How to Install Exchange 2013/2016/2019 Cumulative Updates?

Software updates are critical as they bring new features, fix bugs, and patch vulnerabilities that threat actors may exploit to gain unauthorized access. Microsoft releases Security Updates (SUs) monthly and Cumulative Updates (CUs) for supported Exchange Server versions, such as Exchange 2013, 2016, and 2019, every quarter.

Cumulative Updates contain all the hotfixes and security updates released between the current and last CU releases. In addition, CUs also bring new features and updates that may improve the server's performance and reliability.

Moreover, Microsoft provides security updates for newer builds (CUs) and stops supporting the older Exchange Server CUs.

Thus, updating the Exchange Server to the latest Cumulative Update is critical to continue receiving new security updates and protect the Exchange environment from malicious attacks.

Below we have explained the complete process of downloading and applying the latest Cumulative Updates released by Microsoft for supported Exchange Server versions with step-by-step instructions. You can follow this guide to apply the Cumulative Updates to Exchange Server 2013, 2016, and 2019.

Things to Consider Before Installing Exchange Cumulative Update

Before you begin installing the Cumulative Update to Exchange Server, consider the following:

  • If you are running a standalone Exchange Server, the mail flow will stop until you finish applying the Cumulative Updates. Thus, it is critical to plan the update as it can take time to finish. Planning will also avoid issues or instances of failed installation that can render the server unusable.
  • After the upgrade, you can't uninstall Cumulative Updates as uninstalling CU will remove the Exchange Server.
  • Customizations made to Exchange Server, such as Web.config files, will be overwritten and require you to re-apply them after the CU upgrade is finished. Therefore, save all customized Exchange and IIS settings you have made.
  • Always test the Cumulative update in a test environment before deploying it to the production server.

IMPORTANT NOTE: Back up before you start installing the CU. If the update fails for any reason, you can use your backup to build a new server and restore mailbox databases. However, if the backup isn't available, you can use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from failed Exchange Server and export them to the new live Exchange Server directly.

Steps to Install Cumulative Update in Exchange Server 2013, 2016, and 2019

There are two ways to install Cumulative Updates,

  • Through Graphical Users Interface (GUI).
  • Using Command Prompt Unattended Mode.

Below we have discussed both ways to install the Cumulative Updates on standalone and DAG Exchange Servers.

Step 1: Download the Cumulative Update

Before downloading the latest CU for your Exchange Server, check the current version using the following Exchange Management Shell cmdlet,

Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion

Then visit Exchange Server build numbers and release dates page to check and download the latest Cumulative Update for your Exchange Server Version. Never download any security or cumulative updates from third-party or unofficial sites as they may contain malware.

download latest exchange cumulative update

Step 2: Put Exchange Server in Maintenance Mode

It is recommended to put Exchange Server in maintenance mode before updating or upgrading it. You can use the following PowerShell commands in Exchange Management Shell (EMS) to put your Exchange Server 2013, 2016, or 2019 into maintenance mode.

  • Set HubTransport to draining state,
Set-ServerComponentState -Identity "ServerName" -Component HubTransport -State Draining -Requester Maintenance
  • If you have another Exchange Server in the organization, redirect the queued message to that server
Redirect-Message -Server ServerName -Target ""
  • If the server belongs to the DAG group, run the following command; otherwise, skip to ServerWideOffline
Suspend-ClusterNode "ServerName-01"
  • Then disable database copy auto-activation and move the active copy of the database to another DAG member.
Set-MailboxServer "ServerName-01" -DatabaseCopyActivationDisabledAndMoveNow $true
  • Also, block the DatabaseCopyAutoActivationPolicy,
Set-MailboxServer "ServerName-01" -DatabaseCopyAutoActivationPolicy Blocked
  • Then put the Exchange Server into maintenance mode using the following command,
Set-ServerComponentState "ServerName" -Component ServerWideOffline -State Inactive -Requester Maintenance
  • To verify Exchange Server is in maintenance mode, run the following command,
Get-ServerComponentState "ServerName” | Select Component, State

The components must be in an inactive state.

check exchange server status maintenance mode

Restart the server.

