Today, the Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019, Exchange 2016 and Exchange 2013.

The KB articles that describe the fixes in each release, and product downloads are available as follows:

Version	Build	KB	Download	UMLP	Schema
Exchange 2019 CU2	15.2.397.3	KB4488401	VLSC		N
Exchange 2016 CU13	15.1.1779.2	KB4488406	Download	UMLP	N
Exchange 2013 CU23	15.0.1497.2	KB4489622	Download	UMLP	N

These updates contain the following important changes and notes (more information in the original article):

• Reduced required permissions of Exchange in Active Directory.
• Introduction of support for .NET Framework 4.8, with 4.7.2 becoming the minimum required version.
• Introduction of Organization-level Authentication Policies.
• Upcoming support for Modern Authentication for Exchange Hybrid deployments.
• Controlled Public Folder visibility for Exchange 2019 & 2016.

Exchange 2019 CU2 fixes:

• 4502134 Can’t get all the emails when searching mailbox by using an end date that’s different from today in Exchange Server 2019
• 4502135 Correct the error message that you receive when installing Exchange Server 2019 in an organization that has Exchange Server 2010 installed
• 4502154 Providing information to administrators when auto forward limit is reached in Exchange Server 2019 and 2016
• 4502155 “The primary SMTP address must be specified when referencing a mailbox” error when you use impersonation in Exchange Server 2019 and 2016
• 4502156 Audit logs aren’t updated when “-WhatIf” is used as $false in the command in Exchange Server 2019 and 2016
• 4502157 The Find command not returning the HasAttachments element in Exchange Server 2019 and 2016
• 4502158 SyncFolderItems contains duplicated ReadFlagChange items in Exchange Server 2019 and 2016
• 4502131 “TLS negotiation failed with error UnknownCredentials” error after you update TLSCertificateName on Office 365 send connector in Exchange Server 2019 hybrid environment
• 4502132 Can’t reply to old emails after migration even though old legacyExchangeDN is set to migrated mailbox in Exchange Server 2019 and 2016
• 4502136 The response of FETCH (BODYSTRUCTURE) command of IMAP violates RFC 3501 in Exchange Server 2019 and 2016
• 4502140 Can’t preview an eDiscovery search when there are multiple domains in Exchange Server 2019 and 2016
• 4502141 Appointment that’s created by responding to an email message doesn’t show in any Outlook calendar views in Exchange Server 2019 and Exchange Server 2016
• 4502133 Can’t use Outlook on the web to reply a partner email through mutual TLS in Exchange Server 2019 and 2016
• 4488396 Can’t search any results in manually added shared mailbox in Outlook in Exchange Server 2019 and 2016
• 4488078 Public folder contact lists don’t show contact’s profile picture in Outlook on the web in Exchange Server 2019 and 2016
• 4499503 Heavy organizational forms traffic because of materialized restriction when organization forms library has more than 500 items in Exchange Server 2019 and 2016
• 4503027 Description of the security update for Microsoft Exchange Server 2019 and 2016: June 11, 2019

Exchange 2016 CU13 fixes:

• 4502154 Providing information to administrators when auto forward limit is reached in Exchange Server 2016
• 4502155 “The primary SMTP address must be specified when referencing a mailbox” error when using impersonation in Exchange Server 2016
• 4502156 Audit logs aren’t updated when “-WhatIf” is used as $false in the command in Exchange Server 2016
• 4502157 The Find command not returning the HasAttachments element in Exchange Server 2016
• 4502158 SyncFolderItems contains duplicated ReadFlagChange items in Exchange Server 2016
• 4502131 “TLS negotiation failed with error UnknownCredentials” error after updating TLSCertificateName on Office 365 send connector in Exchange Server 2016 hybrid environment
• 4502132 Can’t reply to old emails after migration even though old legacyExchangeDN is set to migrated mailbox in Exchange Server 2016
• 4502136 The response of FETCH (BODYSTRUCTURE) command of IMAP violates RFC 3501 in Exchange Server 2016
• 4502140 Can’t preview an eDiscovery search when there are multiple domains in Exchange Server 2016
• 4502141 Appointment that’s created by responding to an email message doesn’t show in any of Outlook calendar views in Exchange Server 2016
• 4502133 Can’t use Outlook on the web to reply a partner email through mutual TLS in Exchange Server 2016
• 4488396 Can’t search any results in manually added shared mailbox in Outlook in Exchange Server 2016
• 4488078 Public folder contact lists don’t show contact’s profile picture in Outlook on the web in Exchange Server 2016
• 4499503 Heavy organizational forms traffic due to materialized restriction when organization forms library has more than 500 items in Exchange Server 2016
• 4503027 Description of the security update for Microsoft Exchange Server 2019 and 2016: June 11, 2019

Exchange 2013 CU23 fixes:

• 4502131 “TLS negotiation failed with error UnknownCredentials” error after updating TLSCertificateName on Office 365 send connector in Exchange Server 2013 hybrid environment
• 4503028 Description of the security update for Microsoft Exchange Server 2013 and 2010: June 11, 2019

Notes:

• These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update. However, due to changes in the permissions architecture, you need to run setup /PrepareAD to implement these changes as well as apply any RBAC changes, before deploying or updating Exchange servers.
• When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
• Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
• When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to delay installing at most one version (n-1).
• If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
• Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
• Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
• The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.