Installing Cumulative Updates and Service Packs for Exchange Server 2013

In this article I will demonstrate the step by step process for installing cumulative updates and service packs for Exchange Server 2013.

Preparation Tasks

Before installing any cumulative updates you should:

  • Download the CU or Service Pack setup file from the Microsoft Download Center (do not download from third party sites) and extract it to a folder on each server
  • Take a confirmed backup of Active Directory
  • Take a confirmed backup of your existing Exchange 2013 servers and databases
  • Have documented any customizations such as OWA, config files on servers, registry changes, Lync integration, or third party add-ons

Installing Cumulative Updates and Service Packs

Cumulative updates and Service Packs should be installed in the internet-facing site first, before installing in other sites in the organization.

The first servers to be updated in a site are the Mailbox servers. The Client Access servers are updated second. If you have multi-role servers installed then both roles are updated at the same time anyway, and you should simply start with the internet-facing servers.

During the deployment of a cumulative update within a site that contains load-balanced Client Access server or Database Availability Group members there will be a period where servers are not at exactly the same version. Although this is expected and supported, it is not supported to stay in that state for a long period of time.

In other words, you should plan to update all DAG members within a short period of time, and not allow them to run at different versions for days, weeks or months.

Updating Mailbox Servers

Mailbox servers in a multi-server environment, whether installed as standalone or as a multi-role server, should be placed into maintenance mode before installing the cumulative update.

Note that the redirect target server must be provided as a fully qualified domain name.

[PS] C:\>Set-ServerComponentState E15MB1 –Component HubTransport –State Draining –Requester Maintenance

[PS] C:\>Redirect-Message -Server E15MB1 -Target

Are you sure you want to perform this action?
Redirecting messages to "".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

If the server is a DAG member proceed to the next section which contains additional steps for DAG members, otherwise put the server into maintenance mode with the following command.

[PS] C:\>Set-ServerComponentState E15MB1 –Component ServerWideOffline –State InActive –Requester Maintenance

Exchange MVP Michael Van Horenbeeck has published a script for automating the process of starting and stopping maintenance mode.

Updating Mailbox Servers that are Database Availability Group Members

In addition to placing Mailbox servers in maintenance mode any DAG members also need to have active mailbox databases moved to another DAG member, and be blocked from activation while the cumulative update is being installed.

Suspend the DAG member from the cluster.

[PS] C:\>Suspend-ClusterNode –Name E15MB1

Name                 ID    State
----                 --    -----
E15MB1               1     Paused

Disable database copy activation.

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyActivationDisabledAndMoveNow $true

Review the existing database copy auto activation policy, so that you can return it to the same configuration after you’ve completed the upgrade.

[PS] C:\>Get-MailboxServer E15MB1 | Select DatabaseCopyAutoActivationPolicy

DatabaseCopyAutoActivationPolicy : Unrestricted

Set the auto activation policy to “Blocked”. If the policy is already set to “Blocked” then there is no action required.

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyAutoActivationPolicy Blocked

Put the server into maintenance mode.

[PS] C:\>Set-ServerComponentState E15MB1 –Component ServerWideOffline –State InActive –Requester Maintenance

Taking Servers Out of Maintenance Mode

To take the server out of maintenance mode after the upgrade the process is reversed. Make sure that you return the database auto activation policy to the original setting if it was not “Unrestricted”.

[PS] C:\>Set-ServerComponentState E15MB1 –Component ServerWideOffline –State Active –Requester Maintenance

[PS] C:\>Resume-ClusterNode –Name E15MB1

Name                 ID    State
----                 --    -----
E15MB1               1     Up

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyAutoActivationPolicy Unrestricted

[PS] C:\>Set-MailboxServer E15MB1 –DatabaseCopyActivationDisabledAndMoveNow $false

[PS] C:\>Set-ServerComponentState E15MB1 –Component HubTransport –State Active –Requester Maintenance

Exchange MVP Michael Van Horenbeeck has published a script for automating the process of starting and stopping maintenance mode.

Updating Load-Balanced Client Access Servers

If you are running load-balanced Client Access servers in a site then you should configure the load balancer to remove the server from the pool of hosts, and allow any existing connections to close, before you install the cumulative update.

The exact steps for this will depend on the load balancing solution that you use, and you should refer to your vendor documentation for those.

