Exchange Cumulative Update
Install Exchange Security Update
Another month, another Exchange Cumulative Update. The Microsoft Exchange team releases Exchange Server Security Updates (SUs) when vulnerabilities are discovered.
Keep in mind that the update can take time to finish. If you have only one Exchange Server, mail flow will not work while the update is being applied. The following guide shows how to update Exchange in a DAG, but it can also be followed for a single server by skipping the DAG-specific steps.

Please Note
After you upgrade Exchange to a newer CU, you can't uninstall the new version to revert to the previous version. Uninstalling the new version completely removes Exchange from the server.
Any customized Exchange or Internet Information Services (IIS) settings you made in Exchange XML application configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will be overwritten when you install an Exchange CU. Save this information so you can re-apply the settings after the install.
Install Exchange Security Update best practice
Before the Security Update
- Schedule the patching so that the passive node is patched first and the primary node several days later.
- Check the steps to update your Exchange to the latest available cumulative and security updates with the Microsoft Exchange Update Planner tool, as it may add or remove steps in the guide below.
- Ensure any additional software required for the CU is available; for this example of installing CU22, the IIS URL Rewrite Module must be installed.
- Verify that you have confirmed, working backups of your Active Directory.
- Verify that you have confirmed, working backups of your Exchange servers and databases.
- Document any customizations to your Exchange server that will need to be re-applied, such as custom OWA login pages, web.config changes, registry changes, or third-party add-ons.
- Save all customized Exchange and IIS settings, as they may be overwritten by the upgrade. This includes anything you did not modify with PowerShell, such as custom registry entries and OWA customizations.
- Verify that the PowerShell execution policy is set to Unrestricted as per KB981474.
- Place the server in maintenance mode in the monitoring systems.
- Add yourself to the Organization Management group in AD to allow patching and running of Exchange cmdlets as applicable.
- If a schema or domain upgrade is required, add yourself to the Enterprise Admins and Schema Admins groups in AD; otherwise the schema and domain preparation will fail.
- Check for Windows Updates and install them as applicable.
- Restart the server.
- Put the server in maintenance mode.
- Temporarily disable any anti-virus and backup software (avoid this where possible).
- Use an elevated command prompt to run the SU.
After the Security Update
- Restart the server.
- Check the event logs, filtering for errors and warnings.
- Take the server out of maintenance mode.
- Enable backup software (if disabled above).
- Enable anti-virus (if disabled above).
- Remove the server from maintenance mode in the monitoring systems, for example SCOM.
Find Exchange Server version
First, find out the current Exchange version installed on both servers in the DAG: browse to Control Panel > Programs and Features and check which Exchange Server version is installed.

- Check that the build version matches via the shell. Start the Exchange Management Shell as administrator and run the following command:
Get-ExchangeServer | Format-Table Name, Edition, AdminDisplayVersion
Name Edition AdminDisplayVersion
---- ------- -------------------
EXCHANGE01 Coexistence Version 15.1 (Build 2242.4)
EXCHANGE02 Coexistence Version 15.1 (Build 2242.4)
- Verify the current build number against the Exchange Server 2016 build numbers and general release versions list. In this example, it is Exchange Server 2016 CU20 base.
- Download the Exchange Security Update from the Microsoft Security Update Guide.
- Filter all Security Updates on the product family Exchange Server and locate the latest Security Update for Exchange 2016.
- In this example, we will download the Exchange Security Update for Exchange Server 2016 CU22.
- Place the Exchange Security Update in the C:\install\exchange folder on both servers. If you don't have an install folder, create one.
Backup Exchange Customizations
Back up the files below manually to a location not affected by the CU, as the CU overwrites all settings made in them. Additional files may also be required.
| File Use | Files / Folder location |
| --- | --- |
| ActiveSync | %ExchangeInstallPath%FrontEnd\HttpProxy\Sync\web.config; %ExchangeInstallPath%ClientAccess\Sync\web.config |
| EWS | %ExchangeInstallPath%FrontEnd\HttpProxy\ews\web.config; %ExchangeInstallPath%ClientAccess\exchweb\ews\web.config |
| OWA | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\web.config; %ExchangeInstallPath%ClientAccess\Owa\web.config |
| Other Files | %ExchangeInstallPath%Bin\MsExchangeMailboxReplication.exe.config; %ExchangeInstallPath%Bin\Microsoft.Exchange.Notifications.Broker.exe.config; %ExchangeInstallPath%Bin\MSExchangeHMRecovery.exe.config; %ExchangeInstallPath%Bin\MSExchangeMailboxAssistants.exe.config.template; %ExchangeInstallPath%Bin\MSExchangeHMWorker.exe.config; %ExchangeInstallPath%Bin\EdgeTransport.exe.config; %ExchangeInstallPath%Bin\Microsoft.Exchange.AddressBook.Service.dll.config |
| Backup Folder | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\Current\themes\resources; %ExchangeInstallPath%ClientAccess\Owa\prem\Current\resources\styles |
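The following script is an added example, not part of the original guide: it copies the files and folders from the table above to a location outside the Exchange install path and records a SHA-256 manifest, so that the files the CU replaces can be identified afterwards. It assumes the ExchangeInstallPath environment variable is set (it is on any Exchange server); D:\ExchangeBackup is a constructed destination, change it to suit.

```powershell
# Added example (not from the original guide). Backs up the customised Exchange
# config files listed in the table above and writes a hash manifest beside them.
$relativeFiles = @(
    'FrontEnd\HttpProxy\Sync\web.config',
    'ClientAccess\Sync\web.config',
    'FrontEnd\HttpProxy\ews\web.config',
    'ClientAccess\exchweb\ews\web.config',
    'FrontEnd\HttpProxy\owa\web.config',
    'ClientAccess\Owa\web.config',
    'Bin\MsExchangeMailboxReplication.exe.config',
    'Bin\Microsoft.Exchange.Notifications.Broker.exe.config',
    'Bin\MSExchangeHMRecovery.exe.config',
    'Bin\MSExchangeMailboxAssistants.exe.config.template',
    'Bin\MSExchangeHMWorker.exe.config',
    'Bin\EdgeTransport.exe.config',
    'Bin\Microsoft.Exchange.AddressBook.Service.dll.config'
)
$relativeFolders = @(
    'FrontEnd\HttpProxy\owa\auth\Current\themes\resources',
    'ClientAccess\Owa\prem\Current\resources\styles'
)

function Backup-ExchangeCustomizations {
    param([string]$Destination = 'D:\ExchangeBackup')   # constructed path; must be outside the install path
    $root = $env:ExchangeInstallPath
    if (-not $root) { throw 'ExchangeInstallPath is not set; run this on an Exchange server.' }
    $dest = Join-Path $Destination ('{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    $manifest = foreach ($rel in $relativeFiles) {
        $src = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Missing, skipped: $src"; continue }
        $copy = Join-Path $dest $rel
        New-Item -ItemType Directory -Path (Split-Path $copy -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $copy -Force
        # The relative path lets a later compare step locate the backup copy.
        [pscustomobject]@{
            Path     = $src
            Relative = $rel
            Hash     = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
        }
    }
    foreach ($rel in $relativeFolders) {
        $src = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Missing, skipped: $src"; continue }
        $copy = Join-Path $dest $rel
        New-Item -ItemType Directory -Path $copy -Force | Out-Null
        Copy-Item -Path (Join-Path $src '*') -Destination $copy -Recurse -Force
    }
    # The manifest is the reference for checking, after the CU, which files were replaced.
    ConvertTo-Json -InputObject @($manifest) | Set-Content -LiteralPath (Join-Path $dest 'manifest.json')
    Write-Host ('Backed up {0} files and {1} folders to {2}' -f @($manifest).Count, $relativeFolders.Count, $dest)
    return $dest
}

Backup-ExchangeCustomizations
```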
Place Exchange 2016 into maintenance mode prior to patching
Run the Exchange Management Shell as administrator. Set the Hub Transport service to draining; it will stop accepting any more messages.
Set-ServerComponentState -Identity "EXCHANGE01" -Component HubTransport -State Draining -Requester Maintenance
Redirect any queued messages to EXCHANGE02. The Target value has to be the target server's FQDN, and the target server should not be in maintenance mode.
Redirect-Message -Server "EXCHANGE01" -Target "EXCHANGE02.thetechevolution.com"
Confirm
Are you sure you want to perform this action?
Redirecting messages to "EXCHANGE02.thetechevolution.com".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
Pause the cluster node, suspending EXCHANGE01 from the DAG.
Suspend-ClusterNode "EXCHANGE01"
Name ID State
---- -- -----
EXCHANGE01 1 Paused
Disable database copy automatic activation.
This command also moves any active database copies to other DAG members, assuming other healthy DAG members are available. This is not instantaneous; it can take several minutes for the moves to occur.
Set-MailboxServer "EXCHANGE01" -DatabaseCopyActivationDisabledAndMoveNow $true
Make a note of the database copy auto-activation policy on the server so you can set it back to this value at the end of maintenance. The default setting is Unrestricted.
Get-MailboxServer "EXCHANGE01" | Select DatabaseCopyAutoActivationPolicy
DatabaseCopyAutoActivationPolicy
--------------------------------
Unrestricted
Set it to Blocked to prevent any of the databases from becoming active.
Set-MailboxServer "EXCHANGE01" -DatabaseCopyAutoActivationPolicy Blocked
Check for any database copies that are still mounted on the server. It may take a while for the active databases to move; this command should return no results.
Get-MailboxDatabaseCopyStatus -Server "EXCHANGE01" | Where {$_.Status -eq "Mounted"}
If any database copies are still active on the server and other DAG members host copies of the database, move them with the following PowerShell command:
Move-ActiveMailboxDatabase -Server EXCHANGE01 -ActivateOnServer EXCHANGE02
Once the active databases have been moved, check the transport queue. Queues should be empty or almost empty, as we will be disabling all server components. Any emails still pending in the queues will be delayed until the server is taken out of maintenance mode.
Get-Queue -Server "EXCHANGE01"
Identity DeliveryType Status MessageCount Velocity RiskLevel OutboundIPPool NextHopDomain
EXCHANGE01\Submission Undefined Ready 0 0 Normal 0 Submission
Put the server EXCHANGE01 into maintenance mode.
Set-ServerComponentState "EXCHANGE01" -Component ServerWideOffline -State Inactive -Requester Maintenance
How to verify Exchange Server is in maintenance mode
Verify that the Exchange Server EXCHANGE01 has been placed into maintenance mode. All components should show Inactive except Monitoring and RecoveryActionsEnabled.
Get-ServerComponentState "EXCHANGE01" | Select Component, State
Component State
--------- -----
ServerWideOffline Inactive
HubTransport Inactive
FrontendTransport Inactive
Monitoring Active
RecoveryActionsEnabled Active
AutoDiscoverProxy Inactive
ActiveSyncProxy Inactive
EcpProxy Inactive
EwsProxy Inactive
ImapProxy Inactive
OabProxy Inactive
OwaProxy Inactive
PopProxy Inactive
PushNotificationsProxy Inactive
RpsProxy Inactive
RwsProxy Inactive
RpcProxy Inactive
UMCallRouter Inactive
XropProxy Inactive
HttpProxyAvailabilityGroup Inactive
ForwardSyncDaemon Inactive
ProvisioningRps Inactive
MapiProxy Inactive
EdgeTransport Inactive
HighAvailability Inactive
SharedCache Inactive
MailboxDeliveryProxy Inactive
RoutingUpdates Inactive
RestProxy Inactive
DefaultProxy Inactive
Lsass Inactive
RoutingService Inactive
E4EProxy Inactive
CafeLAMv2 Inactive
LogExportProvider Inactive
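The following function is an added example, not part of the original guide: it runs the maintenance-mode steps above in order but waits for each one to take effect (queues drained, active copies moved) and checks the final component states instead of assuming they are right. It assumes the server names and target FQDN used in this guide, and that it is run from the Exchange Management Shell by a member of Organization Management.

```powershell
# Added example (not from the original guide): place a DAG member into
# maintenance mode with verification at each step.
function Enter-ExchangeMaintenance {
    param(
        [Parameter(Mandatory)][string]$Server,        # e.g. EXCHANGE01
        [Parameter(Mandatory)][string]$TargetFqdn,    # e.g. EXCHANGE02.thetechevolution.com
        [int]$TimeoutMinutes = 30
    )
    $target = $TargetFqdn.Split('.')[0]

    # Never drain into a server that is itself offline.
    $targetState = (Get-ServerComponentState -Identity $target -Component ServerWideOffline).State
    if ("$targetState" -ne 'Active') { throw "$target is $targetState; pick a target that is not in maintenance." }

    # Record the activation policy so it can be restored afterwards (default is Unrestricted).
    $policy = (Get-MailboxServer $Server).DatabaseCopyAutoActivationPolicy
    Write-Host "$Server DatabaseCopyAutoActivationPolicy is currently '$policy'; restore this after patching."

    Set-ServerComponentState -Identity $Server -Component HubTransport -State Draining -Requester Maintenance
    Redirect-Message -Server $Server -Target $TargetFqdn -Confirm:$false
    Suspend-ClusterNode -Name $Server | Out-Null
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked

    # Wait for mounted copies to move and the queues to empty. Shadow queues are
    # excluded because Redirect-Message does not redirect them.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $mounted = @(Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object { "$($_.Status)" -eq 'Mounted' })
        $queued  = (Get-Queue -Server $Server | Where-Object { "$($_.Identity)" -notlike '*\Shadow\*' } |
                    Measure-Object -Property MessageCount -Sum).Sum
        if ($mounted.Count -eq 0 -and -not $queued) { break }
        Write-Host "Waiting: $($mounted.Count) mounted copies, $([int]$queued) queued messages"
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    # Copies that did not move on their own are moved explicitly, as the guide describes.
    foreach ($copy in $mounted) {
        Move-ActiveMailboxDatabase -Identity $copy.DatabaseName -ActivateOnServer $target -Confirm:$false
    }
    if ($queued) { Write-Warning "$([int]$queued) messages still queued; they will be delayed until maintenance ends." }

    Set-ServerComponentState -Identity $Server -Component ServerWideOffline -State Inactive -Requester Maintenance

    # Everything except Monitoring and RecoveryActionsEnabled must now be Inactive.
    $stillActive = Get-ServerComponentState -Identity $Server |
        Where-Object { "$($_.State)" -eq 'Active' -and $_.Component -notin 'Monitoring', 'RecoveryActionsEnabled' }
    if ($stillActive) { Write-Warning ('Still Active: ' + ($stillActive.Component -join ', ')) }
    else { Write-Host "$Server is in maintenance mode." }
    return $policy   # feed this back into Set-MailboxServer when leaving maintenance
}

$savedPolicy = Enter-ExchangeMaintenance -Server 'EXCHANGE01' -TargetFqdn 'EXCHANGE02.thetechevolution.com'
```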
Before starting the updates, it is recommended to reboot the Exchange Server first. This frees up resources and clears any pending updates. After the reboot, you can start installing the updates.
.NET Framework and Exchange Server Cumulative Update
When upgrading Exchange Server from an unsupported CU to the current CU and no intermediate CUs are available, you should first upgrade to the latest version of .NET that’s supported by your version of Exchange Server and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest supported CU. Microsoft makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services.
Check the following link to see whether the .NET version installed is supported with the Cumulative Update you are installing: .NET Exchange 2016 Matrix
Prepare Schema and Domain Updates
Confirm that the Exchange Active Directory versions are applicable to the cumulative update you are installing. This step can be run either in advance or at the time of the upgrade; either way, the account you run the install or upgrade under requires membership of Enterprise Admins and Schema Admins.
Run the commands below and note the version numbers.
RangeUpper
Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$((Get-ADRootDSE).schemaNamingContext)" -Property Rangeupper
Rangeupper : 15333
Object Version (Default)
Get-ADObject "CN=Microsoft Exchange System Objects,$((Get-ADRootDSE).defaultNamingContext)" -Property objectVersion
objectVersion : 13240
ObjectVersion (Configuration)
Get-ADObject (dir "AD:\CN=Microsoft Exchange,CN=Services,$((Get-ADRootDSE).configurationNamingContext)").DistinguishedName -Property objectVersion
objectVersion : 16220
Check the latest version in the release notes and also check the following Microsoft link to confirm whether schema updates are required: Exchange Schema Updates Matrix
| Exchange | Forest (rangeUpper) | Domain (objectVersion) | Forest (objectVersion) |
| --- | --- | --- | --- |
| 2016 CU22 (target) | 15334 | 13242 | 16222 |
| 2016 current versions (before update) | 15333 | 13240 | 16220 |
Install Schema and Domain Updates
Run Command Prompt as administrator (not PowerShell). Note: the setup paths below assume you are in the folder containing setup.exe, so browse to the drive letter hosting the ISO first. Run the commands below. They require Enterprise Admins and Schema Admins permissions and must be run in the same AD site as the Schema Master, on a server with the RSAT-ADDS-Tools feature installed (the Schema Master itself meets these requirements).
setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms_DiagnosticDataON

setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
Run the /PrepareDomain command above in each domain in your forest that contains Exchange servers or mailboxes. If you have a single domain, the previous step has already done this for you.

Post Schema and Domain Checks
After the upgrade, rerun the commands below and check that the new values match the values applicable to the update media being used for the cumulative update.
RangeUpper
Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$((Get-ADRootDSE).schemaNamingContext)" -Property Rangeupper
Rangeupper : 15334
Object Version (Default)
Get-ADObject "CN=Microsoft Exchange System Objects,$((Get-ADRootDSE).defaultNamingContext)" -Property objectVersion
objectVersion : 13242
ObjectVersion (Configuration)
Get-ADObject (dir "AD:\CN=Microsoft Exchange,CN=Services,$((Get-ADRootDSE).configurationNamingContext)").DistinguishedName -Property objectVersion
objectVersion : 16222
| Exchange | Forest (rangeUpper) | Domain (objectVersion) | Forest (objectVersion) |
| --- | --- | --- | --- |
| 2016 CU22 | 15334 | 13242 | 16222 |
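The following function is an added example, not part of the original guide, and serves both the "Prepare Schema and Domain Updates" check and the "Post Schema and Domain Checks" above: it reads the same three Active Directory version markers and compares them with the values the target CU requires, so before setup you can see which of /PrepareSchema, /PrepareAD and /PrepareDomain are still needed, and afterwards confirm that all three applied. The defaults are the Exchange 2016 CU22 values from the table; pass different numbers for another CU. It assumes the ActiveDirectory module (RSAT-ADDS-Tools) is installed.

```powershell
# Added example (not from the original guide): compare the AD schema, configuration
# and domain version markers against the values required by the target CU.
Import-Module ActiveDirectory

function Test-ExchangeADVersions {
    param(
        [int]$ExpectedRangeUpper    = 15334,   # forest schema (rangeUpper), Exchange 2016 CU22
        [int]$ExpectedDomainVersion = 13242,   # domain objectVersion, Exchange 2016 CU22
        [int]$ExpectedConfigVersion = 16222    # forest configuration objectVersion, Exchange 2016 CU22
    )
    $rootDse = Get-ADRootDSE
    $schema = (Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" -Properties rangeUpper).rangeUpper
    # Only the domain this is run in is checked; run it in each domain that holds Exchange servers or mailboxes.
    $domain = (Get-ADObject "CN=Microsoft Exchange System Objects,$($rootDse.defaultNamingContext)" -Properties objectVersion).objectVersion
    # The organization container sits one level under CN=Microsoft Exchange,CN=Services.
    $orgDn = (Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)" `
                -SearchScope OneLevel -Filter 'objectClass -eq "msExchOrganizationContainer"').DistinguishedName
    $config = (Get-ADObject $orgDn -Properties objectVersion).objectVersion

    $checks = @(
        [pscustomobject]@{ Check = 'Forest schema (rangeUpper)';    Current = $schema; Expected = $ExpectedRangeUpper;    Setup = '/PrepareSchema' }
        [pscustomobject]@{ Check = 'Forest config (objectVersion)'; Current = $config; Expected = $ExpectedConfigVersion; Setup = '/PrepareAD' }
        [pscustomobject]@{ Check = 'Domain (objectVersion)';        Current = $domain; Expected = $ExpectedDomainVersion; Setup = '/PrepareDomain' }
    )
    foreach ($c in $checks) {
        $status = if ($c.Current -eq $c.Expected) { 'OK' }
                  elseif ($c.Current -lt $c.Expected) { "Needs $($c.Setup)" }
                  else { 'Newer than expected; check the media version' }
        $c | Add-Member -NotePropertyName Status -NotePropertyValue $status
    }
    return $checks
}

Test-ExchangeADVersions | Format-Table -AutoSize
```

Run it once before setup to see which preparation steps are pending, and again after /PrepareSchema, /PrepareAD and /PrepareDomain to confirm every row shows OK.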
Install Exchange Update
- Before proceeding, restart the server to clear any pending reboot status that would stop Exchange setup from running.
- After the restart, do not launch EMS, as the install will then fail its pre-checks. Launch an elevated CMD prompt and run the following command from the folder where the Exchange setup files are located:
setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms_DiagnosticDataON
After the cumulative update has installed, restart the server. When the server has restarted, perform a basic health check of the server:
- Review event logs for new or excessive errors and warnings
- Check that auto-start services on the server have started
Install the latest applicable security update (SU)
- If applicable, install the latest Security Update for the cumulative update. The steps are below, and more details can be found at Exchange Server build numbers and release dates.
- Select Start, and then enter cmd.
- In the results, right-click Command prompt, and then select Run as administrator.
- If the User Account Control box appears, verify that the default action is the action that you want, and then select Continue.
- Enter the full path of the .msp file, and then press Enter. IMPORTANT: When installing the security update manually you must run it from an elevated command prompt. If you don’t, the install might complete, but the server won’t be protected.
- Reboot the server.
Restore Customizations
After you have finished updating your servers, re-apply any customizations that you documented during the preparation steps above, for example to the web.config, sharedweb.config or EdgeTransport.exe.config files if the update replaced them.
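The following function is an added example, not part of the original guide: it compares each file recorded in a backup manifest against its current SHA-256 hash and lists the files the update replaced, with the backup copy to merge your customizations back from. It assumes a manifest.json with Path, Relative and Hash fields was written next to the backup copies at backup time; the backup folder name is a constructed value.

```powershell
# Added example (not from the original guide): find which backed-up config files
# the CU replaced, so only those need customisations re-applied.
function Compare-ExchangeCustomizations {
    param([Parameter(Mandatory)][string]$BackupFolder)
    $manifestPath = Join-Path $BackupFolder 'manifest.json'
    if (-not (Test-Path -LiteralPath $manifestPath)) { throw "No manifest.json in $BackupFolder" }
    # Assumed manifest format: an array of objects with Path, Relative and Hash.
    $manifest = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json

    foreach ($entry in $manifest) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            $state = 'Missing'            # removed by the update, or the path changed
        } else {
            $now = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
            $state = if ($now -eq $entry.Hash) { 'Unchanged' } else { 'Replaced' }
        }
        [pscustomobject]@{
            Path       = $entry.Path
            State      = $state
            BackupCopy = Join-Path $BackupFolder $entry.Relative
        }
    }
}

# Do not copy the old file back over the new one wholesale: the CU may have
# changed other settings in it. Merge your customisations into the new file.
Compare-ExchangeCustomizations -BackupFolder 'D:\ExchangeBackup\EXCHANGE01-20220623-150000' |
    Where-Object { $_.State -ne 'Unchanged' } | Format-Table -AutoSize
```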
Take Exchange Server out of maintenance mode
After the update, we want the Exchange Server EXCHANGE01 to be active again. Run the Exchange Management Shell as administrator.
You can now remove the server from maintenance mode. Note: if the server is not a DAG member, only the first and last commands are necessary; if it is a DAG member, run all the commands. Use the database copy auto-activation policy value that was previously set on the server. The default is Unrestricted.
Set-ServerComponentState "EXCHANGE01" -Component ServerWideOffline -State Active -Requester Maintenance
Resume-ClusterNode -Name "EXCHANGE01"
Name ID State
EXCHANGE01 1 Up
Set-MailboxServer "EXCHANGE01" -DatabaseCopyAutoActivationPolicy Unrestricted
Set-MailboxServer "EXCHANGE01" -DatabaseCopyActivationDisabledAndMoveNow $false
Set-ServerComponentState "EXCHANGE01" -Component HubTransport -State Active -Requester Maintenance
Rebalance Database Availability Groups
Throughout the update process, database copies move between DAG members. Return the active database copies to their most preferred DAG member using the PowerShell script supplied by Microsoft.
cd $exscripts
.\RedistributeActiveDatabases.ps1 -DagName "DAG-01" -BalanceDbsByActivationPreference -SkipMoveSuppressionChecks
Verify out of maintenance mode
Verify that the Exchange Server EXCHANGE01 is back up and running by running the following commands.
The cluster node needs to be in the Up state.
Get-ClusterNode "EXCHANGE01"
Name ID State
EXCHANGE01 1 Up
Get-ClusterNode
Name ID State
EXCHANGE01 1 Up
EXCHANGE02 2 Up
Check that all the required services are running
Test-ServiceHealth "EXCHANGE01"
Role : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC,
MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}
Check that the required services are running on all the Exchange Servers.
Get-ExchangeServer | Test-ServiceHealth
Role : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC,
MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeMailboxReplication, MSExchangeRPC,
MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning : {}
Role : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}
Test the MAPI Connectivity
Test-MAPIConnectivity -Server "EXCHANGE01"
MailboxServer Database Result Error
EXCHANGE01 MDB-01 Success
Get the result of the DAG Copy Status Health on all the Exchange Servers.
Get-MailboxDatabaseCopyStatus * | Sort Name | Select Name, Status, Contentindexstate
Name Status ContentIndexState
MDB-01\EXCHANGE01 Mounted Healthy
MDB-01\EXCHANGE01 Healthy Healthy
Check the Replication Health
Test-ReplicationHealth -Server "EXCHANGE01"
Server Check Result Error
EXCHANGE01 ClusterService Passed
EXCHANGE01 ReplayService Passed
EXCHANGE01 ActiveManager Passed
EXCHANGE01 TasksRpcListener Passed
EXCHANGE01 TcpListener Passed
EXCHANGE01 ServerLocatorService Passed
EXCHANGE01 DagMembersUp Passed
EXCHANGE01 MonitoringService Passed
EXCHANGE01 ClusterNetwork Passed
EXCHANGE01 QuorumGroup Passed
EXCHANGE01 DatabaseRedundancy Passed
EXCHANGE01 DatabaseAvailability Passed
Check the Replication Health on all the Exchange Servers.
Get-DatabaseAvailabilityGroup | Select -ExpandProperty:Servers | Test-ReplicationHealth | Sort Name
Server Check Result Error
EXCHANGE01 ReplayService Passed
EXCHANGE01 ActiveManager Passed
EXCHANGE01 TasksRpcListener Passed
EXCHANGE01 ClusterService Passed
EXCHANGE02 DBDisconnected Passed
EXCHANGE02 DBLogCopyKeepingUp Passed
EXCHANGE02 DBLogReplayKeepingUp Passed
EXCHANGE01 TcpListener Passed
EXCHANGE01 QuorumGroup Passed
EXCHANGE01 DatabaseRedundancy Passed
EXCHANGE01 DatabaseAvailability Passed
EXCHANGE01 ClusterNetwork Passed
EXCHANGE01 ServerLocatorService Passed
EXCHANGE01 DagMembersUp Passed
EXCHANGE01 MonitoringService Passed
EXCHANGE02 TcpListener Passed
EXCHANGE02 ServerLocatorService Passed
EXCHANGE02 DagMembersUp Passed
EXCHANGE02 TasksRpcListener Passed
EXCHANGE02 ClusterService Passed
EXCHANGE02 ReplayService Passed
EXCHANGE02 ActiveManager Passed
EXCHANGE02 MonitoringService Passed
EXCHANGE02 DBCopySuspended Passed
EXCHANGE02 DBCopyFailed Passed
EXCHANGE02 DBInitializing Passed
EXCHANGE02 DatabaseAvailability Passed
EXCHANGE02 ClusterNetwork Passed
EXCHANGE02 QuorumGroup Passed
EXCHANGE02 DatabaseRedundancy Passed
Ensure Database Activation Policy is showing as “Unrestricted”
Get-MailboxServer "EXCHANGE01" | Select Name, DatabaseCopyAutoActivationPolicy
Name DatabaseCopyAutoActivationPolicy
EXCHANGE01 Unrestricted
Verify the Database Activation Policy is set to Unrestricted on all the Exchange Servers.
Get-MailboxServer | Select Name, DatabaseCopyAutoActivationPolicy
Name DatabaseCopyAutoActivationPolicy
EXCHANGE01 Unrestricted
EXCHANGE02 Unrestricted
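The following function is an added example, not part of the original guide: it runs the verification commands above for one server and reduces them to a single pass/fail table, so the next DAG member is only patched once every check passes. It assumes the server name EXCHANGE01 from this guide and the Exchange Management Shell.

```powershell
# Added example (not from the original guide): post-update verification for one
# DAG member, collapsing the checks above into one table.
function Test-ExchangePostUpdate {
    param([Parameter(Mandatory)][string]$Server)
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # Cluster node must be Up, not Paused.
    $node = Get-ClusterNode -Name $Server
    & $add 'Cluster node Up' ("$($node.State)" -eq 'Up') $node.State

    # Every role must report no services in ServicesNotRunning.
    $notRunning = Test-ServiceHealth -Server $Server | ForEach-Object { $_.ServicesNotRunning } | Sort-Object -Unique
    & $add 'Required services running' (@($notRunning).Count -eq 0) ($notRunning -join ', ')

    # Leaving maintenance mode should have set every component back to Active.
    $inactive = Get-ServerComponentState -Identity $Server | Where-Object { "$($_.State)" -ne 'Active' }
    & $add 'All components Active' (@($inactive).Count -eq 0) ($inactive.Component -join ', ')

    $mbx = Get-MailboxServer $Server
    & $add 'Activation policy Unrestricted' ("$($mbx.DatabaseCopyAutoActivationPolicy)" -eq 'Unrestricted') $mbx.DatabaseCopyAutoActivationPolicy
    & $add 'ActivationDisabledAndMoveNow off' (-not $mbx.DatabaseCopyActivationDisabledAndMoveNow) $mbx.DatabaseCopyActivationDisabledAndMoveNow

    # Copies should be Mounted or Healthy with a healthy content index.
    $badCopies = Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { "$($_.Status)" -notin 'Mounted', 'Healthy' -or "$($_.ContentIndexState)" -ne 'Healthy' }
    & $add 'Database copies healthy' (@($badCopies).Count -eq 0) (($badCopies | ForEach-Object { "$($_.Name)=$($_.Status)/$($_.ContentIndexState)" }) -join ', ')

    $failedRepl = Test-ReplicationHealth -Server $Server | Where-Object { "$($_.Result)" -ne 'Passed' }
    & $add 'Replication health' (@($failedRepl).Count -eq 0) (($failedRepl | ForEach-Object { "$($_.Check)=$($_.Result)" }) -join ', ')

    $failedMapi = Test-MAPIConnectivity -Server $Server | Where-Object { "$($_.Result)" -ne 'Success' }
    & $add 'MAPI connectivity' (@($failedMapi).Count -eq 0) (($failedMapi | ForEach-Object { "$($_.Database)=$($_.Error)" }) -join ', ')

    return $results
}

$report = Test-ExchangePostUpdate -Server 'EXCHANGE01'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more checks failed; do not patch the next DAG member yet.'
}
```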
Checks to complete after update
- Test that mail flow via the SMTP service is working
- Test access to Exchange Management Shell from the updated Exchange server
- Test that Exchange Admin Centre is working
Install Cumulative Update on all Exchange Servers
If more than one Exchange Server is running in the organization, perform the same steps on all of them. The servers can have any of the roles below.
- Exchange Mailbox server
- Exchange Edge server
- Exchange Hybrid server
Check that Exchange Server is up to date
Run the Exchange Health Checker script (make sure you download the latest version from GitHub).
Download the HealthChecker.ps1 PowerShell script and place it in the C:\scripts folder on the Exchange Server. If you get errors running the script, check that it is set to Unblock in the file's properties.
Create Exchange Servers report
Run the Exchange Management Shell as administrator and change to the scripts folder.
cd C:\scripts
Verify the signature before running the script with the Get-AuthenticodeSignature cmdlet.
Get-AuthenticodeSignature -FilePath ".\HealthChecker.ps1" | ft -AutoSize
Directory: C:\scripts
SignerCertificate Status Path
ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B Valid HealthChecker.ps1
Run the following to create a report for all Exchange Servers. It builds the HTML report and opens it automatically.
Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html
If the report does not open automatically, you can find the report in the C:\scripts folder.
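The following function is an added example, not part of the original guide or the HealthChecker project: it runs HealthChecker.ps1 only if its Authenticode signature is Valid and the signer matches the expected publisher, and only then clears the mark-of-the-web, rather than unblocking an unverified download first. It assumes the script path C:\scripts\HealthChecker.ps1 from this guide; the expected signer pattern is an assumption, so adjust it to the Subject that Get-AuthenticodeSignature reports for a known-good copy.

```powershell
# Added example (not from the original guide): gate a downloaded script on its
# signature before unblocking and running it.
function Invoke-VerifiedScript {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = 'CN=Microsoft Corporation',   # assumption; adjust to the signer you verified
        [hashtable]$ScriptArgs = @{}
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ("$($sig.Status)" -ne 'Valid') {
        throw "$Path signature status is '$($sig.Status)' ($($sig.StatusMessage)); not running it."
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSigner*") {
        throw "$Path is signed by '$subject', not the expected publisher; not running it."
    }
    # The signature is intact, so removing the Zone.Identifier stream is safe.
    Unblock-File -Path $Path
    Write-Host "Signature OK, thumbprint $($sig.SignerCertificate.Thumbprint); running $Path"
    & $Path @ScriptArgs
}

Invoke-VerifiedScript -Path 'C:\scripts\HealthChecker.ps1' -ScriptArgs @{ Server = 'EXCHANGE01' }
```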
Check Exchange Servers report for vulnerabilities
The HTML report will look like the screen below. Everything should be OK, as the environment has been patched with the latest CU and SU on the Exchange Servers with the mailbox role.

If you're not up to date or not patched, it will show that you have vulnerabilities. Any red or yellow warnings in the Exchange Server report should be investigated and fixed where applicable. The vulnerabilities do not necessarily relate to patches, as in the example below.
Fault Finding
No guide would be complete without some fault-finding steps, so see below for the most common issues seen when patching Microsoft Exchange Server.
Check ECP Access
It is important to verify that ECP access still works after the tasks above.
- https://webmail.thetechevolution.com/ecp (check from a local device and from both EXCHANGE01 and EXCHANGE02)
- https://127.0.0.1/ecp/ (check access from both EXCHANGE01 and EXCHANGE02)
If this shows an error, check Event Viewer to see whether the event below is present before applying the fix.
Error details
Event code: 3008
Event message: A configuration error has occurred.
Event time: 06/23/2022 3:18:28 PM
Event time (UTC): 06/23/2022 3:18:28 PM
Event ID: 7e35d47a79aa443fa8dc63d407ac27fa
Event sequence: 1
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT/ecp-1239-132890597087176142
Trust level: Full
Application Virtual Path: /ecp
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\
Machine name: EXCHANGE01
Process information:
Process ID: 13460
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: ConfigurationErrorsException
Exception message: Could not load file or assembly 'Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, Boolean checkAptcaBit)
at System.Web.Configuration.Common.ModulesEntry.SecureGetType(String typeName, String propertyName, ConfigurationElement configElement)
at System.Web.Configuration.Common.ModulesEntry..ctor(String name, String typeName, String propertyName, ConfigurationElement configElement)
at System.Web.HttpApplication.BuildIntegratedModuleCollection(List`1 moduleList)
at System.Web.HttpApplication.GetModuleCollection(IntPtr appContext)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
Could not load file or assembly 'Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMarkHandle stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName, ObjectHandleOnStack type)
at System.RuntimeTypeHandle.GetTypeByName(String name, Boolean throwOnError, Boolean ignoreCase, Boolean reflectionOnly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean loadTypeFromPartialName)
at System.Type.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
at System.Web.Compilation.BuildManager.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase)
at System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase)
Request information:
Request URL: https://localhost:444/ecp/exhealth.check
Request path: /ecp/exhealth.check
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
The Fix
If the above event is visible, open PowerShell as Admin and run the commands below.
cd "C:\Program Files\Microsoft\Exchange Server\V15\Bin"
.\UpdateCas.ps1
.\UpdateConfigFiles.ps1
Once the above has completed, restart IIS (not by forcing the service) and retest. This should resolve the issue, which is caused by customized features not being redeployed as required.
Remove Permissions
- Reverse any admin privileges granted when carrying out this task, as applicable.
If the above has helped you carry out an Exchange Cumulative Update, please let us know by leaving a comment, or feel free to share the article below. If you have any errors or require more details on anything covered, please comment. Also, please check our other Exchange posts.