Install Exchange Security Update step by step

The Microsoft Exchange team releases Exchange Server Security Updates (SUs) when vulnerabilities are discovered. You don’t want to wait; patch the Exchange Servers immediately. Keep in mind that the installation can take a while to finish. If you have only one Exchange Server, mail flow will not work during that time. So what is the best procedure to install a Security Update on Exchange Server? In this article, you will learn how to install an Exchange Security Update step by step.

Install Exchange Security Update best practice

Before the Security Update:

  • Check for Windows Updates and install the updates
  • Restart the server
  • Put the server in maintenance mode
  • Temporarily disable any anti-virus software
  • Temporarily disable any backup software
  • Place the server in maintenance mode in the monitoring systems, for example SCOM
  • Use an elevated command prompt to run the Security Update

After the Security Update:

  • Restart the server
  • Check the event logs by filtering for errors and warnings
  • Take the server out of maintenance mode
  • Enable backup software
  • Enable anti-virus
  • Take the server out of maintenance mode in the monitoring systems, for example SCOM

Find Exchange Server version

Before you start to install Exchange Security Updates, go to Control Panel > Programs and Features and check which Exchange Server version is installed.

We have seen that the Exchange Server build version is not always correctly shown in the Programs and Features window. A better way is to find Exchange Server version with PowerShell. Start Exchange Management Shell as administrator and run the command.

[PS] C:\>Get-ExchangeServer | Format-Table Name, Edition, AdminDisplayVersion

Name         Edition AdminDisplayVersion
----         ------- -------------------
EX01-2016 Enterprise Version 15.1 (Build 2176.2)
EX02-2016 Enterprise Version 15.1 (Build 2176.2)

In this example, it’s Exchange Server 2016 CU19.

Download Exchange Server Security Update

It’s good to know that when you download Exchange Server Security Update (SU), it’s not the Exchange Server Cumulative Update (CU). A Security Update is what you will install on top of a Cumulative Update. If the Exchange Server is not up to date with the latest CU, you need to install Exchange Server Cumulative Update first before applying the Security Update.

Microsoft releases Security Updates for the last two Exchange Server CUs. They do not release SUs for every Exchange Server CU, because that is not only too much work for them, but older CUs are not recommended to run once new CUs are released. Always keep your Exchange Server up to date with the latest CU.

Let’s download Exchange Security Update. Go to the Microsoft Security Update Guide for all the Security Updates. Filter on product family Exchange Server. Click on Security Update.

In this example, we will download Exchange Security Update for Exchange Server 2016 CU19.

The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services. It provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.

Download the Exchange Security Update.

Place the Exchange Security Update on the Exchange Server C:\install folder. If you don’t have an install folder, create one.

Put Exchange Server in maintenance mode

Read more in the article Put Exchange Server in maintenance mode.

Log in to the Exchange Server EX01-2016. Run Exchange Management Shell as administrator. Set the Hub Transport service to draining. It will stop accepting any more messages.

[PS] C:\>Set-ServerComponentState -Identity "EX01-2016" -Component HubTransport -State Draining -Requester Maintenance

Redirect any queued messages to EX02-2016. The target Server value has to be the target server’s FQDN. The target server shouldn’t be in maintenance mode.

[PS] C:\>Redirect-Message -Server "EX01-2016" -Target "EX02-2016.exoip.local"

Confirm
Are you sure you want to perform this action?
Redirecting messages to "EX02-2016.exoip.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

If the server is a DAG member, run the following commands. If your server is not a DAG member, skip to the command for setting ServerWideOffline.

Pause the cluster node. Suspend Server EX01-2016 from the DAG.

[PS] C:\>Suspend-ClusterNode "EX01-2016"

Name            ID    State
----            --    -----
EX01-2016       1     Paused

Disable database copy automatic activation. This command will also move any active database copies to other DAG members, assuming there are other healthy DAG members available. This is not instantaneous; it can take several minutes for the moves to occur. We’ll check it in one of the following commands.

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyActivationDisabledAndMoveNow $true

Make a note of the database copy automatic activation policy on the server. You can set it back to this value at the end of maintenance. The default setting is Unrestricted.

[PS] C:\>Get-MailboxServer "EX01-2016" | Select DatabaseCopyAutoActivationPolicy

DatabaseCopyAutoActivationPolicy
--------------------------------
                    Unrestricted

Set it to Blocked to prevent any of the databases from becoming Active.

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyAutoActivationPolicy Blocked

Check for any database copies that are still mounted on the server. It may take a while for the Active databases to move. This command should return no results. If any database copies are still active on the server and other DAG members host copies of the database, perform a manual switchover.

[PS] C:\>Get-MailboxDatabaseCopyStatus -Server "EX01-2016" | Where {$_.Status -eq "Mounted"}

Once the active databases have been moved, check the transport queues. The queues should be empty or almost empty, because we will be disabling all server components. Any emails still pending in the queues will be delayed until the server is taken out of maintenance mode.

[PS] C:\>Get-Queue

Identity             DeliveryType               Status MessageCount Velocity RiskLevel OutboundIPPool NextHopDomain
--------             ------------               ------ ------------ -------- --------- -------------- -------------
EX01-2016\4          SmtpDeliveryToMailbox      Ready  0            0        Normal    0              db2
EX01-2016\8          SmtpDeliveryToMailbox      Ready  0            0        Normal    0              db4
EX01-2016\15         SmartHostConnectorDelivery Ready  0            0        Normal    0              mx1.spambull.com
EX01-2016\20         SmtpDeliveryToMailbox      Ready  0            0        Normal    0              db5
EX01-2016\22         SmartHostConnectorDelivery Ready  0            0        Normal    0              mx2.spambull.com
EX01-2016\Submission Undefined                  Ready  0            0        Normal    0              Submission
EX01-2016\Shadow\3   ShadowRedundancy           Ready  0            0        Normal    0              ex02-2016.exoip.local

Put the Server EX01-2016 into maintenance mode.

[PS] C:\>Set-ServerComponentState "EX01-2016" -Component ServerWideOffline -State Inactive -Requester Maintenance

Check the load balancer

Do you have the Exchange Server configured in a load balancer? Verify that the load balancer health checks have taken the server out of the pool or marked it as offline/inactive. If the load balancer does not do this automatically, manually mark the server as offline/inactive: log in to your load balancer and disable connections to Server EX01-2016 in every virtual service you have. Typically there would be SMTP and HTTPS virtual services. This will stop any new connections to Server EX01-2016.

How to verify Exchange Server is in maintenance mode

Verify that the Exchange Server EX01-2016 has been placed into maintenance mode. All components should show Inactive except for Monitoring and RecoveryActionsEnabled.

[PS] C:\>Get-ServerComponentState "EX01-2016" | Select Component, State

Component                     State
---------                     -----
ServerWideOffline          Inactive
HubTransport               Inactive
FrontendTransport          Inactive
Monitoring                   Active
RecoveryActionsEnabled       Active
AutoDiscoverProxy          Inactive
ActiveSyncProxy            Inactive
EcpProxy                   Inactive
EwsProxy                   Inactive
ImapProxy                  Inactive
OabProxy                   Inactive
OwaProxy                   Inactive
PopProxy                   Inactive
PushNotificationsProxy     Inactive
RpsProxy                   Inactive
RwsProxy                   Inactive
RpcProxy                   Inactive
UMCallRouter               Inactive
XropProxy                  Inactive
HttpProxyAvailabilityGroup Inactive
ForwardSyncDaemon          Inactive
ProvisioningRps            Inactive
MapiProxy                  Inactive
EdgeTransport              Inactive
HighAvailability           Inactive
SharedCache                Inactive
MailboxDeliveryProxy       Inactive
RoutingUpdates             Inactive
RestProxy                  Inactive
DefaultProxy               Inactive
Lsass                      Inactive
RoutingService             Inactive
E4EProxy                   Inactive
CafeLAMv2                  Inactive
LogExportProvider          Inactive
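
The maintenance-mode steps above, as an added example script (not from the original article): it runs the same cmdlets against the assumed names EX01-2016 and EX02-2016.exoip.local, but waits for the database moves and the transport queues instead of re-running the checks by hand, and ends with the component-state verification. It assumes an elevated Exchange Management Shell on the server being patched.

```powershell
# Added example (not from the original article). Assumed names:
# EX01-2016 = server to patch, EX02-2016.exoip.local = redirect target.
$Server    = "EX01-2016"
$Target    = "EX02-2016.exoip.local"
$Requester = "Maintenance"

# 1. Stop accepting new messages and hand queued mail to the other server.
Set-ServerComponentState -Identity $Server -Component HubTransport -State Draining -Requester $Requester
Redirect-Message -Server $Server -Target $Target -Confirm:$false

# 2. DAG-only steps: pause the cluster node, move active copies away, block activation.
$IsDagMember = $null -ne (Get-MailboxServer $Server).DatabaseAvailabilityGroup
if ($IsDagMember) {
    Suspend-ClusterNode -Name $Server | Out-Null
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true

    # Note the previous policy so it can be restored after the update (default: Unrestricted).
    $PreviousPolicy = (Get-MailboxServer $Server).DatabaseCopyAutoActivationPolicy
    Write-Host "Previous DatabaseCopyAutoActivationPolicy: $PreviousPolicy"
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked

    # Wait (up to 10 minutes) until no database copy is still mounted on this server.
    $Deadline = (Get-Date).AddMinutes(10)
    do {
        $Mounted = Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object { $_.Status -eq "Mounted" }
        if ($Mounted) { Start-Sleep -Seconds 15 }
    } while ($Mounted -and (Get-Date) -lt $Deadline)
    if ($Mounted) {
        # The move did not happen on its own: stop here and let the admin switch over manually.
        throw "Still mounted on ${Server}: $($Mounted.Name -join ', '). Perform a manual switchover."
    }
}

# 3. Wait for the delivery queues to drain before taking the server offline
#    (the Submission and Shadow queues are not delivery queues and are ignored).
$Deadline = (Get-Date).AddMinutes(10)
do {
    $Pending = Get-Queue -Server $Server | Where-Object {
        $_.DeliveryType -ne "ShadowRedundancy" -and
        $_.Identity -notlike "*\Submission" -and
        $_.MessageCount -gt 0
    }
    if ($Pending) { Start-Sleep -Seconds 15 }
} while ($Pending -and (Get-Date) -lt $Deadline)
if ($Pending) { Write-Warning "Queues on $Server are not empty; delivery is delayed until maintenance ends." }

# 4. Take every component offline.
Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester $Requester

# 5. Verify: everything except Monitoring and RecoveryActionsEnabled must be Inactive.
$StillActive = Get-ServerComponentState $Server | Where-Object {
    $_.State -eq "Active" -and $_.Component -notin @("Monitoring", "RecoveryActionsEnabled")
}
if ($StillActive) {
    Write-Warning "Components still active on ${Server}: $($StillActive.Component -join ', ')"
} else {
    Write-Host "$Server is in maintenance mode."
}
```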

Install Exchange Server Security Update

Run Command Prompt as administrator on the Exchange Server and browse to the C:\install path. After that, type in the file name and press Enter.

Important: Install the Exchange Security Update through Command Prompt with administrator privileges.

If a security warning shows up, click on Open.

Wait for the setup to compute space requirements.

Click on Next.

Accept the License Terms and click on Next.

The Security Update installation for Exchange Server will:

  • Stop the services
  • Copy the files
  • Create backup files
  • Install the files
  • Start the services
  • Remove backup files

One more screen appears as the Exchange Security Update installation proceeds.

Exchange Security update finished. Click Finish.

Click Yes to restart the Exchange Server.

You might not get a reboot message shown. Always reboot the Exchange Server after a Security Update.
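
The pre-flight checks a practitioner wants before launching the Security Update, as an added example (not from the original article): it refuses to run without elevation, checks that the downloaded package carries a valid Microsoft Authenticode signature, confirms the server is already offline, and then installs the package through msiexec so that a verbose log is kept. It assumes an elevated Exchange Management Shell on the server and that the downloaded .msp is the only one in C:\install.

```powershell
# Added example (not from the original article). Assumption: the SU .msp sits alone in C:\install.
$InstallFolder = "C:\install"
$LogFile       = Join-Path $InstallFolder "ExchangeSU-install.log"

# 1. The article insists on administrator privileges: refuse to continue without them.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) Exchange Management Shell."
}

# 2. Exactly one .msp must be present; an old SU left in the folder is easy to run by mistake.
$Packages = @(Get-ChildItem -Path $InstallFolder -Filter "*.msp" -File)
if ($Packages.Count -ne 1) {
    throw "Expected one .msp in $InstallFolder, found $($Packages.Count)."
}
$Package = $Packages[0]

# 3. The package must be signed by Microsoft with a valid chain; a tampered or
#    corrupted download stops here instead of being installed on the mail server.
$Signature = Get-AuthenticodeSignature -FilePath $Package.FullName
if ($Signature.Status -ne "Valid") {
    throw "Signature check failed for $($Package.Name): $($Signature.Status) - $($Signature.StatusMessage)"
}
if ($Signature.SignerCertificate.Subject -notmatch "CN=Microsoft Corporation") {
    throw "Unexpected signer for $($Package.Name): $($Signature.SignerCertificate.Subject)"
}

# 4. Do not patch a server that is still serving clients (maintenance mode step above).
$Swo = Get-ServerComponentState -Identity $env:COMPUTERNAME -Component ServerWideOffline
if ($Swo.State -ne "Inactive") {
    throw "ServerWideOffline is $($Swo.State); put the server in maintenance mode first."
}

# 5. Install through msiexec so that a verbose log is written, and wait for it to finish.
#    msiexec exit code 0 = success, 3010 = success but a reboot is required
#    (the article reboots after every SU regardless).
$MsiArgs = "/update `"$($Package.FullName)`" /l*v `"$LogFile`""
$Proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $MsiArgs -Wait -PassThru
if ($Proc.ExitCode -notin @(0, 3010)) {
    throw "Security Update failed with exit code $($Proc.ExitCode); see $LogFile"
}
Write-Host "Security Update installed (exit code $($Proc.ExitCode)). Reboot the server now."
```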

Testing

Check the event logs by filtering for errors and warnings. If there are errors, make sure to troubleshoot and fix them.

Take Exchange Server out of maintenance mode

Read more in the article Take Exchange Server out of maintenance mode.

After the update, we want to make the Exchange Server EX01-2016 active again. Run Exchange Management Shell as administrator.

You can now remove the server from maintenance mode. Note: If the server is not a DAG member, only the first and last commands are necessary. If the server is a DAG member, you need to run all the commands. Use the database copy auto-activation policy value that was set on the server. The default is Unrestricted.

[PS] C:\>Set-ServerComponentState "EX01-2016" -Component ServerWideOffline -State Active -Requester Maintenance

[PS] C:\>Resume-ClusterNode -Name "EX01-2016"

Name             ID    State
----             --    -----
EX01-2016        1     Up

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyAutoActivationPolicy Unrestricted

[PS] C:\>Set-MailboxServer "EX01-2016" -DatabaseCopyActivationDisabledAndMoveNow $false

[PS] C:\>Set-ServerComponentState "EX01-2016" -Component HubTransport -State Active -Requester Maintenance

Rebalance Database Availability Groups

Read more in the article Balance mailbox databases in Exchange DAG.

Throughout the update process, the database copies will move between DAG members. Return your active database copies to their most preferred DAG member. Use the PowerShell script supplied by Microsoft.

[PS] C:\>cd $exscripts
 
[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts\>.\RedistributeActiveDatabases.ps1 -DagName "DAG01-2016" -BalanceDbsByActivationPreference -SkipMoveSuppressionChecks

Verify out of maintenance mode

Verify that the Exchange Server EX01 is back up and running. Run the following commands.

The cluster node needs to have the state up.

[PS] C:\>Get-ClusterNode "EX01-2016"

Name              ID    State
----              --    -----
EX01-2016         1     Up

Check that the cluster node has the state up on all the Exchange Servers.

[PS] C:\>Get-ClusterNode

Check that all the required services are running.

[PS] C:\>Test-ServiceHealth "EX01-2016"


Role                    : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS, MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
                          MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC, MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning      : {}

Role                    : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost, MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {}

Check that the required services are running on all the Exchange Servers.

[PS] C:\>Get-ExchangeServer | Test-ServiceHealth

Test the MAPI Connectivity.

[PS] C:\>Test-MAPIConnectivity -Server "EX01-2016"

MailboxServer           Database           Result    Error
-------------           --------           ------    -----
EX01-2016               DB1                Success
EX01-2016               DB2                Success
EX01-2016               DB3                Success
EX01-2016               DB4                Success
EX01-2016               DB5                Success

Test the MAPI Connectivity on all the Exchange Servers.

[PS] C:\>Get-ExchangeServer | Test-MAPIConnectivity

Get the result of the DAG Copy Status Health.

[PS] C:\>Get-MailboxDatabaseCopyStatus -Server "EX01-2016" | Sort Name | Select Name, Status, Contentindexstate

Name           Status  ContentIndexState
----           ------  -----------------
DB1\EX01-2016 Mounted            Healthy
DB2\EX02-2016 Mounted            Healthy
DB3\EX01-2016 Mounted            Healthy
DB4\EX02-2016 Mounted            Healthy
DB5\EX01-2016 Mounted            Healthy

Get the result of the DAG Copy Status Health on all the Exchange Servers.

[PS] C:\>Get-MailboxDatabaseCopyStatus * | Sort Name | Select Name, Status, Contentindexstate

Check the Replication Health.

[PS] C:\>Test-ReplicationHealth -Server "EX01-2016"

Server          Check                      Result     Error
------          -----                      ------     -----
EX01-2016       ClusterService             Passed
EX01-2016       ReplayService              Passed
EX01-2016       ActiveManager              Passed
EX01-2016       TasksRpcListener           Passed
EX01-2016       TcpListener                Passed
EX01-2016       ServerLocatorService       Passed
EX01-2016       DagMembersUp               Passed
EX01-2016       MonitoringService          Passed
EX01-2016       ClusterNetwork             Passed
EX01-2016       QuorumGroup                Passed
EX01-2016       FileShareQuorum            Passed
EX01-2016       DatabaseRedundancy         Passed
EX01-2016       DatabaseAvailability       Passed
EX01-2016       DBCopySuspended            Passed
EX01-2016       DBCopyFailed               Passed
EX01-2016       DBInitializing             Passed
EX01-2016       DBDisconnected             Passed
EX01-2016       DBLogCopyKeepingUp         Passed
EX01-2016       DBLogReplayKeepingUp       Passed

Check the Replication Health on all the Exchange Servers.

[PS] C:\>Get-DatabaseAvailabilityGroup | Select -ExpandProperty:Servers | Test-ReplicationHealth | Sort Name

Verify the Database Activation Policy is set to Unrestricted.

[PS] C:\>Get-MailboxServer "EX01-2016" | Select Name, DatabaseCopyAutoActivationPolicy

Name         DatabaseCopyAutoActivationPolicy
----         --------------------------------
EX01                             Unrestricted

Verify the Database Activation Policy is set to Unrestricted on all the Exchange Servers.

[PS] C:\>Get-MailboxServer | Select Name, DatabaseCopyAutoActivationPolicy
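
The verification commands above run one at a time and print long tables. As an added example (not from the original article), this script runs the same checks against every Exchange Server in the organization and reports only the findings. It assumes an elevated Exchange Management Shell on a DAG member; the components ForwardSyncDaemon and ProvisioningRps are skipped because they are Inactive by default on on-premises Exchange.

```powershell
# Added example (not from the original article): post-update checks for all servers, failures only.
$Failures = New-Object System.Collections.Generic.List[string]
$IgnoredComponents = @("ForwardSyncDaemon", "ProvisioningRps")   # Inactive by default on-premises

$Servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match "Mailbox" }
foreach ($Srv in $Servers) {
    $Name = $Srv.Name
    $Mbx  = Get-MailboxServer $Name

    if ($Mbx.DatabaseAvailabilityGroup) {
        # Cluster node must be Up in the DAG's cluster.
        $Node = Get-ClusterNode -Name $Name -Cluster $Mbx.DatabaseAvailabilityGroup.Name -ErrorAction SilentlyContinue
        if (-not $Node -or $Node.State -ne "Up") { $Failures.Add("$Name cluster node state: $($Node.State)") }

        # Every replication check must be Passed.
        Test-ReplicationHealth -Server $Name | Where-Object { $_.Result -ne "Passed" } |
            ForEach-Object { $Failures.Add("$Name replication check $($_.Check): $($_.Result) $($_.Error)") }

        # Activation settings must be back to their pre-maintenance values.
        if ($Mbx.DatabaseCopyAutoActivationPolicy -ne "Unrestricted") {
            $Failures.Add("$Name DatabaseCopyAutoActivationPolicy is $($Mbx.DatabaseCopyAutoActivationPolicy)")
        }
        if ($Mbx.DatabaseCopyActivationDisabledAndMoveNow) {
            $Failures.Add("$Name DatabaseCopyActivationDisabledAndMoveNow is still True")
        }
    }

    # Required services per role.
    Test-ServiceHealth -Server $Name | Where-Object { -not $_.RequiredServicesRunning } |
        ForEach-Object { $Failures.Add("$Name $($_.Role): not running $($_.ServicesNotRunning -join ', ')") }

    # MAPI connectivity to every database on the server.
    Test-MAPIConnectivity -Server $Name | Where-Object { $_.Result -ne "Success" } |
        ForEach-Object { $Failures.Add("$Name MAPI to $($_.Database): $($_.Result) $($_.Error)") }

    # Copy status and content index of every copy hosted on this server.
    Get-MailboxDatabaseCopyStatus -Server $Name |
        Where-Object { $_.Status -notin @("Mounted", "Healthy") -or $_.ContentIndexState -ne "Healthy" } |
        ForEach-Object { $Failures.Add("$Name copy $($_.Name): $($_.Status) / index $($_.ContentIndexState)") }

    # Every component (except the two ignored ones) must be Active again.
    Get-ServerComponentState -Identity $Name |
        Where-Object { $_.State -ne "Active" -and $_.Component -notin $IgnoredComponents } |
        ForEach-Object { $Failures.Add("$Name component $($_.Component) is $($_.State)") }
}

if ($Failures.Count -eq 0) {
    Write-Host "All Exchange Servers passed the post-update checks." -ForegroundColor Green
} else {
    Write-Warning "$($Failures.Count) finding(s):"
    $Failures | ForEach-Object { Write-Warning $_ }
}
```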

Load balancer

Do you have the Exchange Server configured in a load balancer? Verify that the load balancer health checks have put the server back in the pool or marked it as online/active. If the load balancer does not do this automatically, manually mark the server as online/active: log in to your load balancer and enable connections to Server EX01-2016 in every virtual service you have. Typically there would be SMTP and HTTPS virtual services. This will allow connections to Server EX01-2016 again.

Verify Exchange Security Update installation

Go to Control Panel > Programs and Features. In the program list, the Exchange Server Cumulative Update entry has not changed. That’s because it’s a Security Update and not a Cumulative Update.

Click on View installed updates.

Verify that the Security Update for Exchange Server is in the list. In this example, it’s Security Update for Exchange Server 2016 Cumulative Update 19 (KB5001779).

The Exchange Server Security Update is installed successfully.

What’s next?

Do you have more than one Exchange Server running in the organization? Do the same steps on all the Exchange Servers. It can be the:

  • Exchange Mailbox server
  • Exchange Edge server
  • Exchange Hybrid server

Check that Exchange Server is up to date

Read more in the article Microsoft Exchange Server vulnerability check.

How do you verify that all the Exchange Servers in the organization are up to date? Run the Exchange Health Checker script (make sure you download the latest version from GitHub).

Download and place the HealthChecker.ps1 PowerShell script on the Exchange Server C:\scripts folder. If you don’t have a scripts folder, create one. Make sure to check if the file is unblocked to prevent any errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Create Exchange Servers report

Run Exchange Management Shell as administrator. Change the path to the scripts folder.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>

Verify the signature before running the script with the Get-AuthenticodeSignature cmdlet.

[PS] C:\scripts>Get-AuthenticodeSignature -FilePath ".\HealthChecker.ps1" | ft -AutoSize


    Directory: C:\scripts


SignerCertificate                        Status Path
-----------------                        ------ ----
ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B Valid  HealthChecker.ps1

Run the cmdlet to create a report for all Exchange Servers. It will build the HTML report and open it automatically.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

If the report does not open automatically, you can find the report in the C:\scripts folder.

Check Exchange Servers report for vulnerabilities

The HTML report will look like the screenshot below. All looks great because the environment has two Exchange Servers with the mailbox role. Both are on Exchange 2016 CU19 and patched. The column Security Vulnerabilities shows None for both Exchange Servers.

If you’re not up to date or not patched, it will show you that you’re vulnerable. Do you see red or yellow warnings in the Exchange Server report? Look into it and fix it!

Conclusion

In this article, you learned how to install Exchange Security Updates step by step. It’s important to keep the Exchange Servers up to date, because that makes pushing the Security Updates simpler. When new security patches roll out, you don’t have to update to the latest CU first and then patch, which takes much more time than patching immediately because you are already on the latest CU.

Did you enjoy this article? You may also like Restart Exchange services with PowerShell script. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 7 Comments

  1. Hi, thank you all for sharing this information, I appreciate that.
    After following all update installation steps, it seems the OWA is blocked when connecting from the internet.

  2. I’ve been unable to find a definitive answer on this. If there was an issue installing an Exchange Security update (NOT a CU, but a monthly Exchange security update), such as the server crashing during the update or forgetting to disable AV and it messes with the update, can you uninstall an Exchange Security update, and then try to re-install it? Or are Security updates similar to CUs where uninstalling it will actually uninstall Exchange?

    1. Yes, you can uninstall the Exchange Security Update. The Exchange Server will remain in place.

      I recommend rerunning the Security Update from Command Prompt (high privileges) instead of uninstalling and installing it again. It takes less time. But, as I said earlier, you can uninstall it. Don’t forget to reboot after each task.

      Also, I have seen that Exchange OWA/ECP sometimes will not work after a Security Update install/uninstall/reinstall. When that happens, run the RestartExchangeServices.ps1 PowerShell script to get that fixed. I did write about the script in the article Restart Exchange Services with PowerShell script.

  3. Hi Ali,

    Thanks for this article, but after I applied the April 2021 patch, there are so many component states that become inactive.

  4. Thanks for the tip on the temporarily stopping antivirus and backups. I normally do all of your steps except those two, and can see where there would be value in doing that.
    I do run a couple of your steps in a different order though:

    I temporarily disable monitoring first so that a reboot after windows updates doesn’t trigger an alert for others in the IT department.

    I put the server in maintenance mode before the Windows update reboot so that my databases don’t “failover” to another DAG node, and can be “switched” over automatically shortly after running the commands to put the server in maintenance mode.
