Released: May 2021 Exchange Server Security Updates

Published 05-11-2021 09:54 AM 57.7K Views

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU19 and CU20
  • Exchange Server 2019 CU8 and CU9

The May 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Known issues in May 2021 security updates

During the release of April 2021 SUs, we received some reports of issues after installation. The following issues reported for April 2021 SUs also apply to May SUs and have the following workarounds:

  • Administrator/Service accounts ending in ‘$’ cannot use the Exchange Management Shell or access ECP. The only workaround at this time is to rename Admin accounts or use accounts with no ‘$’ at the end of the name.
  • Some cross-forest Free/Busy relationships based on Availability address space can stop working (depending on how authentication was configured) with the error: “The remote server returned an error: (400) Bad Request.” Please see this KB article for how to work around this problem.
  • After application of the Exchange Server April or May security updates, cmdlets executed against the Exchange Management Console using an invoked runspace might fail with the following error message: The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode. Please see this KB article for more information.

Additional fixes in May 2021 security update

In addition to the fixes for the vulnerabilities, we also fixed an issue with the version info that is returned in the protocol response headers. Prior to this release, the version information in the protocol response headers was incomplete and inaccurate. We have fixed this in the May 2021 security updates and now admins can correctly validate the security patch status of servers.

Update installation

Two update paths are available:

May21SU.jpg

Inventory your Exchange Servers

Use the Exchange Server Health Checker script (use the latest release), to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU. Then click the “Tell me the steps” button, to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the May 2021 security updates do need to be applied to your on-premises Exchange Server, even if it is used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do the May 2021 security updates contain the April 2021 security updates for Exchange Server?
Yes, our security updates are cumulative. Customers who installed the April 2021 security updates for supported CUs can install the May 2021 security updates and be protected against the vulnerabilities that were disclosed during those months.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Updates to this post:

  • 5/12: Added (and removed) a note about manual steps needed to address CVE-2021-1730; this CVE is from February 2021, and a few of our customers mentioned that Health Checker script is now calling out manual steps needed. Please see CVE details for more information.
  • 5/11: Clarified the wording around protocol response header

The Exchange Team

22 Comments
New Contributor

Hello,

Can you clarify why we need to patch an Exchange hybrid only use for management purpose ?

( We are using multiple hybrid servers for many customers without any inbound connection from internet. )

So the exploit cannot be run from internet.

In this situation I understand that I need to patch but not in an emergency way ( as it was the case in March).

Thanks for your clarification.

 

New Contributor

@The_Exchange_Team 

Patch Tuesday first, or May 2021 security updates first?

 

Visitor

The new version of Exchange Server Health Checker script tells something concerning "DownloadDomains". A additional Certificate is also necessity. As Certificates costs money thats not what I like to hear.  Additional i dont realy understand whatfor it is needed.

 

If the primary domain is contoso.com one should use something like download.contoso.com as additional domain.

 

- If you have more than one Maildomains do you still need only one additional domain or one each?

- will that necessity be gone whith the next CU (Exchange 2016 CU21 in my Case)?

 

 

Occasional Contributor

@The_Exchange_Team Thank you for the clear information!

Senior Member

Hello

 

Regarding the new health checker, there are few bugs that need to be sorted out

I do have Exchange 2016 CU19 with all available sec patches installed, but your script reports CU18 incorrectly but then shows all CU19 sec updates correctly

as per below from running your script:

 

Hardware/OS/Exchange Information:
Hardware Type: VMWare
Operating System: Microsoft Windows Server 2016 Standard
System up since: 23 day(s), 23 hour(s), 50 minute(s), 10 second(s)
Time Zone: Eastern Standard Time
Exchange: Exchange 2016 CU18
Build Number: 15.1.2176.2
Exchange IU or Security Hotfix Detected
Security Update for Exchange Server 2016 Cumulative Update 19 (KB4602269)
Security Update for Exchange Server 2016 Cumulative Update 19 (KB5000871)
Security Update for Exchange Server 2016 Cumulative Update 19 (KB5001779)
Server Role: Mailbox

 

Page file issue as per your script

Pagefile Settings:
Pagefile Size: Page file is set to (32778) which appears to be More than the Total System Memory plus 10 MB which is (32777) this appears to be set incorrectly. --- Warning: Article: https://docs.microsoft.com/en-us/exchange/exchange-2013-sizing-and-configuration-recommendations-exc...
Note: We are calculating the page file size based off the WMI Object Win32_ComputerSystem. This is what is available on the OS.

 

If my memory serves me well, 32GB is 32768 PLUS 10MB which would be 32778, kinda silly error

 

no longer any info about certificates installed on the system, as well as you were never showing type of the certificate SHA1 or SHA2, which would be helpful to some Exchange admins

 

Multiple active network adapters detected. Exchange 2013 or greater may not need separate adapters for MAPI and replication traffic. For details please refer to https://docs.microsoft.com/en-us/exchange/planning-for-high-availability-and-site-resilience-exchang...

 

why flag this in yellow as a big warning? we have been running in this config for years with no issues

 

NIC Power Saving: Not configured --- Warning: It's recommended to disable NIC power saving options

both  my network adapters have everything turned off under properties->Power Management settings, unless there is another way to turn it off, and if there is I would like to know where is this setting located.

