Exchange – The latest cumulative update for Exchange 2016 and Exchange 2019 is available and introduces new prerequisites

If you are still managing an on-premises Exchange environment, you know you have to keep up with the cumulative updates to keep your environment secure and supported.

Well, the latest Exchange cumulative updates for Exchange 2016 and Exchange 2019 (Exchange 2016 CU 22 and Exchange 2019 CU 11) are now available, and they are not the usual cumulative updates: they introduce a new security capability, new prerequisites and changes to the command line deployment parameters.

First stop, this CU now requires the IIS URL Rewrite module to be installed (available for download here: http://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi).

The URL Rewrite module is required because of the new Exchange Server Emergency Mitigation (EM).

The new Exchange Server Emergency Mitigation is a built-in version of the Exchange On-Premises Mitigation Tool (EOMT, released earlier in March; see One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 – Microsoft Security Response Center). It communicates with the Office Config Service (OCS) at https://officeclient.microsoft.com/getexchangemitigations to provide protection against known Exchange threats. This means your Exchange servers need to have internet connectivity to that endpoint.

The service (Microsoft Exchange Emergency Mitigation Service – MSExchangeMitigation) checks hourly for new known threats; when a new threat is detected, identified and fixed, the service is notified and automatically applies the pre-configured mitigation settings.

The use of EM is optional, but it is always installed; you can turn it off after the installation using the following commands:

  • If you want to disable it at the organization level. With this parameter, mitigations will not be automatically applied regardless of the setting at the server level

Set-OrganizationConfig -MitigationsEnabled $false

  • If you want to disable it at the server level. With this parameter, mitigations will not be automatically applied on that server even if the organization level setting is $true

Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $false

The EM service will create a new virtual directory (PushNotifications) below the Exchange Back End site in IIS.


You can use the new PowerShell script – Get-Mitigations.ps1 – to get the list of available mitigations.
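To verify the state of the EM feature after the upgrade (prerequisite, organization and server switches, service, virtual directory and OCS reachability), here is an added check script that is not part of the original post or of Microsoft's tooling. It assumes it runs in the Exchange Management Shell on the Exchange server itself, that the WebAdministration module is available, and that the URL Rewrite module registers itself under the registry key shown (an assumption; adjust if your installation differs).

```powershell
# Added example (not from the original post): report the Exchange Emergency
# Mitigation (EM) state after installing Exchange 2016 CU22 / Exchange 2019 CU11.
param(
    [string]$ServerName = $env:COMPUTERNAME
)

# 1. Organization-level switch: $false here disables EM for every server.
$org = Get-OrganizationConfig
"Organization MitigationsEnabled : $($org.MitigationsEnabled)"

# 2. Server-level switch: only relevant when the organization-level switch is $true.
$srv = Get-ExchangeServer -Identity $ServerName
"Server MitigationsEnabled       : $($srv.MitigationsEnabled)"

# Effective state: the organization switch overrides the server switch.
$effective = [bool]$org.MitigationsEnabled -and [bool]$srv.MitigationsEnabled
"EM effectively active           : $effective"

# 3. The Windows service that polls the Office Config Service hourly.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
"MSExchangeMitigation service    : $(if ($svc) { $svc.Status } else { 'not installed' })"

# 4. New prerequisite: the IIS URL Rewrite module (registry location is an assumption).
$rewriteKey = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'
$rewrite = Get-ItemProperty -Path $rewriteKey -ErrorAction SilentlyContinue
"IIS URL Rewrite module          : $(if ($rewrite) { "version $($rewrite.Version)" } else { 'MISSING' })"

# 5. The PushNotifications virtual directory EM creates under the Exchange Back End site.
#    Checked as a virtual directory first, then as a web application, since the post
#    does not state which kind of IIS node the service creates.
Import-Module WebAdministration -ErrorAction SilentlyContinue
$vdir = Get-WebVirtualDirectory -Site 'Exchange Back End' -Name 'PushNotifications' -ErrorAction SilentlyContinue
if (-not $vdir) {
    $vdir = Get-WebApplication -Site 'Exchange Back End' -Name 'PushNotifications' -ErrorAction SilentlyContinue
}
"PushNotifications in IIS        : $(if ($vdir) { 'present' } else { 'not found' })"

# 6. EM needs outbound HTTPS to the Office Config Service endpoint.
$net = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -WarningAction SilentlyContinue
"OCS reachable on TCP 443        : $(if ($net.TcpTestSucceeded) { 'OK' } else { 'BLOCKED' })"
```

A "BLOCKED" result on the last line means the service is installed but cannot fetch mitigations, so the feature silently provides no protection until outbound HTTPS to that host is allowed.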

Finally, the last important change for you with this CU is that the command line parameters have changed.

If you install your CU using the command line, you now need to use /IAcceptExchangeServerLicenseTerms_DiagnosticDataON or /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF instead of /IAcceptExchangeServerLicenseTerms.