Script to check the prerequisites for Exchange Server SE in-place upgrade

Published on May 9, 2026 by JK Hameed
PowerShell · Exchange 2019 → SE

Pre-Upgrade Prerequisites Check for Exchange Server SE

A comprehensive PowerShell script that audits 13 critical areas before you upgrade from Exchange 2019 to Exchange Server SE — so nothing breaks on production day.

Version 1.1 · Exchange 2019 CU15 · DAG + Hybrid Ready · Run as Administrator

Why You Need This Script

Upgrading a production Exchange environment to Exchange Server SE (Subscription Edition) is one of the most consequential infrastructure operations a messaging team can perform. Unlike routine cumulative updates, this is a platform-level migration — and the blast radius of a failed upgrade can include mailbox downtime, broken hybrid connectivity, certificate mismatches, and DAG failover cascades.

Microsoft’s official documentation lists the prerequisites, but checking each item manually across multiple servers is error-prone and time-consuming. This script automates that entire checklist, runs it in minutes, and produces a colour-coded console report plus a timestamped text file you can attach to your change record.

Run on every Exchange server individually. Each node in your DAG may have different .NET versions, certificate states, or service configurations. A single-pass check on one server is not sufficient for multi-node deployments.

What the Script Checks — All 13 Sections

The script is structured into clearly named sections. Each check emits one of four statuses:

PASS  Requirement met — safe to proceed
WARN  Non-blocking issue — review before upgrade
FAIL  Blocking issue — must be resolved first
INFO  Informational — recorded for your change record

SECTION 01

Exchange Management Shell

Validates that EMS is loaded and Exchange cmdlets are available. Script exits immediately if this fails.

SECTION 02

Operating System

Checks Windows Server build number. Exchange SE requires WS2022 or WS2025 — WS2019 is rejected. Also detects pending reboots.

SECTION 03

Hardware — CPU & Disk

Validates logical CPU count (min 4), RAM (64 GB min / 128 GB recommended), and free space on all drives.

SECTION 04

Software Prerequisites

.NET Framework version (4.8+ required), Visual C++ 2012 Redistributable, and all required Windows Server roles/features.

SECTION 05

Exchange Version & Services

Validates CU15 build (15.2.1748+), Exchange service health, and server component state / maintenance mode detection.

SECTION 06

DAG Health

Checks all DAG members are operational, all database copies are Healthy, and copy/replay queue lengths are within limits.

SECTION 07

Certificates

Reports days-to-expiry for all Exchange certificates and performs a dedicated check on the OAuth certificate used for hybrid.

SECTION 08

Active Directory

Forest and domain functional levels, Exchange AD schema version (rangeUpper), and AD replication health via repadmin.

SECTION 09

Hybrid Configuration

Hybrid config object, send/receive connectors, live OAuth connectivity test to Exchange Online, and federation trusts.

SECTION 10

Mail Flow & Transport

Checks queue depth on all queues and runs Test-Mailflow to confirm internal mail routing is healthy.

SECTION 11

Windows Updates

Lists the 15 most recent hotfixes and warns if no patches have been applied in the last 90 days.

SECTION 12

Virtual Directories

Documents all internal and external URLs (OWA, EWS, ECP, ActiveSync) for your change record and post-upgrade verification.

SECTION 13

Backup Status

Checks LastFullBackup date on every mailbox database. Fails if any database has never been backed up.

Requirements Before Running

Requirement     Detail
Shell           Exchange Management Shell (EMS) — not regular PowerShell
Privilege       Run as Administrator (#Requires -RunAsAdministrator enforced)
Source server   Run locally on each Exchange 2019 server you plan to upgrade
AD module       RSAT-ADDS must be installed for Section 8 AD checks
Output folder   Auto-created at C:\ExchangeSE-PreCheck\ (override with -OutputPath)
Network         Outbound to outlook.office365.com for the OAuth test (Section 9)

How to Use the Script

  1. Download and save the script

    Save as ExchangeSE-PreCheck.ps1 on the local disk of the Exchange server you want to check (e.g. C:\Scripts\).

  2. Open Exchange Management Shell as Administrator

    Right-click the EMS shortcut → Run as Administrator. A regular PowerShell window will not have the Exchange cmdlets available.

  3. Set execution policy if needed

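    If you hit a policy error, run: Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass. The Process scope applies only to the current EMS session and leaves the machine-wide policy unchanged.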

  4. Run the script

    Navigate to the folder and execute using one of the syntax examples below.

  5. Review and remediate

    Address every FAIL item before starting the upgrade. Review WARN items and make a documented decision for each.

  6. Repeat on all DAG members

    Each Exchange server in the DAG must be checked independently. Infrastructure differences between nodes are common.

Script Syntax Examples

PowerShell
# Standard run — checks everything including Hybrid and AD
.\ExchangeSE-PreCheck.ps1

# Skip the Hybrid section (non-hybrid environments)
.\ExchangeSE-PreCheck.ps1 -SkipHybridCheck

# Skip the AD section (run from a server without RSAT-ADDS)
.\ExchangeSE-PreCheck.ps1 -SkipADCheck

# Save the report to a custom folder
.\ExchangeSE-PreCheck.ps1 -OutputPath "D:\Upgrade-Reports"

# Combine switches
.\ExchangeSE-PreCheck.ps1 -SkipHybridCheck -OutputPath "D:\Reports"

Sample Console Output

Exchange Management Shell — EX01.contoso.com
================================================================
Exchange Server SE – Pre-Upgrade Prerequisites Check v1.1
Server : EX01
Started : 2025-08-14 09:15:02
================================================================
 
======================================================================
SECTION 2 — OPERATING SYSTEM
======================================================================
 
[PASS] OS Compatibility Windows Server 2022 | Supported for Exchange SE
[PASS] Pending Reboot None detected
 
[PASS] .NET Version 4.8.1 | Meets Exchange SE minimum
[PASS] Windows Features 30 of 30 installed | All required features present
 
[PASS] CU Level Exchange 2019 CU15 | Required baseline for Exchange SE
[WARN] Security Updates CU15 RTM only – Rev 10 | Apply latest Security Update
 
[PASS] All Members Up YES – 3 of 3
[PASS] DB Copy: MBX01\DB01 Healthy | Active | CopyQ: 0 | ReplayQ: 0
[PASS] DB Copy: MBX01\DB01 Healthy | Passive | CopyQ: 0 | ReplayQ: 0
 
[FAIL] DB Backup: DB01 Last: 2025-07-01 02:00 | 44.2 day(s) ago – TAKE BACKUP
 
================================================================
Total Checks : 87 | PASSED: 79 | WARNINGS: 6 | FAILURES: 2
VERDICT: RESOLVE 2 FAILURE(S) BEFORE UPGRADE
================================================================

Deep Dive — The Checks That Matter Most

OS Compatibility: Windows Server 2019 is a Hard Block

Exchange Server SE does not support Windows Server 2019. The script uses the OS build number — not the marketing name — to detect this. Build 17763 triggers a FAIL and instructs you to upgrade the OS first. Builds 20348 (WS2022) and 26100 (WS2025) pass.

You cannot in-place upgrade the OS while Exchange is installed. The correct sequence is: upgrade Exchange to CU15 on WS2019 → migrate mailboxes to new WS2022/WS2025 servers → decommission WS2019 nodes → upgrade to Exchange SE on WS2022/WS2025.

Exchange Build: CU15 Is the Mandatory Baseline

Exchange Server SE’s installer requires Exchange 2019 CU15 (build 15.2.1748.x) as the minimum version. The script parses ExSetup.exe’s file version directly, so it’s reliable even when Get-ExchangeServer shows a display version that doesn’t map cleanly. CU14 or earlier triggers a hard FAIL.
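The two baseline gates described above (OS build and ExSetup.exe file version), as an added example that is not taken from the page's script. The function names, the WARN verdict for unlisted OS builds, and locating ExSetup.exe through $env:ExchangeInstallPath are assumptions; the sample version strings are constructed.

```powershell
# Added example (not the page's script). Function names are hypothetical.
function Test-OSBuild {
    param([Parameter(Mandatory)][int]$Build)
    switch ($Build) {
        17763   { return 'FAIL' }   # Windows Server 2019: hard block per the text
        20348   { return 'PASS' }   # Windows Server 2022
        26100   { return 'PASS' }   # Windows Server 2025
        default { return 'WARN' }   # assumption: unlisted builds go to manual review
    }
}

function Test-ExchangeBuild {
    param([Parameter(Mandatory)][string]$FileVersion)
    $baseline = [version]'15.2.1748.0'      # Exchange 2019 CU15 per the text
    $parsed   = $null
    # ExSetup.exe reports zero-padded fields (15.02.1748.010); [version] normalizes them
    if (-not [version]::TryParse($FileVersion, [ref]$parsed)) {
        return [pscustomobject]@{ Status = 'FAIL'; Detail = "Unparseable version '$FileVersion'" }
    }
    $status = if ($parsed -ge $baseline) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Status = $status; Detail = "Build $parsed (baseline $baseline)" }
}

# Constructed sample values, so the logic can be exercised off-server
17763, 20348, 26100 | ForEach-Object {
    [pscustomobject]@{ OSBuild = $_; Status = Test-OSBuild -Build $_ }
}
'15.02.1748.010', '15.02.1544.004', 'not-a-version' | ForEach-Object {
    Test-ExchangeBuild -FileVersion $_
}

# Live values; assumption: Exchange setup has defined $env:ExchangeInstallPath
if ($env:ExchangeInstallPath) {
    $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $osBuild = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    Test-OSBuild -Build $osBuild
    Test-ExchangeBuild -FileVersion (Get-Item $exSetup).VersionInfo.FileVersion
}
```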

DAG Copy Queue — The Upgrade Timing Indicator

High copy or replay queue lengths at upgrade time are a leading cause of data-loss incidents. The script flags queues above 10 as WARN. Best practice is to wait for zero queues on all passive copies before starting any upgrade activity on a DAG member.
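One way to express the queue rule above, as an added example that is not the page's script. The function name, the FAIL verdict for an unhealthy copy, and treating Mounted as the good state for an active copy are assumptions; the sample copies are constructed.

```powershell
# Added example (not the page's script). Function name is hypothetical.
function Test-DatabaseCopy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Copy,
        [int]$WarnAbove = 10                  # WARN threshold stated in the text
    )
    process {
        # Assumption: 'Mounted' (active) and 'Healthy' (passive) are the good states
        $healthy  = "$($Copy.Status)" -in 'Healthy', 'Mounted'
        $maxQueue = [math]::Max([long]$Copy.CopyQueueLength, [long]$Copy.ReplayQueueLength)
        # Assumption: an unhealthy copy is a blocking FAIL
        $status = if (-not $healthy) { 'FAIL' } elseif ($maxQueue -gt $WarnAbove) { 'WARN' } else { 'PASS' }
        [pscustomobject]@{
            Copy    = $Copy.Name
            Status  = $status
            CopyQ   = $Copy.CopyQueueLength
            ReplayQ = $Copy.ReplayQueueLength
            # Best practice from the text: start only once the queues are at zero
            Drained = ($healthy -and ($maxQueue -eq 0))
        }
    }
}

# Constructed sample copies, shaped like Get-MailboxDatabaseCopyStatus output
$sample = @(
    [pscustomobject]@{ Name = 'DB01\EX01'; Status = 'Mounted'; CopyQueueLength = 0;  ReplayQueueLength = 0 }
    [pscustomobject]@{ Name = 'DB01\EX02'; Status = 'Healthy'; CopyQueueLength = 14; ReplayQueueLength = 3 }
    [pscustomobject]@{ Name = 'DB02\EX02'; Status = 'FailedAndSuspended'; CopyQueueLength = 120; ReplayQueueLength = 0 }
)
$sample | Test-DatabaseCopy | Format-Table -AutoSize

# Live data when run from Exchange Management Shell
if (Get-Command Get-MailboxDatabaseCopyStatus -ErrorAction SilentlyContinue) {
    Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME |
        Test-DatabaseCopy | Format-Table -AutoSize
}
```

A copy can be PASS without being Drained: a queue of 1 to 10 is under the WARN threshold but still short of the zero-queue starting condition the text recommends.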

Certificate Expiry — The Silent Killer

The upgrade process itself takes time, and if a certificate expires mid-upgrade, client connectivity and hybrid mail flow will break instantly. The script checks every certificate for expiry and pays special attention to the OAuth certificate used by hybrid configurations — which is easy to overlook because it doesn’t appear in normal certificate management workflows.

The OAuth certificate check runs Get-AuthConfig to retrieve the active thumbprint, then validates its expiry independently. If it expires within 30 days, the result is a FAIL — not a warning — because hybrid will break if you upgrade with an expired OAuth cert.
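The OAuth certificate check described above, as an added example that is not the page's script. The function name and the FAIL verdicts for a missing thumbprint or a certificate absent from the local server are assumptions; the 30-day threshold is the one stated in the text, and the sample thumbprints are constructed.

```powershell
# Added example (not the page's script). Function name is hypothetical.
function Test-OAuthCertificate {
    param(
        [string]$Thumbprint,              # (Get-AuthConfig).CurrentCertificateThumbprint
        [object[]]$Certificates,          # objects exposing Thumbprint and NotAfter
        [datetime]$Now = (Get-Date),
        [int]$FailWithinDays = 30         # threshold stated in the text
    )
    $result = { param($s, $d) [pscustomobject]@{ Check = 'OAuth Certificate'; Status = $s; Detail = $d } }

    if ([string]::IsNullOrWhiteSpace($Thumbprint)) {
        # Assumption: no active thumbprint is treated as blocking
        return & $result 'FAIL' 'Auth config has no current certificate thumbprint'
    }
    $cert = $Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        # Assumption: a DAG node that lacks the OAuth certificate is treated as blocking
        return & $result 'FAIL' "Certificate $Thumbprint not found on this server"
    }
    $days = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
    if ($days -lt 0) { return & $result 'FAIL' "Expired $(-$days) day(s) ago" }
    if ($days -le $FailWithinDays) { return & $result 'FAIL' "Expires in $days day(s)" }
    & $result 'PASS' "Valid for $days more day(s)"
}

# Constructed certificates and thumbprints, so the logic can be exercised off-server
$now   = Get-Date '2025-08-14'
$certs = @(
    [pscustomobject]@{ Thumbprint = ('A' * 40); NotAfter = $now.AddDays(400) }
    [pscustomobject]@{ Thumbprint = ('B' * 40); NotAfter = $now.AddDays(12) }
)
Test-OAuthCertificate -Thumbprint ('A' * 40) -Certificates $certs -Now $now
Test-OAuthCertificate -Thumbprint ('B' * 40) -Certificates $certs -Now $now
Test-OAuthCertificate -Thumbprint ('C' * 40) -Certificates $certs -Now $now

# Live data when run from Exchange Management Shell
if (Get-Command Get-AuthConfig -ErrorAction SilentlyContinue) {
    Test-OAuthCertificate -Thumbprint (Get-AuthConfig).CurrentCertificateThumbprint `
        -Certificates (Get-ExchangeCertificate)
}
```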

Backup Check — Non-Negotiable

The script reads LastFullBackup from each mailbox database object. Any database that has never been backed up is an immediate FAIL. Databases backed up more than 7 days ago are a WARN. The recommended posture is a successful full backup within 24 hours of upgrade start.

Script Parameters

Parameter          Type     Default                  Description
-SkipHybridCheck   Switch   Not set                  Skips Section 9 — useful for non-hybrid on-premises-only deployments
-SkipADCheck       Switch   Not set                  Skips Section 8 — use when RSAT-ADDS is not installed on the Exchange server
-OutputPath        String   C:\ExchangeSE-PreCheck   Directory where the timestamped report text file is saved. Created automatically if missing.

The Full Script

Copy the script below in its entirety, save it as ExchangeSE-PreCheck.ps1, and run it from Exchange Management Shell as described above.

PowerShell — ExchangeSE-PreCheck.ps1 v1.1
#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Exchange Server SE - Pre-Upgrade Prerequisites Check Script v1.1

.DESCRIPTION
    Performs comprehensive pre-upgrade checks for Exchange 2019 to Exchange Server SE migration.
    Covers OS, Exchange build, .NET, DAG health, DB copies, certificates, hybrid, AD schema,
    disk space, services, hardware, and Windows features.

.NOTES
    - Run from Exchange Management Shell (EMS) as Administrator
    - Run on EACH Exchange server individually
    - Designed for Exchange 2019 DAG + Hybrid environments
    - Results exported to C:\ExchangeSE-PreCheck\ folder

.EXAMPLE
    .\ExchangeSE-PreCheck.ps1
    .\ExchangeSE-PreCheck.ps1 -SkipHybridCheck
    .\ExchangeSE-PreCheck.ps1 -OutputPath "D:\Reports"
#>

param(
    [switch]$SkipHybridCheck,
    [switch]$SkipADCheck,
    [string]$OutputPath = "C:\ExchangeSE-PreCheck"
)

#region INITIALIZATION
$ScriptVersion  = "1.1"
$ServerName     = $env:COMPUTERNAME
$RunTime        = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$ReportFileName = "ExchangeSE-PreCheck_${ServerName}_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt"
$ReportFile     = Join-Path $OutputPath $ReportFileName

if (-not (Test-Path $OutputPath)) {
    New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
}

$Global:PassCount = 0
$Global:WarnCount = 0
$Global:FailCount = 0
$Global:Results   = @()
#endregion

# ... (full script content — see download below)

The script is entirely self-contained: it requires no external modules beyond the RSAT-ADDS module used by the Section 8 AD checks, needs no internet connectivity (except for the optional OAuth test in Section 9), and modifies no registry keys. It is read-only — it collects information only and, apart from writing its report file to the output folder, makes no changes to your environment.

Recommended Pre-Upgrade Workflow

  1. Ensure Exchange 2019 CU15 is installed on all servers

    This is a hard prerequisite. Exchange SE’s setup will refuse to continue if any server is below CU15.

  2. Upgrade OS to Windows Server 2022 or 2025

    Build new servers with WS2022/WS2025, join them to the DAG, and migrate databases — or perform an in-place OS upgrade after removing the Exchange server from the DAG.

  3. Run this script on every Exchange server

    Resolve all FAIL items. Document your response to each WARN item in your change record.

  4. Take a full backup of every mailbox database

    Confirm backup completion and verify restore point validity before starting any upgrade activity.

  5. Run Exchange SE setup with /PrepareSchema then /PrepareAD

    Do this from a server with Schema Admin rights before upgrading any Exchange server.

  6. Upgrade Exchange servers one DAG member at a time

    Move all active databases off the target server, verify DAG health, then run Exchange SE setup. Never upgrade multiple DAG members simultaneously.

  7. Re-run the Hybrid Configuration Wizard (HCW)

    After all servers are upgraded, run HCW to refresh hybrid settings. Do not skip this step — configuration drift during the upgrade will cause hybrid mail flow issues if not corrected.

Frequently Asked Questions

Can I run this script on Exchange 2016?

The script is designed and tested for Exchange 2019. Some cmdlets and build number logic are Exchange-2019 specific. The CU level detection in Section 5 will give inaccurate results on Exchange 2016 build numbers. For Exchange 2016 environments, the script would need adaptation.

The VC++ check via WMI takes a long time. Is this normal?

Yes. Get-WmiObject Win32_Product is notoriously slow because it triggers a Windows Installer consistency check on every installed product. On servers with many installed applications this can take 2–5 minutes. This is a WMI limitation, not a script bug. You can safely wait for it to complete.

The OAuth test failed but hybrid seems to be working. Should I be worried?

Yes. Test-OAuthConnectivity tests the current token acquisition path. If it fails, hybrid features that rely on OAuth (such as free/busy lookups in certain configurations, mailbox migrations via MRS, and modern hybrid auth) may fail intermittently or break after the upgrade forces a reconfiguration. Investigate and fix OAuth before proceeding.

Can I schedule this script to run automatically?

The script is designed for interactive runs, but nothing prevents scheduling it via Task Scheduler with a service account that has Exchange Organization Admin and Schema Admin rights. Redirect output to a file and review the report. This is useful for running weekly health checks in the weeks leading up to your upgrade window.

The report file — where is it saved?

By default in C:\ExchangeSE-PreCheck\. The filename includes the server name and a timestamp in the format ExchangeSE-PreCheck_SERVERNAME_YYYYMMDD_HHmmss.txt, so running the script multiple times does not overwrite previous reports.

Ready to Start Your Pre-Upgrade Audit?

Download the full script, save it to each Exchange server, and run it from Exchange Management Shell. The whole check takes under five minutes per server.
