Released: September 2017 Quarterly Exchange Updates

The latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013 are now available on the download center.  These releases include fixes to customer reported issues, all previously reported security/quality issues and updated functionality.

Minimum supported Forest Functional Level is now 2008R2

In our blog post, Active Directory Forest Functional Levels for Exchange Server 2016, we informed customers that Exchange Server 2016 would enforce a minimum 2008R2 Forest Functional Level requirement for Active Directory.  Cumulative Update 7 for Exchange Server 2016 will now enforce this requirement.  This change will require all domain controllers in a forest where Exchange is installed to be running Windows Server 2008R2 or higher.  Active Directory support for Exchange Server 2013 remains unchanged at this time.

Support for latest .NET Framework

The .NET team is preparing to release a new update to the framework, .NET Framework 4.7.1.  The Exchange Team will include support for .NET Framework 4.7.1 in our December Quarterly updates for Exchange Server 2013 and 2016, at which point it will be optional.  .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases.  Customers should plan to upgrade to .NET Framework 4.7.1 between the December 2017 and June 2018 quarterly releases.

The Exchange team has decided to skip supporting .NET 4.7.0 with Exchange Server.  We have done this not because of problems with the 4.7.0 version of the Framework, rather as an optimization to encourage adoption of the latest version.

Known unresolved issues in these releases

The following known issues exist in these releases and will be resolved in a future update:

  • Online Archive Folders created in O365 will not appear in the Outlook on the Web UI
  • Information protected e-Mails may show hyperlinks which are not fully translated to a supported, local language

Release Details

KB articles that describe the fixes in each release are available as follows:

Exchange Server 2016 Cumulative Update 7 does include new updates to Active Directory Schema.  If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required.  These updates will apply automatically during setup if the logged on user has the required permissions.  If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade.  The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current.

Exchange Server 2013 Cumulative Update 18 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 18. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU18, 2016 CU7) or the prior (e.g., 2013 CU17, 2016 CU6) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes.  You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Team

Comments (48)
  1. sime3000 says:

    Security hotfix KB4036108 for Exchange 2016 RU6 and Exchange 2013 RU17 kills those servers.

    Is the hotfix in KB4036108 included in Exchange 2016 RU7 and Exchange 2013 RU18 or does Microsoft plan on issuing a separate hotfix that will kill RU7/RU18 installations as well?

  2. sime3000 says:

    Security hotfix KB4036108 for Exchange 2016 CU6 and Exchange 2013 CU17 kills those servers.

    Is the hotfix in KB4036108 included in Exchange 2016 CU7 and Exchange 2013 CU18 or does Microsoft plan on issuing a separate hotfix that will kill CU7/CU18 installations as well?

    1. As noted above, these releases include all previously released security updates. The fixes for KB4036108 are included in today’s releases. We are not tracking any known issues with the fixes included in KB4036108. We are investigating reports of the KB4036108 installer leaving search indexes in a failed state. This is related to the installer however, not the actual fixes. The install process invoked by patching is not identical to installing a cumulative update. We have not seen the failed index problem installing today’s releases.

      1. Derek Gabriel says:

        Probably because it was easier for folks like me to recover my server than open a support incident with MS… the support site is crap… check out this thread:

        1. Reno Mardo says:

          i stopped using the technet forums as i find more and more people there gives you the RTFM treatment. most specially one Exchange MVP.

  3. Josue Ogando says:

    Any news for the organizations willing to disable TLS 1.0 and 1.1. And only operate with TLS 1.2?

  4. Joe Kocan says:

    KB4036108 broker our Exchange server both times it was installed. The install failed and the only way to get it back is to restore from a backup.

  5. robk says:

    Sep 11 security update KB4036108 does look like a major issue for Exchange 2013 and Exchange 2016 servers. Its safer to wait until next CU update than to apply it and get screwed. My company recently decided that it will be a really good idea to apply the patches the minute Microsoft releases them, without doing any homework and checking on the Internet to see if other admins ran into any issues. I;m really glad that i managed to convince the upper management and do diligence first before patching. Anyhow for more details regarding this fiasco see this link

    thanks Microsoft

  6. MarcK4096 says:

    What are customers running Exchange Server 2016 that deployed it before 2008 R2 functional level was required supposed to do? Are security fixes going to continue to be released for CU6 for customers that are unable to upgrade their 2008 DCs. Windows Server 2008 doesn’t go EOL for another couple of years.

