Exchange CU security update procedure

Marc 631 Reputation points
2022-10-21T10:16:45.33+00:00

I am not an expert in installing the Exchange CU security update (Exchange Server 2016 CU23 Oct22SU) and I would like some help to understand the options available to do this task.
Reading the Microsoft documentation (https://learn.microsoft.com/en-us/exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019)
it seems that if I want to install the CU I have 2 steps:

Download the CU ISO file

1) - Prepare AD

     E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema  
     E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"Contoso Corporation"  
     E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains  

2) - Install Exchange CU

   1. Install an Exchange CU using the Setup wizard  
   2. Install an Exchange CU using unattended Setup from the command line (E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /Mode:Upgrade /DomainController:dc01.contoso.com)  

What about installing just the security update (Exchange Server 2016 CU23 Oct22SU)?
Do I just have to download and install it, or do I need to do the first step as well --> prepare AD?
Do I also have to execute the maintenance scripts:
---Start-ExchangeServerMaintenanceMode v1.8.ps1
---Stop-ExchangeServerMaintenanceMode v1.5.ps1.

PS: What exactly do they do?

Thanks


4 answers

  1. Andy David - MVP 150.4K Reputation points MVP
    2022-10-21T11:30:39.49+00:00

    When installing an SU, unless specifically called out in the KB, you do not need to PrepareAD.
    https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263

    Since you are applying updates, I would still run the maintenance scripts to ensure the servers are not being accessed by clients or handling mail flow, etc.


  2. Marc 631 Reputation points
    2022-10-23T20:15:02.14+00:00

    Although Windows Extended Protection (EP) is enabled, the health check has found vulnerability to all CUs below (CU23 October).
    How do I download them?
    Are the steps below the right ones?

    https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-october-11-2022-kb5019077-b5ae8793-5e5c-4faa-972d-9228945973e5



  3. LilyLi2-MSFT 1,981 Reputation points
    2022-10-24T03:11:33.6+00:00

    Hi @Marc ,

    I agree with Andy, you do not need to PrepareAD. It is recommended that you run the maintenance script to put the server into maintenance mode before installing the SU and exit maintenance mode after the installation is complete.

    Extended Protection enhances the existing authentication functionality in Microsoft Exchange Server to help mitigate authentication relay or "man in the middle" attacks.

    Yes, your steps are right.
    You can also get this Exchange SU through the method in the official article.

    For more information about installing the Exchange SU, you can refer to: install-exchange-security-update
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.




  4. Marc 631 Reputation points
    2022-10-30T20:47:09.66+00:00

    The installation went well, but unfortunately, after enabling Extended Protection I ran into two inconveniences:

         1) The public ECP link was not reachable.
         2) Public folders were not visible.

    Most likely the problem is due to the KEMP that is standing in the middle being unable to manage the SSL traffic generated after enabling Extended Protection.
    https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

    I had to do a rollback.

    I found someone who had the same issue and used this solution:

    Set-OutlookAnywhere -Identity 'Exch_SERVER1\RPC (Default Web Site)' -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

    Could running this command help?
    Any advice?
    Thanks
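
A pre-check for the load balancer scenario described in the last post, as an added example that is not part of the original thread. It assumes what Microsoft's Extended Protection documentation states: SSL offloading is not supported with Extended Protection, and SSL bridging only works when the load balancer presents the same certificate as the Exchange server. `mail.contoso.com` is a placeholder for the public name, and `Get-RemoteThumbprint` is a hypothetical helper defined here.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Exchange server before enabling Extended Protection.
$PublicName = 'mail.contoso.com'   # placeholder: name clients use through the load balancer

# 1. Outlook Anywhere: report SSL offloading per server. The other two
#    settings are listed because the command quoted in the thread changes them.
$oa = Get-OutlookAnywhere |
    Select-Object Server, Identity, SSLOffloading,
                  InternalClientsRequireSsl, ExternalClientsRequireSsl
$oa | Format-Table -AutoSize
$oa | Where-Object { $_.SSLOffloading } | ForEach-Object {
    Write-Warning "SSL offloading is still enabled on '$($_.Identity)'"
}

# 2. Read the certificate that is presented at the public name, i.e. the one
#    the load balancer hands to clients. (Hypothetical helper.)
function Get-RemoteThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate: we only read it, we do not trust it.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.RemoteCertificate.GetCertHashString()   # SHA-1 thumbprint, upper-case hex
    }
    finally {
        $tcp.Dispose()
    }
}

# 3. Compare it with the certificates bound to IIS on this Exchange server.
$lbThumbprint = Get-RemoteThumbprint -HostName $PublicName
$iisCerts     = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })

if ($iisCerts.Thumbprint -contains $lbThumbprint) {
    Write-Host "Load balancer and Exchange present the same certificate ($lbThumbprint)."
}
else {
    Write-Warning ("Certificate at $PublicName ($lbThumbprint) is not bound to IIS on this " +
                   "server. With SSL bridging, Extended Protection will reject these sessions.")
}
```

Run step 3 from a machine that reaches `$PublicName` through the load balancer; resolving the name straight to the Exchange server would compare the server's certificate with itself.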

