News

Microsoft Slowing the Pace of Exchange Server Cumulative Update Releases

• By Kurt Mackie
• 04/20/2022

Microsoft on Wednesday announced the release of its latest cumulative updates (CUs) for Exchange Server 2016 and Exchange Server 2019, while also outlining a coming CU release-cycle change from quarterly to biannual releases.

Microsoft released CU 12 for Exchange Server 2019, which adds support for Windows Server 2022 and permits IT pros to use multifactor authentication with the "Hybrid Management PowerShell module." Microsoft also threw in "a product key for Exchange 2019 hybrid servers at no additional charge" with this CU 12 release.

Also released was CU 23 for Exchange Server 2016, which eliminates an attack approach using UNC paths, according to this Knowledge Base article description.

Additionally, Microsoft is planning to drop an Exchange Server management requirement for "hybrid" (cloud services plus on-premises server) Exchange users.

New Biannual CU Release Cycle
Under its newly announced plan, Exchange Server CU releases will occur in "H1 and H2 of each calendar year, with general target release dates of March and September," the announcement explained.

This new CU release schedule officially will begin this year, starting with the H2 release. Microsoft did label this week's CU releases as "H1" releases, though.

The new CU release cycle will be in effect just for Exchange Server 2019, since that product still falls under Microsoft's "mainstream" support-phase period (the first five years). Other servers, such as Exchange Server 2013 and Exchange Server 2016, have shifted out of mainstream support and are in Microsoft's "extended" support phase (the last five years). Microsoft just provides security fixes (no product updates) during the extended phase.

Regarding this shift to biannual CU releases, Microsoft explained that its customers deemed four CU releases per year to be "too frequent," hindering their ability to keep Exchange Server properly updated. It's a Microsoft requirement for organizations running hybrid Exchange Server implementations to be patched at least with "the immediately previous" CU or update rollup release.

Microsoft may not rigidly stick with this new biannual CU release cycle, though. It also could release Exchange Server hotfixes in various months.

"A CU release every 6 months might be too long to wait for some updates, so we may also release hotfixes between CU releases," the announcement noted.

Exchange Online Management Requirement Change
Microsoft has been requiring Exchange Online users that also use Active Directory for identity and access management to have an Exchange Server instance installed just for management purposes. That requirement to "manage recipients" is getting dropped with the CU 12 release for Windows Server 2019, which contains an "updated Exchange Management Tools role."

This new Management Tools role will let IT pros get rid of Exchange Server implementations just used for management purposes. Here's Microsoft's explanation to that effect:

The updated Management Tools role eliminates the need to have a running Exchange server for recipient management in this scenario. If you have only a single Exchange server that you use only for recipient management, you can install the updated tools on a domain-joined workstation, shut down your last Exchange server, and manage recipients using Windows PowerShell. For more information, see Manage recipients in Exchange Server 2019 Hybrid environments.

This change is likely to be a welcome one for organizations, since Exchange Online users may not be subject to the kinds of attacks carried out last year by the "Nobelium" advanced persistent threat espionage group. The attacks were thought to have used Exchange Server exploits to exfiltrate Exchange Online e-mail.