Share via

upgrade to latest CU

Glenn Maxwell 13,491 Reputation points
2026-04-10T05:39:43.2966667+00:00

Hi All

I’m currently working in an Exchange Server Subscription Edition (SE) hybrid environment.

As per my understanding, Extended Protection for Exchange Server is not enabled in our environment, and we do not plan to enable it at this time. Could you please confirm the recommended method to verify whether Extended Protection is enabled on Exchange Server?

Additionally, I am planning to upgrade Exchange Server SE to the latest Security Update (SU). If I download and install ExchangeSubscriptionEdition-KB5074992-x64-en.exe, will that be sufficient? Also, is it mandatory to enable Extended Protection before applying this update?

My plan is to place the servers into maintenance mode and then run the update. Please let me know if there are any additional prerequisites or post-installation steps I should consider.

[PS] C:\Windows\system32>Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion


Name                : EXCH01
Edition             : Enterprise
AdminDisplayVersion : Version 15.2 (Build 2562.17)

Name                : EXCH02
Edition             : Enterprise
AdminDisplayVersion : Version 15.2 (Build 2562.17)

Name                : EXCH03
Edition             : Enterprise
AdminDisplayVersion : Version 15.2 (Build 2562.17)


[PS] C:\Windows\system32>Get-Command Exsetup.exe | ForEach-Object {$_.FileVersionInfo}

ProductVersion   FileVersion      FileName
--------------   -----------      --------
15.02.2562.027   15.02.2562.027   C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe

exch1

exch2

Exchange | Exchange Server | Management
Exchange | Exchange Server | Management

The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.

0 comments
Answer accepted by question author
  1. Steven-N 23,960 Reputation points Microsoft External Staff Moderator
    2026-04-10T06:58:11.5066667+00:00

    Hi Glenn Maxwell

    To directly answer your concerns:

    1. The recommended method to verify whether Extended Protection is enabled on Exchange Server?

    You can use Exchange Extended Protection Management Script (ExchangeExtendedProtectionManagement.ps1). By running the script with the -ShowExtendedProtection switch, it will safely audit and enumerate the current configuration across all virtual directories, letting them know exactly where it is natively enabled or disabled without making changes.

    2. Is Installing ExchangeSubscriptionEdition-KB5074992-x64-en.exe sufficient?

    My answer is YES, because the original poster's servers (EXCH01, EXCH02, EXCH03) are running Exchange SE (Build 2562.17), simply downloading the executable for KB5074992 and running it from an administrative command prompt is the correct and sufficient way to apply this Security Update.

    3. Is Extended Protection mandatory before updating?

    Based on my research, Extended Protection is not a prerequisite for installing the February 10, 2026 Security Update for Exchange Server Subscription Edition. Additionally, based on the Microsoft documentation, Exchange Server Subscription Edition (SE) is not currently included in this supported configuration matrix for Extended Protection enablement.

    User's image

    You may proceed with installing the update on your servers even if Extended Protection is not currently enabled in your environment.

    As I checked, Installing the standalone package ExchangeSubscriptionEdition‑KB5074992‑x64‑en.exe is sufficient to bring your Exchange Server SE deployment to the latest Security Update level, as Exchange Security Updates are cumulative in nature.

    Once the update is applied and rebooting the server, I recommend running the Exchange Health Checker script to verify successful installation and to review whether any additional actions are required.

    4. Prerequisites and Post-Installation Steps

    You can consider placing the servers into maintenance mode prior to updating is the correct strategy for a multi-server/hybrid environment. Here is a summary of additional best practices you should consider:

    Pre-Installation:

    Ensure the .exe installer is executed from an Elevated Command Prompt (Run as Administrator), not just by double-clicking it in Windows Explorer, to prevent any UAC-related execution issues.

    Post-Installation:

    • After updating and taking the server out of maintenance mode, they should download and run the latest release of the Exchange Server Health Checker script (HealthChecker.ps1).
    • The Health Checker will validate if the SU was applied correctly and immediately flag any lingering vulnerabilities or additional manual actions needed to ensure the server is healthy.

    Hope my answer will help you.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-10T05:40:09.9033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To verify whether Extended Protection is enabled and to plan the update, use the supported Exchange guidance and tools.

    1. Verification of Extended Protection
      • Use the official Extended Protection script and guidance referenced in the Extended Protection article. The script enumerates the current Extended Protection configuration on all Exchange virtual directories and reports whether it is enabled or disabled per site and protocol.
      • Extended Protection can be enabled or disabled per virtual directory, so relying only on a single UI check is not sufficient; use the script-based check from the Extended Protection documentation.
    2. Requirement to enable Extended Protection before installing KB5074992
      • The security update KB5074992 for Exchange Server SE does not state that Extended Protection must be enabled as a prerequisite.
      • The article explicitly points to Extended Protection as additional hardening: “To enable Extended Protection on Exchange-based servers, see Extended Protection enabled in Exchange Server (KB5017260).” This is guidance to enable it for better protection, not a mandatory step before installing the SU.
      • Therefore, installing ExchangeSubscriptionEdition-KB5074992-x64-<language>.exe on supported Exchange Server SE builds is sufficient to apply this SU; Extended Protection can be enabled later according to the Extended Protection documentation if desired.
    3. Recommended update process and post‑installation checks
      • Follow the general Exchange update best practices:
        1. Ensure the servers are on a supported build (which they are, as SE RTM is supported and KB5074992 is SE RTM SU5).
        2. Place each server into maintenance mode according to the organization’s standard procedure.
        3. Install the SU package ExchangeSubscriptionEdition-KB5074992-x64-<language>.exe on each Exchange Server SE node.
        4. After installation, run the Exchange Server Health Checker script (https://aka.ms/exchangehealthchecker) to verify that the SU is correctly installed and to identify any additional manual actions required by the SU or by Extended Protection guidance.
      • The KB5074992 article explicitly recommends running Health Checker after installation to confirm success and detect any follow‑up actions.
    4. Extended Protection and hybrid considerations
      • Extended Protection is supported with Hybrid Modern Auth and does not negatively affect it; however, the Extended Protection article includes specific guidance for modern hybrid scenarios (for example, not enabling Extended Protection on the EWS front‑end in certain modern hybrid configurations). If Extended Protection is enabled later, follow those scenario‑specific instructions.

    In summary, use the Extended Protection script to confirm the current state, install KB5074992 on each Exchange Server SE as planned while in maintenance mode, and then run Exchange Server Health Checker to validate the installation and see if any additional configuration (including Extended Protection) is recommended.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.