It is very important to keep updating your Exchange Servers to a supported Cumulative Update (CU). Simply put, your on-premises environments should always be ready to take an emergency security update (this applies to Exchange, Windows, and other Microsoft products you use on-premises). One thing we learned during the March 2021 release of Exchange Server security updates is that many of our customers were not ready to install security updates because they were not on supported cumulative update versions. With the threat landscape rapidly evolving, the importance of keeping your environment current should not be underestimated.
Please keep your Exchange Servers up to date. We want to continue helping you keep your environment secure, and this means your Exchange servers need to be up to date. This is a continuous process.
Once your Exchange servers are running a supported CU, ensure that the latest available Security Update (SU) is also installed. This will help address any vulnerabilities found since the release of the supported CU. To find recently released Exchange Server SUs, go to the Security Update Guide (filter on Exchange Server under Product Family). Exchange Server security updates are cumulative (an update released in April will also contain security fixes released in March, for example). We also announce all major updates on our blog.
We have prepared a set of questions and answers that cover what we hear most often about Exchange updates. If you are running into a different set of challenges keeping your environment up to date, please let us know in comments below!
I updated my Exchange Servers a few months ago! How come they are ‘not supported’ today?
For versions of Exchange that are within mainstream support (see product lifecycle), Microsoft supports (releases relevant security fixes for) the two latest CUs. Sometimes the latest two CUs are referred to as “N and N-1”. As a current example, if the latest released CU is CU9 (‘N’), and the server version is Exchange Server 2019, then Microsoft at this time supports two Exchange Server 2019 CUs, N and N-1 (CU9 and CU8). When CU10 is released, the “supported CU window” will slide toward the newly released CU10 (and what used to be the N-1 supported CU, CU8, will become unsupported).
Why does Microsoft release updates so often?
It is good that updates are released when issues are found. Microsoft (and other software vendors) release updates only when they are needed. CUs typically contain resolutions to feature problems that were reported to us by our customers (and can contain security updates from previous SUs) and are released quarterly. SUs are released only when actual security issues are found and fixed, and are typically released on a ‘patch Tuesday’. Let’s take an example of how a typical release flow for two CUs and two SUs we might release would look like:
- On a particular month (let’s say March), we might release CU4; CU4 is cumulative and will include fixes and updates from before.
- A month later we release CU4 SU1, a security update for CU4.
- In May we then release CU4 SU2, an additional security update for CU4. CU4 SU2 will include updates released in CU4 SU1 also.
- In June we release CU5, which will contain all updates released up to that point.
My Exchange Servers are working as expected, so why update them?
While we appreciate the ‘don’t fix what is not broken’ thinking, the reality is that keeping Exchange Server current allows you to ensure that it will keep working without major interruptions to functionality. Investing some time into Exchange Server maintenance (on your planned schedule) will give you a long-term benefit of well running system, with code as protected from vulnerabilities as you can get it.
Updating Exchange Server seems complicated; what exactly do I do?
Think of updating Exchange server in several stages:
- Take inventory: use the Exchange Server Health Checker script on GitHub to see if you are behind on your on-premises Exchange Server updates.
- Install updates: visit https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU. Then click the “Tell me the steps” button, to get a list of steps to follow.
- Troubleshoot (if needed): follow the ExchangeUpdateWizard instructions and best practices for installation of updates carefully, including when to use an elevated command prompt. If you encounter errors during or after installation, see Repair failed installations of Exchange Cumulative and Security updates.
Why did Microsoft suddenly start releasing Exchange Server security updates?
Releasing security updates for Exchange Server is not new. Microsoft has been releasing Exchange Server updates on ‘patch Tuesday’ for years (when issues are found). Keeping up with these updates is a best practice.
How can I update Exchange Server when (insert 3rd party application name here) does not support either of the latest supported Exchange Server CUs?
Work with your 3rd party vendor to bring their software current in a timely manner. Consider that your Exchange environment contains a lot of valuable company directory and messaging information. Your priority should be to keep your environment as secure as possible.
How can we stay current when we are a 24×7 business and have no time to take our servers down for maintenance?
Many customers require Exchange Server to work 24×7. In fact, our update process is designed for these high-demand businesses. You should use Database Availability Groups (DAGs) and put servers that you are updating in Maintenance mode to enable a graceful and non-disruptive update process for your users. See Performing maintenance on DAG members for more information.
If we are in Hybrid mode and don’t actively use our on-premises Exchange Server, do we still need to stay current?
Even if you are only using Exchange Server on-premises to manage Exchange-related objects, you need to keep the server current. Note that the Hybrid Configuration Wizard (HCW) does not need to be re-run after updates are installed.
I looked at recent security update releases and the Common Vulnerabilities and Exposures (CVE) severity was not very high; so why update?
Microsoft recommends that you apply all available security updates because it can be difficult to understand how even lower severity vulnerabilities disclosed in one month might interact with vulnerabilities disclosed and fixed a month later. An attack may trigger only specific low-impact functionality on a remote target machine and nothing else, causing the scoring for the CVE to be quite low one month. For example, in the following month an important issue with that functionality could be discovered, but it might be only triggered locally and require significant user interaction. That on its own might also not be scored highly. But if your software is behind in updates, these two issues could combine into an attack chain, thereby scoring at critical levels.
We find it difficult to update because Active Directory (AD) schema extensions and Exchange installations require different teams to take action.
In cases where different teams need to perform separate actions to prepare for installation of Exchange Cumulative Updates (as those might require AD schema extension) – we recommend you request schema changes when we release new CUs that require them. Even if you do not need to update to the very latest CU (because last two CUs are supported for Exchange versions that are still within support lifetime) – the fact that Active Directory schema will be up to date means that if you do find that you need to install the latest CU, AD schema will already be updated. We release CUs quarterly and not all of them will require AD schema updates. You can track this here for Exchange 2016 and here for Exchange 2019.