Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 10, 2020

Applies to: Exchange Server 2019Exchange Server 2016Exchange Server 2013

The security update addresses two remote code execution vulnerabilities and an elevation of privilege vulnerability for Microsoft Exchange Server. To learn more about these vulnerabilities, see the following security advisories:

Known issues in this update

  • When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.

    When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working.

    This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

    To avoid this issue, follow these steps to manually install this security update:

    1. Select Start, and type cmd.
    2. In the results, right-click Command Prompt, and then select Run as administrator.
    3. If the User Account Control dialog box appears, confirm that the default action is the action that you want, and then select Continue.
    4. Type the full path of the .msp file, and then press Enter.

    This issue does not occur if you install the update through Microsoft Update.

  • Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to their usual state.

    To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

  • When you block third-party cookies in a web browser, you may be continually prompted to trust a particular add-in even though you keep selecting the option to trust it. This issue occurs also in privacy window modes (such as InPrivate mode in Microsoft Edge). This issue occurs because browser restrictions prevent the response from being recorded. To record the response and enable the add-in, you must enable third-party cookies for the domain that's hosting OWA or Office Online Server in the browser settings. To enable this setting, refer to the specific support documentation for the browser.

How to get and install the update

Method 1: Microsoft Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center.

More information

Security update deployment information

For deployment information about this update, see security update deployment information: November 10, 2020

Security update replacement information

This security update replaces the following previously released updates:

File information

File hash information

Update name File name SHA1 hash SHA256 hash
Exchange Server 2019 Cumulative Update 7 Exchange2019-KB4588741-x64-en.msp E5C990E43F27762DCA00663C1E0AB3EB4C0F35DF D2B922EEAF9DB0E05B6D81657790DFB2786848B89DE4678384AC10A86CB17D5E
Exchange Server 2019 Cumulative Update 6 Exchange2019-KB4588741-x64-en.msp 2237941DBC37CFFDBF42F4356922E126DDAF46C7 853BFC0ECF26BC71AF8E21C0A1FD6002FA4DEAE4E03954FBA3D914231FB842B1
Exchange Server 2016 Cumulative Update 18 Exchange2016-KB4588741-x64-en.msp 18BBEE0268357B0DA23369D6974D1D5FC49442D8 D8F34B3E648263D76AEE0957FD5317EE3538381279BCF1964453B6E1A1255FED
Exchange Server 2016 Cumulative Update 17 Exchange2016-KB4588741-x64-en.msp 996644F766E3BFC58079E7B542880CD1A83A852B 49BF9D445BD290132259A6DE966BBF8FE0541C8E1395FC4203E5F11D49360E2B
Exchange Server 2013 Cumulative Update 23 Exchange2013-KB4588741-x64-en.msp ADEDAE769CE270C8AB5F2C77464E8A4833F12828 6C09C09810F605EE3B59626087D6C750A59CABBE6F30EB2520776A3BD698DE39

Exchange server file information

The English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Information about protection and security

Protect yourself online: Windows Security support

Learn how we guard against cyber threats: Microsoft Security