Microsoft has released security updates (SUs) for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
IMPORTANT: Updates are released in a self-extracting auto-elevating .exe package. Please see this post for more information. Older version of update packages can be downloaded from Microsoft Update Catalog.
These SUs are available for the following specific builds of Exchange Server:
The SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Manual enablement of Windows Extended Protection
Addressing some of CVEs released this month requires admins to enable Windows Extended protection on your Exchange servers. To help you enable this feature, we have developed a script for this process. Please carefully evaluate your environment and review all known issues mentioned in the script documentation before enabling Windows Extended protection on your Exchange servers.
Please note that enabling Extended Protection (EP) is only supported on specific versions of Exchange (please see documentation for full list of prerequisites).
The current version of this script can be found at https://aka.ms/ExchangeEPScript and the documentation is at https://aka.ms/ExchangeEPDoc. The script provided to enable Extended Protection will automatically update itself and ask you to relaunch it as long as the computer on which it is executed on has an internet connection (direct or via proxy). However, if you don’t have internet access, make sure to download the latest version of the script as we are continuously improving it.
It is important that you fully understand Windows Extended Protection prerequisites and all known issues before running the script in your environment. Enabling Extended Protection affects communication between your Exchange servers and between clients and servers.
Update paths available:
Inventory your Exchange Servers / determine which updates are needed
Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).
Update to the latest Cumulative Update
Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.
If you encounter errors during or after installation of Exchange Server updates
If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
Known issues with this release
We are not aware of any known issues with this release.
My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the August 2022 SUs do need to be installed on your on-premises Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after installing updates.
Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only the Management Tools role (no Exchange services) do not need these updates.
We skipped installation of May 2022 SU. Do we need to run /preparealldomains after we install the August SU?
When May 2022 SU was released, the /preparealldomains switch needed to be run manually to address a particular CVE. If you skipped the May 2022 SU and are going straight to August 2022 SU, you will still need to run /preparealldomains to address that particular CVE. Please see the May 2022 SU release post for more details. When in doubt, run HealthChecker which will tell you what you need to do!
Updates to this post:
- 8/11: Updated the "update paths" graphics to indicate the preferred path for server running supported CUs older than 2022 H1 CUs. This is the "Preferred path" due to less restrictive Extended Protection requirements (see EP documentation)
- 8/10: Clarified the wording for script auto-update capability
- 8/10: Added a FAQ about /preparealldomains for customers who skipped May 2022 SU
- 8/9: We temporarily removed and now re-added a link to Exchange 2019 CU12 update package because of the issue with original download. The date of publication on the correct package is 8/9/2022
The Exchange Server Team