The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016.
Be advised that these CUs will introduce something which is called the Exchange Emergency Mitigation Service. This service is designed to distribute and implement mitigations addressing potential threats. For this, the URL Rewrite Module needs to be installed on the Exchange server. When you have Exchange running on Windows Server 2012 R2, you will also need an update for the Universal C Runtime (KB2999226). Periodically, the EEM service will reach out to the Office Config Service (OCS) through endpoint https://officeclient.microsoft.com, and update its set of configured mitigations. More on EEM and managing its configuration here.
Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.
| Version | Build | KB | Download | UMLP | Schema | AD |
| Exchange 2019 CU11 | 15.2.986.5 | KB5005334 | Download | N | Y | |
| Exchange 2016 CU22 | 15.1.2375.7 | KB5005333 | Download | UMLP | N | Y |
Exchange 2019 CU11 fixes:
- 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
- 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
- 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
- 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
- 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
- 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
- 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
- 5006990 Exchange CU installation fails after you configure fallback to use default character set (5006990)
- 5006991 Mail quota warning messages no longer sent daily in Exchange Server 2019 (KB5006991)
- 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
- 5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
- 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (5006994)
- 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
- 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
- 5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
- 5006999 “401” error and Outlook repeatedly prompts for credentials in Exchange Server 2019 (KB5006999)
- 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
- 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)
- 5007044 Start-MailboxAssistant not available in EMS in Exchange Server 2019 (KB5007044)
Exchange 2016 CU22 fixes:
- 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
- 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
- 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
- 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
- 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
- 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
- 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
- 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
- 5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
- 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (5006994)
- 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
- 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
- 5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
- 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
- 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)
Notes:
- If these Cumulative Updates contain schema changes compared to the Cumulative Update you have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
- When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
- Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
- When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
- If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
- Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
- Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
- The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.
Caution:
As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
EighTwOne (821) 
– Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
Indeed strange; did a fresh 2019 CU10 install and https://aka.ms/ExchangeHealthChecker got me the SHA-1 hash warning on the freshly installed server. Guess they fixed it now.
LikeLike
Hi Michel,
Thanks again for the great posts, really helpful.
I was under the impression that CU21 would be the last voor EX2016. Do you know what the current schedule for CU’s for EX2016 is?
LikeLike
If I choose the unattended installation option IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF
Is it possible to change it after the installation to DiagnosticDataON for example with powershell?
LikeLike
Yes, use Set-ExchangeServer -Identity -DataCollectionEnabled $true
LikeLike
Already found it (;
https://docs.microsoft.com/en-us/exchange/diagnostic-data-exchange-server?view=exchserver-2019
Set-ExchangeServer -Identity -DataCollectionEnabled:$false
and
Set-ExchangeServer -Identity -DataCollectionEnabled:$true
LikeLike