 

that's all for now, thanks

Microsoft

@Vinch_BE - a server that is running on premises when hybrid is an actual Exchange server (Exchange services are running). We are calling this out not because those servers are specifically vulnerable; rather - people might forget that they are Exchange servers too, are running Exchange services and as such need to be updated; that's all.

 

@sjhudson - they are actions that do not depend on each other; do what you'd usually do. Exchange can take updates independently from Windows updates.

 

Microsoft

@null null The reason why the Exchange Health Checker is reporting an incorrect version of Exchange is because you need to download the latest version. If you don't update the Health Checker, it can't correctly report the latest versions of Exchange. Download the latest version here: https://aka.ms/ExchangeHealthChecker 

 

@Test-RRR The Exchange Health Checker calls out Security Vulnerabilities that are posted under Vulnerabilities - Security Update Guide - Microsoft. For the CVE-2021-1730, it provided that you needed to take additional steps to protect against this vulnerability besides just installing the update. We then added those checks, based off what is in the article, within the script to help call this out to allow admins to be aware if they are still vulnerable or not. 

Senior Member

Have the latest version running 2.44.7, even the previous versions worked just fine :)

Microsoft

@null null That isn't the latest version, hence why I provided to upgrade it. That version is from Oct 26th, 2020. There has been multiple releases since that date. CU19 was released in Dec, so there is no way for that version of the script to know of CU19. 

 

The latest release as of right now is v21.05.11.1059. 

Microsoft

@null null What might help understand the versioning difference etc. is this: Exchange Health Checker has a new home - Microsoft Tech Community

Senior Member

sorry about that

running the latest version i hope, Exchange Health Checker version 21.05.11.1059

 

few things i found when running the script

under:

Frequent Configuration Issues
-----------------------------
TCP/IP Settings: 900000
RPC Min Connection Timeout: 120
More Information: https://blogs.technet.microsoft.com/messaging_with_communications/2012/06/06/outlook-anywhere-networ...

 

RPC is set to 120 seconds in registry so why not green as TCP/IP Settings? is there another more preferred value?

 

Certificates are being listed, but it wold be nice to see if the cert is SHA1 or SHA2, i know this old news but it would help some exchange admins

 

other than that it looks good. Thanks

Microsoft

@null null Thanks, good to hear that got sorted; as far as your suggestions go, do you mind providing the feedback via one of the methods mentioned here? We are kind of crossing the streams now... :)

Senior Member

@Nino Bilic will do, thanks

Frequent Visitor

March SU, April SU, now May SU, you do work very hard, MSFT.  I haven't finishing installing April SU until now. Please do me a favor, please don't release SU so frequently. As a email admin, my only job now is installing SU. Thanks.

Frequent Visitor

So far I've seen two Exchange servers (both 2016) at unrelated organizations in the last 24 hours that have run this update and then had this problem:

Information Store won't start.
AD Topology Service won't stop.

None of the relevant services were disabled--they just wouldn't start or stop.
Problems starting other services like Service Host.

The only fix was to restore from backup and block the patch.
In the environment I had direct access to, they were running Avast and Huntress on the server.

Are other people seeing this?

Senior Member

Hi,

@The_Exchange_Team thank you for the information provided. Just to double check. If we applied April 2021 security patch to  Exchange 2016 CU19 and are planning to upgrade to CU20, then we should be good to just apply May 2021 security patch without the need to reapply previous security patches ? Thanks again.

Senior Member

@The_Exchange_Team  Regarding the question for download domains, would it be a "good idea" to set this to the already existing autodiscover name? As I understand it, it just have to be a different location than the OWA URL from that the inline images would be downloaded, right? This feature isn't that good documented at all. Would be nice to have a bit more to go for.

 

Regards

Norbert

New Contributor

@DaveShackelford  Haven't seen these issues but since applying KB5003435 on an Exchange 2019 CU9 server in a small test environment we've been seeing intermittent and inexplicable delayed message delivery. This includes messages sent internally  between Exchange mailboxes in the same database.  First time seeing this and this server has been on every CU since Exchange 2019 RTM. Anyone else seeing any issues after the application of KB5003435?

 

For the problem you saw, are all of the Microsoft recommended file/folder/process antivirus exclusions in place?

Senior Member

Does anyone else have any issues with these updates when you first launch them taking forever on Calculating Space Requirements? What is it actually checking and is there any way to speed it up? We have multiple servers to update and this just adds way too much time. It takes around 10-15 minutes on most servers. And they have plenty of free space. 

New Contributor

@Nino Bilic Hello Nino. KB5003435, like KB5001779 and KB5000871 before it, is not visible by running get-hotfix or by looking for updates in WAC when installed on a Windows 2019 Core server.   This is not a problem with other Windows Server security hotfixes - only with Exchange hotfixes.   This is an issue for administrators, installers, etc.  When will this be addressed?   Do you see the same thing on your Windows 2019 Core servers?

New Contributor

@Nino Bilic Hello Nino. KB5003435, like KB5001779 and KB5000871 before it, is not visible by running get-hotfix or by looking for updates in WAC when installed on a Windows 2019 Core server.   This is not a problem with other Windows Server security hotfixes - only with Exchange hotfixes.   This is an issue for administrators, installers, etc.  When will this be addressed?   Do you see the same thing on your Windows 2019 Core servers?