As each Client Access server is updated join it to the pool again and then repeat the process for the next server.

Active Directory Preparation Tasks

Some cumulative updates will include Active Directory schema changes. In those cases the following steps will be required.

Note: The AD preparation tasks are not required to be run separately to the upgrade of Exchange, unless in circumstances where you need to separate the tasks to different teams with different permissions, or if you have a multi-domain forest and want to control the AD changes.

Before applying the schema update follow the steps provided by Michael B Smith to retrieve the existing Exchange schema version, so that you can compare it before and after the AD preparation steps have been completed to verify that the schema update was applied.

  1. Run setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms (requires Enterprise Admins and Schema Admins permissions, and must be performed in the same AD Site as the Schema Master on a server with the RSAT-ADDS-Tools feature installed – the Schema Master itself would meet these requirements)
  2. Run setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
  3. Run setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms in each domain in your forest that contains Exchange servers or mailboxes

When the Active Directory changes have been applied, on each server run the upgrade.

Upgrading the Servers

Cumulative updates can be applied using either the command line or graphical setup, whichever you prefer. Both options are demonstrated below.

  • Follow the pre-installation processes outlined earlier in this article depending on the server roles installed.
  • Do not run the upgrade from the Exchange Management Shell as this will cause it to fail due to locked files. Run the upgrade from an elevated cmd prompt.
  • If you receive a warning that the Office Filter Pack is not installed this can be ignored, as it is not a required component for Exchange Server 2013.
  • Set the PowerShell execution policy on each server being upgraded to Unrestricted, as this may sometimes cause issues with update. Refer to KB981474.

Caution: a cumulative update is a full reinstall of Exchange Server 2013. If it is interrupted, or fails part way through the installation, you may need to perform a server recovery. There is also no way to uninstall a cumulative update.

Note: Exchange 2013 cumulative updates stop the “Microsoft Exchange FrontEnd Transport” and “Microsoft Exchange Transport” services during the pre-requisites check. If you do not proceed with the installation you will need to manually restart the Microsoft Exchange Transport service.

Upgrading Using the Command Line

In an elevated command prompt run the following command from the location where you extracted the cumulative update files.

Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

The command prompt window will display the progress as the upgrade proceeds. The upgrade itself is a lengthy process so you should allow plenty of time for each server.

After the cumulative update has been install restart the server if prompted to do so.

If you had placed the server into maintenance mode then you can run the commands or the script for stopping maintenance mode after the installation is finished (refer to the notes above).

Upgrading Using the Graphical Setup

From the location that you extracted the cumulative update files run Setup.exe. It is recommend to allow setup to connect to the internet and check for updates.


When the update check has completed click Next to continue.


Setup will begin copying files. This can take several minutes depending on your server’s performance capacity.


Setup will detect that this is an upgrade installation.


You will need to accept the license agreement each time you upgrade a server.


Setup will perform a pre-requisites check. If any pre-requisites are not met setup will stop and warn you about them, otherwise you will be able to proceed with the upgrade.


The upgrade itself is a lengthy process and you may find that some steps appear to have hung with no progress. This may be a bug with the graphical setup, whereas the command line setup will typically show the percentage progress as it goes.


When setup is complete you will be prompted to restart the server if required.


After the cumulative update has been install restart the server if prompted to do so.

If you had placed the server into maintenance mode then you can run the commands or the script for stopping maintenance mode after the installation is finished (refer to the notes above).

Post-Installation Tasks

After deploying an Exchange 2013 cumulative update there are a number of post-installation tasks that may be required.

Rebalance the Database Availability Group

After you’ve updated all of your DAG members there is a good chance that the active databases will not be evenly distributed across the DAG, or won’t be on their first activation preference. This process is the same for Exchange 2013 as it is for Exchange 2010.

[PS] C:\>cd $exscripts

[PS] C:\Program Files\Microsoft\Exchange Server\V15\scripts>.\RedistributeActiveDatabases.ps1 -DagName E15DAG -BalanceDbsByActivationPreference

Restoring Customizations

After you have completed updating your servers you will need to re-apply any customizations that you had documented during the preparation steps above.

Verifying Server Health

Here are some suggestions for health checking your Exchange 2013 servers after applying updates.

