skip to Main Content

January 2022 Exchange Server Security Updates

Microsoft released several Security Updates (SUs) for Microsoft Exchange Server to address vulnerabilities. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect the environment.

Note: These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

Exchange Server Security Updates

Microsoft has released Security Updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These Security Updates are available for the following specific versions of Exchange:

Read more on how to Install Exchange Security Update.

If you are not at these Exchange Server CU versions, please update right now and apply the above patch.

Read more on how to Install Exchange Cumulative Update.

Vulnerabilities addressed in the January 2022 Security Updates were responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.


The last SU that we installed is (a few months old). Do we need to install all SUs in order, to install the latest one?
The Exchange Server Security Updates are cumulative. If you are running the CU that the SU can be installed on, you do not need to install all the SUs in sequential order but can install the latest SU only.

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the January 2022 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on “Exchange Management Tools only” workstations?
Install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.

Further information



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 6 Comments

  1. Hi Ali, thanks for good info. I really enjoy reading various post from your site.
    I do have one question, I’ve sort of “draw the longest stick” of managing a small Exchange 2016 setup at the office. Three servers in DAG pool. Got about 2500-3000 users (all on-prem). I finally got installed CU21, so we’re officially in a supported “prod” version. My next steps are to start pushing the Security Updates that has not been coming as our CU was to low of version… I tried to find info around this, but are the “Security Updates” also cumulative, or do I need to patch then version by version (oldest toward latest).
    This info was a problem with the “other” patches that has this in the name “Cumulative Update v21 or v22 etc) but I’m unsure about the SU.
    Thanks again. Sneaky_Pete

    1. The latest CU for Exchange Server 2016 is CU22 and not CU21. So you better upgrade to CU22.

      You should only install the latest SU for your CU.

      For example, Exchange Server 2016 CU22 is, at the moment, the latest version. There are three SUs released for that version:

      – Exchange Server 2016 Jan22SU
      – Exchange Server 2016 Nov21SU
      – Exchange Server 2016 Oct21SU

      You only have to install the latest SU (Jan22SU) on Exchange Server 2016 CU22.

      More information: Microsoft Exchange Server vulnerability check.

      Glad that you enjoy the posts!

      1. Hi Ali, thanks for your info. Good to know that the SU are also “cumulative”. One more question, do I need to place the node to be patched with SU in maintanence mode first, patch, restart server, take MM off?
        I’m patching from WSUS, so no need to play around with “command promt in admin mode” etc…

        Thanks again Ali, keep up the good work.

Leave a Reply

Your email address will not be published. Required fields are marked *