New Contributor

@Nino Bilic Hello Nino. KB5003435, like KB5001779 and KB5000871 before it, is not visible by running get-hotfix or by looking for updates in WAC when installed on a Windows 2019 Core server.   This is not a problem with other Windows Server security hotfixes - only with Exchange hotfixes.   This is an issue for administrators, installers, etc.  When will this be addressed?   Do you see the same thing on your Windows 2019 Core servers?

%3CLINGO-SUB%20id%3D%22lingo-sub-2347653%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2347653%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3ECan%20you%20clarify%20why%20we%20need%20to%20patch%20an%20Exchange%20hybrid%20only%20use%20for%20management%20purpose%20%3F%3C%2FP%3E%3CP%3E(%20We%20are%20using%20multiple%20hybrid%20servers%20for%20many%20customers%20without%20any%20inbound%20connection%20from%20internet.%20)%3C%2FP%3E%3CP%3ESo%20the%20exploit%20cannot%20be%20run%20from%20internet.%3C%2FP%3E%3CP%3EIn%20this%20situation%20I%20understand%20that%20I%20need%20to%20patch%20but%20not%20in%20an%20emergency%20way%20(%20as%20it%20was%20the%20case%20in%20March).%3C%2FP%3E%3CP%3EThanks%20for%20your%20clarification.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2348100%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2348100%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPatch%20Tuesday%20first%2C%20or%26nbsp%3BMay%202021%20security%20updates%20first%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2348359%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2348359%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20new%20version%20of%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExchangeHealthChecker%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EExchange%20Server%20Health%20Checker%20script%3C%2FA%3E%20tells%20something%20concerning%20%22DownloadDomains%22.%20A%20additional%20Certificate%20is%20also%20necessity.%20As%20Certificates%20costs%20money%20thats%20not%20what%20I%20like%20to%20hear.%26nbsp%3B%20Additional%20i%20dont%20realy%20understand%20whatfor%20it%20is%20needed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20the%20primary%20domain%20is%20contoso.com%20one%20should%20use%20something%20like%20download.contoso.com%20as%20additional%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20If%20you%20have%20more%20than%20one%20Maildomains%20do%20you%20still%20need%20only%20one%20additional%20domain%20or%20one%20each%3F%3C%2FP%3E%3CP%3E-%20will%20that%20necessity%20be%20gone%20whith%20the%20next%20CU%20(Exchange%202016%20CU21%20in%20my%20Case)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2348582%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2348582%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3BThank%20you%20for%20the%20clear%20information!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2348767%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2348767%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegarding%20the%20new%20health%20checker%2C%20there%20are%20few%20bugs%20that%20need%20to%20be%20sorted%20out%3C%2FP%3E%3CP%3EI%20do%20have%20Exchange%202016%20CU19%20with%20all%20available%20sec%20patches%20installed%2C%20but%20your%20script%20reports%20CU18%20incorrectly%20but%20then%20shows%20all%20CU19%20sec%20updates%20correctly%3C%2FP%3E%3CP%3Eas%20per%20below%20from%20running%20your%20script%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHardware%2FOS%2FExchange%20Information%3A%3CBR%20%2F%3EHardware%20Type%3A%20VMWare%3CBR%20%2F%3EOperating%20System%3A%20Microsoft%20Windows%20Server%202016%20Standard%3CBR%20%2F%3ESystem%20up%20since%3A%2023%20day(s)%2C%2023%20hour(s)%2C%2050%20minute(s)%2C%2010%20second(s)%3CBR%20%2F%3ETime%20Zone%3A%20Eastern%20Standard%20Time%3CBR%20%2F%3EExchange%3A%20Exchange%202016%20CU18%3CBR%20%2F%3EBuild%20Number%3A%2015.1.2176.2%3CBR%20%2F%3EExchange%20IU%20or%20Security%20Hotfix%20Detected%3CBR%20%2F%3ESecurity%20Update%20for%20Exchange%20Server%202016%20Cumulative%20Update%2019%20(KB4602269)%3CBR%20%2F%3ESecurity%20Update%20for%20Exchange%20Server%202016%20Cumulative%20Update%2019%20(KB5000871)%3CBR%20%2F%3ESecurity%20Update%20for%20Exchange%20Server%202016%20Cumulative%20Update%2019%20(KB5001779)%3CBR%20%2F%3EServer%20Role%3A%20Mailbox%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPage%20file%20issue%20as%20per%20your%20script%3C%2FP%3E%3CP%3EPagefile%20Settings%3A%3CBR%20%2F%3EPagefile%20Size%3A%20Page%20file%20is%20set%20to%20(32778)%20which%20appears%20to%20be%20More%20than%20the%20Total%20System%20Memory%20plus%2010%20MB%20which%20is%20(32777)%20this%20appears%20to%20be%20set%20incorrectly.%20---%20Warning%3A%20Article%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fexchange-2013-sizing-and-configuration-recommendations-exchange-2013-help%23pagefile%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fexchange-2013-sizing-and-configuration-recommendations-exchange-2013-help%23pagefile%3C%2FA%3E%3CBR%20%2F%3ENote%3A%20We%20are%20calculating%20the%20page%20file%20size%20based%20off%20the%20WMI%20Object%20Win32_ComputerSystem.