Released: October 2021 Exchange Server Security Updates

Published Oct 12 2021 10:00 AM

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

IMPORTANT: If manually installing security updates, you must install the .msp from an elevated command prompt (do not choose Run after download).

  • Exchange Server 2013 CU23 (Exchange 2013 customers might also need to run /PrepareSchema. Please see this post.)
  • Exchange Server 2016 CU21 and CU22
  • Exchange Server 2019 CU10 and CU11
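
The elevated-prompt requirement above can be enforced in a wrapper so that a manual install refuses to start from a non-elevated session. This is an added example, not part of the original post or a Microsoft script; the $MspPath and $LogPath parameters are assumptions, and you supply the path of the .msp you downloaded.

```powershell
# Added example: guard a manual .msp install so it only runs elevated.
# $MspPath is a placeholder parameter; point it at the downloaded security update.
param(
    [Parameter(Mandatory)]
    [string]$MspPath,
    [string]$LogPath = "$env:TEMP\ExchangeSU-install.log"
)

# True only when the current token holds the local Administrators role,
# i.e. the shell was started with "Run as administrator".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $elevated) {
    Write-Error "Not elevated. Reopen PowerShell with 'Run as administrator' and retry."
    exit 1
}

if (-not (Test-Path -LiteralPath $MspPath -PathType Leaf)) {
    Write-Error "Patch file not found: $MspPath"
    exit 1
}

# Apply the patch with verbose logging and wait for msiexec to finish.
$msiArgs = @('/update', "`"$MspPath`"", '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
switch ($proc.ExitCode) {
    0       { Write-Output "Update applied. Log: $LogPath" }
    3010    { Write-Output "Update applied; reboot required. Log: $LogPath" }
    default { Write-Error "msiexec exited with $($proc.ExitCode). See $LogPath"; exit $proc.ExitCode }
}
```

The verbose log written by /l*v is the first place to look if OWA or ECP misbehave after the update completes.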

The October 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Update installation

Two update paths are available:


Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to and choose your currently running CU and your target CU to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.


My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the October 2021 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

NOTE: This post might receive future updates; they will be listed here (if available).

The Exchange Server Team

Occasional Visitor

Impossible to install.

Files are used by the Microsoft Filtering Management service (but the service is disabled).

Neither through Windows Update nor manually (admin prompt).


Occasional Visitor

Please share some of your details. What was the OS platform and Exchange? So far we cannot replicate that behaviour.


Occasional Visitor

After installing the update on Exchange 2013, I have a problem with access to OWA/ECP, like this.

Have a solution?

Occasional Visitor

In the case of Exchange 2013 with the October 2021 security updates installed without first running /PrepareSchema using the July 2021 CUs, is it supported to update the schema after installing the October security update by using the command "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms"? Or is it necessary to uninstall the October updates first?

Regular Visitor


I think you have that issue if you don't run the update from an elevated/admin command prompt?

Occasional Visitor

@DanielEarl The installation was successful, but after that, I came up with the problem I indicated.

Regular Visitor

@andreasoc2350 Yes, the update will appear to install properly (it will complete) but you will see those OWA/ECP errors and it's because the update hasn't been run with sufficient privs. If you run the update again, but from an elevated cmd/ps session, I think it's likely to run properly and you won't get the errors.


See the section in the article above:


"IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (do not choose Run after download)."


If you already did that, then sorry I am not sure.

Occasional Visitor

To resolve the problem with ECP and OWA, it is necessary to rebind the certificate in the back end site in IIS. After that, do an iisreset and all is OK.

Occasional Visitor

@DanielEarl I installed with the correct privileges!

Occasional Visitor

I am just experiencing issues with the SU and Exchange Server 2013 CU23 on Windows Server 2012 R2.

The Exchange Services are taking forever to start up. Installation was done with an elevated Shell.

Startup type is "Automatic" but the services are taking much longer to start up.


Are you guys also experiencing those issues?


After updating the system on my end I am also seeing a problem with OWA

Windows 2012R2/ Exchange 2016 CU21 to CU22 with Security patch mentioned.


When trying to log in to OWA, the user keeps getting redirected to the login page.

Outlook and phones are working properly.



You might have to wait for 3 hours for OWA to start working again. 

New Contributor

I have seen dot net updates create problems very often. Better to have a pool of front ends. These updates often break... These updates also change to defaults... Any custom configurations that you might have done will be overwritten. Better to keep a copy of your customized configuration.

Last update: Oct 15 2021 11:46 AM