October 2022 Exchange Server Security Updates

Security updates for Microsoft Exchange Server have been released for October 2022.

These updates are available for the following specific versions of Exchange Server:

Exchange Server 2013 CU23
Exchange Server 2016 CU22 and CU23
Exchange Server 2019 CU11 and CU12

The recommendation is to install these updates immediately to protect your environment.
If your servers are already on one of the Cumulative Updates (CU) listed above, you only need to install the Security Update (SU). Otherwise, remember that you have to install the Cumulative Update (CU) first and then the Security Update (SU).

The following update paths are available:


These vulnerabilities only affect Exchange Server.
Exchange Online customers are already protected from the vulnerabilities addressed.

Note: Do not run the update by double-clicking the .msp file. Open Command Prompt (not PowerShell) as an Administrator and run the .msp from there.


Additional Action Required!

As you know, we have always run the /PrepareSchema and /PrepareAD operations before installing a CU.
Starting with the updates released in May 2022, there is an additional step.

The following actions should be taken in addition to the application of May 2022 security updates:

After installing the cumulative update and the security update, run the following command once from Command Prompt, using Setup.exe in your Exchange Server installation path "\Program Files\Microsoft\Exchange Server\v15\Bin":

"Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /P"

Microsoft says that the step is necessary “because of additional security hardening work for CVE-2022-21978,” which is one of the vulnerabilities addressed by the updates.

When running a Database Availability Group, do not forget to put the Exchange Server cluster (DAG) member in maintenance mode first.
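The one-time Setup.exe /P step above is easy to get wrong (wrong session, wrong path, unnoticed failure). The following PowerShell wrapper is an added example, not code from the original post or from Microsoft: it checks that the session is elevated, locates Setup.exe through the ExchangeInstallPath environment variable that Exchange setup creates, runs the exact switches quoted above, and fails loudly on a non-zero exit code. The function name is an assumption for this example.

```powershell
# Added example (not from the original post): run the post-update Setup.exe /P step
# safely. Assumes the ExchangeInstallPath environment variable set by Exchange setup;
# the function name Invoke-ExchangePrepareAllDomains is a placeholder for this example.

$ErrorActionPreference = 'Stop'

function Test-IsElevated {
    # Setup.exe /P modifies Active Directory and needs an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-ExchangePrepareAllDomains {
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated session; Setup.exe /P needs administrative rights.'
    }

    $installPath = $env:ExchangeInstallPath
    if (-not $installPath) {
        throw 'ExchangeInstallPath is not set; this does not look like an Exchange server.'
    }

    $setupExe = Join-Path $installPath 'Bin\Setup.exe'
    if (-not (Test-Path $setupExe)) {
        throw "Setup.exe not found at $setupExe"
    }

    # Exactly the switches from the post: accept the license terms and run /P.
    $setupArgs = @('/IAcceptExchangeServerLicenseTerms_DiagnosticDataON', '/P')
    $proc = Start-Process -FilePath $setupExe -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow

    if ($proc.ExitCode -ne 0) {
        # Exchange setup writes its log to C:\ExchangeSetupLogs\ExchangeSetup.log.
        throw "Setup.exe /P failed with exit code $($proc.ExitCode); check C:\ExchangeSetupLogs\ExchangeSetup.log."
    }

    Write-Host 'Setup.exe /P completed successfully.'
}

Invoke-ExchangePrepareAllDomains
```

Run it once, after the CU and SU are installed, from an elevated PowerShell session on a server in the domain; the throw on a non-zero exit code is there so that a failed /P run is not silently mistaken for success.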


Have a nice day!

Exchange Server Cluster (DAG) Maintenance

If you are planning to install cumulative updates on your Exchange Servers, you must first put the server on which you will install the update into maintenance mode.
To put an Exchange Server into maintenance mode, follow these steps:

  • First of all, if you are using a load balancer, make sure that there is no mail traffic to the server you will maintain.
  • Pre-Check 1 – Get-ServerComponentState ExchServerName | ft Component,State -AutoSize
  • Pre-Check 2 – Get-MailboxServer ExchServerName | ft DatabaseCopy* -AutoSize
  • Pre-Check 3 – Get-ClusterNode ExchServerName | fl
  • Pre-Check 4 – Get-Queue
  • Maintenance 1 – Set-ServerComponentState ExchServerName -Component HubTransport -State Draining -Requester Maintenance
  • Maintenance 2 – Restart-Service MSExchangeTransport
  • Maintenance 3 – Get-Queue
  • Maintenance 4 – CD $ExScripts
    .\StartDagServerMaintenance.ps1 -serverName ExchServerName -MoveComment Maintenance -PauseClusterNode
  • Maintenance 5 – Redirect-Message -Server ExchServerName -Target OtherServerName
  • Maintenance 6 – Suspend-ClusterNode ExchServerName
  • Maintenance 7 – Set-MailboxServer ExchServerName -DatabaseCopyActivationDisabledAndMoveNow $True
  • Maintenance 8 – Set-MailboxServer ExchServerName -DatabaseCopyAutoActivationPolicy Blocked
  • Maintenance 9 – Set-ServerComponentState ExchServerName -Component ServerWideOffline -State Inactive -Requester Maintenance
  • Control 1 – Get-ServerComponentState ExchServerName | ft Component,State -AutoSize
  • Control 2 – Get-MailboxServer ExchServerName | ft DatabaseCopy* -AutoSize
  • Control 3 – Get-ClusterNode ExchServerName | fl
  • Control 4 – Get-Queue

By the way, if you have made changes to configuration files (Web.config, EdgeTransport.exe.config, etc.), back them up before starting the update process, because the update overwrites these files and your changes will be reset to their default values.

You can now update the server.

After completing the update, we need to take the server out of maintenance mode.

  • After 1 – Set-ServerComponentState ExchServerName -Component ServerWideOffline -State Active -Requester Maintenance
  • After 2 – CD $ExScripts
    .\StopDagServerMaintenance.ps1 -serverName ExchServerName
  • After 3 – Set-ServerComponentState ExchServerName -Component HubTransport -State Active -Requester Maintenance
  • After 4 – Restart-Service MSExchangeTransport
  • After 5 – Get-ServerComponentState ExchServerName | ft Component,State -AutoSize
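The two step lists above (entering maintenance mode before the update, leaving it afterwards) are easier to run reliably as a pair of functions that also verify the state they were supposed to reach. The script below is an added example written for this page, not code from the original post or from Microsoft; it runs the same cmdlets and scripts in the same order, waits for the transport queues to drain, and checks component, cluster-node and activation state at the end of each phase. The function names and the server names EX01 and EX02 are placeholders.

```powershell
# Added example (not from the original post): the post's maintenance-mode steps as two
# functions with verification. Run in the Exchange Management Shell on the DAG member.
# Server names, function names and the 30-second poll interval are assumptions.

$ErrorActionPreference = 'Stop'

# $ExScripts is defined by the Exchange Management Shell; fall back to the install path.
$scriptsPath = if ($ExScripts) { $ExScripts } else { Join-Path $env:ExchangeInstallPath 'Scripts' }

function Get-PendingMessageCount {
    param([string]$Server)
    # Shadow queues hold copies of mail owned by other servers; they do not block maintenance.
    $queues = Get-Queue -Server $Server | Where-Object { $_.DeliveryType -ne 'ShadowRedundancy' }
    return ($queues | Measure-Object -Property MessageCount -Sum).Sum
}

function Enter-ExchangeMaintenance {
    param(
        [Parameter(Mandatory)][string]$Server,        # server about to be updated
        [Parameter(Mandatory)][string]$TargetServer   # healthy DAG member that takes the queued mail
    )

    # Maintenance 1-3: stop accepting new mail and let the queues drain.
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Restart-Service MSExchangeTransport

    # Maintenance 4-6: move database copies away, then redirect and wait for remaining mail.
    & (Join-Path $scriptsPath 'StartDagServerMaintenance.ps1') -serverName $Server -MoveComment Maintenance -PauseClusterNode
    Redirect-Message -Server $Server -Target $TargetServer -Confirm:$false
    while ((Get-PendingMessageCount -Server $Server) -gt 0) {
        Write-Host "Waiting for queues on $Server to drain..."
        Start-Sleep -Seconds 30
    }
    Suspend-ClusterNode $Server | Out-Null

    # Maintenance 7-9: block activation and take the whole server offline.
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance

    # Control 1-4: verify before touching the server. Only Monitoring and
    # RecoveryActionsEnabled are expected to stay Active while ServerWideOffline is Inactive.
    $stillActive = Get-ServerComponentState $Server |
        Where-Object { $_.State -eq 'Active' -and $_.Component -notin 'Monitoring', 'RecoveryActionsEnabled' }
    if ($stillActive) { throw "Components still active on ${Server}: $($stillActive.Component -join ', ')" }

    $mbx = Get-MailboxServer $Server
    if ($mbx.DatabaseCopyAutoActivationPolicy -ne 'Blocked') { throw "$Server still allows database activation." }
    if ((Get-ClusterNode $Server).State -ne 'Paused') { throw "Cluster node $Server is not paused." }

    Write-Host "$Server is in maintenance mode; install the update now."
}

function Exit-ExchangeMaintenance {
    param([Parameter(Mandatory)][string]$Server)

    # After 1-4: bring components back, resume the cluster node and database copies, restart transport.
    Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
    & (Join-Path $scriptsPath 'StopDagServerMaintenance.ps1') -serverName $Server
    Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance
    Restart-Service MSExchangeTransport

    # After 5: nothing should remain Inactive once maintenance is over.
    $inactive = Get-ServerComponentState $Server | Where-Object { $_.State -ne 'Active' }
    if ($inactive) { Write-Warning "Still inactive on ${Server}: $($inactive.Component -join ', ')" }
    if ((Get-ClusterNode $Server).State -ne 'Up') { Write-Warning "Cluster node $Server is not Up." }

    Write-Host "$Server is back in service; add it to the load balancer again."
}

# Usage (placeholder server names):
#   Enter-ExchangeMaintenance -Server EX01 -TargetServer EX02
#   ... install the CU/SU from an elevated Command Prompt and reboot ...
#   Exit-ExchangeMaintenance -Server EX01
```

The verification at the end of Enter-ExchangeMaintenance is the part worth keeping even if you prefer to type the cmdlets by hand: an update started on a server whose cluster node is not paused or whose databases can still be activated is how a planned maintenance turns into an unplanned failover.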


If you backed up customised configuration files, compare the post-update files with your backups and reapply your changes. (Don’t forget to restart the server.)

Now you can add the server to the load balancer again and include it in the mail traffic.


Have a nice day!