The Exchange product group released the July 2026 updates for Exchange Server SE, as well as Exchange 2019 and 2016. The Security Update for Exchange SE is available to the public. Security updates for Exchange 2019 and Exchange 2016 are available to organizations enrolled in the Extended Security Update Period 2 program.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
As a reminder, you may remove implemented mitigations for CVE-2026-42897. These mitigations could be deployed using Exchange Emergency Mitigation Service (EMS), or manually using the EOMT.ps1 script. If you used EMS, block the mitigation (M2.1.0) from re-applying, then remove its IIS rules. If you used the EOMT.ps1 script, use it to roll back the mitigation.
Notes
Security updates are specific to the Cumulative Update level. You cannot apply the Exchange 2019 CU15 security update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft includes the KB article number as a reference, but I would still tag the filename with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the urgency level.
It is that time of year again. The new edition of Microsoft 365 for IT Pros is out, and this one brings the biggest structural change we have made in years. What used to be one large book with a single companion volume has now grown into a bundle of four focused books. Splitting the content allows us to go deeper while keeping the main book maintainable. Together, they deliver more than 1,700 pages of practical guidance for people who run Microsoft 365 every day.
A bit of history
The series goes back to May 2015, when it started life as Office 365 for Exchange Professionals. Over time, the platform expanded, the audience broadened, and the book evolved with it. This year also marks the move from Office 365 for IT Pros to Microsoft 365 for IT Pros. The name changed, but the focus did not. We still cover the services and workloads administrators, architects, and technologists rely on.
I joined the writing team in 2024. What stood out to me from day one is that this is not a traditional technical book. Most books age the moment they are published. This one does not. We update it every month and keep tracking the constant stream of changes across Microsoft 365. That evergreen model, combined with real-world experience, is what makes this book stand out. It is written for people who manage Microsoft 365 daily and need the most up-to-date content.
What you get
The bundle now consists of four books, each focusing on a specific area:
Microsoft 365 for IT Pros is the core book. It covers the Microsoft 365 ecosystem from an administrative perspective, including identity, Exchange Online, SharePoint Online, Teams, OneDrive, and overall tenant management. This edition adds a dedicated AI and Agents chapter covering architecture, licensing, deployment, governance, monitoring, and cost control for Copilot and related technologies.
Automating Microsoft 365 with PowerShell is the PowerShell / automation book. It focuses on automating Microsoft 365 with PowerShell and Microsoft Graph, providing practical examples you can apply in real-world environments.
Microsoft Purview for IT Pros is a new standalone book. It covers compliance and data governance, including data lifecycle management, eDiscovery, data loss prevention, information protection, and communication compliance.
Power Platform for IT Pros is the 2nd new standalone book. It focuses on the administration and governance of the Power Platform, including environments, Dataverse, solutions, application lifecycle management, and platform security through policies and controls. It also covers scenarios for Power Apps, Power Automate, AI Builder, and Copilot Studio.
Splitting the content into separate books allows for more depth and focus, while making the core book easier to consume and maintain. And for those who need it, each companion book is available separately, offering the same monthly updates for that book throughout the subscription.
Who this is for
Tenant administrators, consultants, architects, engineers, and technical leads will get the most value from this edition. If your job involves Exchange Online, Entra ID, SharePoint Online, Teams, OneDrive, Purview, Power Platform, Copilot, PowerShell, or Microsoft Graph, this set has been designed for you.
Availability
We use Gumroad.com to publish and distribute the books. All books are available in EPUB and PDF formats and can be converted for use on Kindle devices.
The Exchange product group released the June 2026 Security Updates for Exchange Server SE, Exchange 2019, and Exchange 2016. There were no updates released in January, so if you missed those, you didn’t. The SE SU is available to the public. Security updates for Exchange 2019 and Exchange 2016 will be available to organizations enrolled in the Extended Security Update program.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
Be advised that these Security Updates do not remove any previously applied mitigations for CVE-2026-42897, whether through the EMS service (M2.1.0) or via manual configuration using the EOMT.ps1 script. More information about both options is described here. The recommendation is to keep mitigation in place. If you still wish to remove them, be advised that you need to take steps to prevent the mitigation from getting reapplied. These steps are also contained in the aforementioned article.
Because of a server-side change, Exchange Servernot patched with this June 2026 SU will stop processing emergency mitigations published after June 2026. As a result, their Emergency Mitigation Service (EMS) and Flighting Service cannot process any updates, and the Application event log will contain the following entries:
Event type: Error Event ID: 1008 Event source: MSExchange Mitigation Service Exception encountered while fetching mitigations: This XML is not deemed safe to consume since Response xml’s leaf certificate is from unknown issuer or has EKU mismatch
Any previously applied mitigations will continue to function.
