Released: September 2021 Quarterly Exchange Updates
Published Sep 28 2021 08:01 AM

Today we are announcing the availability of quarterly Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019. These CUs include fixes for customer reported issues, all previously released security updates, and a new security feature.

A full list of fixes is contained in the KB article for each CU, but we wanted to highlight a few changes.

Microsoft Exchange Emergency Mitigation Service

As mentioned in our recent blog post, September 2021 CUs (and later) include the new Microsoft Exchange Emergency Mitigation service. Please familiarize yourself with the new service as it is a new security feature that will be installed on all Exchange Servers (except Edge servers).

Cumulative Update Setup Changes

We wanted to call out two setup changes starting with September 2021 CUs (more information in the Emergency Mitigation Service blog post):

  • We changed the unattended setup switch. The previous /IAcceptExchangeServerLicenseTerms switch will not work starting with the September 2021 CUs. You now must use either /IAcceptExchangeServerLicenseTerms_DiagnosticDataON or /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF for unattended and scripted installs.
  • The IIS URL Rewrite module is now a prerequisite for Exchange Server installation. This must be installed separately and is not installed as part of Exchange Setup (you need the x64 MSI version). Please note that app pools are restarted as a part of the IIS Rewrite module installation and service might be disrupted.

Release Details

The KB articles that describe the fixes in each release and product downloads are as follows:

Known issues with this release

Due to several changes released in security updates since the last CU release, we wanted you to be aware of the following issues that might impact customers who did not already install recent security updates:

  • Before the update, you should check your Exchange Server authorization certificate. Please see this KB article for more information.
  • If your organization uses Load Balancing, please see this KB article for more information on how to update.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment.

These updates do not contain schema changes. If coming from older updates, you can find more information on preparing Active Directory here. Schema changes can be tracked here. For best practices for successful installation, please see this document.

If updating from an older version of the CU, please see the Exchange Update Wizard for detailed steps to follow.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to Unrestricted on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use these resolution steps to adjust the settings.

If you plan to install the update with the unattended install option using either PowerShell or a command prompt, make sure you specify either the full path to the setup.exe file or use a “.” in front of the command if you are running it directly from the folder containing the update. If you do not, Exchange Setup may indicate that it completed successfully when it did not. Read more here.
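The unattended-install guidance above (new license switch, execution policy, full path to setup.exe) can be collected into one wrapper. This is an added example, not a Microsoft script; the function name `Start-ExchangeCuUpgrade` and its parameters are hypothetical, and it assumes an in-place upgrade started with `/m:Upgrade`.

```powershell
# Added example: hypothetical wrapper around an unattended CU upgrade.
function Start-ExchangeCuUpgrade {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folder or drive that holds the CU media (for example a mounted ISO).
        [Parameter(Mandatory)][string]$MediaPath,
        # September 2021 CUs and later need an explicit diagnostic-data choice;
        # the old /IAcceptExchangeServerLicenseTerms switch is rejected by Setup.
        [Parameter(Mandatory)][ValidateSet('ON', 'OFF')][string]$DiagnosticData
    )

    # Unattended setup is expected to be started from an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # The post asks for Unrestricted while Setup runs; stop early otherwise.
    $policy = Get-ExecutionPolicy
    if ($policy -ne 'Unrestricted') {
        throw "Execution policy is '$policy'; the post asks for Unrestricted during setup."
    }

    # Always hand Setup a fully qualified path. Started by bare name it may
    # report success without having completed.
    $mediaRoot = (Resolve-Path -LiteralPath $MediaPath).ProviderPath
    $setup     = Join-Path $mediaRoot 'setup.exe'
    if (-not (Test-Path -LiteralPath $setup -PathType Leaf)) {
        throw "setup.exe not found at $setup"
    }

    $setupArgs = @(
        '/m:Upgrade',
        "/IAcceptExchangeServerLicenseTerms_DiagnosticData$DiagnosticData"
    )

    $exitCode = $null
    if ($PSCmdlet.ShouldProcess($setup, "Run with $($setupArgs -join ' ')")) {
        $proc     = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
        $exitCode = $proc.ExitCode
        if ($exitCode -ne 0) {
            throw "Setup exited with code $exitCode; check $env:SystemDrive\ExchangeSetupLogs\ExchangeSetup.log"
        }
    }

    [pscustomobject]@{ Setup = $setup; Arguments = $setupArgs; ExitCode = $exitCode }
}

# Dry run that only performs the checks and shows the command line:
# Start-ExchangeCuUpgrade -MediaPath 'F:\' -DiagnosticData OFF -WhatIf
```

The wrapper does not install the IIS URL Rewrite module; Setup blocks the upgrade if that prerequisite is missing.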

Note: Customers in Exchange hybrid deployments and those using Exchange Online Archiving with an on-premises Exchange deployment are required to deploy a supported CU for the product version in use.

For the latest information on the Exchange Server and product announcements please see What's New in Exchange Server and Exchange Server Release Notes.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Server team

74 Comments
Brass Contributor

Hi Exchange team,

I guess, for the IIS URL Rewrite module, we just need the regular 'x64' msi installer, not the Web Platform Installer (WebPI).

Regards,
Stephen

Microsoft

@sjhudson Correct, x64 MSI version. I added that to the bullet. Thanks!

Copper Contributor

4. "IMPORTANT: You must install the CU from an elevated command prompt. If the CU installation is being started from PowerShell, ensure the full path to setup.exe is provided"

I normally Run As Admin the setup.exe in the mounted ISO (after a fresh reboot). This sentence makes me think I should NOT do this? I like using the GUI, it's worked in the past just fine. I know I'll need the URL rewrite msi and I think I'll have a schema update coming from CU19, but the GUI walks me through that. And since I don't have a DAG I think I don't need to enter maintenance mode. Thanks!

Microsoft

@jordanl17 You are good and you can continue doing what works for you; CU setup is more advanced than the SU (security update) setup so either will work. The truth is that due to the fact that the SU setup is something that actually requires elevated CMD line, we have just gone to suggest to do the same thing (elevated) all the time. But CU setup will check for permissions and prompt for elevation if required.

Brass Contributor

We are running CU20 with Jul21SU... - does this mean, we must install CU21 first to get CU22 - or is it possible to go directly from CU20/Jul21SU to CU22?

Microsoft

@Duncan1528 You can go directly from CU20+(any SU) to CU22, yes. You will need to install IIS URL rewrite before you do that, though.

EDIT: you can always check https://aka.ms/exchangeupdatewizard for all of the steps!

Copper Contributor

KB2999226 is listed as a prerequisite for EM and therefore this CU. That KB only applies to Server 2012 R2 and lower. Is there a modern KB available for Server 2016/2019 that we should be installing?

Microsoft

@NHawk257 That's... well, that is a little awkward. This update is quite old and I do not expect it to be an issue on say an Exchange 2019 server (which does not even run on 2012 R2). Bottom line is - if WU says your server is up to date, you are OK. I would hope that even on Exchange 2016 servers, this KB would be installed everywhere by now... but thinking about this as a reference in the KB; especially for E2019 CU, it does not make much sense, does it...

Copper Contributor

The KB articles in the Known issues point to the same URL. Can you verify the one for Load balancing? thanks

Microsoft

@Ricardo Costa da Silva That is correct; both issues are covered in the same KB; there is Cause 1 and Cause 2, with their own resolutions.

Copper Contributor

The Deployment instructions for Exchange 2016 CU in the Exchange Update Wizard when going from CU21 to CU22 says to "Install the latest applicable security update (SU) as listed in Exchange Server build numbers and release dates." I notice that "Exchange Server 2016 CU21 Jul21SU" is listed under CU22 on the build page. If I have already installed that SU while at CU21, do I need to install it again after installing CU22?

Copper Contributor

We are running Exchange 2016 CU21 in Windows 2012 server and I am planning to apply CU22 to our server. Please advise whether I have to install the following prerequisites before applying CU22. Thanks

 

Microsoft

@RadHaz75 No; the reason why it says this is because it cannot know when you would be installing the CU; immediately after release or say... 2 months down the road (when there might be SUs for that CU). All of the SUs are CU specific. There are no SUs for latest set of CUs (released yesterday). That might change in the future but right now - there is nothing newer than the CU. We talk about this stuff here.

@vigna840 IIS Rewrite Module is a hard requirement, yes. You will be blocked from installation if you do not install that first. On the C Runtime - if your server is up to date on its WU updates, then you should be good with this.

Copper Contributor

@Nino Bilic Thanks. That's what I thought. Can you explain why the Jul21SU is listed under CU22 the same way it is listed under CU21 here https://docs.microsoft.com/en-us/Exchange/new-features/build-numbers-and-release-dates?view=exchserv... Is this just a mistake?

Microsoft

@RadHaz75 The article does not show Jul21SU "under" CU11... if you look at all of the updates on the page, they are actually listed chronologically from oldest to newest. So there is a 2019 CU9, then all the SUs on top of that going "upward". Then 2019 CU10 and its SU (released on Jul 13). Then there is CU11. The SU for CU11 (when released) will come on the top of the list and will be indented a bit to show that it is an SU vs. the CU which start at the start of each row.

I do agree this can be misinterpreted unless you realize the context of the list. Hmm. Thinking of how this could be presented clearer perhaps...

Copper Contributor

For 2019 CU10 without the SU installed...do we need to apply that first prior to going to CU11?  Also no schema changes right so need to run the commands for that correct?  What about being in a hybrid mode?  Do we need to include the command line switches when installing?  Thanks!

Copper Contributor

@Nino Bilic I think I see what you're saying. The fact that the SU is indented under CU21 implies to me it's like a subpart of that, like required after, hence my confusion there.

Microsoft

@Russo1485 No you do not need to install any SUs before going to next CU. No schema changes if you are on CU10 (there was a schema change in CU10). You can use the CMD line switches or use the UI; the CU setup is smart enough to prompt for admin elevation if needed.

Copper Contributor

@Nino Bilic thanks for the clarification.  If in hybrid I'm assuming you still have to run the setup command with your XML file...can you confirm?  Thanks!

Microsoft

@Russo1485 Sorry what does this mean? What do you mean Setup with the XML file?

The bottom line is I guess - as you ran it before; no difference with this CU compared to older ones; I'm guessing you might have some custom settings or something...

Copper Contributor

Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD /TenantOrganizationConfig C:\Source\MyTenantOrganizationConfig.xml

 

I've had to use that command when installing CUs because we're in a hybrid setup.  I'm assuming we have to, but of course the new "Wizard" doesn't cover that aspect and neither does the documentation.

 

Thanks

Copper Contributor

Dumb question: Does config related to the IIS Rewrite Module need to be done? Or just install the msi and move on?

Copper Contributor

The IIS Rewrite Module should be installed in a maintenance window, possibly right before installing the CU. I had to reboot our server after installing it, else Outlook wouldn't connect and OWA/ECP etc showed an HTTP 500 Internal Server Error on our Exchange 2016 Server (running on Windows Server 2012R2).

Microsoft

@Karen Brown Just install, do not need to config stuff.

Microsoft

@Russo1485 Sorry, I had a brain burp there - no, you are doing the right thing, just keep doing it! Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange... 

Copper Contributor

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to Unrestricted on the server being upgraded or installed

Hi, my current execution policy is RemoteSigned. I've changed it to Unrestricted before installing the latest CU. Can I revert back to RemoteSigned after installation? I've got to repeat the installation on the other servers in my DAG. Will RemoteSigned not work during installation?

Microsoft

@aleach Yes you can return it back later, sure.

Copper Contributor

Is this the last expected CU for Exchange 2016? If so, which 2016 CUs are supported?

Copper Contributor

Hi Exchange Team,

I'm trying to upgrade my test environment from Exch2016 CU21 + SU1 to Exch2016 CU22. My normal approach is to run it from an elevated cmd prompt but every single time I've tried to run the installer on the first server it's thrown the "there's a reboot pending" exception.

 

C:\Windows\system32>f:\setup.exe /m:Upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

Microsoft Exchange Server 2016 Cumulative Update 22 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.

Languages
Management tools
Mailbox role: Transport service
Mailbox role: Client Access service
Mailbox role: Unified Messaging service
Mailbox role: Mailbox service
Mailbox role: Front End Transport service
Mailbox role: Client Access Front End service

Performing Microsoft Exchange Server Prerequisite Check

    Configuring Prerequisites                                                                         COMPLETED
    Prerequisite Analysis                                                                             FAILED

There is a pending reboot from a previous installation of a Windows Server role or feature. Please restart the computer
and then run Setup again.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.PendingRebootWindowsComponents.aspx


The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the
<SystemDrive>:\ExchangeSetupLogs folder.

 

I've restarted the server 5 times and it's thrown the same thing every time, I checked the setup log and it doesn't seem like this is actually the case:

 

[09/30/2021 10:58:27.0938] [1] Started [Rule:PendingRebootWindowsComponents] [Parent:RootAnalysisMember] [RuleType:Error]
[09/30/2021 10:58:27.0998] [1] Evaluated [Rule:PendingRebootWindowsComponents] [HasException:False] [Value:"True"] [ParentValue:"<NULL>"] [Thread:17] [Duration:00:00:00.0570024]
[09/30/2021 10:58:28.0000] [1] Finished [Rule:PendingRebootWindowsComponents] [Duration:00:00:00.0610040]

 

Just on the off chance that it was something related to the unattended installer I've tried launching the upgrade through the GUI setup and it is now successfully performing the upgrade. Underlying OS is fully-patched WinSvr2016.
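The `Started` / `Evaluated` lines quoted in the comment above follow a regular shape, so the rules behind a FAILED prerequisite analysis can be pulled out of ExchangeSetup.log mechanically. This is an added example, not part of the original comment or of Exchange Setup; the function name `Get-ExchangeSetupFailedRule` is hypothetical, and it assumes that a rule of RuleType `Error` whose Value is `"True"` is one that blocked setup, which matches the output shown above.

```powershell
# Added example: report Error-type readiness rules that evaluated to "True".
function Get-ExchangeSetupFailedRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Line
    )
    begin {
        $ruleType  = @{}   # rule name -> RuleType taken from its "Started" line
        $started   = '\]\s+Started\s+\[Rule:(?<rule>[^\]]+)\].*\[RuleType:(?<type>[^\]]+)\]'
        $evaluated = '^\[(?<time>[^\]]+)\].*\]\s+Evaluated\s+\[Rule:(?<rule>[^\]]+)\]' +
                     '.*\[HasException:(?<exc>[^\]]+)\]\s+\[Value:"(?<value>[^"]*)"\]'
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $started) {
                # Remember the severity; the Evaluated line does not repeat it.
                $ruleType[$Matches.rule] = $Matches.type
                continue
            }
            if ($l -match $evaluated -and
                $Matches.value -eq 'True' -and
                $ruleType[$Matches.rule] -eq 'Error') {
                [pscustomobject]@{
                    Time         = $Matches.time
                    Rule         = $Matches.rule
                    RuleType     = $ruleType[$Matches.rule]
                    HasException = $Matches.exc
                }
            }
        }
    }
}

# Sample input: the first three lines are the ones quoted in the comment above;
# the last two (ConstructedExampleRule) are constructed to show a passing rule.
$sample = @(
    '[09/30/2021 10:58:27.0938] [1] Started [Rule:PendingRebootWindowsComponents] [Parent:RootAnalysisMember] [RuleType:Error]'
    '[09/30/2021 10:58:27.0998] [1] Evaluated [Rule:PendingRebootWindowsComponents] [HasException:False] [Value:"True"] [ParentValue:"<NULL>"] [Thread:17] [Duration:00:00:00.0570024]'
    '[09/30/2021 10:58:28.0000] [1] Finished [Rule:PendingRebootWindowsComponents] [Duration:00:00:00.0610040]'
    '[09/30/2021 10:58:28.0100] [1] Started [Rule:ConstructedExampleRule] [Parent:RootAnalysisMember] [RuleType:Error]'
    '[09/30/2021 10:58:28.0200] [1] Evaluated [Rule:ConstructedExampleRule] [HasException:False] [Value:"False"] [ParentValue:"<NULL>"] [Thread:17] [Duration:00:00:00.0100000]'
)

# Emits one object, for PendingRebootWindowsComponents.
$sample | Get-ExchangeSetupFailedRule

# Against a real log:
# Get-Content "$env:SystemDrive\ExchangeSetupLogs\ExchangeSetup.log" | Get-ExchangeSetupFailedRule
```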

 

Copper Contributor

Thanks for your update, Nino

 

Copper Contributor

A bit of encouraging news. We normally wait longer than the day a CU is released to install it....hoping to let others discover if there is fallout first.

 

This time, we went for it and it was smooth sailing.

Now to read about the EM piece.

2019 CU10 to CU11.

Microsoft

@ScottKnights As of now, we do not have anything to announce if there will be more E2016 CUs. We made those announcements before. Then things changed. We will see! Always, the last two CUs are what is "supported".

@joeykins82 Thanks for providing details; we just tried to reproduce this using the same builds you mentioned, and could not, hmm. Will keep looking!

Copper Contributor

@Nino Bilic 

Hi Nino, I just wanted to clarify which CUs are supported as the support policy for Exchange server stipulates:
Critical product updates are packages that address a Microsoft-released security bulletin or that contain a change in time zone definitions. When in Mainstream Support, critical product updates are released as needed on a monthly basis for the most recently released CU and for the immediately previous CU. When in Extended Support, critical product updates are released as needed on a monthly basis for only the most recently released CU.

 

This was also stated again in this blog post about the end of Mainstream Support for Exchange 2016:
https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-2016-and-the-end-of-mainst...

Microsoft encourages Exchange Server 2016 customers to adopt CU20 as soon as possible to ensure uninterrupted delivery of any future security related fixes. After March 16, 2021, only CU20 or its successors will receive updates. During the Extended Support phase, only the latest CU is eligible to receive updates once the standard 3 month transition period of the prior CU has lapsed.  

 

That is on this blog so is official information! Exchange 2016 has been in Extended Support since last October. Can you please ensure that when any future 2016 CUs are released (assuming any are) that you explicitly clarify which will receive critical updates.

Copper Contributor

Why does my Exchange show two different things?

 

Exchange: Exchange 2016 CU18
Build Number: 15.1.2308.8

 

Build 15.1.2308.8 should be CU21

 

At this point I don't know if I should treat this as upgrade CU18 -> CU22 or CU21 -> CU22

 

Brass Contributor

Hi @Nino Bilic & Team,

 

At present we are on Exchange 2019 CU9, can we install or go directly to CU11...?

 

Regards,

Sree

Microsoft

@Sreejith yes, you can install CU11. Please note that PrepareSchema is required if CU9 is your current version.

Iron Contributor

Hello Microsoft,

 

I note that these CUs include the fix for "Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)"

 

For those SHA-1 certificates that were previously created by Microsoft Exchange, what is the procedure to convert them to SHA-256 ? 

Microsoft

@Sam_T you must recreate/renew them. There is no way to convert the existing certificates to SHA256. 

Microsoft

@Sreejith In addition to what Lukas mentioned - please see https://aka.ms/exchangeupdatewizard - we always update this to make sure that all the steps are listed when updating CUs.

Iron Contributor

@Lukas Sassl 

Thanks for your response Lukas. So what is the Microsoft recommended procedure to recreate or renew the SHA-1 certificates that were previously created by Microsoft Exchange, so that they are SHA-256 ? 

Microsoft

@Sam_T the steps to renew an Exchange certificate are described here: Renew an Exchange Server certificate | Microsoft Docs . The issue which is fixed with the latest CU has only affected the certificates created during the initial Exchange installation. 

The New-ExchangeCertificate cmdlet automatically generates certificates using SHA-256. You can also use the Exchange HealthChecker (https://aka.ms/ExchangeHealthChecker) to check the hash algorithm.

 

EDIT:

If you create a new auth certificate, make sure to configure it as next certificate via Set-AuthConfig (Set-AuthConfig (ExchangePowerShell) | Microsoft Docs) or follow these steps if it has already expired: https://aka.ms/HC-OAuthExpired 

Copper Contributor

I'm seeing my Microsoft Exchange Server Auth Certificate (and other cert) as SHA1. Reading above makes me think I need to create a new Auth cert as SHA256 before applying CU22??

Microsoft

@jordanl17 No, it's not a requirement to re-create the Auth certificate if it's valid and using the SHA1 hash algorithm before applying CU22.

Copper Contributor

Hello,

we run two Edge Servers in a hybrid environment with two Exchange servers and since the upgrade to CU22 I see these Eventlog Errors. Does anyone else have such errors? Nothing changed in certificates since upgrade to CU21. E-mail flow seems not to be affected. The requested certificate is the hostname for the Edge Server.


 

Copper Contributor

Has anyone with Exchange servers residing behind a NLB applied this CU yet? Curious to know if this month's CU breaks OWA and ECP like July's did.

 

All of our certificates were valid and the session persistence workaround did not work for us in July.

Brass Contributor

Hi @Lukas Sassl 

 

Do I need to run PrepareSchema if I am on Exchange 2019 CU10....?

 

Brass Contributor

@Sreejith There is no need to 'PrepareSchema' going from Exchange 2019 CU10 to CU11.

The document states "These updates do not contain schema changes". I did exactly this update yesterday.

Microsoft

@Sreejith as listed here: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/active-directory/ad-schema-changes?view=ex... , no Schema Update is required if your current version is CU10. 

The Exchange Update Wizard shows all required steps: https://aka.ms/exchangeupdatewizard

Microsoft

@PatchesOhoulihan14 If the organization is coming from pre July 2021 SU then I would expect the behavior of going to September 2021 CUs to be the same as going to July SUs. Once the organization is on July+ SUs, they should not be seeing problems related to LB.

Copper Contributor

@Nino Bilic Thank you, Nino. The organization is going from Exchange 2019 CU10 to CU11, so based on your reply, the issues relating to the LB should not be experienced during this upgrade?

Last update: Nov 10 2021 08:06 PM