%20This%20is%20what%20is%20available%20on%20the%20OS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20my%20memory%20serves%20me%20well%2C%2032GB%20is%2032768%20PLUS%2010MB%20which%20would%20be%2032778%2C%20kinda%20silly%20error%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eno%20longer%20any%20info%20about%20certificates%20installed%20on%20the%20system%2C%20as%20well%20as%20you%20were%20never%20showing%20type%20of%20the%20certificate%20SHA1%20or%20SHA2%2C%20which%20would%20be%20helpful%20to%20some%20Exchange%20admins%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMultiple%20active%20network%20adapters%20detected.%20Exchange%202013%20or%20greater%20may%20not%20need%20separate%20adapters%20for%20MAPI%20and%20replication%20traffic.%20For%20details%20please%20refer%20to%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fplanning-for-high-availability-and-site-resilience-exchange-2013-help%23NR%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fplanning-for-high-availability-and-site-resilience-exchange-2013-help%23NR%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhy%20flag%20this%20in%20yellow%20as%20a%20big%20warning%3F%20we%20have%20been%20running%20in%20this%20config%20for%20years%20with%20no%20issues%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENIC%20Power%20Saving%3A%20Not%20configured%20---%20Warning%3A%20It's%20recommended%20to%20disable%20NIC%20power%20saving%20options%3C%2FP%3E%3CP%3Eboth%26nbsp%3B%20my%20network%20adapters%20have%20everything%20turned%20off%20under%20properties-%26gt%3BPower%20Management%20settings%2C%20unless%20there%20is%20another%20way%20to%20turn%20it%20off%2C%20and%20if%20there%20is%20I%20would%20like%20to%20know%20where%20is%20this%20setting%20located.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethat's%20all%20for%20now%2C%20thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2348953%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2348953%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F92746%22%20target%3D%22_blank%22%3E%40Vinch_BE%3C%2FA%3E%26nbsp%3B-%20a%20server%20that%20is%20running%20on%20premises%20when%20hybrid%20is%20an%20actual%20Exchange%20server%20(Exchange%20services%20are%20running).%20We%20are%20calling%20this%20out%20not%20because%20those%20servers%20are%20specifically%20vulnerable%3B%20rather%20-%20people%20might%20forget%20that%20they%20are%20Exchange%20servers%20too%2C%20are%20running%20Exchange%20services%20and%20as%20such%20need%20to%20be%20updated%3B%20that's%20all.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F566935%22%20target%3D%22_blank%22%3E%40sjhudson%3C%2FA%3E%26nbsp%3B-%20they%20are%20not%20actions%20that%20depend%20on%20each%20other%3B%20do%20what%20you'd%20usually%20do.%20Exchange%20can%20take%20updates%20independently%20from%20Windows%20updates.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2349080%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349080%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F210956%22%20target%3D%22_blank%22%3E%40null%20null%3C%2FA%3E%26nbsp%3BThe%20reason%20why%20the%20Exchange%20Health%20Checker%20is%20reporting%20an%20incorrect%20version%20of%20Exchange%20is%20because%20you%20need%20to%20download%20the%20latest%20version.%20If%20you%20don't%20update%20the%20Health%20Checker%2C%20it%20can't%20correctly%20report%20the%20latest%20versions%20of%20Exchange.%20Download%20the%20latest%20version%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExchangeHealthChecker%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FExchangeHealthChecker%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F462123%22%20target%3D%22_blank%22%3E%40Test-RRR%3C%2FA%3E%26nbsp%3BThe%20Exchange%20Health%20Checker%20calls%20out%20Security%20Vulnerabilities%20that%20are%20posted%20under%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EVulnerabilities%20-%20Security%20Update%20Guide%20-%20Microsoft%3C%2FA%3E.%20For%20the%26nbsp%3BCVE-2021-1730%2C%20it%20provided%20that%20you%20needed%20to%20take%20additional%20steps%20to%20protect%20against%20this%20vulnerability%20besides%20just%20installing%20the%20update.%20We%20then%20added%20those%20checks%2C%20based%20off%20what%20is%20in%20the%20article%2C%20within%20the%20script%20to%20help%20call%20this%20out%20to%20allow%20admins%20to%20be%20aware%20if%20they%20are%20still%20vulnerable%20or%20not.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2349317%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349317%22%20slang%3D%22en-US%22%3E%3CP%3EHave%20the%20latest%20version%20running%202.44.7%2C%20even%20the%20previous%20versions%20worked%20just%20fine%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2349384%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349384%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F210956%22%20target%3D%22_blank%22%3E%40null%20null%3C%2FA%3E%26nbsp%3BThat%20isn't%20the%20latest%20version%2C%20hence%20why%20I%20provided%20to%20upgrade%20it.%20That%20version%20is%20from%20Oct%2026th%2C%202020.%20There%20has%20been%20multiple%20releases%20since%20that%20date.%20CU19%20was%20released%20in%20Dec%2C%20so%20there%20is%20no%20way%20for%20that%20version%20of%20the%20script%20to%20know%20of%20CU19.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20latest%20release%20as%20of%20right%20now%20is%20v%3CSPAN%3E21.05.11.1059.