Notes
Security updates are specific to the Cumulative Update level. You cannot apply the Exchange 2019 CU15 security update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft includes the KB article number as a reference, but I would still tag the filename with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the urgency level.
The Exchange product group released the May 2026 Hotfix update for Exchange Server SE. Hotfix updates do not contain security fixes, but address issues. They also might introduce or add support for functionality changes, such as dedicated Exchange hybrid application support.
The dedicated Exchange hybrid application supports Exchange Web Services workflows, enabling rich coexistence functionality. This hotfix adds Graph-based workflow support for rich co-existence features between Exchange SE and Exchange Online. After installing the May 2026 update on all your Exchange SE servers, make sure you configure and enable the dedicated Exchange Hybrid application in Entra.
The support page lists WW as the tenant environment that currently supports Graph-based workflows, e.g. not GCC nor DoD. In addition, rich coexistence still partially uses EWS as shown in the following table taken from the dedicated hybrid application page.
Functionality
EWS supported
Graph supported
Free/Busy
Yes
Yes
MailTips
Yes
Partial (Automatic Replies only)
Profile Pictures
Yes
Yes
Move to Archive (Archive Mailbox in cloud)
Yes
No
Important: If you previously configured the dedicated Exchange Hybrid application, you need to rerun the ConfigureExchangeHybridApplication.ps1 script. This will enable the new Graph-based workflow. Detailed steps for accomplishing this are described here.
What about Exchange 2019 and Exchange 2016?
Exchange 2016 and 2019 are out of support and will not receive this update when you are part of the ESU program. Therefore, with the upcoming deprecation of Exchange Web Services in Exchange Online, you must keep allowing EWS in your tenant as of October 2026 – when EWS gets disabled – and make sure you plan to have migrated to Exchange SE by April 2027 for continued rich coexistence functionality, when EWS gets permanently disabled in Exchange Online.
Back in 2013, I published an unattended installation script for Exchange Server 2013, together with a walkthrough on this blog. At the time, the goal was simple: make Exchange deployments more predictable, repeatable, and less error‑prone by removing as much manual interaction as possible.
Exchange has evolved, deployment practices have matured, and automation expectations are much higher. Over the past years, I have continued to maintain and refine the script to keep pace with those changes. Recently, I completed a major cleanup and refresh. Those watching my GitHub have likely seen the incremental changes.
This post serves as a refresher and high‑level overview on the current state.
Goal
This script automates the unattended installation of Microsoft Exchange Server 2016, 2019, and Exchange Server SE on Windows Server 2016 through 2025. For this, it follows a state machine process. This is necessary because some steps require a reboot before continuing.
The script handles the full installation lifecycle: Windows features, prerequisites (.NET, VC++ runtimes, IIS components), Active Directory preparation, Exchange setup, and post-configuration and hardening. With the -AutoPilot switch, the script manages automatic reboots and logon cycles, tracking progress in a JSON state file to track where it is in the process.
Supported Builds and Operating Systems
Exchange Version
Minimum OS
Maximum OS
Exchange 2016 CU23
Windows Server 2016
Windows Server 2019
Exchange 2019 CU10–CU14
Windows Server 2019
Windows Server 2022
Exchange 2019 CU15
Windows Server 2019
Windows Server 2025
Exchange Server SE RTM
Windows Server 2019
Windows Server 2025
For Exchange 2019 and up, deployment on Desktop or Core is supported. Support for Exchange 2013, older CUs for Exchange 2016 and Exchange 2019, and older operating systems (WS2008, WS2008 R2, WS2012, or WS2012 R2) has been removed since version 4.0 of the script.
Requirements
PowerShell 5.1 or later
Domain-joined system (Edge Server role is the exception)
An account with local administrator rights
When using -AutoPilot: the account must be able to configure and perform auto-logon
When creating a new Exchange organization (-Organization) or need to upgrade schema or domain configuration: Schema Admin and Enterprise Admin rights
Static IP address (running as an Azure VM is the exception)
Usage
The syntax for calling the script depends on which of the common scenarios you want to deploy. By default, it is to perform an installation:
The script Install-Exchange15.ps1 has a ton of options. An explanation of these is given in the table below. Depending on the operating mode (regular setup, preparation only, Edge Transport installation, or recovery), parameters may or may not become available.
Parameter
Description
-SourcePath
Path to Exchange setup EXE folder or ISO file
-Organization
Exchange organization name to create. Omit to skip AD preparation.
-InstallEdge
Install the Edge Transport server role instead of Mailbox
-AutoPilot
Fully automated mode — handles reboots and resumes automatically
-Credentials
Credentials AutoPilot uses for automatic logon after each reboot
-InstallPath
Working folder for state file, logs, and downloaded prerequisites (default: C:\Install)
This post replaces the previous articles on the installation script, which are still there for historical purposes (and to show what has been updated or replaced over time):