How to install Exchange CU 23?

SenhorDolas 1,271 Reputation points

Hey All
On the back of the Hafnium threat I need to install the latest CU to be able to install the out of band patches.
We are hybrid and only use the internal exchange servers (these are on CU20) for management and the email relay for internal systems.
Never done this before.
How should I install CU23?
Do I need to prepare schema or is like any other next next update?
Anything I should be aware of?
Thanks a million guys.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,498 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,998 questions
{count} votes

Accepted answer
  1. Andy David - MVP 145.1K Reputation points MVP

    Follow these steps, rebooting after EACH step and running from an ELEVATED PROMPT.

    Run each step separately:
    Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
    Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD
    Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains

    Install .net 4.8

    Then install CU23:

    Then install the security patch:

    Critical Patch:

    Once you are patched, you need to investigate to see if your server has been compromised and scan your server for known exploits:

    Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server

    If you find no evidence of actual compromise, then you are probably ok, but look to getting a quality anti-malware solution for Exchange for ongoing protection.

    If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. KyleXu-MSFT 26,246 Reputation points


    I noticed that you deployed hybrid in your organization. The attack is using 443 port, although you may restrict the IP addresses allowed to connect, I still recommend that you update Exchange to the latest CU and install the patch for safety reasons.

    As the information that provided by AndyDavid, you need to install .net 4.7.2 or 4.8, then update(Double-click the installation package) Exchange 2013 to CU 23 and install the patch(Run PowerShell with administrator right, then run this patch from PowerShell).

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
    0 comments No comments