Unpatched Exchange Servers are easily exploited by attackers. As an administrator, you must ensure that your Exchange Server remains up-to-date and protected against attacks that exploit vulnerabilities. Therefore, it is critical to install the latest Cumulative Updates (CUs), Security Updates (SUs), and Hot Fixes (HFs) for maintaining server security and performance.
Each Cumulative Update (CU), released by Microsoft, is in itself a full installation of the Exchange Server and is usually used to the update the current Exchange Server or installed on a new server. Cumulative Updates (CU) include:
- Security Updates: These include security patches for known vulnerabilities in the Exchange Server that would be exploited by attackers.
- Bug Fixes and Other Improvements: These updates also include bug fixes and new features for the Exchange Server to enhance functionality or performance.
In this article, we will explain step-by step process of installing CUs for Exchange Server 2013, 2016, and 2019.
Procedure to Install Exchange Server Cumulative Updates (CU)
You cannot just straightaway install the Cumulative Updates (CU). You need to first check compatibilities and other prerequisites. Below, we will explain the complete process of installing CUs – from checking prerequisites to verifying the installation.
Check Prerequisites
Before you start downloading and installing the CUs, it is important to check the requirements needed from the operating system side. These include the version of .NET Framework, storage requirements, and other information which is vital for installation of Cumulative Updates (CU). You should also take the full backup of the server.
Consult Microsoft Website
You shouldn’t just install the latest version of the updates. You should first consult the Microsoft website. You need to ensure that your Cumulative Update (CU) level can take the Cumulative Update (CU) you are going to install. If required, you need to install an interim Cumulative Update (CU) before going ahead with the update you want to install.
To verify and confirm the Cumulative Update (CU) installed on your Exchange Server, open the Exchange Management Shell (EMS) and run the following command:
Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
This will give all the information needed. You can match the build number or other information on the Microsoft website.
Put Exchange Server in Maintenance Mode
Next, you need to put your Exchange Server in maintenance mode. If you have a single server, then run the following command in the Exchange Management Shell (EMS) to stop it from processing new messages:
Set-ServerComponentState -Identity "<server name>" -Component HubTransport -State Draining -Requester Maintenance
If you have a Database Availability Group (DAG), you need to redirect messages to another server in the cluster node. To do so, run the following command:
Redirect-Message -Server "<current server>" -Target "<new server name>"
Next, pause the server from the cluster and disable any automatic activation and database copy.
To pause the node in cluster, run the following command:
Suspend-ClusterNode "<server name>"
To disable automatic database copy activation and move all active databases on other servers, use the below command:
Set-MailboxServer "<server name>" -DatabaseCopyActivationDisabledAndMoveNow $true
Run the below command to disable any databases that are active on the server.
Get-MailboxServer "<server name>" | Select DatabaseCopyAutoActivationPolicy
The below command will set the server as blocked. In case something happens on the other server, no database copies will become active.
Set-MailboxServer "<server name>" -DatabaseCopyAutoActivationPolicy Blocked
Install the Cumulative Updates
Installation of the updates is easy. After downloading the Cumulative Update (CU), you can mount the image. But before starting, you should disable the antivirus or malware application and pause any backup jobs as these can interfere and hinder the installation process.
You can perform installation process via the Graphical User Interface (GUI) or Command Prompt in an unattended setup. Just follow the steps on the screen to install the updates.
Exit the Maintenance Mode
After the installation is complete, restart the server and exit the maintenance mode on the server.
If you have a standalone server, run the following command:
Set-ServerComponentState "<server name>" -Component HubTransport -State Active -Requester Maintenance
If you have a Database Availability Group (DAG), you need to resume the cluster node and enable database copy auto-activation. To do so, run the following commands:
Resume-ClusterNode -Name "<server name>"
Set-MailboxServer "<server name>" -DatabaseCopyAutoActivationPolicy Unrestricted
Conclusion
Patching the Exchange Server and installing the latest Cumulative Updates (CU) help protect the server from the known threats and malicious attacks. Above, we have explained the process of installing the latest Cumulative Updates. However, if your server is compromised or the database is damaged after a malicious attack or server failure, you can create a new server with the same name, IP address, and configuration, install the Exchange Server with /recover mode, and restore the databases from the backup. If, for any reason, the backup isn't available, you can use a professional Exchange Server recovery software, such as Stellar Repair for Exchange. It can help you to recover mailboxes from databases of your compromised Exchange Server and save them in PSTs. You may also export the extracted mailboxes, archives, public folders, disabled mailboxes, and shared mailboxes from corrupt or damaged Exchange Server database directly to the new Live Exchange Server in a few clicks and with no data loss.