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2349405%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349405%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F210956%22%20target%3D%22_blank%22%3E%40null%20null%3C%2FA%3E%26nbsp%3BWhat%20might%20help%20understand%20the%20versioning%20difference%20etc.%20is%20this%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fexchange-health-checker-has-a-new-home%2Fba-p%2F2306671%22%20target%3D%22_blank%22%3EExchange%20Health%20Checker%20has%20a%20new%20home%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2349443%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349443%22%20slang%3D%22en-US%22%3E%3CP%3Esorry%20about%20that%3C%2FP%3E%3CP%3Erunning%20the%20latest%20version%20i%20hope%2C%20Exchange%20Health%20Checker%20version%2021.05.11.1059%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Efew%20things%20i%20found%20when%20running%20the%20script%3C%2FP%3E%3CP%3Eunder%3A%3C%2FP%3E%3CP%3EFrequent%20Configuration%20Issues%3CBR%20%2F%3E-----------------------------%3CBR%20%2F%3ETCP%2FIP%20Settings%3A%20900000%3CBR%20%2F%3ERPC%20Min%20Connection%20Timeout%3A%20120%3CBR%20%2F%3EMore%20Information%3A%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fmessaging_with_communications%2F2012%2F06%2F06%2Foutlook-anywhere-network-timeout-issue%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fmessaging_with_communications%2F2012%2F06%2F06%2Foutlook-anywhere-network-timeout-issue%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERPC%20is%20set%20to%20120%20seconds%20in%20registry%20so%20why%20not%20green%20as%20TCP%2FIP%20Settings%3F%20is%20there%20another%20more%20preferred%20value%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECertificates%20are%20being%20listed%2C%20but%20it%20wold%20be%20nice%20to%20see%20if%20the%20cert%20is%20SHA1%20or%20SHA2%2C%20i%20know%20this%20old%20news%20but%20it%20would%20help%20some%20exchange%20admins%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eother%20than%20that%20it%20looks%20good.%20Thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2349532%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349532%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F210956%22%20target%3D%22_blank%22%3E%40null%20null%3C%2FA%3E%26nbsp%3BThanks%2C%20good%20to%20hear%20that%20got%20sorted%3B%20as%20far%20as%20your%20suggestions%20go%2C%20do%20you%20mind%20providing%20the%20feedback%20via%20one%20of%20the%20methods%20mentioned%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fexchange-health-checker-has-a-new-home%2Fba-p%2F2306671%22%20target%3D%22_self%22%3Ehere%3C%2FA%3E%3F%20We%20are%20kind%20of%20crossing%20the%20streams%20now...%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2349791%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2349791%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3Bwill%20do%2C%20thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2350316%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2350316%22%20slang%3D%22en-US%22%3E%3CP%3EMarch%20SU%2C%20April%20SU%2C%20now%20May%20SU%2C%20you%20do%20work%20very%20hard%2C%20MSFT.%26nbsp%3B%20I%20haven't%20finishing%20installing%20April%20SU%20until%20now.%20Please%20do%20me%20a%20favor%2C%20please%20don't%20release%20SU%20so%20frequently.%20As%20a%20email%20admin%2C%20my%20only%20job%20now%20is%20installing%20SU.%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2353921%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2353921%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3Bthank%20you%20for%20the%20information%20provided.%20Just%20to%20double%20check.%20If%20we%20applied%20April%202021%20security%20patch%20to%26nbsp%3B%20Exchange%202016%20CU19%20and%20are%20planning%20to%20upgrade%20to%20CU20%2C%20then%20we%20should%20be%20good%20to%20just%20apply%20May%202021%20security%20patch%20without%20the%20need%20to%20reapply%20previous%20security%20patches%20%3F%20Thanks%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2351371%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2351371%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20far%20I've%20seen%20two%20Exchange%20servers%20(both%202016)%20at%20unrelated%20organizations%20in%20the%20last%2024%20hours%20that%20have%20run%20this%20update%20and%20then%20had%20this%20problem%3A%3CBR%20%2F%3E%3CBR%20%2F%3EInformation%20Store%20won't%20start.%3CBR%20%2F%3EAD%20Topology%20Service%20won't%20stop.%3C%2FP%3E%3CP%3ENone%20of%20the%20relevant%20services%20were%20disabled--they%20just%20wouldn't%20start%20or%20stop.%3CBR%20%2F%3EProblems%20starting%20other%20services%20like%20Service%20Host.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20only%20fix%20was%20to%20restore%20from%20backup%20and%20block%20the%20patch.%3CBR%20%2F%3EIn%20the%20environment%20I%20had%20direct%20access%20to%2C%20they%20were%20running%20Avast%20and%20Huntress%20on%20the%20server.%3CBR%20%2F%3E%3CBR%20%2F%3EAre%20other%20people%20seeing%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2367446%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2367446%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%20Regarding%20the%20question%20for%20download%20domains%2C%20would%20it%20be%20a%20%22good%20idea%22%20to%20set%20this%20to%20the%20already%20existing%20autodiscover%20name%3F%20As%20I%20understand%20it%2C%20it%20just%20have%20to%20be%20a%20different%20location%20than%20the%20OWA%20URL%20from%20that%20the%20inline%20images%20would%20be%20downloaded%2C%20right%3F%20This%20feature%20isn't%20that%20good%20documented%20at%20all.