    I think it’s a dirty move to switch the AD requirement of a released product like this. An AD functional requirement change should go along with a new major release.

  7. Amjad Naseer says:

    Guys, I have been through 3 of your support teams. Office 365 support, Partner advisory and Partner support. No one can find me the exact details on what the Active Directory Schema changes are for Exchange 2016 CU6. You mention in your earlier post on CU6 “Exchange Server 2016 Cumulative Update 6 does include new updates to Active Directory Schema”, yet in the CU link I can only see listings for CU3:
    Can you please get this to me as I need to update an Exchange 2016 Server running on Windows 2016 this weekend. The client is chasing me for the specific schema changes. Thank You

    1. Amjad Naseer says:

      Glad to see you corrected your stance on CU6 Schema changes and updated your CU information links to include CU6 and CU7 amendments.

    1. robk says:

      Running Windows 2016 latest CU and Exchange 2016 CU7 and get-help for any commands does not work. Maybe you have to let it go to Internet for the updated Get-Help or maybe Exchange needs help? :)

      1. robk says:

        You can use this link to try to get most up to date help definition cab file using Update-ExchangeHelp -Verbose switch. Maybe that will help resolving the issue of using Get-Help New-Mailbox or any command for that matter.

        the funny thing is the article specifically mentions the use the -Verbose switch to get detailed information, but of course like I mentioned already in this thread the -Verbose switch just does not work anymore. Looks like support people are not really in sync with the developers of the product. Please bring back the verbosity functionality back to Exchange.

  8. JohnKirkHMR says:

    Regarding the PowerShell Script Execution Policy, would it be possible for Microsoft to digitally sign all the scripts that Exchange uses? That seems like a better option than “run any script from any author”.

    1. Jeff says:

      The Microsoft article on signing powershell scripts is over 9 years old, and the Exchange team hasn’t read it yet.

      Don Jones
      In the January 2008 Windows PowerShell column, I stressed the importance of digitally signing your Windows PowerShell scripts. And I described some scenarios where any execution policy other than AllSigned could create significant security vulnerabilities in your environment.

  9. Question for Exchange team: after upgrade Ex2016 from CU6 to CU7 several databases has Content Index State value “HealthyAndUpgrading”. I waited 24 hours, after that removed Index and reseeded it. After reseed it is again “HealthyAndUpgrading”. Is it ok? In previous versions I never had that status.
    Also, I noticed, that OWA design slightly changed. Where we can see all changes and new features of this update?

    1. Also, appeared undeletable folder “Archive” in Outlook, that annoying users…

      1. Andi says:

        i have the same issues

        1. Chance says:

          Did this ever resolve for either of you? I just upgrade a member of a DAG and hit the same thing as well.

        2. I just upgraded to CU7 and experienced the same issue. Did your exchange servers finish the content index upgrade or is it still stuck there?

        3. chriZa says:

          Content index state: HealthyAndUpgrading – same issue in my environment!

        4. MSchueler says:

          Me too.
          Users are amazed about an additional folder “archive” (“Archiv”) in there outlook folder structure, which constantly being restored, if mailbox user move or delete this folder.

      2. Roy Minton says:

        I have these same issues. Anyone opened cases about it?

        1. Roy Minton says:

          After a couple of days the ContentIndexState is now reporting Healthy

      3. Michael says:

        We have the same issue with the Archive folder, anybody know more about this? Are there any way to delete this Folder? Even I’m owner of it I’m not allowed to delete the Folder. In OWA is the Option delete even grayed out.

    2. Jan De says:

      Same issue. After update cu6 to cu7.

    3. Travis says:

      One of my databases is also stuck at HealthandUpgrading for the last several days.

    4. Todd341287 says:

      It looks to be expected behavior based on the event logs and performance monitor showing that it is progressing.

    5. Tobias says:

      Same issue here, I upgraded 3 servers in my DAG.
      On the last one, 2 Databases have the Indexstate “HealthyAndUpgrading”

      Reseeding doesn’t fix that problem.

