Exchange 2013 CU20 Released


Exchange 2013 CU20 has been released to the Microsoft download centre!  Exchange 2013 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.    CUs are a complete installation of Exchange 2013 and can be used to install a fresh server or to update a previously installed one.  Exchange 2013 SP1 was in effect CU4, and CU20 is the sixteenth post SP1 release.

Download Exchange 2013 CU20

This is build 15.00.1367.003 of Exchange 2013 and the update is helpfully named Exchange2013-x64-cu20.exe, which is a great improvement over the initial CUs that all had the same file name!  Details for the release are contained in KB 4055221.

Whether or not your AD Schema needs to be updated depends upon your initial Exchange 2013 version.  Check the values as noted in this post.  There may be additional RBAC definitions, so PrepareAD should be executed prior to installing CU20.  If setup detects that PrepareAD is required, it should be automatically executed if the account running setup has the necessary permissions.  This was an issue first discussed in the MessageCopyForSentAsEnabled post and in Unexpected Exchange AD Object Values.

Exchange 2007 is no longer supported.  Updates are not provided once a product has exited extended support.

Updates Of Particular Note

.NET Framework 4.7.1 is fully supported.  Currently this is an optional item, but it will be required with the June 2018 CU.  Plan accordingly!  Customers should test, verify and install CU20, then move to update to .NET 4.7.1, which will be required for the June 2018 CU install.

.NET Framework 4.7 is not supported.

TLS 1.2 is now supported on all supported Exchange versions.  Expect to see additional guidance on this subject.  The first post in this series is already available.   This is a work stream that will require attention as Office 365 will enforce TLS 1.2 on October 31st 2018.  This is an extension to the previous announcement, and details are available here.

4073392 Description of the security update for Microsoft Exchange: March 13, 2018

4073096 Emails sent from a shared mailbox aren't saved in Sent Items when MessageCopyForSentAsEnabled is True

4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016

4057216 Health mailbox's password is exposed in logs for a failed probe in Exchange Server 2016 and 2013

 

CU20 includes the security fixes released to address the issues in the March 2018 security bulletin.

CU20 also includes the latest DST updates.

 

Issues Resolved

4073392 Description of the security update for Microsoft Exchange: March 13, 2018

4073094 Emails outside a UID range are returned when you request for emails by using IMAP

4073097 Monitoring probes of ECP.Proxy health checks fail on all CAS roles in Exchange Server 2013 and 2016

4057216 Health mailbox's password is exposed in logs for a failed probe in Exchange Server 2016 and 2013

4058384 Get-CalendarDiagnosticAnalysis shows DateTime in 12-hour clock in Exchange Server 2016 and 2013

4057290 Incorrect user is returned in the ECP when one user's display name matches another user's alias

4055433 User is added to an entire series when accepting a single instance through Exchange ActiveSync

4058401 Administrator audit logging does not record Set-ServerComponentState cmdlet details in Exchange Server 2013 or 2016 environment

4073095 "550 5.6.0 CAT.InvalidContent.Exception" and email isn't delivered in Exchange Server 2016 and 2013

4058379 All cross-forest meeting updates have to be accepted again in Exchange Server 2016 and 2013

4073093 Save issues occur when you use the plain Text Editor in OWA of Exchange Server 2013

4073096 Emails sent from a shared mailbox aren't saved in Sent Items when MessageCopyForSentAsEnabled is True

Some Items For Consideration

As with previous CUs, this one also follows the new servicing paradigm which was previously discussed on the blog.  The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2013 installation.  You do not need to install Cumulative Update 4 or 5 for Exchange Server 2013 when you are installing the latest CU.  Cumulative Updates are well, cumulative.  What else can I say…

Customers with a hybrid Exchange deployment must keep their on-premises Exchange servers updated to the latest update or the one immediately prior (N or N-1).

After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange 2013. If you uninstall this cumulative update package, Exchange 2013 is removed from the server.

  • Test the CU in a lab which is representative of your environment

  • Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server

  • Follow your organisation’s change management process, and factor the approval time into your change request

  • Provide appropriate notifications as per your process.  This may be to IT teams, or to end users.

  • After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange. If you uninstall this cumulative update package, Exchange is removed from the server.

  • Place the server into SCOM maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

  • Place the server into Exchange maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

  • I personally like to restart prior to installing CUs.  This helps identify if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations.  3rd party AV products are often guilty of this

  • Restart the server after installing the CU

  • Ensure that all the relevant services are running

  • Ensure that event logs are clean, with no errors

  • Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment.  This includes archive, backup, mobility and management services

  • Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application.  FIM and 3rd party user provisioning solutions are examples of the latter

  • Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed.  See KB981474

  • Disable file system antivirus prior to installing.  Do this through the appropriate console.  Typically this will be a central admin console, not the local machine

  • Verify file system antivirus is actually disabled

  • Once server has been restarted, re-enable file system antivirus

  • Note that customised configuration files are overwritten on installation.  Make sure you have any changes fully documented!

  • While CU20 does not add any new AD Schema changes, if you are on an out-dated CU currently, then deploying CU20 may contain AD Schema updates for your organisation – please test and plan accordingly!  Whether or not your AD Schema needs to be updated depends upon your initial Exchange 2013 version.  Check the values as noted in this post.  Additional RBAC definitions may also be required.
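
Several of the checklist items above (pending file renames, .NET level, execution policy, services, event logs, installed build) can be read from PowerShell on the server. This is an added example, not code from the original post: the function and property names are hypothetical, the .NET `Release` values come from Microsoft's .NET documentation rather than this post, and it assumes ExSetup.exe resolves on the PATH and that the services of interest use the MSExchange name prefix.

```powershell
# Added example: read-only checks to run before and after installing the CU.
# Function and property names are hypothetical; nothing here changes the server.
function Get-CuInstallReadiness {
    # .NET 4.x "Release" DWORD values as documented by Microsoft (not from this post).
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = $ndp.Release
    if (461308, 461310 -contains $release) { $dotNet = '4.7.1 (supported)' }
    elseif (460798, 460805 -contains $release) { $dotNet = '4.7 (not supported)' }
    else { $dotNet = "Release=$release (check the supportability matrix)" }

    # A populated PendingFileRenameOperations value means a restart is outstanding.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pendingRename = $null -ne $sm.PendingFileRenameOperations

    # Assumption: ExSetup.exe is on the PATH, as in the Exchange Management Shell.
    # After the install, compare the value with the CU20 build quoted in this post.
    $exSetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    $build = if ($exSetup) { $exSetup.FileVersionInfo.ProductVersion } else { 'ExSetup.exe not found' }

    # Assumption: the services of interest use the MSExchange name prefix.
    $filter = "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'"
    $stopped = @(Get-WmiObject Win32_Service -Filter $filter | ForEach-Object { $_.Name })

    # Critical (1) and Error (2) events in the Application log over the last hour.
    $query = @{ LogName = 'Application'; Level = 1, 2; StartTime = (Get-Date).AddHours(-1) }
    $recentErrors = @(Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DotNetFramework    = $dotNet
        RestartPending     = $pendingRename
        ExecutionPolicy    = (Get-ExecutionPolicy).ToString()
        InstalledBuild     = $build
        AutoServicesDown   = $stopped -join ', '
        RecentErrorEvents  = $recentErrors.Count
    }
}

Get-CuInstallReadiness | Format-List
```

Run it once before setup to catch an outstanding restart or an unsupported .NET level, and again after the post-install restart to confirm the build, services and event log state.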

Please enjoy the update responsibly!

What do I mean by that?  Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment.  Additionally, you will need to test the CU in your lab, which should be representative of your production environment.

Cheers,

Rhoderick

Comments (5)

  1. Jason says:

    We are using a hybrid deployment only for the purposes of migrating fully to Exchange online. We have CU18. Is this supported?

    1. Hi Jason,

      That’s the point of hybrid, to allow you to migrate, and yes you need to follow the support policy which is N or N-1 for Exchange updates.

      Cheers,
      Rhoderick

  2. ZakBhai says:

    We are on Exchange 2013 CU5 on prem only. If I jump straight to CU20, are there any reported issues or concerns?
    Also TLS 1.2, do I have to make any change on Exchange 2013 on prem to be compliant with TLS 1.2 since we are using EOP for email security, or does it not impact on-premises Exchange with EOP?

    1. Oh my – that is quite the jump… You will need to review the changes in each of the last 15 CUs to look at what has changed. The short answer is a lot….

      I’m referring all TLS questions to this series of posts:
      https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

      And yes, need to focus on this as it will apply to EOP

      Cheers,
      Rhoderick
