Microsoft has released Exchange Server 2016 CU8 (download) and Exchange Server 2013 CU19 (download) for on-premises servers today. This is exactly three months to the day since their last release (which I discussed in this blog post: September 2017 Quarterly Exchange Updates).
The Microsoft blog post on the topic can be found here: Released: December 2017 Quarterly Exchange Updates.
Little has changed, quite frankly. But both updates include the security patches released last week.
Most notable changes:
- Support for .NET Framework 4.7.1 in both Exchange 2013 and Exchange 2016. You must apply the update to the .NET Framework AFTER you install the Cumulative Update!
- Exchange no longer changes the TLS configuration for an Exchange Server when a CU is applied. The Exchange Team has promised that recommendations for the TLS configuration will soon be forthcoming.
- If you are running hybrid, there is now support for Hybrid Modern Authentication (this is discussed in detail here).
Please remember a few things:
- You should always test in a lab first.
- Your installation of a CU may fail or take significantly longer if you don’t disable anti-virus and anti-malware software before the installation.
- If you have a large number of servers, you should probably drain and place each server in maintenance mode before applying the CU (and then return them to operational mode after!).
- I generally find that things go more smoothly if you reboot your server “very first thing”.
- Not every CU may contain changes to the Active Directory Schema, or to RBAC roles, or many other things. But life can often be made simpler by doing a PrepareSchema and a PrepareAllDomains before executing the upgrade. On my first server to be upgraded, my normal process is this:
    setup /IAcceptExchangeServerLicenseTerms /PrepareSchema
    setup /IAcceptExchangeServerLicenseTerms /PrepareAllDomains
    setup /IAcceptExchangeServerLicenseTerms /m:upgrade
  Use an elevated cmd.exe session, not a PowerShell session. (PowerShell searches the path differently than cmd.exe – PowerShell will find the setup.exe in $exbin instead of the setup.exe in the current folder.)
After the upgrade, you should again reboot. Then re-enable your anti-virus and anti-malware. Finally, place the server back in operational mode.
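The changes list above says a CU no longer alters a server's TLS configuration. The following PowerShell script is an added example, not part of the original post or of Microsoft's tooling, that records the SCHANNEL protocol registry values before the upgrade and compares them afterwards; the script name Check-Schannel.ps1 and the baseline file location are assumptions.

```powershell
# Added example (not from the original post). Read-only: it changes no settings.
# Usage:  .\Check-Schannel.ps1 -Mode Save      (before running setup)
#         .\Check-Schannel.ps1 -Mode Compare   (after the post-upgrade reboot)
param(
    [Parameter(Mandatory = $true)][ValidateSet('Save', 'Compare')][string]$Mode,
    # Hypothetical default location for the baseline file.
    [string]$Path = (Join-Path $env:TEMP 'schannel-before-cu.csv')
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelSnapshot {
    # Emit one row per protocol/role/value name. A missing key or value is
    # recorded as '(not set)', meaning the operating system default applies.
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $root "$protocol\$role"
            foreach ($name in 'Enabled', 'DisabledByDefault') {
                $value = '(not set)'
                if (Test-Path -Path $key) {
                    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                    if ($null -ne $item) { $value = [string]$item.$name }
                }
                [pscustomobject]@{ Protocol = $protocol; Role = $role; Name = $name; Value = $value }
            }
        }
    }
}

if ($Mode -eq 'Save') {
    Get-SchannelSnapshot | Export-Csv -Path $Path -NoTypeInformation
    "Baseline written to $Path"
}
else {
    $before = @(Import-Csv -Path $Path)
    $after  = @(Get-SchannelSnapshot)
    # '<=' rows are the pre-CU value, '=>' rows are the post-CU value.
    $diff = Compare-Object $before $after -Property Protocol, Role, Name, Value
    if ($diff) {
        $diff | Sort-Object Protocol, Role, Name, SideIndicator | Format-Table -AutoSize
        Write-Warning 'SCHANNEL protocol settings differ from the pre-CU baseline.'
    }
    else {
        'SCHANNEL protocol settings are unchanged since the baseline.'
    }
}
```

Run the script in a PowerShell session; the setup commands themselves still belong in the elevated cmd.exe session described above.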
Please follow me on Twitter! @EssentialExch
4 Replies to “December 2017 Quarterly Exchange Updates”
The Exchange Team has promised that recommendations for the TLS configuration will soon be forthcoming.
Does this mean that we still can’t disable TLS 1.0 and 1.1 and enable only TLS 1.2 on Exchange 2013?
That is unfortunately correct.
I expect that we will see something in the next CU or so. It wasn’t until .NET 4.7 that the “system plumbing” was really ready for it. And with today’s releases we see that Microsoft will no longer overwrite pre-existing TLS settings (I wish that they wouldn’t override pre-existing WinRM settings either, but that’s another discussion). And we see 4.7.1 support – so I think it’s coming.
Thanks for the clarification.