Exchange Security Updates October 2021

On October 12, 2021 Microsoft released Security Updates for vulnerabilities found in Exchange server 2013 CU23, Exchange server 2016 (CU21/CU22) and Exchange server 2019 (CU10/CU11). Severity is marked as ‘important’.

If you are running one of these versions, it is recommended to apply these security updates. Please note that the security updates are CU specific, and these are not interchangeable. Security updates are also cumulative, so these security updates contain all previous security updates for the same cumulative update. If you are running an older version of Exchange, it is strongly recommended to upgrade to the latest Cumulative Update and apply the security updates. You can use the healthchecker script to inventory your environment.

Please use the Microsoft Security Update Guide for more specific information about the vulnerabilities.

As always, after downloading the security updates, start the installation from an elevated command prompt (‘run as administrator’). This does not apply when installing from Windows Update or WSUS. And of course, please the security updates in a test environment first before installing in production.

You can download the security updates for the following products here:

This computer is a member of a database availability group (DAG)

When uninstalling an Exchange server that is part of a Database Availability Group, you perform several steps to remove the server from the DAG and maybe even delete the DAG itself.

So, after decommissioning the DAG I wanted to uninstall Exchange, but the readiness check failed with the following error message:

This computer is a member of a database availability group (DAG). It must be removed from the DAG before you can uninstall Exchange. For more information, visit:

Unfortunately this link has not been updates since 2015, and does not contain any useful information.

I decommissioned the DAG earlier as you can see in the following screenshot, but it still failed the readiness check:

When using the Get-DatabaseAvailabilityGroup command nothing showed up, and also when checking Active Directory with ADSI Edit (CN=Organization, CN=Administrative Groups, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Database Availability Groups) nothing is shown.

The DAG is using bits of Windows failover clustering, so the culprit must be there. When executing the Get-ClusterNode and Get-Cluster commands in PowerShell, some DAG leftovers (on this particular machine) showed up:

Something must have gone wrong during decommissioning of the DAG, although no error were shown on the console.

To remove the cluster node (and thus the cluster) from this machine, execute the following command in PowerShell:

PS C:\> Remove-ClusterNode EXCH12 -Force

After this step uninstalling Exchange succeeds.

Older Outlook versions will not connect to Office 365

it was already announced on the Microsoft blogpost New minimum Outlook for Windows version requirements for Microsoft 365, Microsoft will stop support for older Outlook clients on November 1, 2021 (which is 24 days from the time of writing!).

In short, all clients older than Outlook 2013 SP1 with the latest fixes are no longer able to connect to Exchange Online. And yes, this includes Outlook 2010 (I know there are still clients out there running Office 2010!).

More detailed version numbers of Outlook that will not connect anymore:

Office versionOutlook version
Office 2010All versions
Office 201315.0.4970.9999 and older
Office 201616.0.4599.9999 and older
Office 365 ProPlus1705 and older

To check the version of Outlook you are using, select File –> Office Account –> About Outlook. It will show something like Microsoft® Outlook® for Microsoft 365 MSO (16.0.14326.20384) 64-bit.

Please be aware that this is completely independent from the Basic Authentication strategy that Microsoft is following. Older versions will just stop connecting to Exchange Online.

For more information, check MC288472 in the Microsoft 365 Message Center.