Exchange Unattended Install Script [Update]


Back in 2013, I published an unattended installation script for Exchange Server 2013, together with a walkthrough on this blog. At the time, the goal was simple: make Exchange deployments more predictable, repeatable, and less error‑prone by removing as much manual interaction as possible.

Exchange has evolved, deployment practices have matured, and automation expectations are much higher. Over the past years, I have continued to maintain and refine the script to keep pace with those changes. Recently, I completed a major cleanup and refresh. Those watching my GitHub have likely seen the incremental changes.

This post serves as a refresher and high‑level overview on the current state.

Goal

This script automates the unattended installation of Microsoft Exchange Server 2016, 2019, and Exchange Server SE on Windows Server 2016 through 2025. For this, it follows a state machine process. This is necessary because some steps require a reboot before continuing.

The script handles the full installation lifecycle: Windows features, prerequisites (.NET, VC++ runtimes, IIS components), Active Directory preparation, Exchange setup, and post-configuration and hardening. With the -AutoPilot switch, the script manages automatic reboots and logon cycles, tracking where it is in the process in a JSON state file.
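To make the state-machine idea concrete, here is an added illustration of a reboot-safe installer loop of the kind described above. It is not code from Install-Exchange15.ps1; the state file name, the phase names, the Windows feature list and the Setup.exe arguments are this example's own assumptions. Each phase does its work, returns the next phase and whether a reboot is required, and the state is persisted before the reboot so that the next logon resumes at the right step.

```powershell
# Added example, not code from Install-Exchange15.ps1: a minimal reboot-safe state machine
# that persists its phase in a JSON file and resumes after the machine restarts.
# $StateFile, the phase names and the Setup.exe arguments are assumptions for illustration.

$InstallPath = 'C:\Install'
$StateFile   = Join-Path $InstallPath 'InstallState.json'
$SetupExe    = 'D:\Setup.exe'            # hypothetical: drive letter of the mounted Exchange ISO

function Get-InstallState {
    if (Test-Path $StateFile) { return Get-Content -Path $StateFile -Raw | ConvertFrom-Json }
    # First run: nothing persisted yet, start at the first phase
    [pscustomobject]@{ Phase = 'Prerequisites'; Started = (Get-Date).ToString('o') }
}

function Save-InstallState([object]$State) {
    # Write to a temp file and then replace it, so an interrupted write leaves the previous state intact
    $tmp = "$StateFile.tmp"
    $State | ConvertTo-Json -Depth 5 | Set-Content -Path $tmp -Encoding UTF8
    Move-Item -Path $tmp -Destination $StateFile -Force
}

function Register-Resume {
    # RunOnce re-launches this script after the next logon; Windows removes the value once it has fired.
    # $PSCommandPath is only set when running from a script file, not from an interactive prompt.
    $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    Set-ItemProperty -Path $runOnce -Name 'ResumeExchangeInstall' -Value $cmd
}

# Each phase does its work and returns the next phase plus whether a reboot is needed before it
$Phases = @{
    'Prerequisites' = {
        $r = Install-WindowsFeature -Name NET-Framework-45-Features, Web-Server, RSAT-ADDS
        if (-not $r.Success) { throw 'Windows feature installation failed' }
        [pscustomobject]@{ Next = 'Setup'; Reboot = ($r.RestartNeeded -eq 'Yes') }
    }
    'Setup' = {
        $setupArgs = '/Mode:Install', '/Roles:Mailbox', '/IAcceptExchangeServerLicenseTerms_DiagnosticDataON'
        $p = Start-Process -FilePath $SetupExe -ArgumentList $setupArgs -Wait -PassThru
        if ($p.ExitCode -ne 0) { throw "Setup.exe exited with code $($p.ExitCode)" }
        [pscustomobject]@{ Next = 'PostConfig'; Reboot = $true }   # Exchange setup requires a reboot
    }
    'PostConfig' = {
        # Post-installation hardening (e.g. the SCHANNEL settings the script offers) would go here
        [pscustomobject]@{ Next = 'Done'; Reboot = $false }
    }
}

New-Item -Path $InstallPath -ItemType Directory -Force | Out-Null
$state = Get-InstallState
while ($state.Phase -ne 'Done') {
    Write-Host "Running phase: $($state.Phase)"
    $result = & $Phases[$state.Phase]     # a throw here leaves the state unchanged, so a rerun retries the phase
    $state.Phase = $result.Next
    Save-InstallState $state              # persist BEFORE rebooting so the next logon resumes at the right phase
    if ($result.Reboot) {
        Register-Resume
        Restart-Computer -Force
        return                            # the process ends here; RunOnce brings us back after logon
    }
}
Remove-Item -Path $StateFile -Force       # finished: remove the state file
```

The part the post's -AutoPilot mode adds on top of this is the automatic logon between reboots. Windows auto-logon stores the account's password in the Winlogon registry values in clear text, so a script that configures it must remove those values (and the RunOnce entry) when the final phase completes, and the account used should be one whose exposure on that host is acceptable.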

Supported Builds and Operating Systems

Exchange Version | Minimum OS | Maximum OS
Exchange 2016 CU23 | Windows Server 2016 | Windows Server 2019
Exchange 2019 CU10–CU14 | Windows Server 2019 | Windows Server 2022
Exchange 2019 CU15 | Windows Server 2019 | Windows Server 2025
Exchange Server SE RTM | Windows Server 2019 | Windows Server 2025

For Exchange 2019 and up, deployment on Desktop or Core is supported. Support for Exchange 2013, older CUs for Exchange 2016 and Exchange 2019, and older operating systems (WS2008, WS2008 R2, WS2012, or WS2012 R2) has been removed since version 4.0 of the script.

Requirements

  • PowerShell 5.1 or later
  • Domain-joined system (Edge Server role is the exception)
  • An account with local administrator rights
  • When using -AutoPilot: the account must be able to configure and perform auto-logon
  • When creating a new Exchange organization (-Organization) or need to upgrade schema or domain configuration: Schema Admin and Enterprise Admin rights
  • Static IP address (running as an Azure VM is the exception)

Usage

The syntax for calling the script depends on which of the common scenarios you want to deploy. The default is to perform a regular installation:

Install-Exchange15.ps1 [-Organization] [-MDBName ] [-MDBDBPath ] [-MDBLogPath ] [-InstallPath ] [-SourcePath ] [-TargetPath ] [-AutoPilot] [-Credentials ] [-IncludeFixes] [-NoNet481] [-DoNotEnableEP] [-DoNotEnableEP_FEEWS] [-DisableSSL3] [-DisableRC4] [-EnableECC] [-NoCBC] [-EnableAMSI] [-DisableTLS10] [-DisableTLS11] [-DisableInsecureRenegotiation] [-DisableWeakCiphers] [-DisableWeakHashAlgorithms] [-DisableNonForwardSecretKeyExchange] [-DisableCredentialGuard] [-EnableTLS12] [-EnableTLS13] [-SCP ] [-DiagnosticData] [-Lock] [-SkipRolesCheck]

You can use it to install an Edge Transport server:

Install-Exchange15.ps1 -InstallEdge -EdgeDNSSuffix [-InstallPath ] [-SourcePath ] [-AutoPilot] [-Credentials ] [-IncludeFixes] [-NoNet481] [-DoNotEnableEP] [-DoNotEnableEP_FEEWS] [-DisableSSL3] [-DisableRC4] [-EnableECC] [-NoCBC] [-EnableAMSI] [-DisableTLS10] [-DisableTLS11] [-DisableInsecureRenegotiation] [-DisableWeakCiphers] [-DisableWeakHashAlgorithms] [-DisableNonForwardSecretKeyExchange] [-DisableCredentialGuard] [-EnableTLS12] [-EnableTLS13] [-DiagnosticData] [-Lock] [-SkipRolesCheck]

Or you can use it for recovery:

Install-Exchange15.ps1 -Recover [-InstallPath ] [-SourcePath ] [-AutoPilot] [-Credentials ] [-IncludeFixes] [-NoNet481] [-DoNotEnableEP] [-DoNotEnableEP_FEEWS] [-DisableSSL3] [-DisableRC4] [-EnableECC] [-NoCBC] [-EnableAMSI] [-DisableTLS10] [-DisableTLS11] [-DisableInsecureRenegotiation] [-DisableWeakCiphers] [-DisableWeakHashAlgorithms] [-DisableNonForwardSecretKeyExchange] [-DisableCredentialGuard] [-EnableTLS12] [-EnableTLS13] [-DiagnosticData] [-Lock] [-SkipRolesCheck]

The script Install-Exchange15.ps1 has a ton of options. An explanation of these is given in the table below. Depending on the operating mode (regular setup, preparation only, Edge Transport installation, or recovery), some parameters may not be available.

Parameter | Description
-SourcePath | Path to Exchange setup EXE folder or ISO file
-Organization | Exchange organization name to create. Omit to skip AD preparation.
-InstallEdge | Install the Edge Transport server role instead of Mailbox
-AutoPilot | Fully automated mode — handles reboots and resumes automatically
-Credentials | Credentials AutoPilot uses for automatic logon after each reboot
-InstallPath | Working folder for state file, logs, and downloaded prerequisites (default: C:\Install)
-MDBName | Name of the initial mailbox database
-MDBDBPath | Path for the mailbox database file
-MDBLogPath | Path for the mailbox database transaction logs
-TargetPath | Exchange binaries installation path (default: C:\Program Files\Microsoft\Exchange Server\V15)
-SCP | Autodiscover Service Connection Point URL to set after installation. Use - to clear.
-IncludeFixes | Install additional recommended hotfixes and security updates
-DisableSSL3 | Disable SSL 3.0
-DisableRC4 | Disable the RC4 cipher suite
-EnableECC | Configure Elliptic Curve Cryptography
-EnableTLS12 | Configure TLS 1.2
-EnableTLS13 | Configure TLS 1.3 (WS2022/WS2025 with Exchange 2019 CU15+)
-EnableAMSI | Enable AMSI body scanning for ECP, EWS, OWA, and PowerShell virtual directories
-DisableTLS10 | Disable TLS 1.0
-DisableTLS11 | Disable TLS 1.1
-DisableInsecureRenegotiation | Disallow insecure TLS renegotiation (AllowInsecureRenegoClients and AllowInsecureRenegoServers set to 0)
-DisableWeakCiphers | Disable weak SCHANNEL ciphers: NULL, DES 56/56, RC4 40/128, RC4 56/128, RC4 64/128, RC4 128/128, Triple DES 168
-DisableWeakHashAlgorithms | Disable weak SCHANNEL hash algorithms: MD5 and SHA-1
-DisableNonForwardSecretKeyExchange | Disable non-forward-secret key exchange (PKCS/static RSA)
-DisableCredentialGuard | Disable Credential Guard (LsaCfgFlags and EnableVirtualizationBasedSecurity set to 0)
-NoSetup | Install prerequisites only; skip Exchange setup
-Recover | Run in RecoverServer mode
-NoNet481 | Use .NET 4.8 instead of 4.8.1
-DoNotEnableEP | Skip enabling Extended Protection (Exchange 2019 CU14+)
-Lock | Lock the workstation screen during installation
-DiagnosticData | Set the initial diagnostic data collection mode
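The SCHANNEL-related switches in the table above all translate into registry values, so the natural way to verify that a hardened server actually ended up in the intended state is to read those values back. The following is an added example, not code from Install-Exchange15.ps1: it checks the documented SCHANNEL and .NET Framework locations against a hardened baseline of this example's own choosing (legacy protocols off, the cipher and hash list from the table disabled, static RSA key exchange off, insecure renegotiation off, .NET following the OS protocol selection) and lists only the deviations.

```powershell
# Added example, not code from Install-Exchange15.ps1: reads back the SCHANNEL and .NET Framework
# registry values that the -Disable*/-Enable* parameters act on and lists the ones that deviate
# from a hardened baseline. The key paths are the standard SCHANNEL locations; the expected
# values are this example's own baseline, not the script's.

$SchannelKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-HklmValue([string]$SubKey, [string]$Name) {
    # Use the .NET registry API: the HKLM: provider treats the '/' in 'RC4 128/128' as a path separator
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $k) { return $null }
    try { $k.GetValue($Name, $null) } finally { $k.Close() }
}

function New-Check([string]$Setting, [string]$SubKey, [string]$Name, $Expected, [bool]$MissingIsOk = $false) {
    # A missing value means the OS default applies; report that as compliant only where the default is acceptable
    $v = Get-HklmValue $SubKey $Name
    $compliant = if ($null -eq $v) { $MissingIsOk } else { $v -eq $Expected }
    $actual    = if ($null -eq $v) { 'NotSet' } else { $v }
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $actual; Compliant = $compliant }
}

function Test-SchannelHardening {
    # Legacy protocols: off means Enabled=0 and DisabledByDefault=1, for both the Server and Client side
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Server', 'Client') {
            $sub = "$SchannelKey\Protocols\$proto\$side"
            New-Check "$proto $side Enabled"           $sub 'Enabled'           0
            New-Check "$proto $side DisabledByDefault" $sub 'DisabledByDefault' 1
        }
    }
    # TLS 1.2 must not have been switched off explicitly (absent values leave it enabled)
    foreach ($side in 'Server', 'Client') {
        $sub = "$SchannelKey\Protocols\TLS 1.2\$side"
        New-Check "TLS 1.2 $side Enabled"           $sub 'Enabled'           1 $true
        New-Check "TLS 1.2 $side DisabledByDefault" $sub 'DisabledByDefault' 0 $true
    }
    # The cipher and hash list that -DisableWeakCiphers and -DisableWeakHashAlgorithms cover
    foreach ($c in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168') {
        New-Check "Cipher $c" "$SchannelKey\Ciphers\$c" 'Enabled' 0
    }
    foreach ($h in 'MD5', 'SHA') {   # SCHANNEL names the SHA-1 hash key 'SHA'
        New-Check "Hash $h" "$SchannelKey\Hashes\$h" 'Enabled' 0
    }
    # Static RSA key exchange (no forward secrecy) and insecure renegotiation
    New-Check 'KeyExchange PKCS' "$SchannelKey\KeyExchangeAlgorithms\PKCS" 'Enabled' 0
    foreach ($n in 'AllowInsecureRenegoClients', 'AllowInsecureRenegoServers') {
        New-Check $n $SchannelKey $n 0
    }
    # .NET must follow the OS protocol selection, otherwise managed code keeps negotiating old TLS
    foreach ($net in 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319', 'SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        foreach ($n in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            New-Check "$n ($net)" $net $n 1
        }
    }
}

# Show only the deviations; an empty result means every checked value matches the baseline
Test-SchannelHardening | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A setting reported as NotSet is governed by the OS default for that Windows Server version, which differs between releases; treat it as "verify", not as "off". Run the check before and after applying the hardening switches, keep the two outputs with the deployment record, and note that protocol changes need a reboot before they are in effect.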

Because of the number of parameters, you might want to use splatting when calling the script, for example:

$Cred = Get-Credential
$Params = @{
    Organization                   = 'Fabrikam'
    SourcePath                     = '\\server\iso\ExchangeServer2019-x64-CU15.iso'
    InstallPath                    = 'C:\Install'
    Credentials                    = $Cred
    MDBName                        = 'MDB1'
    MDBDBPath                      = 'C:\MailboxData\MDB1\DB'
    MDBLogPath                     = 'C:\MailboxData\MDB1\Log'
    SCP                            = 'https://autodiscover.fabrikam.com/autodiscover/autodiscover.xml'
    AutoPilot                      = $true
    DisableSSL3                    = $true
    DisableRC4                     = $true
    DisableTLS10                   = $true
    DisableTLS11                   = $true
    DisableInsecureRenegotiation   = $true
    DisableWeakCiphers             = $true
    DisableWeakHashAlgorithms      = $true
    DisableNonForwardSecretKeyExchange = $true
    EnableTLS12                    = $true
    EnableECC                      = $true
    EnableAMSI                     = $true
    Verbose                        = $true
}
.\Install-Exchange15.ps1 @Params

More information

More information and recent documentation updates will be published on GitHub, including instructions in the README and changes in CHANGELOG.MD.

Download

The script is available from GitHub.

References

This post replaces the previous articles on the installation script, which are still there for historical purposes (and to show what has been updated or replaced over time):

Exchange Deployment & Compliance Assessment


[6May2026] Updated to reflect conversion to PowerShell module.

Exchange on‑premises environments remain a critical part of many organizations’ messaging infrastructure. That also makes them frequent audit targets and attractive attack surfaces. Over time, configuration drift, mixed Exchange versions, and evolving security guidance make it increasingly difficult to keep servers compliant, especially in less strictly managed environments, and to answer the question of whether they actually are.

The Exchange Deployment & Compliance Assessment (EDCA) was created to answer that question with evidence. It is a PowerShell-based assessment tool, implemented as a PowerShell module, that collects information from Exchange servers and the Exchange organization. This information is then analyzed and evaluated against best practices and several well-known compliance control frameworks. The result is an (interactive) HTML report that can be used to check and monitor compliance, as well as to review remediation steps for each control. Edge Transport servers can also be included in the analysis; you only need to collect their data separately, as they are usually standalone servers. Their data file can then be added to the other data files to produce a single overview.

I have published a sample interactive report here.

Key features

  • Support for Exchange 2016, Exchange 2019, and Exchange Subscription Edition (SE)
  • Evaluate Exchange Server on-premises with Mailbox Server and Edge Transport roles against 7 compliance frameworks, including common Best Practices.
  • Uses Remote PowerShell to connect to Exchange servers, and can use WinRM to collect system info from domain controllers; no Exchange Management Shell or Active Directory module dependency.
  • Produces an interactive HTML report with framework scoring, with options for filtering and searching.
  • Reported controls provide context, impact, and remediation instructions.
  • The Report offers dark mode support, a print/PDF function, and the ability to hide skipped controls.
  • If more reports are found, a trend chart is added to the scoring widgets.
  • Option to generate a sample remediation script for failed controls (experimental).

EDCA is read‑only by design, not altering configuration items, changing system state, or automatically applying remediations. Even if controls can be automated (some cannot), the underlying process usually needs to follow a change process that also reviews the impact. The remediation steps or generated remediation script should be treated as a template with reviewable PowerShell sample code.

Usage

The EDCA module is published on the PowerShell Gallery, so to install and import the EDCA module, you need to run:

Install-Module -Name EDCA
Import-Module EDCA

EDCA works in three steps: collection, analysis, and reporting. All three run when you call Invoke-EDCA without any additional parameters:

Invoke-EDCA

When you run this on a server in an Exchange organization, provided you have sufficient permissions, it will discover all Exchange servers and collect information about the Mailbox servers and the Exchange organization. The collected information is stored in the Data folder, where the analysis results will also be stored. The generated report will be stored in a folder named Output.

When you run this on an Edge Transport server, it will collect information from the local server, similar to running EDCA with the -Local switch, so you can pick up the data file for further processing. More on usage scenarios and operating modes in the README here.

The parameters of interest are:

  • Local runs against the local Exchange server.
  • Collect runs against the local Exchange environment or Edge Transport server.
  • Servers runs against one or more specified Exchange servers.
  • ThrottleLimit limits the number of Exchange servers interrogated in parallel.
  • Report produces a report using the collected data or, when Collect is not specified, using the data in the Data subfolder.
  • Framework limits the frameworks used to check for compliance.
  • RemediationScript generates a template script to remediate failed controls.
  • DataPath overrides the default Data folder.
  • OutputPath overrides the default Output folder.

For example, to call Invoke-EDCA and only use the CIS framework, you would use:

Invoke-EDCA -Framework CIS

The default Data and Output folders are created in the current working folder.

Note that, to produce a report, the collected information is first analyzed; the result is stored in an analysis_xxx.json file in the Data folder. This file can also be used for further processing, as it contains metadata and structures for the compliance scores and findings.

Frameworks

Framework | Official Reference(s) | Official URL
Best Practice | Common best practices for Exchange Server deployments, including CSS Exchange recommendations |
ANSSI 🇫🇷 | Mise en œuvre sécurisée d’un serveur Windows; Recommandations de sécurité relatives à TLS; Sécuriser la journalisation dans un environnement Microsoft AD; Transition post-quantique de TLS 1.3 | messervices.cyber.gouv.fr
BSI 🇩🇪 | IT-Grundschutz-Kompendium Edition 2023, modules SYS.1.1, SYS.1.2.3, APP.2.2, APP.5.2 | bsi.bund.de
CIS 🇺🇸 | CIS Microsoft Exchange Server 2019 Benchmark; CIS Microsoft Windows Server 2019/2022 Benchmark; CIS Controls v8 | cisecurity.org
CISA 🇺🇸 | Microsoft Exchange Server Security Best Practices Guide; Advisory AA21-062A: Mitigate Exchange Server Vulnerabilities; Binding Operational Directive 18-01; Known Exploited Vulnerabilities Catalog | cisa.gov
DISA 🇺🇸 | Microsoft Exchange 2019 Mailbox Server STIG; Microsoft Exchange 2016 Mailbox Server STIG | public.cyber.mil/stigs
NIS2 🇪🇺🇳🇱 | NIS2 Directive (EU) 2022/2555; NCSC-NL TLS Guidelines 2025-05 | eur-lex.europa.eu; ncsc.nl
ISM 🇦🇺 | Information Security Manual, published by the Australian Signals Directorate (ASD) | cyber.gov.au

Feedback

EDCA is currently released as a preview. I strongly recommend using it in test or lab environments first, especially while controls, scoring, and reporting continue to be tweaked and evolve. Feedback is very welcome.

The project is published on GitHub at https://github.com/michelderooij/EDCA, where you can also submit any issues or other suggestions. If you are not keen on using GitHub for this, use the comments section below.

The README.MD includes more details on permission and connectivity requirements, usage examples, and the latest updates.

Security Updates Exchange 2016-2019 & SE (Feb2026)


The Exchange product group released the February 2026 Security Updates for Exchange Server SE, Exchange 2019, and Exchange 2016. There were no updates released in January, so if you missed those, you didn’t. The SE SU is available to the public. Security updates for Exchange 2019 and Exchange 2016 will be available to organizations enrolled in the Extended Security Update program.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability | Category | Severity | Rating
CVE-2026-21527 | Spoofing | Important | CVSS:3.1 6.5 / 5.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange | SU/HU | Download | Build | KB | Supersedes
Exchange SE | 5 | Download | 15.2.2562.37 | KB5074992 | KB5071876
Exchange 2019 CU15 | 7 | ESU Program | 15.2.1748.43 | KB5074993 | KB5071875
Exchange 2019 CU14 | 10 | ESU Program | 15.2.1544.39 | KB5074994 | KB5071874
Exchange 2016 CU23 | 21 | ESU Program | 15.1.2507.66 | KB5074995 | KB5071873
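Because Security Updates are specific to a Cumulative Update, checking whether a server has the February 2026 SU means first matching the installed CU and only then comparing the build number. The following is an added example, not from the post or from Microsoft: it takes the build numbers from the table above (copied as given), reads the installed build from the file version of ExSetup.exe, and reports whether the matching SU is present. The function names are this example's own; the sample value used for the offline run is the December 2025 build for Exchange 2019 CU15 from the next post below.

```powershell
# Added example, not from the post: compare the installed Exchange build with the
# February 2026 SU builds listed above. Builds and KB numbers are copied from the table;
# the function and variable names are this example's own.

$FebruarySuBuilds = @(
    [pscustomobject]@{ Product = 'Exchange SE';        Cu = '15.2.2562'; SuBuild = '15.2.2562.37'; KB = 'KB5074992' }
    [pscustomobject]@{ Product = 'Exchange 2019 CU15'; Cu = '15.2.1748'; SuBuild = '15.2.1748.43'; KB = 'KB5074993' }
    [pscustomobject]@{ Product = 'Exchange 2019 CU14'; Cu = '15.2.1544'; SuBuild = '15.2.1544.39'; KB = 'KB5074994' }
    [pscustomobject]@{ Product = 'Exchange 2016 CU23'; Cu = '15.1.2507'; SuBuild = '15.1.2507.66'; KB = 'KB5074995' }
)

function Get-LocalExchangeBuild {
    # The file version of ExSetup.exe reflects the installed SU level; Get-ExchangeServer's
    # AdminDisplayVersion only reflects the CU. ExchangeInstallPath is set on Exchange servers.
    $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    [version](Get-Item -Path $exsetup).VersionInfo.FileVersion
}

function Test-ExchangeSuLevel([version]$Installed, [object[]]$SuTable = $FebruarySuBuilds) {
    # Match on the CU (major.minor.build) first: an SU for a different CU does not apply
    $cuPrefix = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    $row = $SuTable | Where-Object { $_.Cu -eq $cuPrefix } | Select-Object -First 1
    if ($null -eq $row) {
        return [pscustomobject]@{ Installed = $Installed; Product = 'Unknown CU'; Required = $null
                                  KB = $null; Status = 'CU not covered by this SU release' }
    }
    $required = [version]$row.SuBuild
    $status = if ($Installed -ge $required) { 'Up to date' } else { "Missing $($row.KB)" }
    [pscustomobject]@{ Installed = $Installed; Product = $row.Product; Required = $required
                       KB = $row.KB; Status = $status }
}

# On an Exchange server:
#   Test-ExchangeSuLevel (Get-LocalExchangeBuild)
# Offline check with a constructed input: a CU15 server still on the December 2025 SU build
Test-ExchangeSuLevel ([version]'15.2.1748.42')
```

Run across a fleet (for example through Invoke-Command against each server name), the output doubles as the evidence that the SU was applied everywhere, and the "CU not covered" outcome flags servers that first need a Cumulative Update before any SU can be applied.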

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers, or installed the tools after removing the Last Exchange Server for recipient management, it is recommended that you apply the Security Update to that system as well.

On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

Security Updates Exchange 2016-2019 & SE (Dec2025)


The Exchange product group released the December 2025 Security Update for Exchange Server SE. Organizations that enrolled in the Extended Security Update program will also have access to December 2025 security updates for Exchange Server 2019 and Exchange Server 2016. These ESU updates will not be made available publicly.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability | Category | Severity | Rating
CVE-2025-64666 | Elevation of Privilege | Important | CVSS:3.1 7.5 / 6.5
CVE-2025-64667 | Spoofing | Important | CVSS:3.1 5.3 / 4.6

The Security Updates for each supported Exchange Server build are linked below:

Exchange | SU/HU | Download | Build | KB | Supersedes
Exchange SE | 4 | Download | 15.2.2562.29 | KB5071876 | KB5066366
Exchange 2019 CU15 | 6 | ESU Program | 15.2.1748.42 | KB5071875 | KB5066367
Exchange 2019 CU14 | 9 | ESU Program | 15.2.1544.37 | KB5071874 | KB5066368
Exchange 2016 CU23 | 20 | ESU Program | 15.1.2507.63 | KB5071873 | KB5066369

Fixed Issues

The issue addressed in these hotfixes is:

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers, or installed the tools after removing the Last Exchange Server for recipient management, it is recommended that you apply the Security Update to that system as well.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

Security Updates Exchange 2016-2019 & SE (Oct2025)


The Exchange product group released the October 2025 Security Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability | Category | Severity | Rating
CVE-2025-59249 | Elevation of Privilege | Important | CVSS:3.1 8.8 / 7.7
CVE-2025-53782 | Elevation of Privilege | Important | CVSS:3.1 8.4 / 7.3
CVE-2025-59248 | Spoofing | Important | CVSS:3.1 7.5 / 6.5

The Security Updates for each supported Exchange Server build are linked below:

Exchange | SU/HU | Download | Build | KB | Supersedes
Exchange SE | 3 | Download | 15.2.2562.29 | KB5066366 | KB5063224
Exchange 2019 CU15 | 5 | Download | 15.2.1748.39 | KB5066367 | KB5063221
Exchange 2019 CU14 | 8 | Download | 15.2.1544.36 | KB5066368 | KB5063222
Exchange 2016 CU23 | 19 | Download | 15.1.2507.61 | KB5066369 | KB5063223

Last SU for Exchange 2019 and Exchange 2016

These Security Updates are the last SUs for Exchange Server 2016 and 2019 that will be publicly available. Any Extended Security Updates (ESU) that might be released between now and April 2026 for these products need to be acquired by contacting your Microsoft Account Team.

Auth Certificate Export

Be advised that after deploying the October SU, as a security measure, Export-ExchangeCertificate can no longer be used to export the Auth Certificate. For more information, see KB5069337.

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers, or installed the tools after removing the Last Exchange Server for recipient management, it is recommended that you apply the Security Update to that system as well.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.