Summary: Exchange Server 2016 Cumulative Update 22 or CU22 was released in September 2021, introducing Microsoft Exchange Emergency Mitigation Service, a built-in version of the EOMT tool to mitigate risks and newer threats. With this release, the pre-requisites for upgrading the Exchange Server to CU22 or later have changed. In this blog, we have discussed steps to install the Exchange Server 2016 CU22 update and November 2021 Security Update by following Microsoft's recommendations.
Microsoft has released critical security updates to patch a remote code execution vulnerability CVE-2021-42321 found in Exchange 2016 (CU22) and 2019 (CU10, CU11, CU21). The November 2021 security updates are available for the following Exchange Server builds,
The vulnerability affects the on-premises Exchange Servers, including Hybrid Exchange. If your organization is running on earlier CU, we recommend you upgrade to the latest CU immediately to patch your server and continue receiving the latest Security Updates.
However, some users who upgraded to Exchange Server 2016 CU22 and installed the security patches released for CU22 reported failed installation issues. In such cases, you can’t roll back to the previous version and require to set up a new server if the problem is not fixed.
In this blog, we have discussed steps to install the CU22 and November 2021 security updates on Exchange Server 2016 correctly and avoid post-install issues or failed update scenarios that can render the server unusable.
To install Cumulative Update 22 (CU22) and November 2021 Security Updates on your Exchange Server 2016, follow these steps,
You can directly upgrade to CU22 from RTM or CU1 build. But before downloading the CU22 build, check your current CU by running the following command in Exchange Management Shell
Get-ExchangeServer | fl Name,Edition,AdminDisplayVersion
Then visit this page to download the Exchange Server 2016 CU22 update and mount the downloaded ISO.
To install Exchange Server CU22 correctly and prevent issues after upgrading, install the pre-requisites and prepare the server for CU22 upgrade.
Download and install .NET 4.8 framework on your Exchange Server 2016.
Starting September 2021, Exchange Server 2016 CU22 requires the IIS URL Rewrite module for Microsoft Exchange Emergency Mitigation Service. Download and install the IIS URL Rewrite Module v2.1 on your Exchange Server 2016. Reboot the server after installing the IIS URL Rewrite module.
To prepare the Schema, open Command Prompt as administrator and navigate the mount location using the ‘cd’ command. For instance, cd F:
Then run the following command to prepare the Schema,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareSchema
To prepare Active Directory for CU22 upgrade, run the following command in elevated Command prompt window,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAD
To prepare all domains, run the following command in Command Prompt as administrator,
\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOff /PrepareAllDomains
Reboot the server.
To put your Exchange Server 2016 into maintenance mode for CU22 upgrade, run the following commands in Exchange Management Shell as administrator,
Set-ServerComponentState -Identity “ServerName” -Component HubTransport -State Draining -Requester Maintenance
The command sets the HubTransport component in the draining state.
Set-ServerComponentState “ServerName” -Component ServerWideOffline -State Inactive -Requester Maintenance
The command puts the server into maintenance mode. To verify the server is in maintenance mode, run the following command,
Get-ServerComponentState “ServerName” | Select Component, State
Now you are ready to install and upgrade the Exchange Server 2016 to CU22 build. You can launch the Setup.exe from the mount location to upgrade using the graphical user interface (GUI).
You may also use elevated Command Prompt window to install the CU22 in unattended mode using the following command,
<MountDriveLetter>\setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
For instance,
F:\ setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
After the installation, remove the server from maintenance mode using the following command,
Set-ServerComponentState “ServerName” –Component ServerWideOffline –State Active –Requester Maintenance
Run following command in EMS to verify the server is out of maintenance mode,
Get-ServerComponentState
Then restart the server and install the November 2021 Security Updates.
Download the November 2021 Security Updates released for Exchange Server 2016 CU22 build and follow these steps to install them,
cd C:\Users\Administrator\Downloads\
.\UpdateFileName.msp
Or .\Exchange2016-KB5007409-x64-en.msp
HealthChecker.ps1 is a PowerShell script that helps you identify issues and vulnerabilities on your server. It helps you check the server’s health and patch your server against the new threat by providing detailed information. To run the HealthChecker.ps1 script, download the PowerShell script and then follow these steps,
.\HealthChecker.ps1 –BuildHtmlServersReport
Before installing Exchange Server Security and Cumulative Updates, check the pre-requisites and Known issues listed on the KB pages. Also, install the builds on a test Exchange Server machine. It will help you identify and fix issues before deploying them to the production server.
However, if the update fails, it can render the server unusable and require setting up a new Exchange Server. This can lead to extended downtime, especially when you don’t have a backup. In such cases, you can rely on Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from failed servers and export them to your newly set up Exchange Server directly. If you have any questions or need more help related to updating or recovering failed Exchange Server, leave a comment down below.
Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 7 years of experience in technical writing. He writes about Microsoft Exchange, Microsoft 365, Email Migration, Linux, Windows, Mac, DIY Tech, and Smart Home. Ravi spends most of his weekends working with IoT (DIY Smart Home) devices and playing Overwatch. He is also a solo traveler who loves hiking and exploring new trails.
Hi there, I enjoy reading through your article.
I like to write a little comment to support you.
When installing Exchange 2016 CU22 security updates, do I need to install all of the preceding update as well?
I have E2016 CU22, if I install CU22 SU3 do I need to install CU22 SU1 and CU22 SU2 as well ?
No, you don’t need to install any previous CUs.