We are currently upgrading our Exchange 2016 servers to CU14 Exchange 2016 and have started installing CU14 on servers that host only relayed copies.
CU14 Exchange 2016 is a bridge CU. It is compatible with .NET 4.7.2 and with .NET 4.8 as well. You can upgrade from .NET 4.7.2 to .NET 4.8 after you have CU14 Exchange 2016 in place.
The patch is classified as important and should be installed after CU14 has been installed.
You can read more about the mentioned vulnerability and download the patch from Microsoft here.
Tasks before installing CU14 Exchange 2016:
- Back up your web.config files where you have modified parameters or added new keys.
In our experience, still only the web.config file in the OWA directory carries over parameters and keys you have modified before. To be safe, I recommend backing up every web.config file you have ever touched or modified, so you can easily reapply the changes you have made.
- Disable Check for publisher’s certificate revocation in IE.
- Make sure you have enough free space on the install drive.
From the 2010 and 2013 days I noticed a recommendation for at least 10 GB of free space.
- Take a look at the supportability matrix if you plan to upgrade to .NET 4.8
- Check Auth methods on service directories like Powershell, OWA, and ECP and note the output.
- Switch mailbox databases and put the server in maintenance mode.
Order of install:
- Install the regular Windows patches (if necessary)
- Install CU14 Exchange 2016
- Install patch KB4536987 for Exchange Server 2016 CU14 from an elevated Command Prompt
The CU installation itself took between 2 and 3 hours on the servers in our environment.
Experiences after CU14 Exchange 2016 has been installed:
- We had MailTips disabled. MailTips were enabled afterward.
- To be sure, we checked the authentication methods on the virtual directories again and validated them against the output we had noted before. All fine.
- The web.config files in the following directories have been overwritten. Changes needed to be reapplied.
ActiveSync [we have an increased attachment size]:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync
ECP [we have additional keys in place]:
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews
Anyway, I always check the OWA web.config as well:
OWA [we have additional keys in place]:
C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa
- Virtual directories for additional OWA and ECP needed to be recreated.
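The pre-install tasks (web.config backup, noting the authentication methods) and the post-install validation described above can be scripted. The following is an added example, not part of the original post: the script name `Snapshot-ExchangeConfig.ps1` and the snapshot folder `D:\CU14-Snapshot` are assumptions, and it expects to run in the Exchange Management Shell on the server being upgraded.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell:
#   .\Snapshot-ExchangeConfig.ps1 -Phase Before   (before installing the CU)
#   .\Snapshot-ExchangeConfig.ps1 -Phase After    (after CU and patch are installed)
param(
    [ValidateSet('Before', 'After')][string]$Phase = 'Before',
    [string]$SnapshotRoot = 'D:\CU14-Snapshot',     # assumed backup location
    [string]$Server = $env:COMPUTERNAME
)

$v15 = 'C:\Program Files\Microsoft\Exchange Server\V15'
# web.config directories named in the post
$configDirs = 'FrontEnd\HttpProxy\sync', 'ClientAccess\sync',
              'ClientAccess\exchweb\ews', 'ClientAccess\Owa'

function Get-AuthSnapshot {
    # One flat row per virtual directory so the result survives a CSV round trip
    $vdirs  = @(Get-OwaVirtualDirectory -Server $Server)
    $vdirs += @(Get-EcpVirtualDirectory -Server $Server)
    $vdirs += @(Get-PowerShellVirtualDirectory -Server $Server)
    foreach ($v in $vdirs) {
        [pscustomobject]@{
            Identity = [string]$v.Identity
            Internal = ($v.InternalAuthenticationMethods | Sort-Object) -join ','
            External = ($v.ExternalAuthenticationMethods | Sort-Object) -join ','
        }
    }
}

if ($Phase -eq 'Before') {
    New-Item -ItemType Directory -Path $SnapshotRoot -Force | Out-Null
    Get-AuthSnapshot | Export-Csv (Join-Path $SnapshotRoot 'auth.csv') -NoTypeInformation
    foreach ($dir in $configDirs) {
        $dest = Join-Path $SnapshotRoot $dir
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item (Join-Path $v15 "$dir\web.config") $dest -ErrorAction Stop
    }
} else {
    # Rows marked '<=' are the saved state, '=>' the current state; no output means no drift
    $saved = @(Import-Csv (Join-Path $SnapshotRoot 'auth.csv'))
    Compare-Object $saved @(Get-AuthSnapshot) -Property Identity, Internal, External
    foreach ($dir in $configDirs) {
        $old = Get-FileHash (Join-Path $SnapshotRoot "$dir\web.config") -Algorithm SHA256
        $new = Get-FileHash (Join-Path $v15 "$dir\web.config") -Algorithm SHA256
        if ($old.Hash -ne $new.Hash) {
            Write-Warning "web.config differs from backup, review and reapply changes: $dir"
        }
    }
}
```

A hash mismatch only says the file changed during the upgrade; diff it against the backed-up copy to see which custom keys need to be reapplied.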
Experiences with vulnerability patch KB4536987:
The following command displayed the cause:
The Microsoft Exchange Search Host Controller Service is not running on server Servername
After restarting the Microsoft Exchange Search Host Controller Service the ContentIndexState went back to AutoSuspend.
It took about 45 – 60 minutes to install the patch.
The following subreddit gave me a hint. Thx! No problems appeared on servers where the patch has been installed through an elevated Command Prompt.
Start the patch from an elevated Command Prompt.
After installing KB4536987 on the last of our servers, one of the mailbox database copies switched to failed and suspended and could not be resumed. A reseed failed with:
The cause was once again the Microsoft Exchange Search Host Controller Service. We installed KB4536987 through an elevated command prompt. The service was in a running state after the patch had been installed. So we restarted the service. After that, we were able to reseed the copy.
A general description of how to install a Cumulative Update on Exchange 2016 can be found here:
Install CU Exchange 2016