Exchange CU security update procedure

Marc 591 Reputation points

I am not an expert at installing the Exchange CU security update (Exchange Server 2016 CU23 Oct22SU), and I would like some help understanding the options available for this task.
Reading the Microsoft documentation, it seems that if I want to install the CU I have 2 steps:

Download the CU ISO file

1) - Prepare AD

     E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema  
     E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"Contoso Corporation"  
     E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains  

2) - Install Exchange CU

   1. Install an Exchange CU using the Setup wizard  
   2. Install an Exchange CU using unattended Setup from the command line (E:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /Mode:Upgrade /  

What about installing just the security update (Exchange Server 2016 CU23 Oct22SU)?
Do I just have to download and install it, or do I need to do the first step as well (prepare AD)?
Do I also have to execute the maintenance scripts:
---Start-ExchangeServerMaintenanceMode v1.8.ps1
---Stop-ExchangeServerMaintenanceMode v1.5.ps1.

PS: What exactly do they do?



4 answers

  1. Andy David - MVP 133.8K Reputation points MVP

    When installing an SU, unless specifically called out in the KB, you do not need to PrepareAD.

    Since you are applying updates, I would still run the maintenance scripts to ensure the servers are not being accessed by clients or handling mail flow, etc.


  2. Marc 591 Reputation points

    Although Windows Extended Protection (EP) is enabled, the health check has found vulnerability to all CUs below (CU23 October).
    How do I download them?
    Are the steps below the right ones?


  3. LilyLi2-MSFT 1,976 Reputation points

    Hi @Marc ,

    I agree with Andy, you do not need to PrepareAD. It is recommended that you run the maintenance script to put the server into maintenance mode before installing the SU and exit maintenance mode after the installation is complete.

    Extended Protection enhances the existing authentication functionality in Microsoft Exchange Server to help mitigate authentication relay or "man in the middle" attacks.

    Yes, your steps are right.
    You can also get this Exchange SU through the method in the official article.

    For more information about installing the Exchange SU, you can refer to: install-exchange-security-update
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

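The maintenance-mode step recommended in the answers above, sketched as an added PowerShell example (it is not the Start-/Stop-ExchangeServerMaintenanceMode scripts named in the question, and not code from any poster). It uses the standard Exchange Management Shell cmdlets for draining a server before patching; the function names and the `EX01` / `EX02.contoso.com` values are hypothetical placeholders.

```powershell
# Added example: hypothetical helper functions built from standard Exchange 2016 cmdlets.
# Run in an elevated Exchange Management Shell. Server names below are placeholders.

function Enter-ExchangeMaintenance {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $RedirectTargetFqdn   # another transport server
    )
    # Stop accepting new mail, then hand already-queued mail to another server.
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Redirect-Message -Server $Server -Target $RedirectTargetFqdn -Confirm:$false

    # DAG members only: pause the cluster node and move active databases away.
    if ((Get-MailboxServer $Server).DatabaseAvailabilityGroup) {
        Suspend-ClusterNode -Name $Server
        Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
        Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked
    }

    # Take all components offline so clients and load balancer probes see the server as down.
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance
}

function Exit-ExchangeMaintenance {
    param([Parameter(Mandatory)] [string] $Server)
    # Reverse order: bring components back, rejoin the DAG, then resume mail flow.
    Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
    if ((Get-MailboxServer $Server).DatabaseAvailabilityGroup) {
        Resume-ClusterNode -Name $Server
        Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $false
        Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Unrestricted
    }
    Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance
}

function Get-ExchangeMaintenanceStatus {
    param([Parameter(Mandatory)] [string] $Server)
    # Any component not 'Active' after Exit-ExchangeMaintenance needs attention before go-live.
    Get-ServerComponentState $Server | Where-Object State -ne 'Active' | Select-Object Component, State
    Get-Queue -Server $Server | Select-Object Identity, Status, MessageCount
}

# Usage (placeholders):
#   Enter-ExchangeMaintenance -Server EX01 -RedirectTargetFqdn EX02.contoso.com
#   ... install the SU from an elevated prompt, reboot if requested ...
#   Exit-ExchangeMaintenance -Server EX01
#   Get-ExchangeMaintenanceStatus -Server EX01
```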

  4. Marc 591 Reputation points

    The installation went well, but unfortunately, after installing Extended Protection I ran into two inconveniences:

    1) The public ECP link was not reachable.
    2) Public folders were not visible.

    Most likely the problem is that the KEMP standing in the middle is unable to manage the SSL traffic generated after enabling Extended Protection.

    I had to do a roll-back.

    I found that someone who had the same issue used this solution:

    Set-OutlookAnywhere -Identity 'Exch_SERVER1\RPC (Default Web Site)' -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

    Could running this command help?
    Any advice?