Released: March 2018 Quarterly Exchange Updates


The March quarterly release updates for Exchange Server are now available on the download center (links below). These releases include all previously released updates, fixes for customer reported issues and limited new functionality. Exchange Server 2010 SP3 Update Rollup 20 was released as a security update previously this month as well.

Exchange Server Support for TLS 1.2

With the March 2018 updates, Exchange fully supports TLS 1.2 on all supported Exchange versions. Brian Day has taken on the task of documenting and helping customers de-mystify the complexity involved with transitioning to TLS 1.2. Customers looking to implement TLS 1.2 should definitely review the published guidance before attempting to move to TLS 1.2. While implementing TLS 1.2 support in Exchange, we have chosen to consume and support the version TLS settings provided via the underlying operating system. This should dramatically ease the adoption of newer versions of TLS go forward.

Support for .NET Framework 4.7.1

Reminder that customers should be in the process of moving to .NET Framework 4.7.1. .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases. Customers should plan to upgrade to .NET Framework 4.7.1 after applying March 2018 quarterly release to avoid blocking installation of the June 2018 quarterly releases for Exchange Server 2013 and 2016.

Release Details

KB articles that describe the fixes in each release are available as follows:

None of the updates released today include new Active Directory schema since the September 2017 quarterly updates were released. If upgrading from an older Exchange version or cumulative update, Active Directory schema updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU20, 2016 CU9) or the prior (e.g., 2013 CU19, 2016 CU8) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Team

Comments (11)
  1. I saw that CU8 there is an issue, which deny the full access through OWA when the source user do not have a mailbox. As workaround, I enabled mailboxes for those users blocking their access to MAPI, OWA and EAS. Is this issue was solved on CU9? I did not find any official fix for this. Thanks!!

  2. ajwreinhardt says:

    Can anyone confirm that the issue noted in KB4058297 (https://support.microsoft.com/en-us/help/4058297/hybridfblooksupfailsbetweenexchange2016cu8serverando365) has indeed been resolved in CU9? I have an active hybrid deployment I’m supporting, and I purposely kept the primary mailbox server inbound from O365 at CU7 because of this issue. I am ready to propose installing an update to stay in compliance, but I’d like to have re-assurances that CU9 doesn’t have free-busy issues. Thank you in advance.

    1. @ajwreinhardt – This was removed as a known issue in the blog post as the issue was resolved. It looks like the KB wasn’t properly published. We will take care of getting the CU9 KB updated and published. Thanks for bringing this to our attention.

      1. rblissitt says:

        Hi Brent, as of today, I still see a warning in yellow at https://blogs.technet.microsoft.com/exchange/2017/12/19/released-december-2017-quarterly-exchange-updates/. Could you direct us to an official Microsoft page that says CU8 is safe to deploy for hybrid environments? We could deploy CU9, of course, but it’s still pretty new and may have problems of its own.

  3. Installed this last night. Server 2016, was Exchange 2016, now CU9. Server is about 6 months old.

    Issues: First run failed out, appears the installer couldn’t edit or replace an XML file. The installer is running as domain admin.
    [ERROR] System.UnauthorizedAccessException: Access to the path ‘C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\SharedWebConfig.config’

    Second run eventually finished, but installer just closes, no summary or ‘job done’ message. Looking at logs, installer was stuck trying to start the same Windows service (not an Exchange one) for about 15 minutes. Manually starting this service pops up ‘Service started and then stopped normally’ message.
    Service ‘UALSVC’ failed to reach status ‘Running’ on this server after waiting for ‘25000’ milliseconds.

    At this point everything in Exchange seemed to be running ok, rebooted server anyway as had a UM language pack to install.

    Looking at event logs, there are still log files trying to be written to the hardcoded D:\ path. This was meant to be fixed a lot of versions ago.
    UAPErrorLog: Failed to create the log directory: D:\ActivityLogs\UAPErrorLog because of the error: Could not find a part of the path ‘D:\’.. Logs will not be generated until the problem is corrected.

    Aside from all that, we seem to be up and running ok.

    Double lined all text as this blog seems to remove whitespace.

  4. Anonymous says:
    (The content was deleted per user request)
  5. PepperdotNet says:

    Guys, please research the issue with installation of “in-between-CUs” security updates for Exchange and publish some guidance or recommendations on how to get them to actually install. More often than not, if I try to install one, I end up with a broken server that has to be scrapped and rebuilt, after I figure out how to migrate the data from it to somewhere else.

    I’ve shortened my comment, there must be some sort of filtering that was blocking it when I post a lot of detail.

    1. sime3000 says:

      Hello PepperdotNet.

      Did you have problems with the installation of the recent KB4092041 Security Update ?

      1. PepperdotNet says:

        Yes, that is why I posted here. I still haven’t got that server going again after I attempted to install kb4094021. The install went like this: Stop all services, do “something” for half an hour, then report failure. No amount of goat sacrifices or incantations can get the services to start anymore. Thankfully it was a new server and had no users migrated to it yet. Now I need to figure out the right way to decommission it and start over I guess.

  6. mcb says:

    When can we expect to see DKIM signing on outgoing mail? Office365 has had it for a long time, but why not Exchange Server? Third-party solutions for Exchange Server keep breaking with updates.

Comments are closed.

Skip to main content