Released: May 2022 Exchange Server Security Updates
Published May 10 2022 10:00 AM 145K Views

Microsoft has released security updates (SUs) for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

IMPORTANT: Starting with this release of Security Updates, we are releasing updates in a self-extracting auto-elevating .exe package (in addition to the existing Windows Installer Patch format). Please see this post for more information. Original update packages can be downloaded from Microsoft Update Catalog.

These SUs are available for the following specific builds of Exchange Server:

The SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Manual run of /PrepareAllDomains is required

Because of additional security hardening work for CVE-2022-21978, the following actions should be taken in addition to application of May 2022 security updates (please see the FAQ below if in your organization you never ran /PrepareAllDomains but ran /PrepareDomain for some domains only):

Latest version of Exchange Server installed in the organization | Additional steps needed

Exchange Server 2016 CU22 or CU23, or Exchange Server 2019 CU11 or CU12:
Install the May 2022 SU first and then run the following Command Prompt command once using Setup.exe in your Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin):

Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains

Or

Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains

Exchange Server 2013 CU23:
Install the May 2022 SU first and then run the following Command Prompt command once using Setup.exe in your Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin):

Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

Any older version of Exchange Server not listed above:
Update your Exchange server to the latest CU, install the May 2022 SU and then follow the steps above.

You need to run /PrepareAllDomains only once per organization and those changes will apply to all versions of Exchange Server within the organization. When you run /PrepareAllDomains, your account needs to be a member of the Enterprise Admins security group. This might be a different account from the one you use to install the SU. 
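The following PowerShell is an added example, not a script from the Exchange Team or from this post. It wraps the procedure above: it locates the Setup.exe that the May 2022 SU updated in the installation path (not the copy on the CU ISO), shows its file version, refuses to continue unless the current account is in Enterprise Admins, picks the license switch by Exchange version, and runs /PrepareAllDomains once, checking the exit code. The registry value, the whoami-based group check and the setup log path are assumptions drawn from general Exchange setup behaviour rather than from the post.

```powershell
# Added example (not from the Exchange Team post): run /PrepareAllDomains from the
# SU-updated Setup.exe in the Exchange installation path, once per organization.
# Assumptions (author's, not the post's): the registry value used as a fallback for the
# install path, the whoami-based Enterprise Admins check, and the setup log location.
#Requires -RunAsAdministrator

# 1. Find the installation path. $env:ExchangeInstallPath is set on Exchange servers and
#    management-tools machines; the registry value is the fallback (assumption).
$installPath = $env:ExchangeInstallPath
if (-not $installPath) {
    $installPath = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction Stop).MsiInstallPath
}
$setup = Join-Path $installPath 'Bin\Setup.exe'
if (-not (Test-Path $setup)) { throw "Setup.exe not found under $installPath\Bin" }

# 2. Show which build this Setup.exe belongs to. The post says the SU updates the files in
#    the installation folder, so the /Prepare run must use this copy, not the CU ISO.
$ver = (Get-Item $setup).VersionInfo
Write-Host "Using $setup (file version $($ver.FileVersion))"

# 3. /PrepareAllDomains needs Enterprise Admins. Check the current (elevated) token first;
#    this may be a different account from the one that installed the SU.
if (-not ((whoami /groups) -match 'Enterprise Admins')) {
    throw 'Current account is not a member of Enterprise Admins; rerun with one that is.'
}

# 4. Pick the license switch from the post: Exchange 2013 (15.0) uses the plain switch,
#    2016 (15.1) and 2019 (15.2) use the _DiagnosticDataON/OFF variant.
$license = if ($ver.FileMajorPart -eq 15 -and $ver.FileMinorPart -eq 0) {
    '/IAcceptExchangeServerLicenseTerms'
} else {
    '/IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF'   # or ..._DiagnosticDataON
}

# 5. Run once and check the exit code. Setup writes its log to
#    C:\ExchangeSetupLogs\ExchangeSetup.log (assumption: standard setup log path).
$p = Start-Process -FilePath $setup -ArgumentList @($license, '/PrepareAllDomains') `
                   -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) {
    throw "Setup.exe exited with $($p.ExitCode); see C:\ExchangeSetupLogs\ExchangeSetup.log"
}
Write-Host '/PrepareAllDomains completed; no further /Prepare run is needed for other servers or later SUs.'
```

Run it from an elevated PowerShell prompt on a server or management-tools machine that already has the May 2022 SU installed. Because the post says the AD changes are made only once per organization, a non-zero exit code is the only reason to run it again.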

Update installation

Two update paths are available:

[Figure: May2022SUsPath.jpg]

Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

Known issues with this release

  • If you get the following error when trying to install the .exe version of the Exchange 2016 SU for CU22: "Could not load file or assembly 'Microsoft.Exchange.SecurityPatch.ExeGenerator" followed by "Strong name validation failed." and error "0x8013141A" - then please re-download the Exchange 2016 CU22 update and try again. We have resolved the problem with that .exe package.

Issues resolved by this release

The following issues have been resolved in this update:

  • Exchange Service Host service fails after installing March 2022 security update (KB5013118)
  • New-DatabaseAvailabilityGroupNetwork and Set-DatabaseAvailabilityGroupNetwork fail with error 0xe0434352 (Update: the -Subnets parameter is still not fixed)
  • The UM Voicemail greetings function stops working and returns error 0xe0434352.
  • Unable to send mails through EAS and Get-EmailAddressPolicy fails with Microsoft.Exchange.Diagnostics.BlockedDeserializeTypeException after installing Security Update KB5008631 for Exchange 2019

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the May 2022 SUs do need to be installed on your on-premises Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after installing updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only the Management Tools role (no Exchange services) do not need these updates to protect themselves. However, if your organization uses only an Exchange Management Tools machine, then you should install the May 2022 SU package on it and run /PrepareAllDomains from it as per the above instructions, because the SU updates the Setup.exe that applies the Active Directory permission changes.

Instructions seem to indicate that we should /PrepareAllDomains after May 2022 SU is installed; is that correct?
Yes. The May 2022 SU package updates files in the Exchange server folders when it is installed, including Setup.exe. That is why, once those files are updated (i.e. the SU is installed), we ask you to explicitly run /PrepareAllDomains using Setup.exe from the \v15\Bin folder rather than from the CU media. Please note that this needs to be done only once in the organization (in the case of /PrepareAllDomains) or once per domain (in the case of /PrepareDomain).

In our organization we never ran /PrepareAllDomains. We only prepared several of our domains. Do we still need to run /PrepareAllDomains to address CVE-2022-21978?
Our documentation guides our customers to run /PrepareAllDomains as a part of the Exchange organization setup. If your organization has prepared only a subset of all your Active Directory domains, then you can choose to use the /PrepareDomain switch in those specific domains only. To check if /PrepareDomain was run in a particular domain, check for the presence of the Microsoft Exchange System Objects container in that domain.
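As an added example (not part of the post), the PowerShell below applies the check from this FAQ across the whole forest: it enumerates every domain and reports whether the Microsoft Exchange System Objects container exists in it, so you can see which domains have been prepared before deciding between /PrepareAllDomains and /PrepareDomain. It assumes the RSAT ActiveDirectory module is available and that the account can read each domain; reporting the container's objectVersion attribute is an extra, informational detail the FAQ does not mention.

```powershell
# Added example (not from the Exchange Team post): report, per forest domain, whether the
# "Microsoft Exchange System Objects" container exists, the FAQ's sign that /PrepareDomain
# (or /PrepareAllDomains) has run there.
# Assumptions: RSAT ActiveDirectory module installed; read access to each domain.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ExchangeDomainPrepStatus {
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # The container lives directly under the domain naming context.
        $dn = "CN=Microsoft Exchange System Objects,$($domain.DistinguishedName)"
        try {
            # Query the domain's own PDC emulator so a stale replica does not hide the container.
            $container = Get-ADObject -Identity $dn -Server $domain.PDCEmulator `
                                      -Properties objectVersion -ErrorAction Stop
            [pscustomobject]@{
                Domain        = $domainName
                Prepared      = $true
                ObjectVersion = $container.objectVersion   # informational only (assumption)
            }
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            [pscustomobject]@{ Domain = $domainName; Prepared = $false; ObjectVersion = $null }
        }
    }
}

$report = Get-ExchangeDomainPrepStatus
$report | Format-Table -AutoSize

# Domains that hold Exchange servers or mail-enabled objects but show Prepared = $false are the
# ones to target with /PrepareDomain:<fqdn> from an SU-updated Setup.exe; if every domain that
# matters is prepared, a single /PrepareAllDomains run covers the organization.
$unprepared = $report | Where-Object { -not $_.Prepared }
if ($unprepared) { Write-Warning ("Not prepared: " + ($unprepared.Domain -join ', ')) }
```

Run it from any domain-joined machine with RSAT; it needs no Exchange binaries, so it is also a convenient pre-check for the split-permissions case mentioned later in the FAQs, where the Exchange admin may lack rights to read some domains (the catch block only handles "not found", so a permissions error surfaces as a terminating error rather than being reported as unprepared).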

We never used the Microsoft Update catalog and need help getting the old version of update package. Help?!
You can search the Microsoft Update Catalog for your version of Exchange (for example “Exchange Server 2019”). Here are quick links with search strings for Exchange 2013, 2016 and 2019. Once the results come up, sort by the “Last updated” column to display the latest security update. Use the Download button to download the .cab file and then right-click on the .cab and choose Open to reveal the .msp file. Extract the .msp file and proceed using it (but remember that .msp requires elevation when installing, so run it from an elevated command prompt!)
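The script below is an added example, not from the post, of the .cab-to-.msp path just described done from an elevated PowerShell prompt rather than Explorer: it unpacks the .cab with expand.exe, verifies the Authenticode signature of the extracted .msp before anything is installed, and then applies the patch with msiexec, which is what the "requires elevation" note is about. The .cab file name and the temporary folder are placeholders; substitute the package you downloaded for your Exchange version and CU.

```powershell
# Added example (not from the Exchange Team post): extract the .msp from a Microsoft Update
# Catalog .cab, verify its signature, and install it elevated.
# Assumptions: -CabPath points at the .cab you downloaded (placeholder name in the comment);
# the extraction folder under %TEMP% is the author's choice.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string]$CabPath,   # e.g. C:\Updates\<downloaded-package>.cab (placeholder)
    [string]$ExtractDir = (Join-Path $env:TEMP 'ExchangeSU')
)

New-Item -ItemType Directory -Path $ExtractDir -Force | Out-Null

# expand.exe ships with Windows and unpacks .cab files ('-F:*' = every file in the cabinet).
& expand.exe $CabPath '-F:*' $ExtractDir | Out-Null
$msp = Get-ChildItem -Path $ExtractDir -Filter '*.msp' | Select-Object -First 1
if (-not $msp) { throw "No .msp found inside $CabPath" }

# Refuse to install anything that is not validly signed by Microsoft. A .cab fetched over
# the network or staged on a file share is exactly where a swapped package would hide.
$sig = Get-AuthenticodeSignature -FilePath $msp.FullName
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Signature check failed for $($msp.Name): status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
}
Write-Host "Verified $($msp.Name), signed by $($sig.SignerCertificate.Subject)"

# Apply the patch: msiexec /update takes an .msp; /l*v writes a verbose log for troubleshooting.
# Because this script runs elevated (#Requires above), the .msp gets the elevation it needs.
$log = Join-Path $ExtractDir 'install.log'
$p = Start-Process -FilePath msiexec.exe `
                   -ArgumentList "/update `"$($msp.FullName)`" /l*v `"$log`"" `
                   -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with $($p.ExitCode); see $log" }
Write-Host "Installed (exit code $($p.ExitCode); 3010 means a reboot is required)."
```

Usage: `.\Install-ExchangeMsp.ps1 -CabPath C:\Updates\<downloaded-package>.cab` from an elevated prompt (script name is a placeholder). The signature gate is the step worth keeping even if you install the .msp by hand: an unelevated or unsigned install is the failure mode the FAQ warns about, and the check costs one cmdlet.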

Can we run /PrepareAllDomains before all of our Exchange servers are updated with May 2022 CU?
Yes. There is no dependency between running /PrepareAllDomains and installing the updates on all servers. /PrepareAllDomains can be run as soon as at least one machine is updated (from that machine), but it can also be postponed and run when you are ready to address that particular CVE.

We ran /PrepareAllDomains but Health Checker script is telling us we are still vulnerable. Or: Health Checker script fails to check for CVE-2022-21978 update status.
Please update your Health Checker script; we resolved the problem that was causing this and the new version of the check is now published. Also, please note that if your organization uses split permissions and Exchange admins do not have rights to read Active Directory configuration, we updated the Health Checker on 5/16 to indicate when more permissions might be required for the check to complete.

Updates to this blog post:

  • 5/27: Clarified that /Prepare switches need to be run only once (not on every updated server)
  • 5/23: Added information about -Subnets parameter still not working for New-DatabaseAvailabilityGroupNetwork and Set-DatabaseAvailabilityGroupNetwork
  • 5/16: Another update to Health Checker FAQ to account for split permissions
  • 5/12: Updated the Health Checker FAQ; the updated version is now published
  • 5/11: Added a FAQ about Health Checker script in some environments incorrectly reporting that CVE-2022-21978 is not addressed after /PrepareAllDomains was run
  • 5/11: Added a FAQ on order of running /PrepareAllDomains vs. updating of all Exchange servers
  • 5/11: Redirected the Exchange 2016 CU22 package back to the Download Center as the issue with that update's .exe package has been resolved
  • 5/11: Redirected the Exchange 2016 CU22 SU download link to Microsoft Update Catalog download while we address an issue with .exe installer.
  • 5/11: Additional clarification of /PrepareDomain vs. /PrepareAllDomains for customers who never ran /PrepareAllDomains in their organization
  • 5/11: Added the workaround for a 'Strong name validation error' that a small number of customers reported
  • 5/11: Added information on how to find the .msp version of updates in Microsoft Update Catalog
  • 5/10: Added a FAQ mentioning the use of /PrepareDomain instead of /PrepareAllDomains for organizations that need to do so.

The Exchange Server Team

198 Comments
Copper Contributor

Hi,

If you install the May 2022 SU while on Exchange 2019 CU11 and then later down the road upgrade to CU12, will the same May 2022 SU and command need to be installed again, but now for CU12?

Also, now with the SU being a .exe, for Exchange Server Core versions, is this just now a matter of navigating to the .exe via command line as administrator and launching it?

Brass Contributor

Because of the /PrepareAllDomains switch, does the Exchange Administrator also need to be an Enterprise Administrator to install this SU?

It was pointed out that this question was already answered with a note in the article (I missed it), my bad.  Thanks for the clarification.  I will also add this does make the installation of this SU some what painful as Exchange Admin duties are very much separated from Domain and Enterprise Admins in my org, it will require a lot of explaining.  :)

Microsoft

@PatchesOhoulihan14 No, every CU has its own SU. SU installation does not "survive" the upgrade between CUs. See this post. EDIT: yes, this is how it should work on Core.

@Todd J Vanscoter Yes please see the above note. /PrepareAllDomains requires Enterprise Admin.

Microsoft

@Todd J Vanscoter No problem; just to be super clear: the installation of the SU itself does not require more permissions; addressing that CVE using /PrepareAllDomains is what does, however. I get it, still more permissions are required but you can install the package with the same account that you usually use.

Brass Contributor

Hello Exchange Team

Microsoft Update Catalog only lists Exchange May 10 2022 patches as .cab files, what happened to .msp files? Where can I get those?

I have about 40 Exchange 2016 servers, so do I have to run those additional steps on every single Exchange server after installing the May 2022 SU?

My Exchange servers live in a child domain and are unable to talk directly to my schema master to make those changes / updates in the root domain. I have a dedicated server (no Exchange 2016 installed) running in the same root domain / AD site as the schema master so I can prepare AD when needed for new CUs and so on. How am I going to run those additional tasks? Do I need to install Exchange 2016 CU22 on this server, run the May 2022 SU and then /PrepareAllDomains?

Preparing AD is usually part of CUs, not SUs, and making changes to Forest / AD is more difficult than it should be.

Microsoft

@null null Update Catalog always has only .cab but when you run the .cab (or extract it) it gives you a .msp. Hmmm we could have mentioned this somewhere, now that you bring that up. EDIT: this is now added as a FAQ on the New Exchange Server Security Update and Hotfix Packaging blog post.

/PrepareAllDomains needs to be run only once. Requirements are here. You could install a management tools machine using the last CU in that site, install the SU on it and then run /PrepareAllDomains from it (this scenario is in the FAQ above).

Brass Contributor

@Nino Bilic Thanks for the quick update.

Copper Contributor

Does the /PrepareAllDomains stuff have to be done after ALL your Exchange servers have been updated, or can it be done immediately after the first has been updated?

Microsoft

@philrandal You can run this as soon as any one of your Exchange servers is updated with May 2022 SUs. You do not need to wait until all Exchange servers are updated.

Copper Contributor

What if you have a mix of Exchange 2013 and Exchange 2019 servers in the same domain? Do you need to run the /PrepareAllDomains once on an ex2013 box, and once on an ex2019 box?

Microsoft

@RussellBuijsse Just run it once, after installing the SU for the latest version.

Brass Contributor

The instructions seem to indicate installing the latest SU before the last CU.  I thought it was the other way around.  Do I have it backwards?

Microsoft

@Rob Hupf We released SUs for last two CUs for Exchange 2016 / 2019. You can take the SU if you have either of those CUs installed and then run /Prepare switch. If you are on older CU that is not supported anymore, you'll need to come forward to one of supported CUs and install the SU after that.

Brass Contributor

So if we are on 2016 CU22, we can load the May 2022 SU instead of CU23, or do we load both?

Copper Contributor

I'm getting a 'vulnerability detected true' error from the latest Exchange Health Checker version 22.05.10.2047 powershell script. 

So far I have successfully installed KB5014261 via Windows Update (Server 2019, Exchange 2019 CU12) and ran the post-install setup command mentioned above. I gave it a reboot for good measure -- still getting the vulnerability detected error: 

Security Vulnerability: CVE-2022-21978 Unable to perform vulnerability testing - See: https://aka.ms/HC-May22SU
Security Vulnerabilities: CVE-2022-21978 Unable to perform vulnerability testing - See: https://aka.ms/HC-May22SU

Any ideas?

Copper Contributor

Is there an article that states the changes for the /prepareAllDomains switch for this SU?  I need something to show change control but cannot find the details!

Thanks ;)

Brass Contributor

@The_Exchange_Team @Nino Bilic

if we are in a hybrid setup, do we have to have the /TenantOrganizationConfig switch with the preparealldomains switch?

or just simply run the command

Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains

Microsoft

@Rob Hupf If you are running CU22, then installing SU for CU22 is the easiest for you now until you move to CU23. Just run /Prepare after installation of the SU.

Microsoft

@Googol No, you should not have to run /TenantOrganizationConfig anymore.

Microsoft

@cvanoort We are still working on Health Checker script for this scenario, sorry about that. It is a work in progress. If you ran /Prepare and it completed successfully, you should be good to go. Still working on sorting out the details of Health Checker for all scenarios.

@dcliff11715 We do not have an article published with details of exactly what the changes are.

Brass Contributor

oh really? appreciate the quick response and your involvement in the community

perhaps this should be updated then about hybrid and running that switch?

Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange...

Microsoft

@Googol Yeah we will sort that out. But a note there indicates that the switch was not needed for "existing organizations" but this can be better.

Brass Contributor

Hi, I have 2 servers 2013 CU23 and 2 servers 2016 CU21.
What would be the best way here?

First the SU installation on 2013 and then /PrepareAllDomains or first the installation server 2016 on CU22/23 and the SU and then the /PrepareAllDomains.

All servers are in the same domain.

Thanks for the help.

Copper Contributor

Hi, if the SU was installed to CU11/CU22 and /preparealldomains done, then later updated to CU12/CU23 and SU installed again, is the /preparealldomains required to be run again? Or is it enough that prep was done already earlier?

@Tonibert I would suggest to install the SU on Exchange 2016 first, perform PrepareAllDomain and then continue with other servers.

@karil222 PrepareAllDomains is not required again for the case you mention

Brass Contributor

@Bhalchandra_Atre-MSFT

Thank you for your prompt reply.

But then I have to install the CU 22 or 23 first
Then the SU and then the older servers 2013 SUs.
Right?

Copper Contributor

Hello,

Will Exchange continue to work normally after the update when calling "preparealldomains" at a later time. Or must it be done immediately after the update?

Copper Contributor

Hello,

It seems that HealthChecker.ps1 script doesn't work properly on Exchange 2013:

Security Vulnerability
----------------------
Security Vulnerability: CVE-2022-21978
Unable to perform vulnerability testing - See: https://aka.ms/HC-May22SU

Compared to a previous version "Exchange2013" is not part of the check condition:

old:

if (($SecurityObject.MajorVersion -eq [HealthChecker.ExchangeMajorVersion]::Exchange2013) -or
    (($SecurityObject.MajorVersion -eq [HealthChecker.ExchangeMajorVersion]::Exchange2016) -and
     ($SecurityObject.CU -lt [HealthChecker.ExchangeCULevel]::CU21)) -or
    (($SecurityObject.MajorVersion -eq [HealthChecker.ExchangeMajorVersion]::Exchange2019) -and
     ($SecurityObject.CU -lt [HealthChecker.ExchangeCULevel]::CU10))) {
    Write-Verbose "Testing CVE: CVE-2021-34470"

current:

if ((($SecurityObject.MajorVersion -le [HealthChecker.ExchangeMajorVersion]::Exchange2016) -and
     ($SecurityObject.CU -le [HealthChecker.ExchangeCULevel]::CU23)) -or
    (($SecurityObject.MajorVersion -eq [HealthChecker.ExchangeMajorVersion]::Exchange2019) -and
     ($SecurityObject.CU -le [HealthChecker.ExchangeCULevel]::CU12))) {
    Write-Verbose "Testing CVE: CVE-2022-21978"

As I don't know whether or not this is the only occurrence: could someone of the experts check and fix the checker script, please?

Sascha

Brass Contributor

Hello,

We have implemented a Tier Model, where Exchange runs with Split-Permissions in Tier 1.

The requirement for running /preparedomain is membership in the Domain Admins group. -> That would be a Tier 0 user.

But in accordance with the Microsoft Tier Model, Tier 0 users are not allowed to log in on Tier 1 servers (that is, Exchange servers).

Is there any supported way to provide the setup executable for the Domain Admins to do the domain prep on Tier 0 systems, e.g. a domain controller, like it used to be with the setup.exe provided in the ISO for every CU?

Why did you change the model? Is the new way to patch the setup executable only in the live system?

__TK__

Copper Contributor

Hi,

Will there be any impact on our Exchange servers if we don't run the /PrepareAllDomains or /PrepareDomains after installing the Exchange 2016 May2022 SU?

@Tonibert The AD preparation commands must be performed from highest Exchange version installed in the org, hence you must perform PrepareAllDomain from Exchange 2016, and later just install the SU for Exchange 2013

@mykel1982 @Saska69 the CVE won't be addressed till you perform PrepareAllDomain command, hence you should perform PrepareAllDomain after installing the SU.

@__TK__   You can install Exchange management tools on a workstation, install security update and have your domain admins use the workstation to perform the PrepareAllDomains

Copper Contributor

@Bhalchandra_Atre-MSFT 
The question was meant like this: apart from the CVE, are there any limitations or malfunctions if we run /preparealldomains a few hours/days later?

Brass Contributor

I installed CU22 with no errors. Then I restarted the server. Everything without problems.
Now I want to install the SU and I get this error:

Unhandled exception: System.IO.FileLoadException: Could not load file or assembly "Microsoft.Exchange.SecurityPatch.ExeGenerator, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" or one of its dependencies. Strong name validation failed. (Exception from HRESULT: 0x8013141A) ---> System.Security.SecurityException: Strong name validation failed. (Exception from HRESULT: 0x8013141A)

Brass Contributor

I was able to install the May update.
I previously installed the March update.

If this is the case, then the specified path is not correct.

Do you also see it like that?

@Saska69 No other issues apart from addressing the CVE

Brass Contributor

Thanks for all your assistance, Nino.  I'm still not 100% clear about my path.  We were already planning the 2016 CU23 update.  We are currently on CU22.  Should I install this SU before the CU23, as the documentation suggests, or after CU23, or not at all because CU23 supersedes it?

Copper Contributor

When trying to install the .msp version of the patch on Exchange 2016 CU23 I am getting this error, anyone else seen this?

[Screenshot: Capture.PNG]

Microsoft

@Saska69 No issues, no.

Brass Contributor

Initially I had an the SU installation fail due to not being able to find certain files. I restarted, mounted the CU12 ISO this time, and got a successful installation of the SU. Not sure whether this was a random problem or whether access to the CU12 installation files is actually required.

Copper Contributor

Hello Exchange-team, Hello Everyone,

we have a nearly empty root domain and a production domain.

For PrepareSchema, PrepareActiveDirectory and PrepareAllDomains we normally run setup from the installation binary (mounted ISO image) on a domain controller located in the root domain.

You, Exchange-Team, had written:
"Prompt command once using Setup.exe in your Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin):"

Can we still use the setup.exe from the installation binary (mounted ISO image) like we always did before, or is it important to use the setup.exe that was placed in the Exchange Server installation path (e.g., …\Program Files\Microsoft\Exchange Server\v15\Bin)?

Any help is appreciated.

Greetings, Roland (Germany)

Microsoft

@Tonibert We are looking into this, thank you. Please follow the FAQ to download the .msp version of the update and install that (make sure to run the .msp from the elevated command line!)

Microsoft

@lewismartin Please see this.

Microsoft

@Rocky567 You need to run it using the files from the Exchange installation directory. Those files get updated after SU is installed.

Microsoft

@Rob Hupf This is up to you. We suggest that the SU gets installed as soon as possible. If you install the SU now (when you have CU22), you will need to reinstall it once you install CU23 also. But note, if you run the /Prepare switches manually after you install it on CU22, you do not need to do that again once you install the SU on top of CU23. /Prepare needs to be run only once, from a server that was updated to either the SU for CU22 or CU23.

Copper Contributor

Hi MS,

we are on Exchange 2013 CU 23 plus one server Exchange 2019 CU12 (just started rolling out new version), all on same domain.

Do I patch the only 2019 server and prepare all domains and then continue provisioning the rest 2019 CU12 + patch?

It will not break anything on 2013, which can be patched at a later time, correct?

Microsoft

@dmdovnar Absolutely nothing will break if you run /Prepare and then keep updating other servers as you need to.

Copper Contributor

@Nino Bilic Thank you, appreciate the prompt response!

Version history
Last update: May 27 2022 06:25 AM