Step 3: Prepare for Cumulative Update

On the download page, check the system requirement section to learn the pre-requisites you need to install.

check system requirements known issues

Usually, you need to install the following:

install net framework

Step 4: Install RSAT-ADDs Feature

Before extending the Active Directory Schema, you must install the RSAT-ADD feature (Remote Tools Administration Pack) on the domain controller and Exchange Server. For this, open PowerShell as administrator and run the following command,

Install-windows feature RSAT-ADDS

Restart the server.

Step 5: Prepare Schema, AD, and Domains

To prepare the Schema, Active Directory, and Domains, open Command Prompt as administrator and navigate the mounted CU ISO location using the CD command. For instance,

cd F:

Then run the following commands to prepare the Schema, AD, and all Domains,

\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareSchema
prepare schema
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAD
prepare active directory
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAllDomains or /PrepareDomain
prepare domains

NOTE: Starting from September 2021 CU, you need to use the /IAcceptExchangeLicenseterms_DiagnosticDataOFF or/IAcceptExchangeLicenseterms_DiagnosticData_ON for unattended installs.

Restart the server in between to clear any pending reboots.

Step 6: Install Cumulative Updates via Unattended Setup or GUI

After installing the pre-requisites on your server, mount the downloaded Cumulative Update ISO image.

mount download exchnage cu

You can install Cumulative Update using the Command Prompt or directly launch the Setup.exe file from the mount location.

upgrade to latest cumulative update gui

To run the installation in unattended mode via Command Prompt, open an elevated command prompt and execute the following command,

cd F:
\Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

Step 7: Remove Server from Maintenance Mode

Once the installation is finished, restart the server and then check the current version using the following command in EMS,

Get-ExchangeServer | Fl
check exchnage server version after upgrade

Once verified, remove the server from the maintenance mode using the following command in Exchange Management Shell:

Set-ServerComponentState “ServerName” –Component ServerWideOffline –State Active –Requester Maintenance
Set-ServerComponentState ServerName –Component HubTransport –State Active –Requester Maintenance

On the DAG member server, you need to perform the following commands to remove maintenance mode,

Resume-ClusterNode –Name ServerName
Set-MailboxServer ServerName –DatabaseCopyAutoActivationPolicy Unrestricted
Set-MailboxServer Servername –DatabaseCopyActivationDisabledAndMoveNow $false
Set-ServerComponentState “ServerName” –Component ServerWideOffline –State Active –Requester Maintenance
Set-ServerComponentState ServerName –Component HubTransport –State Active –Requester Maintenance

To verify the DAG member server is out of maintenance mode,

Get-ClusterNode "ServerName"

Step 8: Install Pending Security Updates (SUs)

Once you have updated your Exchange Server to the latest Cumulative Updates, check any pending Security Updates. You can run healthChecker.ps1 script on your server to find the vulnerabilities and then apply the SUs to patch them.

healthcheckerscript vulnerabilities

To install Security updates, navigate to the folder where Security updates are downloaded (.msp files) and run the following command in the elevated Command Prompt window,


Follow the wizard to complete the installation and then reboot.

IMPORTANT UPDATE: From May 2023, Microsoft will release the Security Updates and Hot Fixes as self-extracting auto-elevating executable files. Thus, one can directly install the May 2023 or later SUs and HFs as administrators or with admin privileges like any other program.


Microsoft recommends its Exchange customers to install the latest updates—whether Security Updates (SUs) or Cumulative Updates (CUs)—as they arrive to protect the organization from known threats and malicious attacks. Attacks on unpatched Exchange Server often rise immediately after Microsoft releases the patches or updates, increasing the chances of your organization getting compromised. To prevent the risks, install the updates as soon as possible.

However, if the server is compromised or the database is damaged after a malicious attack or server failure, create a new server and restore the mailboxes from the backup. Never use the compromised server, even if you can fix it.

If the backup isn't available, use Exchange server recovery software, such as Stellar Repair for Exchange, to recover mailboxes from your compromised Exchange Server and save them as PSTs. You may also export the extracted mailboxes from corrupt or damaged Exchange database directly to your new Live Exchange Server or Office 365 tenant in a few clicks.

Was this article helpful?
About The Author
author image
Ravi Singh linkdin Icon

Senior Writer at Stellar®. He is an expert Tech Explainer.

Table of Contents


Why Choose Stellar?
  • 0M+


  • 0+

    Years of Excellence

  • 0+

    R&D Engineers

  • 0+


  • 0+


  • 0+

    Awards Received