Microsoft has released critical security updates to patch a remote code execution vulnerability CVE-2021-42321 found in Exchange 2016 (CU22) and 2019 (CU10, CU11, CU21). The November 2021 security updates are available for the following Exchange Server builds,
The vulnerability affects the on-premises Exchange Servers, including Hybrid Exchange. If your organization is running on earlier CU, we recommend you upgrade to the latest CU immediately to patch your server and continue receiving the latest Security Updates.
However, some users who upgraded to Exchange Server 2016 CU22 and installed the security patches released for CU22 reported failed installation issues. In such cases, you can’t roll back to the previous version and require to set up a new server if the problem is not fixed.
In this blog, we have discussed steps to install the CU22 and November 2021 security updates on Exchange Server 2016 correctly and avoid post-install issues or failed update scenarios that can render the server unusable.
Steps to Install Exchange 2016 Server Updates
To install Cumulative Update 22 (CU22) and November 2021 Security Updates on your Exchange Server 2016, follow these steps,
Image Source – Microsoft Step 1: Download the Exchange Server CU22 Build
You can directly upgrade to CU22 from RTM or CU1 build. But before downloading the CU22 build, check your current CU by running the following command in Exchange Management Shell
Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion
Then visit this page to download the Exchange Server 2016 CU22 update and mount the downloaded ISO.
Step 2: Prepare Server for Upgrade
To install Exchange Server CU22 correctly and prevent issues after upgrading, install the pre-requisites and prepare the server for CU22 upgrade.
- Install .NET 4.8 framework
Download and install .NET 4.8 framework on your Exchange Server 2016.
- Install IIS URL Rewrite Module 2.1
Starting September 2021, Exchange Server 2016 CU22 requires the IIS URL Rewrite module for Microsoft Exchange Emergency Mitigation Service. Download and install the IIS URL Rewrite Module v2.1 on your Exchange Server 2016. Reboot the server after installing the IIS URL Rewrite module.
To prepare the Schema, open Command Prompt as administrator and navigate the mount location using the ‘cd’ command. For instance, cd F:
Then run the following command to prepare the Schema,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareSchema
To prepare Active Directory for CU22 upgrade, run the following command in elevated Command prompt window,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAD
To prepare all domains, run the following command in Command Prompt as administrator,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAllDomains
Reboot the server.
Step 3: Put the Exchange Server in Maintenance Mode
To put your Exchange Server 2016 into maintenance mode for CU22 upgrade, run the following commands in Exchange Management Shell as administrator,
Set-ServerComponentState -Identity “ServerName” -Component HubTransport -State Draining -Requester Maintenance
The command sets the HubTransport component in the draining state.
Set-ServerComponentState “ServerName” -Component ServerWideOffline -State Inactive -Requester Maintenance
The command puts the server into maintenance mode. To verify the server is in maintenance mode, run the following command,
Get-ServerComponentState “ServerName” | Select Component, State
Step 4: Install Exchange Server 2016 CU22
Now you are ready to install and upgrade the Exchange Server 2016 to CU22 build. You can launch the Setup.exe from the mount location to upgrade using the graphical user interface (GUI).
You may also use elevated Command Prompt window to install the CU22 in unattended mode using the following command,
<MountDriveLetter>\setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
For instance,
F:\ setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
After the installation, remove the server from maintenance mode using the following command,
Set-ServerComponentState “ServerName” –Component ServerWideOffline –State Active –Requester Maintenance
Run following command in EMS to verify the server is out of maintenance mode,
Get-ServerComponentState
Then restart the server and install the November 2021 Security Updates.
Step 5: Install November 2021 Security Updates to CU22
Download the November 2021 Security Updates released for Exchange Server 2016 CU22 build and follow these steps to install them,
- Open the Command Prompt as administrator and navigate to the location using the ‘cd’ command where security updates are downloaded. For instance,
cd C:\Users\Administrator\Downloads\
- Then run following command to start installing the security updates,
.\UpdateFileName.msp
Or .\Exchange2016-KB5007409-x64-en.msp
- Click ‘Open‘ and then follow the wizard to install the security updates.
Step 6: Run HealthChecker Script
HealthChecker.ps1 is a PowerShell script that helps you identify issues and vulnerabilities on your server. It helps you check the server’s health and patch your server against the new threat by providing detailed information. To run the HealthChecker.ps1 script, download the PowerShell script and then follow these steps,
- Open Command Prompt as administrator
- Run the following command,
.\HealthChecker.ps1 –BuildHtmlServersReport
- This creates an HTML report at the same location where the script is located. Open the HTML report to check the server’s health. Fix the issues and patch the vulnerabilities if found.
Conclusion
Before installing Exchange Server Security and Cumulative Updates, check the pre-requisites and Known issues listed on the KB pages. Also, install the builds on a test Exchange Server machine. It will help you identify and fix issues before deploying them to the production server.
However, if the update fails, it can render the server unusable and require setting up a new Exchange Server. This can lead to extended downtime, especially when you don’t have a backup. In such cases, you can rely on Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from failed servers and export them to your newly set up Exchange Server directly. If you have any questions or need more help related to updating or recovering failed Exchange Server, leave a comment down below.