  10. robk says:

    Another issue with Exchange (any version) is the powershell commands do not honor the -verbose switch. As long as you use Windows 2008R2 as OS the -Verbose switch will work and will give more details of what the command is doing. As soon as your OS is Windows 2012 or higher you suddenly loose the ability to utilize the switch. This has been going on for few years now and nobody can tell me why is this happening or who’s fault it is OS or Exchange. Can Microsoft provide some clearance why we no longer can use the switch as in Get-Mailbox user -Verbose. The funny thing is when you type the command in Exchange powershell and type -V then tab you still get -Verbose switch displayed so its built in but does not work at all.

    thank you

    1. sime3000 says:

      Hey Robk
      Microsoft is very evasive about the way the shell behaves which is a nicer way of saying that they really don’t care.
      It took me 6 months to get a condescending response to another shell question:

  11. Ron Buie says:

    Still haven’t fixed the Get-Help feature in PowerShell for Exchange 2016 running on Windows Server 2016. When are you going to fix this?

  12. edts says:

    Has anyone successfully deployed CU18 which contains KB4036108 without issue? Looks like it’s only the installer of the standalone hotfix that has an issue?

  13. Bram Hendriks says:

    Please note that Exchange 2016 CU07 will block you from running the HCW since the cmdlet Set-FederatedOrganizationIdentifier doesn’t work. This bug has been confirmed. The solution is to run the HCW from CU06.

  14. Jan Dye says:

    Installed Exchange 2016 CU7 over the weekend. Mounted databases all have the “Healthy and Upgrading” status for their content indexes. Users also see the “Archive” folder in their Outlook folder tree. Is there a way to get rid of the “Archive” folder for everyone? Also, what is meant by the Healthy and Upgrading message? Is there something we can do to hurry this up?

  15. Tobias says:

    Outlook Web Add-In API 1.4?

    Any chance that the Outlook Client API 1.4 has already made it in any CU or is it planned to add it to Exchange 2016 in the near future?


  16. Joshua Pelligrino says:

    Is back pressure for Exchange 2016 ever going to be addressed? Would be nice to have the ability to change thresholds, or disable all together.

  17. nikih beukes says:

    how can I get it

  18. Dime I. says:

    CU 18 for exchange 2013 breaks certificate authentication for activesync. It switches off certificate authentication in IIS. I had to redo every single certificate for activesync to work on iPhones again after switching it back on for some reason. Why microsoft?

    1. Reno Mardo says:

      good gwief! good thing i always upgrade monthssssss later everytime a CU comes out.

  19. Alexander Zammit says:

    Have identified a problem with CU7 Install-AntiSpamAgents.ps1. I have documented this (together with solution) here:

    1. Jose P says:

      Same issue here with “HealthyandUpgrading” for the content index on the last DAG member that was upgraded to EX2016CU7. Tried reseeding and now it says “FailedandSuspended”. I followed the same process i always follow for this issue but now for some reason it doesn’t say, Crawling or Seeding.

  20. paul david says:

    How do we get this Content index state: HealthyAndUpgrading fixed ? Anybody with any idea or open a Case with MS

  21. ericsberg says:

    In this thread: on October 3, 2017 Rhoderick Milne said “This is still the best reference on the TLS aspect:
    and that article states “•(For now) Wait to disable TLS 1.0 on the Exchange server”

    The trouble (as I see it) is that the second article is from July 2015. Rhoderick Milne indicates the Exchange TLS SSL Best Practices article has been updated since then, but there aren’t any obvious date stamps to indicate exactly when those updates were made. Also, it’s closed to comments so we can’t ask if it’s up to date. The article also doesn’t mention Exchange versions, and information on Exchange 2016 + TLS 1.0 is also hard to find.

  22. james says:

    Will the december update feature a fix for EMS for 2010 admin for those on win10 1709? Users who upgrade have their powershell instances break.

  23. David-Mac says:

    Will CU7 fix the below issue??
    I have 4 Exchange 2016 servers running CU2 behind a hardware load balancer. I disabled #4 in the hardware load balancer, put it in maintenance mode, upgraded to CU4, installed .NET 4.6.2 and then install CU5. Did not see any errors. When I take #4 out of maintenance mode and enable it in the hardware load balancer users start getting disconnected from Outlook and or getting repeated logon prompts. Affected users are on all servers and databases. Any input would be greatly appreciated.

Comments are closed.

Skip to main content