prompt, make sure you specify either the full path to Setup.exe, or use a “.” in front of the command when running Setup directly from the folder containing the CU. If you do not do either of these, Setup may indicate that it completed successfully when it did not. Read more here.
NOTE: Customers in Exchange hybrid deployments and those using Exchange Online Archiving with an on-premises Exchange deployment are required to deploy the latest CU for product support.
For the latest information on Exchange Server announcements please see What's New in Exchange Server and the Exchange Server Release Notes.
NOTE: Documentation may not be available at the time this post is published.
Updates to this blog post:
- 4/21: Added information about support for TLS 1.3.
- 4/20: The original release of this post indicated that Exchange 2013 and Exchange 2016 were also supported to work with Windows Server 2022 Active Directory controllers. This has now been corrected.
The Exchange Server team
You Had Me at EHLO.