Summary: Exchange Server 2016 Cumulative Update 22 or CU22 was released in September 2021, introducing Microsoft Exchange Emergency Mitigation Service, a built-in version of the EOMT tool to mitigate risks and newer threats. With this release, the pre-requisites for upgrading the Exchange Server to CU22 or later have changed. In this blog, we have discussed steps to install the Exchange Server 2016 CU22 update and November 2021 Security Update by following Microsoft's recommendations.
Microsoft has released critical security updates to patch a remote code execution vulnerability CVE-2021-42321 found in Exchange 2016 (CU22) and 2019 (CU10, CU11, CU21). The November 2021 security updates are available for the following Exchange Server builds,
The vulnerability affects the on-premises Exchange Servers, including Hybrid Exchange. If your organization is running on earlier CU, we recommend you upgrade to the latest CU immediately to patch your server and continue receiving the latest Security Updates.
However, some users who upgraded to Exchange Server 2016 CU22 and installed the security patches released for CU22 reported failed installations. In such cases, you can’t roll back to the previous version and must set up a new server if the problem is not fixed.
In this blog, we have discussed steps to install the CU22 and November 2021 security updates on Exchange Server 2016 correctly and avoid post-install issues or failed update scenarios that can render the server unusable.
Steps to Install Exchange 2016 Server Updates
To install Cumulative Update 22 (CU22) and November 2021 Security Updates on your Exchange Server 2016, follow these steps,
Step 1: Download the Exchange Server CU22 Build
You can directly upgrade to CU22 from the RTM or CU1 build. But before downloading the CU22 build, check your current CU by running the following command in Exchange Management Shell:
Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion
Then visit this page to download the Exchange Server 2016 CU22 update and mount the downloaded ISO.
Step 2: Prepare Server for Upgrade
To install Exchange Server CU22 correctly and prevent issues after upgrading, install the pre-requisites and prepare the server for CU22 upgrade.
- Install .NET 4.8 framework
Download and install .NET 4.8 framework on your Exchange Server 2016.
- Install IIS URL Rewrite Module 2.1
Starting September 2021, Exchange Server 2016 CU22 requires the IIS URL Rewrite module for Microsoft Exchange Emergency Mitigation Service. Download and install the IIS URL Rewrite Module v2.1 on your Exchange Server 2016. Reboot the server after installing the IIS URL Rewrite module.
- Prepare the Schema
To prepare the Schema, open Command Prompt as administrator and navigate to the mount location using the ‘cd’ command. For instance, cd /d F:\
Then run the following command to prepare the Schema,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareSchema
- Prepare Active Directory
To prepare Active Directory for CU22 upgrade, run the following command in elevated Command prompt window,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAD
- Prepare All Domains
To prepare all domains, run the following command in Command Prompt as administrator,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAllDomains
Reboot the server.
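The following read-only check covers the Step 2 prerequisites before you move on to Step 3. It is an added example, not part of the original article or of Microsoft's tooling; the function name is hypothetical, and detecting the URL Rewrite module through its rewrite.dll file is an assumption.

```powershell
# Added example: pre-flight check for the Step 2 prerequisites.
# Run in an elevated PowerShell session on the Exchange server. It changes nothing.
function Test-Cu22Prerequisite {
    $result = [ordered]@{}

    # .NET Framework 4.8 records a Release value of 528040 or higher under this key.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $result.DotNetRelease = $ndp.Release
    $result.DotNet48      = ($ndp.Release -ge 528040)

    # Assumption: the IIS URL Rewrite module is detected through its native DLL.
    $dll = Join-Path $env:SystemRoot 'System32\inetsrv\rewrite.dll'
    $result.UrlRewriteInstalled = Test-Path $dll
    $result.UrlRewriteVersion   = if ($result.UrlRewriteInstalled) {
        (Get-Item $dll).VersionInfo.FileVersion
    } else { $null }

    # The article reboots after installing URL Rewrite and after the /Prepare* runs.
    # These markers show a restart is still outstanding. PendingFileRenameOperations
    # can be set for minor reasons, so treat it as a hint rather than proof.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfr = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $result.RebootPending = ($cbs -or $wu -or [bool]$pfr)

    # Ready only when both prerequisites are present and no restart is waiting.
    $result.Ready = ($result.DotNet48 -and $result.UrlRewriteInstalled -and -not $result.RebootPending)
    [pscustomobject]$result
}

Test-Cu22Prerequisite | Format-List
```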
Step 3: Put the Exchange Server in Maintenance Mode
To put your Exchange Server 2016 into maintenance mode for CU22 upgrade, run the following commands in Exchange Management Shell as administrator,
Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Draining -Requester Maintenance
The command sets the HubTransport component in the draining state.
Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Inactive -Requester Maintenance
The command puts the server into maintenance mode. To verify the server is in maintenance mode, run the following command,
Get-ServerComponentState "ServerName" | Select Component, State
Step 4: Install Exchange Server 2016 CU22
Now you are ready to install and upgrade the Exchange Server 2016 to CU22 build. You can launch the Setup.exe from the mount location to upgrade using the graphical user interface (GUI).
You may also use elevated Command Prompt window to install the CU22 in unattended mode using the following command,
<MountDriveLetter>\setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
For instance,
F:\setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
After the installation, remove the server from maintenance mode using the following command,
Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Active -Requester Maintenance
Run the following command in EMS to verify the server is out of maintenance mode,
Get-ServerComponentState "ServerName" | Select Component, State
Then restart the server and install the November 2021 Security Updates.
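A component state is tracked per requester, so the HubTransport component set to Draining in Step 3 stays that way until the Maintenance requester sets it back to Active; the command above resets only ServerWideOffline. The check below is an added example, not from the original article: the function name is hypothetical, and the list of components treated as normally Inactive is an assumption to adjust for your environment.

```powershell
# Added example; run in Exchange Management Shell after leaving maintenance mode.
# "ServerName" is the article's placeholder for your server.
function Get-StuckComponent {
    param(
        [Parameter(Mandatory)] [string] $Server,
        # Assumption: components that are normally Inactive on an on-premises server.
        [string[]] $ExpectedInactive = @('ForwardSyncDaemon', 'ProvisioningRps')
    )

    Get-ServerComponentState -Identity $Server |
        Where-Object { $_.State -ne 'Active' -and $_.Component -notin $ExpectedInactive } |
        ForEach-Object {
            # LocalStates holds one entry per requester, which shows who is
            # still holding the component out of service.
            [pscustomobject]@{
                Component  = $_.Component
                State      = $_.State
                Requesters = ($_.LocalStates |
                    ForEach-Object { "$($_.Requester)=$($_.State)" }) -join ', '
            }
        }
}

# An empty result means every component that should be running is Active.
Get-StuckComponent -Server 'ServerName' | Format-Table -AutoSize
```

Any component listed with a Maintenance entry still needs Set-ServerComponentState with -State Active -Requester Maintenance for that component before the server handles mail flow normally.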
Step 5: Install November 2021 Security Updates to CU22
Download the November 2021 Security Updates released for Exchange Server 2016 CU22 build and follow these steps to install them,
- Open the Command Prompt as administrator and navigate to the location using the ‘cd’ command where security updates are downloaded. For instance,
cd C:\Users\Administrator\Downloads\
- Then run the following command to start installing the security updates,
.\UpdateFileName.msp
Or .\Exchange2016-KB5007409-x64-en.msp
- Click ‘Open‘ and then follow the wizard to install the security updates.
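The same installation can be wrapped so that it refuses to run unelevated, checks the package signature first, and keeps a log. This is an added example, not from the original article: the function name and the log location are hypothetical, and the signer check assumes the package is signed by Microsoft Corporation.

```powershell
# Added example; run from an elevated PowerShell window on the Exchange server.
function Install-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)] [string] $MspPath,
        [string] $LogPath = (Join-Path $env:TEMP 'ExchangeSU-install.log')  # hypothetical location
    )
    $MspPath = (Resolve-Path $MspPath).Path

    # The article installs from an administrator prompt; enforce that here.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session.'
    }

    # Status 'Valid' means the file is unmodified and chains to a trusted root.
    # Assumption: the signer subject names Microsoft Corporation.
    $sig = Get-AuthenticodeSignature -FilePath $MspPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Signature check failed for ${MspPath}: $($sig.Status)"
    }

    # msiexec /p applies the patch and still shows the wizard; /l*v writes a verbose log.
    $msiArgs = "/p `"$MspPath`" /l*v `"$LogPath`""
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success with a restart required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exit code $($proc.ExitCode); see $LogPath"
    }
    [pscustomobject]@{
        ExitCode       = $proc.ExitCode
        RebootRequired = ($proc.ExitCode -eq 3010)
        Log            = $LogPath
    }
}

Install-ExchangeSecurityUpdate -MspPath '.\Exchange2016-KB5007409-x64-en.msp'
```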
Step 6: Run HealthChecker Script
HealthChecker.ps1 is a PowerShell script that helps you identify issues and vulnerabilities on your server. It helps you check the server’s health and patch your server against the new threat by providing detailed information. To run the HealthChecker.ps1 script, download the PowerShell script and then follow these steps,
- Open Command Prompt as administrator
- Run the following command,
.\HealthChecker.ps1 -BuildHtmlServersReport
- This creates an HTML report at the same location where the script is located. Open the HTML report to check the server’s health. Fix the issues and patch the vulnerabilities if found.
Conclusion
Before installing Exchange Server Security and Cumulative Updates, check the pre-requisites and Known issues listed on the KB pages. Also, install the builds on a test Exchange Server machine. It will help you identify and fix issues before deploying them to the production server.
However, if the update fails, it can render the server unusable and require setting up a new Exchange Server. This can lead to extended downtime, especially when you don’t have a backup. In such cases, you can rely on Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from failed servers and export them to your newly set up Exchange Server directly. If you have any questions or need more help related to updating or recovering failed Exchange Server, leave a comment down below.