Microsoft has released the latest quarterly updated for Exchange Server 2016 and 2013, as well as an update rollup for Exchange 2010.

Some notes to be aware of:

  • Exchange 2016 CU10 and Exchange 2013 CU21 require .NET Framework 4.7.1 be installed on the server before you install the CU. This requirement was called out as far back as September 2017. If you have a scenario where you can’t see a path to upgrade .NET and Exchange while staying within supported combinations of the two, refer to this article for guidance.
  • The VC++ 2013 runtime is also a pre-requisite for the updates released this month to “provide current and future security updates for a third party component shipped with Exchange Server. The component provides WebReady Document Viewing in Exchange Server 2010 and 2013 and Data Loss Prevention in Exchange Server 2013 and 2016.”
  • Also included in these updates is a critical security patch for the Oracle Outside In libraries, which provide “WebReady Document Viewing in Exchange Server 2010 and 2013 and Data Loss Prevention in Exchange Server 2013 and 2016.” The update is described in MSRC advisory ADV180010. Microsoft has not allocated a severity rating to their advisory (currently it says “None”), but Oracle refers to it as a critical update in their advisory in April. It’s unclear whether that is due to previous critical vulnerabilities patched in the code, or new ones disclosed in April.

Microsoft’s normal practice is to release security updates separately to cumulative updates. In other words, a security update for a supported version of Exchange should always be available as a standalone update, and not require you to install an entire CU to receive the security update. This quarter they have not done that. The security update included in these quarterly updates is not available separately. Microsoft’s statement on this matter is:

The Exchange team has previously stated they will not ship security fixes in a cumulative update not previously released separate from a cumulative update. That goal and official plan of record are unchanged. Shipping the updated third party components in a cumulative update was necessary to integrate a new version of the components and a new product dependency not previously required by Exchange in a manner customers are accustomed to with minimal disruption to the Windows Update process.

New Exchange 2016 and 2013 Cmdlets for Creating and Modifying Remote Shared Mailboxes

A long standing issue with managing shared mailboxes in hybrid environments has been the inability to manage shared mailboxes in Exchange Online by running on-premises Exchange cmdlets. For user mailboxes, the New-RemoteMailbox, Enable-RemoteMailbox, and Set-RemoteMailbox cmdlets can be used. But for shared mailboxes it was necessary to create the shared mailbox on-premises first, then migrate it to Exchange Online. Or alternatively, create the remote mailbox as a user mailbox in Exchange Online, and then convert it to a shared mailbox.

Quietly mentioned in the release notes for the cumulative updates released this quarter are updates to the *-RemoteMailbox cmdlets to add a -Shared parameter, enabling the management of remote shared mailboxes from the on-premises Exchange management shell.

To receive this update you must ensure that you prepare your Active Directory using the setup.exe file in Exchange 2016 CU10 or Exchange 2013 CU21.

C:\temp\exchangeCU\> setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms

If you do not manually prepare AD then setup might not do the preparation automatically for you. This depends on which previous version of Exchange you’re updating from. The safest approach is to manually prepare AD yourself to ensure that it is done.

Exchange Server 2013 Extended Support

Microsoft has included a note in this release that Exchange Server 2013 is now in the extended support phase of its lifecycle. Cumulative Update 21 is the last planned CU for Exchange Server 2013, so you must update to CU21 to continue to receive security updates, and for support in hybrid environments. Microsoft may at their discretion release future CUs if required for security or hybrid compatibility reasons.

Exchange Server 2010 Updates

Exchange 2010 SP3 UR22 adds support for Windows Server 2016 domain controllers. Prior to this update it was necessary to include pre-2016 domain controllers in AD sites where Exchange 2010 is running.

There are no restrictions to adding Windows Server 2016 domain controllers in forests where Exchange Server 2010 is deployed. Support for Active Directory Forest Functional Levels through Windows Server 2016 is included. Domain Controllers must be running Windows Server 2016 updates released through June 2018 to be supported. Customers are encouraged to remain current by applying monthly operating system quality updates.

UR22 also fixes an Exchange Web Services (EWS) impersonation issue for 2010/2016 co-existence environments.

Additional Information

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. Natalie Frith

    Comments for this blog post are now closed; please contact for any additional questions and comments, thank you.

  2. Mark

    Any reports of significant problems or known issues after installing CU10 for Exchange 2016 in the wild? I haven’t seen any.

    Will be first time doing an Exchange CU update, so proceeding with caution.

    Is there a good ‘waiting’ time period before installing a CU update? (Outside of lab testing, etc.)

    Thanks for sharing this info!

  3. Pete

    Hey mate.
    Good reading. Thanks for sharing your knowledge.

    The link in your article seems to go to “Microsoft .NET Framework 4.7” (not version 4.7.1).
    Was wondering, is this a “link-o” or a “type-o”?

  4. Stiliyan Stoychev

    Thx Paul for this article!

  5. prab

    Hi Paul,

    I am preparing to update Exchange 2013 CU10 to CU 21. I would appreciate if you could point me the exact path to follow to update to CU21.

    Before CU21 was release, my plan was to:
    1. update to CU15
    2. update to .Net 4.6.2
    3. Install CU20
    4. update 4.7.1


    1. Avatar photo
      Paul Cunningham

      Please read the links at the end of the article. They answer your question.

  6. Amit

    I have Exchange 2010 SP3 RU18. I don’t have any product on my server using Oracle. Do, i still need to update to RU22.

    1. Avatar photo
      Paul Cunningham

      Yes. The Oracle library is used by Exchange, it’s part of the Exchange product and you won’t see it listed separately as installed software on the server, but it is there. So yes, you need to update to patch that vulnerable component.

  7. Amr

    Hello, Should VC++ 2013 runtime be installed separately ? if yes should it be done before or after CU deployment? if no , is the package already included in the CU? thanks in advance.

    1. Avatar photo
      Paul Cunningham

      It is a pre-requisite, which means it must be installed before the CU. It is not included in the CU.

      1. Amr

        Awesome , thanks a lot for your prompt response.

Comments are closed.