Exchange 2013 CU22 Released
Exchange 2013 CU22 has been released to the Microsoft download centre! Exchange 2013 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously. CUs are a complete installation of Exchange 2013 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 SP1 was in effect CU4, and CU22 is the eighteenth post SP1 release.
Update: Please see this post to correct the cosmetic Add/Remove programs issue with CU22.
This is build 15.00.1473.003 of Exchange 2013 and the update is helpfully named Exchange2013-x64-cu22.exe. Which is a great improvement over the initial CUs that all had the same file name! Details for the release are contained in KB 4345836.
Exchange 2007 is no longer supported, updates are not provided once a product has exited out of extended support.
Exchange 2010 will transition out of support on the 14th of January 2020.
Updates Of Particular Note
While Exchange 2013 CU21 was the last planned CU for this version of Exchange, a new CU was required to address security issues. This update provides a security advisory in Microsoft Exchange. For more information, see Security Advisory ADV190004 for. It also resolves some vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2019-0686 and Microsoft Common Vulnerabilities and Exposures CVE-2019-0724.
Note that there are changes in Exchange EWS functionality with this release, so please review all of the notes contained within the release post
Also pay attention to Decreasing Exchange Rights in the Active Directory. This is covered in KB 4490059 -- Reducing permissions required to run Exchange Server by using Shared Permissions Model. In order to apply these changes, a directory admin will need to run the cumulative update setup program with the /PrepareAD parameter. When multiple Exchange versions co-exist in a single Active Directory forest, the cumulative update matching the latest version of Exchange deployed should be used to run /PrepareAD
.NET Framework 4.7.2 Support was added to Exchange 2013 CU21 previously.
- 4487603 "The action cannot be completed" error when you select many recipients in the Address Book of Outlook in Exchange Server 2013
- 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
- 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Mod
Some Items For Consideration
As with previous CUs, this one also follows the new servicing paradigm which was previously discussed on the blog. The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2013 installation. You do not need to install Cumulative Update 4 or 5 for Exchange Server 2013 when you are installing the latest CU. Cumulative Updates are well, cumulative. What else can I say…
For customers with a hybrid Exchange deployment, must keep their on-premises Exchange servers updated to the latest update or the one immediately prior ( N or N-1).
After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange 2013. If you uninstall this cumulative update package, Exchange 2013 is removed from the server.
Test the CU in a lab which is representative of your environment
Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server
Follow your organisation’s change management process, and factor the approval time into your change request
Provide appropriate notifications as per your process. This may be to IT teams, or to end users.
After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange. If you uninstall this cumulative update package, Exchange is removed from the server.
Place the server into SCOM maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
I personally like to restart prior to installing CUs. This helps identifies if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations. 3rd party AV products are often guilty of this
Restart the server after installing the CU
Ensure that all the relevant services are running
Ensure that event logs are clean, with no errors
Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment. This includes archive, backup, mobility and management services
Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application. FIM and 3rd party user provisioning solutions are examples of the latter
Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. See KB981474
Disable file system antivirus prior to installing. Do this through the appropriate console. Typically this will be a central admin console, not the local machine
Verify file system antivirus is actually disabled
Once server has been restarted, re-enable file system antivirus
Note that customised configuration files are overwritten on installation. Make sure you have any changes fully documented!
Please enjoy the update responsibly!
What do I mean by that? Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment. Additionally you will need to test the CU your lab which is representative of your production environment.