Exchange 2016 CU22: Microsoft hardens security

In March, many Exchange servers came under attack, which forced many organizations to recover servers or start again because they didn’t have backups. The attacks caused mass downtime and associated costs. In the months that followed, Microsoft released patches to mitigate these risks and encouraged everyone running Exchange on-premises to patch servers. They provided detailed information on how to check the version you are on and how to upgrade to the latest Cumulative Update (CU). Exchange 2016 CU22 was released in September, and it came with a new feature called the “Exchange Emergency Mitigation service.” This service helps secure your Exchange servers by applying mitigations to address potential threats. More can be found in this bulletin from Microsoft:

Exchange and IT admins experienced with running Cumulative Updates (CU) for Exchange know you should make sure to install all the prerequisites on the server before applying the CU. With the upgrade to CU22, you need to install the additional prerequisites listed below:

In my test lab, I did not need to install the second option, but the IIS module was required. Remember to reboot your server after installing the IIS Rewrite Module before attempting the upgrade or new installation.

Do not forget to run the commands to PrepareAD and PrepareSchema. Depending on your organization’s size, you may need to wait 15 minutes or a few hours for replication to complete. Once you start with the installation (and we will cover the command line install over the GUI install), there is some extra text that you need to add, as shown below:

As you know, previous Exchange 2016 Cumulative Updates (CUs) required the switch IAcceptExchangeServerLicenseTerms, but in CU22 it has to be written as one of the following: IAcceptExchangeServerLicenseTerms_DiagnosticDataOn or IAcceptExchangeServerLicenseTerms_DiagnosticDataOff. If you do not enter the correct switch on the command line, you will get an error as shown below:

Once the correct command line is entered, the upgrade to CU22 on Exchange 2016 is just like the others you may have completed. I have been running Exchange 2016 CU22 in my labs and have not encountered any issues with Autodiscover or Outlook clients. As a test, Outlook 2021 works just fine with Exchange 2016 CU22 and Outlook 2019, 2016, and 2013.
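The command-line sequence described above, with the prerequisite checks in front of it, as an added example that is not part of the original article. The `E:\Setup.exe` path and the stage-at-a-time wrapper are assumptions; run one stage, let Active Directory replication finish, then run the next.

```powershell
# Added example, not from the original article.
# Assumptions: CU22 media mounted at E:\ (hypothetical path); elevated prompt;
# run one stage at a time and let AD replication finish between stages.
param(
    [Parameter(Mandatory)]
    [ValidateSet('PrepareSchema', 'PrepareAD', 'Upgrade')]
    [string]$Stage,

    [ValidateSet('DiagnosticDataOn', 'DiagnosticDataOff')]
    [string]$DiagnosticData = 'DiagnosticDataOff',

    [string]$SetupPath = 'E:\Setup.exe'
)

# CU22 rejects the old bare IAcceptExchangeServerLicenseTerms switch.
$license = "/IAcceptExchangeServerLicenseTerms_$DiagnosticData"

if ($Stage -eq 'Upgrade') {
    # Registry key written by the IIS URL Rewrite Module installer.
    $rewriteKey = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'
    if (-not (Test-Path $rewriteKey)) {
        throw 'IIS URL Rewrite Module not found. Install it and reboot first.'
    }
    # Servicing marker for a reboot that has not happened yet.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbs) {
        throw 'A reboot is pending. Restart the server before upgrading.'
    }
}

$stageSwitch = switch ($Stage) {
    'PrepareSchema' { '/PrepareSchema' }
    'PrepareAD'     { '/PrepareAD' }
    'Upgrade'       { '/Mode:Upgrade' }
}

# Run Setup.exe unattended and fail loudly on a non-zero exit code.
$proc = Start-Process -FilePath $SetupPath -ArgumentList $license, $stageSwitch `
    -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Setup.exe $stageSwitch failed with exit code $($proc.ExitCode)."
}
"Stage $Stage completed."
```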

In most Cumulative Updates, there are a number of fixes, and each CU contains all previous updates and fixes. Below is the list of fixes in this build. Notice that the list, taken from Microsoft, is quite long:

  • 5006980 Bad signature error using PerfView in Exchange Server 2019 and 2016 (KB5006980)
  • 5006982 On-premises Exchange queues back up because of incorrect default value (KB5006982)
  • 5006983 Exchange Server 2019 and 2016 certificates created during setup use SHA-1 hash (KB5006983)
  • 5006984 PrepareAD fails if Computers container or RODCs are renamed or moved in Exchange Server 2019 and 2016 (KB5006984)
  • 5006986 Opening an Outlook message from the desktop removes line spacing (KB5006986)
  • 5006988 Export of .pst file is unexpectedly triggered again in Exchange Server 2019 and 2016 (KB5006988)
  • 5006989 Accepted domains with wildcards for subdomains are not honored when Edge server maps AddressSpaces (KB5006989)
  • 5006992 No room lists found when trying to add a room in OWA in Exchange Server 2019 or 2016 (KB5006992)
  • 5006993 Can’t log on to OWA in Chrome if SSL is offloaded in Exchange Server 2019 and 2016 (KB5006993)
  • 5006994 BCC values not retained in Sent Items in a shared mailbox in Exchange Server 2019 and 2016 (KB5006994)
  • 5006995 Korean email messages display some recipients incorrectly in Exchange Server 2019 and 2016 (KB5006995)
  • 5006996 Export-AutoDiscoverConfig exposes admin password and does not work against domain controllers that require signing (KB5006997)
  • 5006997 Korean messages in OWA display “From” as “Start date” after you filter the list in Exchange Server 2019 and 2016
  • 5007042 Error window appears when you view features in OWA Virtual Directory (KB5007042)
  • 5007043 Exchange Server SU updates Add/Remove Programs incorrectly (KB5007043)

This Cumulative Update was pretty quick both in my lab and production environments. I am running ESET Mail Security in my lab on version 8.1, and I did not encounter any errors or issues with ESET, and the cluster option still worked fine.

If you did not run the PrepareAD command as listed at the beginning of the article, then when you run the command-line upgrade to CU22 you will notice that it does an Organization Preparation, as shown in the image below:

Once the installation was completed, a reboot was done as recommended, and Exchange 2016 ran fine. As a rule of thumb, I always launch the Event Viewer and check for any errors or warnings that may come up in the log file, which should be addressed. If you did not reboot after the CU22 upgrade, you might see ASP warnings. These will clear after the reboot.

Check that your mail-flow is working, not just internally but externally. Check that Outlook on the Web (OWA) is working, and Outlook clients are connecting fine. If you do have a problematic server, you can take it off the load balancer or DNS round-robin to fix the issues.
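The post-upgrade checks described above can be scripted. This is an added example, not from the original article; it assumes it is run in the Exchange Management Shell on the upgraded server, and the two-hour look-back window is an arbitrary default. It also reports the state of the new Emergency Mitigation service.

```powershell
# Added example, not from the original article.
# Assumption: run in the Exchange Management Shell on the upgraded server.
param(
    [datetime]$Since = (Get-Date).AddHours(-2)   # assumed look-back window
)

$server = $env:COMPUTERNAME

# Build the server actually reports after the upgrade.
Get-ExchangeServer -Identity $server | Format-List Name, AdminDisplayVersion

# Application log entries since the upgrade (1 = Critical, 2 = Error, 3 = Warning),
# grouped so repeated warnings such as the pre-reboot ASP ones stand out.
$filter = @{ LogName = 'Application'; Level = 1, 2, 3; StartTime = $Since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name

# Any role whose required services are not all running.
Test-ServiceHealth -Server $server |
    Where-Object { -not $_.RequiredServicesRunning } |
    Format-List Role, ServicesNotRunning

# Internal mail flow only; external flow still needs a real inbound and outbound test.
$flow = Test-Mailflow
"Internal mail flow: $($flow.TestMailflowResult)"

# Exchange Emergency Mitigation service introduced with this CU.
Get-Service -Name MSExchangeMitigation | Format-List Name, Status, StartType
Get-ExchangeServer -Identity $server |
    Format-List MitigationsEnabled, MitigationsApplied, MitigationsBlocked
```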

You may recall that in CU21 for Exchange 2016, OWA stopped working if you used a load balancer and had a mix of Exchange Servers running CU21 and previous versions. From now on, I will disable some Exchange 2016 servers, perform the upgrade, and then put them back on. Then I will upgrade the rest to avoid any of those issues encountered with CU21.


1 thought on “Exchange 2016 CU22: Microsoft hardens security”

  1. Hi, the “Universal C Runtime in Windows KB2999226” does not seem to be applicable if you're on (OS) Server 2016 and newer? Yes? Found this by clicking on the link in the article, and reading the supported OS versions. (just might be good to highlight this). Always good to read insightful writings on “techgenix”.