%20Would%20be%20nice%20to%20have%20a%20bit%20more%20to%20go%20for.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3CP%3ENorbert%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2335209%22%20slang%3D%22en-US%22%3EReleased%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2335209%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20has%20released%20security%20updates%20for%20vulnerabilities%20found%20in%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EExchange%20Server%202013%3C%2FLI%3E%0A%3CLI%3EExchange%20Server%202016%3C%2FLI%3E%0A%3CLI%3EExchange%20Server%202019%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThese%20updates%20are%20available%20for%20the%20following%20specific%20builds%20of%20Exchange%20Server%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EExchange%20Server%202013%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3FfamilyID%3D91b8d31b-dcd8-4e3c-a262-8229a0d060d4%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECU23%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EExchange%20Server%202016%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3FfamilyID%3D68b339e9-3040-4da8-8e57-6fd325cfa9ee%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECU19%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3FfamilyID%3De8857a66-5eb5-4b0e-b938-07eb17c3af1a%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECU20%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EExchange%20Server%202019%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3FfamilyID%3D0ff8a768-1dfb-4d50-acd4-87f5a1b34e5f%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECU8%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3FfamilyID%3D9536f4a0-838b-40a6-b625-36cd7a6229a1%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECU9%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20May%202021%20security%20updates%20for%20Exchange%20Server%20address%20vulnerabilities%20responsibly%20reported%20by%20security%20partners%20and%20found%20through%20Microsoft%E2%80%99s%20internal%20processes.%20Although%20we%20are%20not%20aware%20of%20any%20active%20exploits%20in%20the%20wild%2C%20our%20recommendation%20is%20to%20install%20these%20updates%20%3CEM%3Eimmediately%3C%2FEM%3E%20to%20protect%20your%20environment.%3C%2FP%3E%0A%3CP%3EThese%20vulnerabilities%20affect%20on-premises%20Microsoft%20Exchange%20Server%2C%20including%20servers%20used%20by%20customers%20in%20Exchange%20Hybrid%20mode.%20Exchange%20Online%20customers%20are%20already%20protected%20and%20do%20not%20need%20to%20take%20any%20action.%3C%2FP%3E%0A%3CP%3EMore%20details%20about%20specific%20CVEs%20can%20be%20found%20in%20%3CA%20href%3D%22https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESecurity%20Update%20Guide%3C%2FA%3E%20(filter%20on%20Exchange%20Server%20under%20Product%20Family).%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--467856277%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--467856276%22%20id%3D%22toc-hId--468782952%22%3EKnown%20issues%20in%20May%202021%20security%20updates%3C%2FH2%3E%0A%3CP%3EDuring%20the%20release%20of%20April%202021%20SUs%2C%20we%20received%20some%20reports%20of%20issues%20after%20installation.%20The%20following%20issues%20reported%20for%20April%202021%20SUs%20also%20apply%20to%20May%20SUs%20and%20have%20the%20following%20workarounds%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAdministrator%2FService%20accounts%20ending%20in%20%E2%80%98%24%E2%80%99%20cannot%20use%20the%20Exchange%20Management%20Shell%20or%20access%20ECP.%20The%20only%20workaround%20at%20this%20time%20is%20to%20rename%20Admin%20accounts%20or%20use%20accounts%20with%20no%20%E2%80%98%24%E2%80%99%20at%20the%20end%20of%20the%20name.%3C%2FLI%3E%0A%3CLI%3ESome%20cross-forest%20Free%2FBusy%20relationships%20based%20on%20Availability%20address%20space%20can%20stop%20working%20(depending%20on%20how%20authentication%20was%20configured)%20with%20the%20error%3A%20%3CEM%3E%E2%80%9CThe%20remote%20server%20returned%20an%20error%3A%20(400)%20Bad%20Request.%E2%80%9D%20%3C%2FEM%3EPlease%20see%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2F-400-bad-request-error-during-autodiscover-for-per-user-free-busy-in-a-trusted-cross-forest-topology-a1d6296b-1b2b-4ecd-9ab6-d8637fe20a21%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%20KB%20article%3C%2FA%3E%20for%20how%20to%20work%20around%20this%20problem.%3C%2FLI%3E%0A%3CLI%3EAfter%20application%20of%20the%20Exchange%20Server%20April%20or%20May%20security%20updates%2C%20cmdlets%20executed%20against%20the%20Exchange%20Management%20Console%20using%20an%20invoked%20runspace%20might%20fail%20with%20the%20following%20error%20message%3A%26nbsp%3B%3CEM%3EThe%20syntax%20is%20not%20supported%20by%20this%20runspace.%20This%20can%20occur%20if%20the%20runspace%20is%20in%20no-language%20mode.