The Exchange product group released the June 2026 Security Updates for Exchange Server SE, Exchange 2019, and Exchange 2016. There were no updates released in January, so if you missed those, you didn’t. The SE SU is available to the public. Security updates for Exchange 2019 and Exchange 2016 will be available to organizations enrolled in the Extended Security Update program.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
Be advised that these Security Updates do not remove any previously applied mitigations for CVE-2026-42897, whether applied through the EMS service (M2.1.0) or through manual configuration using the EOMT.ps1 script. More information about both options is described here. The recommendation is to keep the mitigations in place. If you still wish to remove them, be advised that you need to take steps to prevent the mitigations from getting reapplied. These steps are also contained in the aforementioned article.
Because of a server-side change, Exchange Servers not patched with this June 2026 SU will stop processing emergency mitigations published after June 2026. As a result, their Emergency Mitigation Service (EMS) and Flighting Service cannot process any updates, and the Application event log will contain the following entries:
Event type: Error
Event ID: 1008
Event source: MSExchange Mitigation Service
Exception encountered while fetching mitigations: This XML is not deemed safe to consume since Response xml’s leaf certificate is from unknown issuer or has EKU mismatch
Any previously applied mitigations will continue to function.
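One way to find servers that are logging this error is sketched below. It is an added example, not part of the original post or any Microsoft tooling; the server names and sample records are constructed, and the live query assumes the provider name equals the event source quoted above.

```powershell
# Added example. The records in $sample are constructed, not from a real server.
function Select-EmsFetchFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        # Source and ID as quoted in the post; the message test skips the
        # apostrophe in "xml's" so it matches either the straight or curly form.
        if ($Record.ProviderName -eq 'MSExchange Mitigation Service' -and
            $Record.Id -eq 1008 -and
            $Record.Message -match 'unknown issuer or has EKU mismatch') {
            [pscustomobject]@{ Server = $Record.MachineName; TimeCreated = $Record.TimeCreated }
        }
    }
}

function Get-EmsFailureSummary {
    param([psobject[]]$Records)
    # One row per server: number of failures and the most recent occurrence
    $Records | Select-EmsFetchFailure | Group-Object Server | ForEach-Object {
        [pscustomobject]@{
            Server   = $_.Name
            Failures = $_.Count
            LastSeen = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        }
    }
}

$src     = 'MSExchange Mitigation Service'
$certMsg = 'Exception encountered while fetching mitigations: This XML is not deemed safe to consume ' +
           'since Response xml''s leaf certificate is from unknown issuer or has EKU mismatch'
$sample = @(
    [pscustomobject]@{ MachineName = 'EX01'; ProviderName = $src; Id = 1008; TimeCreated = [datetime]'2026-07-01T06:00:00'; Message = $certMsg }
    [pscustomobject]@{ MachineName = 'EX01'; ProviderName = $src; Id = 1008; TimeCreated = [datetime]'2026-07-01T07:00:00'; Message = $certMsg }
    # Same ID but an unrelated (constructed) message: must not be reported
    [pscustomobject]@{ MachineName = 'EX02'; ProviderName = $src; Id = 1008; TimeCreated = [datetime]'2026-07-01T06:05:00'; Message = 'Exception encountered while fetching mitigations: constructed timeout text' }
)
Get-EmsFailureSummary -Records $sample   # reports EX01 only, with two failures

# Live use against a server:
# $live = Get-WinEvent -ComputerName EX01 -FilterHashtable @{ LogName = 'Application'; ProviderName = $src; Id = 1008 }
# Get-EmsFailureSummary -Records $live
```

A server that shows up here is no longer receiving new emergency mitigations and should be moved up the patching queue.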
Notes
Security updates are specific to the Cumulative Update level. You cannot apply the Exchange 2019 CU15 security update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft includes the KB article number as a reference, but I would still tag the filename with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the urgency level.
Back in 2013, I published an unattended installation script for Exchange Server 2013, together with a walkthrough on this blog. At the time, the goal was simple: make Exchange deployments more predictable, repeatable, and less error‑prone by removing as much manual interaction as possible.
Exchange has evolved, deployment practices have matured, and automation expectations are much higher. Over the past years, I have continued to maintain and refine the script to keep pace with those changes. Recently, I completed a major cleanup and refresh. Those watching my GitHub have likely seen the incremental changes.
This post serves as a refresher and high‑level overview of the current state.
Goal
This script automates the unattended installation of Microsoft Exchange Server 2016, 2019, and Exchange Server SE on Windows Server 2016 through 2025. For this, it follows a state machine process. This is necessary because some steps require a reboot before continuing.
The script handles the full installation lifecycle: Windows features, prerequisites (.NET, VC++ runtimes, IIS components), Active Directory preparation, Exchange setup, and post-configuration and hardening. With the -AutoPilot switch, the script manages automatic reboots and logon cycles, recording its progress in a JSON state file so it knows where to resume.
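The resume-after-reboot pattern described above can be sketched as follows. This is an added illustration, not code from Install-Exchange15.ps1: the phase names, state file name, and JSON layout are hypothetical, and the phases only return text instead of installing anything.

```powershell
# Illustrative sketch only; names and layout are hypothetical.
# A state file like this should hold progress only, never credentials.
$StateFile = Join-Path ([IO.Path]::GetTempPath()) 'demo-install-state.json'

$Phases = @(
    @{ Name = 'WindowsFeatures'; RebootAfter = $true;  Action = { 'features staged' } }
    @{ Name = 'Prerequisites';   RebootAfter = $true;  Action = { 'runtimes staged' } }
    @{ Name = 'PrepareAD';       RebootAfter = $false; Action = { 'AD prepared' } }
    @{ Name = 'ExchangeSetup';   RebootAfter = $true;  Action = { 'setup finished' } }
    @{ Name = 'PostConfig';      RebootAfter = $false; Action = { 'hardening applied' } }
)

function Get-InstallState {
    # Resume from the saved position, or start at phase 0 on the first run
    if (Test-Path $StateFile) { Get-Content $StateFile -Raw | ConvertFrom-Json }
    else { [pscustomobject]@{ NextPhase = 0; Log = @() } }
}

function Save-InstallState($State) {
    $State | ConvertTo-Json -Depth 4 | Set-Content -Path $StateFile -Encoding UTF8
}

function Invoke-InstallRun {
    # One "boot": run phases from the saved position until a reboot is due
    $state = Get-InstallState
    while ($state.NextPhase -lt $Phases.Count) {
        $phase  = $Phases[$state.NextPhase]
        $result = & $phase.Action
        $state.Log = @($state.Log) + "$($phase.Name): $result"
        $state.NextPhase++
        Save-InstallState $state          # persist before any reboot happens
        if ($phase.RebootAfter) { return "reboot required after $($phase.Name)" }
    }
    Remove-Item $StateFile -ErrorAction SilentlyContinue   # finished: clean up
    'installation complete'
}

# Simulate the boot cycle: each call stands in for one logon after a reboot
Remove-Item $StateFile -ErrorAction SilentlyContinue
do { $outcome = Invoke-InstallRun; $outcome } until ($outcome -eq 'installation complete')
```

The simulated run stops three times for a reboot and completes on the fourth call, because the position is saved before each stop.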
Supported Builds and Operating Systems
| Exchange Version | Minimum OS | Maximum OS |
|---|---|---|
| Exchange 2016 CU23 | Windows Server 2016 | Windows Server 2019 |
| Exchange 2019 CU10–CU14 | Windows Server 2019 | Windows Server 2022 |
| Exchange 2019 CU15 | Windows Server 2019 | Windows Server 2025 |
| Exchange Server SE RTM | Windows Server 2019 | Windows Server 2025 |
For Exchange 2019 and up, deployment on Desktop or Core is supported. Support for Exchange 2013, older CUs for Exchange 2016 and Exchange 2019, and older operating systems (WS2008, WS2008 R2, WS2012, or WS2012 R2) has been removed since version 4.0 of the script.
Requirements
PowerShell 5.1 or later
Domain-joined system (Edge Server role is the exception)
An account with local administrator rights
When using -AutoPilot: the account must be able to configure and perform auto-logon
When creating a new Exchange organization (-Organization) or when the schema or domain configuration needs to be upgraded: Schema Admin and Enterprise Admin rights
Static IP address (running as an Azure VM is the exception)
Usage
The syntax for calling the script depends on which of the common scenarios you want to deploy. By default, it is to perform an installation:
The script Install-Exchange15.ps1 has a ton of options. An explanation of these is given in the table below. Depending on the operating mode (regular setup, preparation only, Edge Transport installation, or recovery), parameters may or may not become available.
| Parameter | Description |
|---|---|
| -SourcePath | Path to Exchange setup EXE folder or ISO file |
| -Organization | Exchange organization name to create. Omit to skip AD preparation. |
| -InstallEdge | Install the Edge Transport server role instead of Mailbox |
| -AutoPilot | Fully automated mode — handles reboots and resumes automatically |
| -Credentials | Credentials AutoPilot uses for automatic logon after each reboot |
| -InstallPath | Working folder for state file, logs, and downloaded prerequisites (default: C:\Install) |
This post replaces the previous articles on the installation script, which are still there for historical purposes (and to show what has been updated or replaced over time):
The Exchange product group released the February 2026 Security Updates for Exchange Server SE, Exchange 2019, and Exchange 2016. There were no updates released in January, so if you missed those, you didn’t. The SE SU is available to the public. Security updates for Exchange 2019 and Exchange 2016 will be available to organizations enrolled in the Extended Security Update program.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.
The Exchange product group released the December 2025 Security Update for Exchange Server SE. Organizations that enrolled in the Extended Security Update program will also have access to December 2025 security updates for Exchange Server 2019 and Exchange Server 2016. These ESU updates will not be made available publicly.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.
These Security Updates are the SUs for Exchange Server 2016 and 2019 that will be publicly available. Any Extended Security Updates (ESU) that might be released between now and April 2026 for these products need to be acquired by contacting your Microsoft Account Teams.
Auth Certificate Export
Be advised that after deploying the October SU, as a security measure, Export-ExchangeCertificate can no longer be used to export the Auth Certificate. For more information, see KB5069337.
Notes
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; follow a more agile approach instead. The ratings indicate the level of urgency.