  1. Check the cluster nodes are all up – verify that you have not left any DAG members suspended in the cluster by running the Get-ClusterNode cmdlet on one of the DAG members.
  2. Test service health – use the Test-ServiceHealth cmdlet to verify that all required services are running on each server.
  3. Test MAPI connectivity to every database – use the Test-MAPIConnectivity cmdlet to verify that all databases are mounted and accessible.
  4. Check the database copy status for DAGs – use the Get-MailboxDatabaseCopyStatus cmdlet to verify that all database copies, copy/replay queues, and content indexes are healthy.
  5. Test replication health for DAGs – use the Test-ReplicationHealth cmdlet on each DAG member to verify replication health is good.
  6. Check the database activation policy for each Mailbox server – verify that each Mailbox server that is in a DAG has the correct database activation policy for your environment.
  7. Check server component status – use Get-ServerComponent to verify that you have not left any servers in maintenance mode.


Thanks to Exchange MVPs Tony Redmond, Jeff Guillet, Michael B Smith, and Michael Van Horenbeeck for sharing their notes and experiences with the cumulative update process.


  1. Rajkumar says

    Hi Paul,

    In my case, Exchange installed on a different directory other than the default one C:

    Do I need to specify the directory name while running the below command?

    Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

    or the upgrade switch will automatically get the directory in which exchange is installed.

    Please advice…

  2. Stephane says


    I have something very strange with my CU3.
    I download the “Exchange2013-x64-cu3.exe” and when I launch the setup in GUI I see correctly “Welcome … Exchange Server 2013 CU3 …”

    When I launch in powershell for update the schema I have :
    Welcome to the unattended Setup of Microsoft Exchange Server 2013 with Cumulative Update 2

    After the update of schema the version of schema is always the same : “15281 (CU2)” and not 15283 (CU3)

    Is it normal ?


  3. Brandon Nolan says

    As a value add:

    I followed this guide and installed CU3 onto a CU2 DAG environment and the only thing I wanted to note is I noticed only the External URL of the ActiveSync virtual directory was set to $null post install. This happened on each of the nodes of the cluster. I changed the setting back to what I needed it to be before bringing the node out of maintenance mode and had great success with all Exchange functions. Thanks again for your insight Paul!

    If I could add anything the settings we typically see change with SP’s and CU’s are Virtual directory settings and the Authentication and SSL settings in IIS. I have created scripts to grab the CAS virtual directory settings before running updates so I can verify the settings after updates easier. I would like to get a similar script for gathering the IIS Authentication and SSL settings if anyone is interested in helping. I can upload the CAS script if anyone is interested.

  4. Brandon Nolan says

    below is the script I put together to help me with migrations and update procedures. I use this all the time to gather CAS information.

    start-transcript -path c:\temp\CASConfig.txt -append

    get-clientaccessserver | fl Name,fqdn,Out*,*uri,*site*,*version,orig*

    get-autodiscovervirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*version,orig*

    get-webservicesvirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*mrs,*version,orig*

    get-oabvirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*version,orig*

    get-owavirtualdirectory -adpropertiesonly | fl server,identity,name,*url,logon*,*version,orig*

    get-ecpvirtualdirectory -adpropertiesonly | fl server,identity,name,*url,*version,orig*

    get-ActiveSyncvirtualdirectory -adpropertiesonly | fl server,identity,name,activesyncserver,*url,*version,orig*

    Get-OutlookAnywhere -ADPropertiesOnly | fl server,name,External*,*auth*


  5. suren says


    Great Article …. Thanks.

    I have 4 Servers for exchange 2 Mailbox and 2 CAS Servers …. just installed exchange on all the servers and not yet created DAG or configured the mail-flow ( i mean post installation tasks) . Can i update to CU3 now ?

    What steps do i need to follow ?

    Thanks .

  6. Rob Derbyshire says

    Hi Paul
    No mention of the steps for

    Get-ExecutionPolicy cmdlet from PowerShell

    Can you clarify which execution policies need to be set to unrestricted?

    We believe it should only be MP and LM.


  7. Michael says

    Hi Paul,

    Can we update to CU3 directly from RTM (build 516.32)? Is the procedure same to this posting?



  8. Ajith says

    I’m sure you don’t find a better article for installing CU!

