In the announcement of the most recent set of Cumulative Updates for Exchange Server 2019 and 2016, Microsoft introduced some changes – features if you will – as well, which were received with enthusiasm. An overview of these Cumulative Updates and the features introduced was given in an earlier article. In this article however, I would like to zoom in on one of those features, which also happens to be a popular topic among customers running Exchange Hybrid deployments, “The Last Exchange Server”.
Up to Exchange 2019 CU12 (2022 H1), customers that migrated to Exchange Online were still required to leave Exchange-related components running on-premises. Even today, with all the information published around this topic, I am surprised this still surprises customers. This Exchange server running on-premises is to be used for managing recipients which have their source of authority in Active Directory, leveraging Active Directory Connect to propagate objects to Azure Active Directory and thus Exchange Online. Also, when there is a need to relay messages from applications or multi-functional devices, customers often need to have an Exchange server on-premises to accept these messages, as Exchange is the only supported mail relay product for hybrid deployments.
The Exchange Team released the (no longer quarterly) half-yearly Cumulative Updates for Exchange Server 2019 and Exchange 2016. You read that right: half-yearly updates are replacing the quarterly cadence of the update servicing model for Exchange Server. Effectively, this will apply to Exchange 2019 only, as Exchange 2016 will be out of mainstream support in H2 of 2022, and will therefore only receive Security Updates after this round. Note that this change also stretches the effective ‘current’ state (n-1 or later) of your Exchange Server environment from half a year to one year.
And that’s not the only good news that comes with these sets of updates. In short:
If you run Exchange 2019 in Hybrid only for the purpose of managing recipients, you can now use Exchange 2019 CU12’s Exchange Management Tools to accomplish this; no more need to have an Exchange server running just for this. More details here.
Exchange 2019 CU12 will reintroduce the Hybrid Key option. Its Hybrid Configuration Wizard supports this licensing method.
Exchange 2019 CU12 supports managing the Hybrid Agent with MFA-enabled accounts.
Exchange 2019 CU12 adds support for Windows Server 2022, both for its underlying operating system, as well as deployment in environments running Windows Server 2022 Domain Controllers.
Note that while Windows Server 2022 supports TLS 1.3, Exchange 2019 CU12 on WS2022 does not yet support it. Adding support is scheduled for somewhere next year.
The supportability matrix has been updated for the supported Windows Server 2022 scenarios.
Exchange Server is now also part of Microsoft’s Bounty Program, which is an indication of continued focus for customers still running Exchange Servers on-premises.
Links to the updates as well as a description of changes and fixes are given below. The columns Schema and AD indicate whether the CU contains schema (/PrepareSchema) and Active Directory (/PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.
Apart from DST changes and the fixes mentioned below, these Cumulative Updates also contain a change which will not allow using UNC paths with several cmdlets. More information about this change and cmdlets affected can be found here: KB5014278.
Exchange 2019 CU12 fixes:
5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
5012758 Start-MailboxAssistant is not available in Exchange Server 2019
5012760 You can’t access OWA or ECP after installing the July 2021 security update
5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
5012762 PST creation is unexpectedly triggered again during multiple mailbox export
5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
5012766 Transport Services fail repeatedly because of * Accepted Domain
5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
5012770 No response from public folder for users migrating to Microsoft Exchange 2019
5012772 Items are skipped at the start of a new search page request
5012773 OWAMailboxPolicy is bypassed and high resolution profile images can be uploaded
5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
5012775 No additional global catalog column in the address book service logs
5012776 Exchange Server 2019 help link in OWA redirects users to online help for Exchange Server 2016
5012777 Can’t find forwarded messages that contain attachments in Exchange Server 2019
5012778 Exchange Server stops responding when processing PDF files with set transport rule
5012779 Invalid new auth certificate for servers that are not on UTC time zone
5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
5012785 Read Only Domain Controllers (RODCs) in other domains do not get desired permissions
5012786 Forwarded meeting appointments are blocked or considered spam
5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
5012789 Can’t use Copy Search Results after eDiscovery & Hold search
5012790 OWA doesn’t remove the “loading” image when a message is opened in Chrome and Edge browsers
5012791 MailboxAuditLog doesn’t work in localized (non-English) environments
Exchange 2016 CU23 fixes:
5012757 “Migration user… can’t be found” error when using Start-MigrationUser after batch migration fails
5012760 You can’t access OWA or ECP after installing the July 2021 security update
5012761 External attendees see “Send the Response Now” although no response was requested in Exchange Server
5012765 Email stuck in queue starting from “2022/1/1 00:01:00 UTC+0” on all Exchange on-premises servers
5012768 Start-MigrationUser and Stop-MigrationUser are unavailable for on-premises Exchange Server 2019 and 2016
5012769 Invalid New Auth Certificate for servers that are not on UTC time zone
5012774 Can’t change default path for Trace log data in Exchange Server 2019 and 2016
5012779 Invalid new auth certificate for servers that are not on UTC time zone
5012780 Disable-Mailbox does not remove LegacyExchangeDN attribute from on-premises Exchange 2019
5012781 Exchange Server 2019 and 2016 DLP doesn’t detect Chinese resident ID card numbers
5012782 MS ExchangeDiagnostic Service causes errors during service startup and initialization in Microsoft Exchange 2019
5012783 Can’t restore data of a mailbox when LegacyDN is empty in the database
5012784 Exchange 2016 CU21 and Exchange 2019 CU10 cannot save “Custom Attributes” changes in EAC
5012786 Forwarded meeting appointments are blocked or considered spam
5012787 Download domains created per CVE-2021-1730 don’t support ADFS authentication in OWA
5012789 Can’t use Copy Search Results after eDiscovery & Hold search
5012791 MailboxAuditLog doesn’t work in localized (non-English) environments
5012829 Group metrics generation fails in multidomain environment
Notes:
If these Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The recommended upgrade order is internet-facing servers first, then non-internet-facing servers, followed by Edge Transports.
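To decide in advance whether /PrepareSchema or /PrepareAD is needed, the following PowerShell (an added example, not the post's own code) reads the version markers Exchange keeps in Active Directory and compares them with the values you look up on the Exchange schema versions page for the target CU. It assumes the ActiveDirectory module (RSAT) is available, the account can read the schema, configuration and domain naming contexts, and the expected numbers are passed in as parameters rather than hard-coded, since they differ per CU.

```powershell
<#
  Added example, not from the original post. Compares the Exchange version markers in
  Active Directory with the documented values for the CU you intend to deploy.
  Assumptions: ActiveDirectory module available; read access to the schema, configuration
  and default naming contexts; expected values taken from the Exchange schema versions page.
#>
param(
    [Parameter(Mandatory)][int]$ExpectedSchemaVersion,   # rangeUpper of ms-Exch-Schema-Version-Pt
    [Parameter(Mandatory)][int]$ExpectedOrgVersion,      # objectVersion of the organization container
    [Parameter(Mandatory)][int]$ExpectedDomainVersion    # objectVersion of Microsoft Exchange System Objects
)
Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext

# Schema version: rangeUpper on the ms-Exch-Schema-Version-Pt attribute definition
$schemaVersion = [int](Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
    -Properties rangeUpper).rangeUpper

# Organization version: objectVersion on the organization container under CN=Microsoft Exchange,CN=Services
$orgVersion = [int](Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -SearchScope OneLevel -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
    -Properties objectVersion).objectVersion

# Domain version: objectVersion on the Microsoft Exchange System Objects container (this domain only)
$domainVersion = [int](Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$domainNC" `
    -Properties objectVersion).objectVersion

# Lower than expected means Setup (or you) still has to run the corresponding preparation step
$report = [PSCustomObject]@{
    SchemaVersion         = $schemaVersion
    PrepareSchemaRequired = ($schemaVersion -lt $ExpectedSchemaVersion)
    OrgVersion            = $orgVersion
    DomainVersion         = $domainVersion
    PrepareADRequired     = ($orgVersion -lt $ExpectedOrgVersion) -or ($domainVersion -lt $ExpectedDomainVersion)
}
$report

# Higher than expected means the values you supplied are stale, or a newer CU already prepared AD
if ($schemaVersion -gt $ExpectedSchemaVersion -or $orgVersion -gt $ExpectedOrgVersion -or
    $domainVersion -gt $ExpectedDomainVersion) {
    Write-Warning 'Active Directory is already at a higher version than expected; re-check the schema versions page.'
}
```

Run it from a machine with RSAT once per CU before touching the first server; the domain check covers only the domain the session is joined to.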
Caution:
As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016.
Be advised that these CUs will introduce something which is called the Exchange Emergency Mitigation Service. This service is designed to distribute and implement mitigations addressing potential threats. For this, the URL Rewrite Module needs to be installed on the Exchange server. When you have Exchange running on Windows Server 2012 R2, you will also need an update for the Universal C Runtime (KB2999226). Periodically, the EEM service will reach out to the Office Config Service (OCS) through endpoint https://officeclient.microsoft.com, and update its set of configured mitigations. More on EEM and managing its configuration here.
Links to the updates as well as a description of changes and fixes are given below. The columns Schema and AD indicate whether the CU contains schema (/PrepareSchema) and Active Directory (/PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.
5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
5006990 Exchange CU installation fails after you configure fallback to use default character set (KB5006990)
5006991 Mail quota warning messages no longer sent daily in Exchange Server 2019 (KB5006991)
5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (KB5006994)
5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006996)
5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
5006999 “401” error and Outlook repeatedly prompts for credentials in Exchange Server 2019 (KB5006999)
5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)
5007044 Start-MailboxAssistant not available in EMS in Exchange Server 2019 (KB5007044)
Exchange 2016 CU22 fixes:
5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (KB5006994)
5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006996)
5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)
Notes:
If these Cumulative Updates contain schema changes compared to the Cumulative Update you have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The recommended upgrade order is internet-facing servers first, then non-internet-facing servers, followed by Edge Transports.
Caution:
As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Be advised that Exchange 2016 will receive its final CU in March, 2021.
Links to the updates as well as a description of changes and fixes are described below.
4588297 Attachments can’t be downloaded or previewed from Outlook Web App
4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2019
4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2019
4583533 Exchange Server 2019 installation fails with error “The user has insufficient access rights”
4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2019
4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2019
4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2019
4583537 Update Korean word breaker in Exchange Server 2019
4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2019
4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2019
4583542 Server assisted search in Outlook doesn’t return more than 175 items in Exchange Server 2019
4583544 Lots of LDAP requests for FE MAPI w3wp lead to DDoS on DCs in Exchange Server 2019
4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2019
4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020
Exchange 2016 CU19 fixes:
4588297 Attachments can’t be downloaded or previewed from Outlook Web App
4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2016
4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2016
4583533 Exchange Server 2016 installation fails with error “The user has insufficient access rights”
4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2016
4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2016
4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2016
4583537 Update Korean word breaker in Exchange Server 2016
4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2016
4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2016
4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2016
4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020
Notes:
These Cumulative Updates contain schema changes compared to the previous Cumulative Update. This requires you to run Setup with /PrepareSchema. Also, Active Directory changes require you to run /PrepareAD (which can also perform the schema update, depending on permissions). Consult the Exchange schema versions page for object version numbers.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to trail at most one version (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order of installation shouldn’t matter with the “every server is an island” concept, yet the recommendation is to upgrade internet-facing servers first, then non-internet-facing servers, followed by Edge Transports.
Caution:
As for any update, I recommend thoroughly testing updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.
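The checks above (CU-specific SU, tagged file name, elevated prompt) can be enforced before the patch is started. The following PowerShell is an added example, not the post's own code; it assumes the .msp has been renamed with the CU tag as suggested, that the Exchange binaries are installed locally so $env:ExchangeInstallPath is set, and that you pass the build number Microsoft documents for that CU (a parameter here, not hard-coded).

```powershell
<#
  Added example, not from the original post. Pre-flight for an Exchange Security Update:
  refuse to run without elevation, verify the CU tag in the file name, verify the installed
  build matches the CU the SU was built for, then hand the .msp to msiexec.
  Assumptions: tagged file name (e.g. Exchange2019-CU6-KB4588741-x64-en.msp), Exchange
  installed locally, $ExpectedBuild taken from Microsoft's build number table for that CU.
#>
param(
    [Parameter(Mandatory)][string]$MspPath,         # e.g. .\Exchange2019-CU6-KB4588741-x64-en.msp
    [Parameter(Mandatory)][string]$CuTag,           # e.g. CU6, as embedded in the tagged file name
    [Parameter(Mandatory)][version]$ExpectedBuild   # product version of that CU (look it up; placeholder here)
)

# 1. Security Updates must be applied from an elevated session
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# 2. The SU is CU-level specific: the tag in the file name must match the CU being patched
$fileName = Split-Path -Path $MspPath -Leaf
if ($fileName -notmatch "-$([regex]::Escape($CuTag))-") {
    throw "File name '$fileName' is not tagged with $CuTag; refusing to apply a SU meant for another CU."
}

# 3. Installed build, read from ExSetup.exe; [version] normalises leading zeros such as 15.02.0659.004
$exSetup   = Join-Path -Path $env:ExchangeInstallPath -ChildPath 'bin\ExSetup.exe'
$installed = [version](Get-Item -Path $exSetup).VersionInfo.ProductVersion
if ($installed -ne $ExpectedBuild) {
    throw "Installed build $installed does not match $ExpectedBuild for $CuTag; this SU does not apply here."
}

# 4. Apply the patch; /norestart lets you schedule the reboot yourself
$msiArgs = "/update `"$((Resolve-Path -Path $MspPath).Path)`" /passive /norestart"
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {   # 3010 = success, reboot required
    throw "msiexec returned exit code $($proc.ExitCode)."
}
Write-Output "Security Update applied (exit code $($proc.ExitCode)); reboot if 3010 was returned."
```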