A cumulative update (CU) install plus knowledge base (KB) will require 2 to 3 hours of downtime. A KB update alone should install within one hour.
Installing Microsoft Exchange server security updates
To install the updates, reboot the Exchange server then run the updates using the option to run as administrator or from a command prompt as administrator.
A full backup or virtual machine checkpoint should be taken before installing the updates.
Exchange 2019 CU10 and Exchange 2016 CU21 added a new anti-malware scan. We have found this can cause major performance issues when conflicting with third party anti-virus scanners installed on the Exchange server. If this is the case, the Exchange server must be excluded from AMSI scans in the third-party anti-virus application.
The updates may also cause an expired certificate error that prevents login to the Exchange Management Console and Exchange Control Panel. The fix is detailed here. Once the fix has been applied it can take an hour to become active.
For more detailed information on the identified vulnerabilities visit Microsoft.com
Should you require further information or assistance with these updates, please contact us.