%26nbsp%3B%3C%2FEM%3EPlease%20see%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2F-the-syntax-is-not-supported-by-this-runspace-error-after-installing-april-2021-exchange-security-update-ac2d4e97-62f6-4ad4-9dbb-0ade9b79f599%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%20KB%20article%3C%2FA%3E%20for%20more%20information.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20id%3D%22toc-hId-2019656556%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2019656557%22%20id%3D%22toc-hId-2018729881%22%3ENew%20security%20functionality%20in%20May%202021%20security%20updates%3C%2FH2%3E%0A%3CP%3EWe%20are%20making%20one%20additional%20change%20in%20May%20SU%20to%20make%20it%20easier%20for%20Exchange%20administrators%20and%20cybersecurity%20teams%20to%20quickly%20inventory%20the%20update%20state%20of%20the%20Exchange%20Servers%20on%20their%20networks.%20Specifically%2C%20we%20have%20added%20a%20protocol%20reply%20header%20containing%20Exchange%20Server%20version%20information%20to%20http%20responses%20that%20can%20be%20used%20by%20defenders%20to%20validate%20security%20update%20status%20of%20servers%20on%20your%20networks.%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-2009153452%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2009153453%22%20id%3D%22toc-hId-2008226777%22%3EUpdate%20installation%3C%2FH1%3E%0A%3CP%3ETwo%20update%20paths%20are%20available%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22May21SU.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F279465i4AE07F0F6B37A871%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22May21SU.jpg%22%20alt%3D%22May21SU.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1595252370%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1595252369%22%20id%3D%22toc-hId--1596179045%22%3EInventory%20your%20Exchange%20Servers%3C%2FH2%3E%0A%3CP%3EUse%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExchangeHealthChecker%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EExchange%20Server%20Health%20Checker%20script%3C%2FA%3E%20(use%20the%20latest%20release)%2C%20to%20inventory%20your%20servers.%20Running%20this%20script%20will%20tell%20you%20if%20any%20of%20your%20Exchange%20Servers%20are%20behind%20on%20updates%20(CUs%20and%20SUs).%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-892260463%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-892260464%22%20id%3D%22toc-hId-891333788%22%3EUpdate%20to%20the%20latest%20Cumulative%20Update%3C%2FH2%3E%0A%3CP%3EGo%20to%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExchangeUpdateWizard%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FExchangeUpdateWizard%3C%2FA%3E%20and%20choose%20your%20currently%20running%20CU%20and%20your%20target%20CU.%20Then%20click%20the%20%E2%80%9CTell%20me%20the%20steps%E2%80%9D%20button%2C%20to%20get%20directions%20for%20your%20environment.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--915194000%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--915193999%22%20id%3D%22toc-hId--916120675%22%3EIf%20you%20encounter%20errors%20during%20or%20after%20installation%20of%20Exchange%20Server%20updates%3C%2FH2%3E%0A%3CP%3EIf%20you%20encounter%20errors%20during%20installation%2C%20see%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExSetupAssist%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESetupAssist%20script%3C%2FA%3E.%20If%20something%20does%20not%20work%20properly%20after%20updates%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fclient-connectivity%2Fexchange-security-update-issues%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERepair%20failed%20installations%20of%20Exchange%20Cumulative%20and%20Security%20updates%3C%2FA%3E.%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--925697104%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--925697103%22%20id%3D%22toc-hId--926623779%22%3EFAQs%3C%2FH1%3E%0A%3CP%3E%3CSTRONG%3E%3CEM%3EMy%20organization%20is%20in%20Hybrid%20mode%20with%20Exchange%20Online.%20Do%20I%20need%20to%20do%20anything%3F%3C%2FEM%3E%3C%2FSTRONG%3E%3CBR%20%2F%3EWhile%20Exchange%20Online%20customers%20are%20already%20protected%2C%20the%20May%202021%20security%20updates%20do%20need%20to%20be%20applied%20to%20your%20on-premises%20Exchange%20Server%2C%20even%20if%20it%20is%20used%20only%20for%20management%20purposes.%20You%20do%20%3CEM%3Enot%3C%2FEM%3E%20need%20to%20re-run%20the%20Hybrid%20Configuration%20Wizard%20(HCW)%20after%20applying%20updates.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CEM%3EDo%20the%20May%202021%20security%20updates%20contain%20the%20April%202021%20security%20updates%20for%20Exchange%20Server%3F%3C%2FEM%3E%3C%2FSTRONG%3E%3CBR%20%2F%3EYes%2C%20our%20security%20updates%20are%20cumulative.%20Customers%20who%20installed%20the%20April%202021%20security%20updates%20for%20supported%20CUs%20can%20install%20the%20May%202021%20security%20updates%20and%20be%20protected%20against%20the%20vulnerabilities%20that%20were%20disclosed%20during%20those%20months.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CEM%3EDo%20I%20need%20to%20install%20the%20updates%20on%20%E2%80%98Exchange%20Management%20Tools%20only%E2%80%99%20workstations%3F%3CBR%20%2F%3E%3C%2FEM%3E%3C%2FSTRONG%3EServers%20or%20workstations%20running%20only%20Microsoft%20Exchange%20Management%20Tools%20(no%20Exchange%20services)%20do%20not%20need%20to%20apply%20these%20updates.