Current build numbers, overview of all updates and testing


Microsoft’s Exchange Server just can’t stay out of the headlines. On top of that, it has become hard to see through the Microsoft update jungle: Which CU is safe? Do I have all the patches? Has PrepareSchema been run? In this guide we clarify what the current security updates are and how to easily perform a “vulnerability check” on the Exchange server.

Since March, Microsoft has been publishing security patches for its Exchange Server products almost monthly, closing security gaps that should not be underestimated. Admins are urged to keep their Exchange servers up to date: the Hafnium vulnerability in March, further patches in April and the new Pwn2Own vulnerabilities with the patch from May 2021. In addition, there are important security updates from July 2021. It is hard for anyone to keep track of which patches are actually installed. Fortunately, Microsoft is now offering a remedy here.

Microsoft Exchange Server: Find out the version and security patch of the server

Before starting the updates, you should get an overview of which version (CU) is currently in use. The well-known command for this is executed in the Exchange Management Shell:

Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

This provides the current build number in short format (AdminDisplayVersion), which can be assigned to a CU using the Microsoft overview. An Exchange Server 2016 with AdminDisplayVersion “Version 15.1 (Build 2242.4)”, thus build number “15.1.2242.4”, currently has CU 20.

Since this only helps to a limited extent in this case, the current status of the security patch (SU) can also be checked. To do this, copy the following command into the Exchange Management Shell as a whole, press Enter and wait a little:

# Query the file version of Exsetup.exe on every Exchange server in the organization
$ExchangeServers = Get-ExchangeServer | Sort-Object Name
ForEach ($Server in $ExchangeServers) {
    Invoke-Command -ComputerName $Server.Name -ScriptBlock { Get-Command Exsetup.exe | ForEach-Object { $_.FileVersionInfo } }
}

The output then shows the “FileVersion”, which gives the build number in long format. In this example, the output “15.01.2242.012” means that all available updates for CU 20 have been installed.


Microsoft Exchange Server: Current Build Numbers (August 2021)

If the long build version of the Exchange server is not at least one of the following numbers, you should quickly start installing the latest security updates.

Important: A current version number does not necessarily mean that all previous security updates have been correctly installed. The latest security update from July 2021 only fixes older gaps up to and including March 2021. The security updates from April and May must be installed separately. To check whether you have really installed all updates – and also correctly – scroll down to “Vulnerability Check”.


Exchange 2013

  • CU 23: 15.00.1497.023 (July 2021 security update installed)

Exchange 2016

  • CU 19: vulnerable, latest security update only available with CU 20
  • CU 20: 15.01.2242.012 (July 2021 security update installed)
  • CU 21: 15.01.2308.014 (July 2021 security update installed)

Exchange 2019

  • CU 9: vulnerable, latest security update only available with CU 10
  • CU 10: 15.02.0858.015 (July 2021 security update installed)
  • CU 11: 15.02.0922.013 (July 2021 security update installed)
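
The comparison against this list can be scripted. The following is an added example, not part of the original article: it parses the long-format FileVersion and compares it with the minimum builds listed above. The function name Test-ExchangeBuild, the server names and the sample versions are constructed for illustration.

```powershell
# Minimum long-format builds copied from the list above (July 2021 security update installed).
# Key = major.minor.build of the CU, value = lowest acceptable revision.
$MinimumRevision = @{
    '15.0.1497' = 23   # Exchange 2013
    '15.1.2242' = 12   # Exchange 2016
    '15.1.2308' = 14   # Exchange 2016
    '15.2.858'  = 15   # Exchange 2019
    '15.2.922'  = 13   # Exchange 2019
}

function Test-ExchangeBuild {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $FileVersion
    )
    # [version] drops the zero padding: "15.01.2242.012" becomes 15.1.2242.12
    $v   = [version]$FileVersion
    $key = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build

    if (-not $MinimumRevision.ContainsKey($key)) {
        $status = 'CU not in the list: check the CU level first'
    } elseif ($v.Revision -lt $MinimumRevision[$key]) {
        $status = 'Below listed build: security update missing'
    } else {
        $status = 'Listed build or newer'
    }
    [pscustomobject]@{ Server = $Server; Build = $v.ToString(); Status = $status }
}

# Constructed sample input (hypothetical servers). On a real system, collect the value with
# (Get-Command Exsetup.exe).FileVersionInfo.FileVersion via Invoke-Command, as shown earlier.
$Sample = @(
    @{ Server = 'EXSRV01'; FileVersion = '15.01.2242.012' }   # at the listed build
    @{ Server = 'EXSRV02'; FileVersion = '15.01.2242.004' }   # CU present, SU missing
    @{ Server = 'EXSRV03'; FileVersion = '15.01.2176.002' }   # CU not in the list
)

$Sample |
    ForEach-Object { Test-ExchangeBuild -Server $_.Server -FileVersion $_.FileVersion } |
    Format-Table -AutoSize
```

A matching build number only shows that the latest update is present; as the note above says, it does not prove that the April and May updates were installed correctly, so the HealthChecker run is still needed.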

Microsoft Exchange Server: The latest security updates

A short summary of which security updates should definitely be installed for the respective Exchange version. The security updates for Pwn2Own (from May 2021) also patch the Hafnium holes from March. Attention: Apart from that, a newer security update from July 2021 does not close older gaps covered by previous updates (April, May)!

So far no updates (especially the very critical ones from March, April and May) have been installed? Congratulations, the server is most likely already a spam source and the vulnerabilities are already being actively exploited. Crypto trojans, backdoors and other viruses are to be expected. In order to save your job as IT admin, the server should immediately be taken off the network and checked for traces of possible break-ins, a clean older backup should be restored, and all updates from April onwards should urgently be installed.

The following applies to all updates: All setups should be run from an open CMD or PowerShell window with administrator rights. This is the only way to ensure a smooth update. Updating via Windows Update can also lead to problems, as some instructions have to be observed (more on this further below).

Exchange 2013

Exchange 2016

Exchange 2019

Case studies based on Exchange 2016

  • Example 1: An Exchange 2016 is running CU 20. If no security patches have been installed by August 2021, all updates from April, May and July must be installed step by step.
  • Example 2: An Exchange 2016 is running CU 20 and is updated to CU 21 in June. Only the security update from July 2021 needs to be installed, as a CU contains all security updates published before its release date. Since CU 21 was released in June, it already contains the security patches from April, May and before.
  • Example 3: An Exchange 2016 is running CU 19. Warning: the server is vulnerable, as no update for the latest security vulnerability is available for this CU. An update to CU 21 is strongly recommended (with a detour via CU 20). The July 2021 security update for CU 21 must then be installed.

The same examples are of course equally valid when operating an Exchange 2019. After installing the above updates, a PrepareSchema update must be carried out, see the next section.

Perform PrepareSchema: Necessary for updates from July 2021 (marked with *)

For updates marked with an asterisk above, further steps are required to close the gap completely. This is a schema update that must be carried out.

What to do with the currently used version …

Exchange 2013 CU 23

First install the security update as usual with administrator rights in PowerShell / CMD. Then carry out the schema update from the updated setup files in CMD / PowerShell with administrator rights:

"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms

Exchange 2016 CU 20

Carry out the schema update with the CU 21 setup files. First install the security patch as usual with administrator rights in PowerShell / CMD. Then download the CU 21 ISO file and mount it with a double-click (in the following, mounted as F:), then carry out the schema update in CMD / PowerShell with administrator rights. The setup itself does not have to be started, so no update to CU 21 is required:

"F:\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms

Exchange 2016 CU 21

If a schema update has already taken place with the update to CU 21, no further action is required. Otherwise restart the setup from CU 21 with a schema update:

"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms

Exchange 2019 CU 9

Carry out the schema update with the CU 10 setup files. First install the security patch as usual with administrator rights in PowerShell / CMD. Then download the CU 10 ISO file and mount it with a double-click (in the following, mounted as F:), then carry out the schema update in CMD / PowerShell with administrator rights. The setup itself does not have to be started, so no update to CU 10 is required:

"F:\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms

Exchange 2019 CU 10

If a schema update has already taken place with the update to CU 21, no further action is required. Otherwise restart the setup from CU 21 with a schema update:

"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms

Exchange Server: Check whether all updates have been installed (“Vulnerability Check”)

Microsoft now offers a HealthChecker script, which knows all known security gaps and checks for installed security updates. The current version can be downloaded here; note that it is not the “latest v2 release” (for Exchange Server 2010), as one might assume when skimming quickly, but the first link directly: Download HealthChecker.ps1.


The source code of the HealthChecker can be viewed in this GitHub repository. After the download, run the script in the Exchange Management Shell. The parameter for specifying the server is optional; without it, the script simply checks the local server:

.\HealthChecker.ps1

or

.\HealthChecker.ps1 -Server "EXSRV01"

After the run, some warnings may be shown that can be useful for further performance optimization. Even more important are the warnings about missing security patches, should any be found. There is another command to output a practical HTML report:

.\HealthChecker.ps1 -BuildHtmlServersReport -HtmlReportFile "EXSRV01check.html"

The generated file (EXSRV01check.html) can be opened in the browser with a double click, which makes the results much easier to read. Otherwise there is only a .txt log file that lists all the checks.

Have all checks been carried out successfully? Congratulations, the server should be safe from all known security holes. Until the next gap, then … oh yes, don’t forget: Have all available updates for Windows Server been installed via Windows Update?

Addition: PrintNightmare gap

The security holes in the Windows Print Spooler are a further issue. If you do not need printing services on your Exchange server, you should deactivate the print spooler service right away. To do this, search for “Print Spooler” in the Windows services, double-click on it and set the startup type to “Disabled”. Then there shouldn’t be any reason to worry here.

However, if you need the printer service, you should install all current security updates via Windows Update. But that may not be the end of it: not all gaps have been completely resolved as of August 2021. There is more information on this subject in a detailed article by MSXFAQ.