    Btw, I’m just doing CU3 in my lab with the help of your article. Thank you Paul :-)

  9. phemmy says

    Hello Paul
    i am having issues with installation of Exchange 2013 SP1.
    i have 3 Exchange servers across two AD sites. Each server holds both Mailbox and CA role.
    The Exchange Servers are not fully operational yet but we already created all the mailboxes on them. I attempted to install the 2013 SP1, starting with setup /prepareschema command. The command was executed successfully but got the error below when i ram setup /preparead commands

    Welcome to Microsoft Exchange Server 2013 Service Pack 1 Unattended Setup
    Copying Files…
    File copy complete. Setup will now collect additional information needed for

    Performing Microsoft Exchange Server Prerequisite Check

    Prerequisite Analysis COMPLETED

    Configuring Microsoft Exchange Server

    Organization Preparation FAILED
    The following error was generated when “$error.Clear();
    initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

    ” was run: “Active Directory operation failed on One or more attribute entries of the object ‘CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=apl,DC=com’ already exists.”.

    The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the :\ExchangeSetupLogs folder.

    The three exchange servers were just installed and configured last week. we want to make sure we have the latest update on the exchange servers before we go live.

    Do you have any idea what i can do to resolve this issue.

  10. Matt Hall says

    Are there any set-servercompnentstate or other maintenance mode commands we should run on a CAS only server or can we just apply the updates?

  11. Wahid Iqbal says

    HI Paul;

    it was great reading this article, i want to discuss my Problem of outlook users being prompted for passwords .

    following is the configuration

    AD site 1 : 2 malbox servers & 2 CAS servers running Exchange 2013 CU3
    AD site 2 : 1 malbox server & 1 CAS server running Exchange 2013 CU3
    Edge Transport Server: Exchange 2010 SP-3
    users : Windows 7 / outlook 2010 & 13 Compliant with (

    while outlook running perfectly suddenly a password pop up ofccures, even after providing credentials for 5 / 10 times are not authenticated.i googled it around & realized that this is a common issue after CU3 deployment. i ran Get-OutlookAnywhere and found my authentication setting are set as Basic, Negotiate and NTLM as described in (i though i did not change my current setting as recommended in the page).

    modified users outlook profile by unchecking “download shared folder” and set the authentication from negotiate to kerbros as mentioned in
    although it worked for some days but again the same problem.

    now i am thinking to upgrade my CAS servers only from CU3 to CU6 released in august earlier this year.

    in my opinion any schema extention / prepareAD / PrepareDomain is not required in our case because i had CU3(please confirm).

    please also suggest if i can modify the authentication settings as mentioned in because my only pain is to stop password prompts.

  12. Chimwemwe Mtonga says

    Please help I am having this error below on step 8 of 15 mailbox role:transport service

    The following error was generated when “$error.Clear();
    $vdirName = “PowerShell”;
    $InternalPowerShellUrl=”http://” + $RoleFqdnOrName + “/powershell”;
    new-PowerShellVirtualDirectory $vdirName -Role Mailbox -InternalUrl $InternalPowerShellUrl -DomainController $RoleDomainController -BasicAuthentication:$false -WindowsAuthentication:$false -RequireSSL:$false -WebSiteName “Default Web Site” -AppPoolId “MSExchangePowerShellFrontEndAppPool”;
    new-PowerShellVirtualDirectory $vdirName -Role Mailbox -DomainController $RoleDomainController -BasicAuthentication:$false -WindowsAuthentication:$true -RequireSSL:$true -WebSiteName “Exchange Back End” -Path ($RoleInstallPath + “ClientAccess\PowerShell-Proxy”);
    ” was run: “The virtual directory ‘PowerShell’ already exists under ‘ Web Site’.
    Parameter name: VirtualDirectoryName”.

  13. Hassan says

    hi paul

    please clearly say to me updating exchange 2013 RTM to CU7 needs the AD preparation in Graphical mode? my exchange roles are in single server plaese show me all of the steps in graphical mode upgrading

  14. Jeff Brown says

    Paul, you mention upgrading the Mailbox before the CAS. This is different from earlier versions of Exchange where you start at the CAS, then Hub, etc and mailbox last. Is there any official documentation on the server role order to install Exchange 2013 CUs? I’m having trouble finding any. Thanks!

  15. Brice Cunningham says

    Just wanted to say thank you for all you do. I refer to your articles whenever I work on my E2K13 server! BC

Leave a Reply

Your email address will not be published. Required fields are marked *