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENOTE%3A%3C%2FSTRONG%3E%20This%20post%20might%20receive%20future%20updates%3B%20they%20will%20be%20listed%20here%20(if%20available).%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22author%22%3EThe%20Exchange%20Team%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2335209%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20releasing%20a%20set%20of%20security%20updates%20for%20Exchange%20Server%202013%2C%202016%20and%202019.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2335209%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnnouncements%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202019%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ehybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOn%20premises%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2384965%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2384965%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20else%20have%20any%20issues%20with%20these%20updates%20when%20you%20first%20launch%20them%20taking%20forever%20on%20Calculating%20Space%20Requirements%3F%20What%20is%20it%20actually%20checking%20and%20is%20there%20any%20way%20to%20speed%20it%20up%3F%20We%20have%20multiple%20servers%20to%20update%20and%20this%20just%20adds%20way%20too%20much%20time.%20It%20takes%20around%2010-15%20minutes%20on%20most%20servers.%20And%20they%20have%20plenty%20of%20free%20space.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2402641%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2402641%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%3CSPAN%3E%26nbsp%3BHello%20Nino.%26nbsp%3BKB5003435%2C%20like%20KB5001779%20and%20KB5000871%20before%20it%2C%26nbsp%3Bis%20not%20visible%20by%20running%26nbsp%3Bget-hotfix%20or%20by%20looking%20for%20updates%20in%20WAC%20when%20installed%20on%20a%20Windows%202019%20Core%20server.%26nbsp%3B%20%26nbsp%3BThis%20is%20not%20a%20problem%20with%20other%20Windows%20Server%20security%20hotfixes%20-%20only%20with%20Exchange%20hotfixes.%26nbsp%3B%20%26nbsp%3BThis%20is%20an%20issue%20for%20administrators%2C%20installers%2C%20etc.%26nbsp%3B%20When%20will%20this%20be%20addressed%3F%26nbsp%3B%26nbsp%3B%20Do%20you%20see%20the%20same%20thing%20on%20your%20Windows%202019%20Core%20servers%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2406816%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2406816%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%3CSPAN%3E%26nbsp%3BHello%20Nino.%26nbsp%3BKB5003435%2C%20like%20KB5001779%20and%20KB5000871%20before%20it%2C%26nbsp%3Bis%20not%20visible%20by%20running%26nbsp%3Bget-hotfix%20or%20by%20looking%20for%20updates%20in%20WAC%20when%20installed%20on%20a%20Windows%202019%20Core%20server.%26nbsp%3B%20%26nbsp%3BThis%20is%20not%20a%20problem%20with%20other%20Windows%20Server%20security%20hotfixes%20-%20only%20with%20Exchange%20hotfixes.%26nbsp%3B%20%26nbsp%3BThis%20is%20an%20issue%20for%20administrators%2C%20installers%2C%20etc.%26nbsp%3B%20When%20will%20this%20be%20addressed%3F%26nbsp%3B%26nbsp%3B%20Do%20you%20see%20the%20same%20thing%20on%20your%20Windows%202019%20Core%20servers%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2374301%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2374301%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1053101%22%20target%3D%22_blank%22%3E%40DaveShackelford%3C%2FA%3E%26nbsp%3B%20Haven't%20seen%20these%20issues%20but%20since%20applying%26nbsp%3BKB5003435%20on%20an%20Exchange%202019%20CU9%20server%20in%20a%20small%20test%20environment%20we've%20been%20seeing%20intermittent%20and%20inexplicable%20delayed%20message%20delivery.%20This%20includes%20messages%20sent%20internally%26nbsp%3B%20between%20Exchange%20mailboxes%20in%20the%20same%20database.%26nbsp%3B%20First%20time%20seeing%20this%20and%20this%20server%20has%20been%20on%20every%20CU%20since%20Exchange%202019%20RTM.%20Anyone%20else%20seeing%20any%20issues%20after%20the%20application%20of%26nbsp%3BKB5003435%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20the%20problem%20you%20saw%2C%20are%20all%20of%20the%20Microsoft%20recommended%20file%2Ffolder%2Fprocess%20antivirus%20exclusions%20in%20place%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2416286%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20May%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2416286%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%3CSPAN%3E%26nbsp%3BHello%20Nino.%26nbsp%3BKB5003435%2C%20like%20KB5001779%20and%20KB5000871%20before%20it%2C%26nbsp%3Bis%20not%20visible%20by%20running%26nbsp%3Bget-hotfix%20or%20by%20looking%20for%20updates%20in%20WAC%20when%20installed%20on%20a%20Windows%202019%20Core%20server.%26nbsp%3B%20%26nbsp%3BThis%20is%20not%20a%20problem%20with%20other%20Windows%20Server%20security%20hotfixes%20-%20only%20with%20Exchange%20hotfixes.%26nbsp%3B%20%26nbsp%3BThis%20is%20an%20issue%20for%20administrators%2C%20installers%2C%20etc.%26nbsp%3B%20When%20will%20this%20be%20addressed%3F%26nbsp%3B%26nbsp%3B%20Do%20you%20see%20the%20same%20thing%20on%20your%20Windows%202019%20Core%20servers%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎May 12 2021 02:31 PM
Updated by: