    How to Install Security Update on Exchange Server 2016 CU22


      Summary: Exchange Server 2016 Cumulative Update 22 or CU22 was released in September 2021, introducing Microsoft Exchange Emergency Mitigation Service, a built-in version of the EOMT tool to mitigate risks and newer threats. With this release, the pre-requisites for upgrading the Exchange Server to CU22 or later have changed. In this blog, we have discussed steps to install the Exchange Server 2016 CU22 update and November 2021 Security Update by following Microsoft's recommendations.

      Microsoft has released critical security updates to patch a remote code execution vulnerability, CVE-2021-42321, found in Exchange 2016 (CU22) and 2019 (CU10, CU11, CU21). The November 2021 security updates are available for the following Exchange Server builds:

      • Exchange Server 2013 CU23
      • Exchange Server 2016 CU21 and CU22
      • Exchange Server 2019 CU10 and CU11

      The vulnerability affects on-premises Exchange Servers, including Hybrid Exchange. If your organization is running an earlier CU, we recommend you upgrade to the latest CU immediately to patch your server and continue receiving the latest Security Updates.

      However, some users who upgraded to Exchange Server 2016 CU22 and installed the security patches released for CU22 reported failed installations. In such cases, you can’t roll back to the previous version and must set up a new server if the problem is not fixed.

      In this blog, we have discussed steps to install the CU22 and November 2021 security updates on Exchange Server 2016 correctly and avoid post-install issues or failed update scenarios that can render the server unusable.

      Steps to Install Exchange 2016 Server Updates

      To install Cumulative Update 22 (CU22) and November 2021 Security Updates on your Exchange Server 2016, follow these steps,

      Step 1: Download the Exchange Server CU22 Build

      You can upgrade directly to CU22 from the RTM or CU1 build. Before downloading the CU22 build, check your current CU by running the following command in the Exchange Management Shell:

      Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion

      Then visit this page to download the Exchange Server 2016 CU22 update and mount the downloaded ISO.

      Step 2: Prepare Server for Upgrade

      To install Exchange Server CU22 correctly and prevent issues after upgrading, install the pre-requisites and prepare the server for CU22 upgrade.

      • Install .NET 4.8 framework

        Download and install .NET 4.8 framework on your Exchange Server 2016.

        • Install IIS URL Rewrite Module 2.1

          Starting September 2021, Exchange Server 2016 CU22 requires the IIS URL Rewrite module for Microsoft Exchange Emergency Mitigation Service. Download and install the IIS URL Rewrite Module v2.1 on your Exchange Server 2016. Reboot the server after installing the IIS URL Rewrite module.

          • Prepare the Schema

            To prepare the Schema, open Command Prompt as administrator and navigate to the mount location using the ‘cd’ command. For instance, cd /d F:\ (the /d switch also changes the current drive).

            Then run the following command to prepare the Schema,

            \Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareSchema

            • Prepare Active Directory

            To prepare Active Directory for the CU22 upgrade, run the following command in an elevated Command Prompt window,

            \Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAD

            • Prepare All Domains

            To prepare all domains, run the following command in Command Prompt as administrator,

            \Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAllDomains

            Reboot the server.

            Step 3: Put the Exchange Server in Maintenance Mode

            To put your Exchange Server 2016 into maintenance mode for CU22 upgrade, run the following commands in Exchange Management Shell as administrator,

            Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Draining -Requester Maintenance

            The command sets the HubTransport component in the draining state.

            Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Inactive -Requester Maintenance

            The command puts the server into maintenance mode. To verify the server is in maintenance mode, run the following command,

            Get-ServerComponentState "ServerName" | Select Component, State

            Step 4: Install Exchange Server 2016 CU22

            Now you are ready to install and upgrade the Exchange Server 2016 to CU22 build. You can launch the Setup.exe from the mount location to upgrade using the graphical user interface (GUI).

            You may also use an elevated Command Prompt window to install CU22 in unattended mode using the following command,

            <MountDriveLetter>:\setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

            For instance,

            F:\setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

            After the installation, remove the server from maintenance mode using the following command,

            Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Active -Requester Maintenance

            Run the following command in EMS to verify the server is out of maintenance mode,

            Get-ServerComponentState "ServerName" | Select Component, State

            Then restart the server and install the November 2021 Security Updates.

            Step 5: Install November 2021 Security Updates to CU22

            Download the November 2021 Security Updates released for Exchange Server 2016 CU22 build and follow these steps to install them,

            • Open the Command Prompt as administrator and navigate to the location using the ‘cd’ command where security updates are downloaded. For instance,

            cd C:\Users\Administrator\Downloads\

            • Then run the following command to start installing the security updates,

            .\UpdateFileName.msp

            Or .\Exchange2016-KB5007409-x64-en.msp

            • Click ‘Open‘ and then follow the wizard to install the security updates.

            Step 6: Run HealthChecker Script

            HealthChecker.ps1 is a PowerShell script that helps you identify issues and vulnerabilities on your server. It reports on the server’s health and provides detailed information that helps you patch the server against new threats. To run the HealthChecker.ps1 script, download the PowerShell script and then follow these steps,

            • Open Command Prompt as administrator
            • Run the following command,

            .\HealthChecker.ps1 -BuildHtmlServersReport

            •  This creates an HTML report at the same location where the script is located. Open the HTML report to check the server’s health. Fix the issues and patch the vulnerabilities if found.
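
A post-update verification pass for the procedure above, as an added example that is not part of the original article or Microsoft's tooling: it checks the update file's signature, the installed build, service health and component states. The default `$MspPath`, the `$ExpectedBuild` placeholder and the two excluded component names are assumptions; run it in an elevated Exchange Management Shell.

```powershell
# Added example: post-update checks for an Exchange 2016 server.
# Run in an elevated Exchange Management Shell on the updated server.
param(
    # Assumed download location; file name as given in Step 5.
    [string]$MspPath = "$env:USERPROFILE\Downloads\Exchange2016-KB5007409-x64-en.msp",
    # Placeholder: replace with the build number listed on the update's KB page.
    [string]$ExpectedBuild = '<build-from-KB-page>',
    [string]$Server = $env:COMPUTERNAME
)
$findings = @()

# 1. The .msp runs elevated: require a valid Authenticode signature from Microsoft.
if (Test-Path -LiteralPath $MspPath) {
    $sig = Get-AuthenticodeSignature -FilePath $MspPath
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += "Signature problem on ${MspPath}: $($sig.Status)"
    }
} else {
    $findings += "Update file not found: $MspPath"
}

# 2. Compare the ExSetup.exe file version with the expected build.
$installed = [version](Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.FileVersion
if ($ExpectedBuild -like '<*') {
    $findings += "Installed build is $installed; set -ExpectedBuild to compare"
} elseif ($installed -lt [version]$ExpectedBuild) {
    $findings += "Installed build $installed is older than $ExpectedBuild"
}

# 3. A failed update can leave Exchange services stopped or disabled.
$down = Test-ServiceHealth -Server $Server | ForEach-Object { $_.ServicesNotRunning }
if ($down) { $findings += "Services not running: $(($down | Sort-Object -Unique) -join ', ')" }

# 4. Components still not Active after leaving maintenance mode.
#    Assumption: these two are Inactive by default on on-premises servers.
$expectedInactive = 'ForwardSyncDaemon', 'ProvisioningRps'
$stuck = Get-ServerComponentState -Identity $Server |
    Where-Object { $_.State -ne 'Active' -and $_.Component -notin $expectedInactive }
foreach ($c in $stuck) { $findings += "Component $($c.Component) is $($c.State)" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "All post-update checks passed on $Server (build $installed)"
}
```

The signature check is most useful before Step 5, since the .msp is executed with administrator rights; the remaining checks apply after the restart.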

            Conclusion

            Before installing Exchange Server Security and Cumulative Updates, check the pre-requisites and Known issues listed on the KB pages. Also, install the builds on a test Exchange Server machine. It will help you identify and fix issues before deploying them to the production server.

            However, if the update fails, it can render the server unusable and require setting up a new Exchange Server. This can lead to extended downtime, especially when you don’t have a backup. In such cases, you can rely on Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from failed servers and export them to your newly set up Exchange Server directly. If you have any questions or need more help related to updating or recovering failed Exchange Server, leave a comment down below.

            About The Author

            Ravi Singh

            Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 7 years of experience in technical writing. He writes about Microsoft Exchange, Microsoft 365, Email Migration, Linux, Windows, Mac, DIY Tech, and Smart Home. Ravi spends most of his weekends working with IoT (DIY Smart Home) devices and playing Overwatch. He is also a solo traveler who loves hiking and exploring new trails.

            4 comments

            1. When installing Exchange 2016 CU22 security updates, do I need to install all of the preceding updates as well?
              I have E2016 CU22; if I install CU22 SU3, do I need to install CU22 SU1 and CU22 SU2 as well?
