The Exchange Team released Exchange Server 2019 Cumulative Update H1 2023, or CU13. This is Exchange 2019 only; no Exchange 2016 CU.
Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following functionality enhancements:
Modern Authentication On-Premises Support
After dropping support for Basic Authentication in Exchange Online, organizations that remained on-premises for various reasons, and could not deploy Exchange Hybrid, were left out in doubt how to proceed. Last year, Microsoft gave them some perspective, following a roadmap announcement.
This CU is a first step, allowing organizations running AD FS 2019 to deploy Exchange 2019 CU13, and configure AD FS as their authentication provider. Be advised that this also requires clients to support this change in authentication logic. First, Outlook for Windows will contain support for this in build 16327.20200 and later. Support for other Outlook clients has an ETA of end of year. Outlook on the Web already supports claims-based authentication using AD FS, which is a form of Modern Authentication.
Finally, organization running Exchange 2016 can deploy Exchange 2019 CU13 in front of those Exchange 2016 servers, allowing then to handle clients request, and thus authenticate them using AD FS. After deployment, organizations can enable Modern Authentication on the organization or at the mailbox level, using Exchange’s Authentication Policies.
For more information about deploying Modern Authentication with Exchange on-premises, see Enabling Modern Auth in Exchange On-Premises. The page also includes an insightful diagram on the authentication flow.
Administrators might tweak configuration files belonging to their Exchange deployment, e.g. web.config. Deploying CUs meant that those files were overwritten, and administrators had to re-apply changes. With CU13, setup will now preserve a fixed set of elements in those configuration files. For more information, see Exchange Server custom configuration preservation.
Unfortunately, nothing yet about TLS 1.3 support.
Earlier Exchange Versions
Exchange 2013 reached end of life early April. No Cumulative Update for Exchange 2016 CU23, which is in extended support, and will only receive security updates until October, 2025. Exchange 2016 is supported when you run CU23 with the March 2023 Security Update applied.
Link to the update as well as a description of changes and fixes are below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, in order to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.
Exchange 2019 CU13 fixes:
- 5027150 Enable Modern Auth for pure On-Premises Exchange users
- 5026134 “InvalidRecipientsException” when you try to run MRM
- 5026135 CertificateDeploymentServicelet failure in multiple domain forest Exchange deployments
- 5026136 Microsoft Exchange Transport doesn’t re-encrypt IRM messages
- 5026138 Users receive reminders although the meeting reminder is set to None
- 5026139 You can’t move the public folder mailbox
- 5026142 Journal message returns “ConversionFailedException”
- 5026143 OAB shadow distribution threshold must be reduced or made configurable
- 5026146 Expiry notification is sent to moderator and sender for approved and delivered messages
- 5026147 BlockLegacyAuthentication fail Organization Policy because of BackendRehydrationModule implementation
- 5026149 Group metrics generation doesn’t finish in multidomain environment
- 5026150 Edge server Filtering Agent removes journal attachments
- 5026151 Oab-Processing-Threshold is set to 0 for On-Premises
- 5026152 Microsoft Exchange ActiveSync or Current Requests counter inaccurately counts requests
- 5026153 Delivery Flow Control setting override is now available
- 5026154 On-premises Exchange has 35MB file size limit for online archiving
- 5026155 “No support for this operation” error on an Exchange 2019 DAG member server
- 5026156 Outlook search fails in a shared On-Premises mailbox if the primary user mailbox is migrated to Exchange Online
- 5026158 The body of recurring meeting is not clear if it has Chinese characters
- 5026159 IconIndex returns Default value when Server Assisted Search is used in Outlook
- 5026266 “Could not start MS Exchange Service Host service” error and Exchange stops responding
- 5026267 OWA stops responding in an Exchange 2019 and 2016 coexistence topology
- 5026268 Store Worker process crashes and returns “System.NullReferenceExceptions” multiple times per day
- 5026269 Block deserialization error when using eDiscovery
- 5026271 IIS URL Rewrite Module link is incorrect
- 5026273 Outlook configuration fails in Android or iOS
- 5026274 Hybrid Agent Validation fails after Extended Protection is enabled
- 5026277 Mail configuration fails on iOS device after Extended Protection is enabled
- 5026278 Mailbox migration fails after Extended Protection is enabled
- If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
- When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
- Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
- When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
- Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to inability to validate script signatures.
- If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
- Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
- Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
- The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.
As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.