EXpress

EXpress.ps1

The fastest way to get Exchange Server production-ready — nobody gets from bare Windows Server to a fully installed, hardened, and optimised Exchange in less time. Prerequisites, AD prep, installation, 40+ security and performance measures: one script, one command, done.

v1.1.5 ⚡ Express deployment 🛡 Exchange SE / 2019 / 2016 🔄 AutoPilot — auto-reboot
  • Exchange 2016 CU23 on Windows Server 2016
  • Exchange 2019 CU15+ on Windows Server 2019 / 2022 / 2025
  • Exchange SE RTM+ on Windows Server 2019 / 2022 / 2025

One script — every scenario

Full server farm, single admin workstation, hardening an existing deployment, or generating post-install documentation — EXpress has a dedicated mode for each use case.

AutoPilot

Unattended Farm Deployment

Point multiple machines at the same -ConfigFile and start them simultaneously. AutoPilot stores credentials DPAPI-encrypted, survives every reboot via RunOnce, and resumes at the correct phase — deploy an entire Exchange farm in parallel without a single interactive step.

CoPilot

Guided Interactive Install

Launch without parameters for the interactive menu. Every option is a live toggle switch, credentials are validated on entry, existing .psd1 config files are auto-detected. All the automation of EXpress — with you making every decision.

Mailbox Server

Full Exchange Installation

The default mode. Install Exchange 2016, 2019, or SE from scratch — all prerequisites auto-downloaded, Windows and Exchange Security Updates applied, AD prepared, Exchange installed, and 40+ hardening and performance tasks completed. Hand over a fully production-ready, documented server.

Recipient Management

Hybrid AD Object Management

In hybrid environments, Microsoft requires Exchange to be present for modifying AD attributes of mail-enabled objects. -InstallRecipientManagement installs only what is needed to manage Exchange recipients in AD — no mailbox role, no transport services. Runs on Windows 11 or any member server.

Management Tools

Admin Workstation

-InstallManagementTools installs the Exchange Management Shell and admin toolset on a dedicated workstation (Windows Server or Windows 11). Manage mailboxes, distribution groups, and connectors from a central admin machine without logging on to an Exchange server directly.

StandaloneOptimize

Harden an Existing Server

Already running Exchange but installed without EXpress? -StandaloneOptimize applies the full hardening and performance stack to an existing server in one run — TLS, SMB, LSA, Extended Protection, AMSI, RSS, virtual directory URLs, certificate, log cleanup, HealthChecker, and a complete installation report. No reinstall required.

StandaloneDocument

Word Installation Document

-StandaloneDocument (menu mode 7) generates a Word (.docx) installation report for an already-running Exchange server — no install flow required. 15 chapters covering configuration, hardening, certificates, connectors, runbooks, and open items. -CustomerDocument redacts IPs and sensitive values for external sharing. -Language DE|EN selects the document language.

Installation, hardening, optimisation — in one run

What used to take days of manual work — researching best practices, applying hardening guides, tuning performance settings — EXpress completes automatically, while you do something else.

AutoPilot — Zero-Touch Install

Automatically reboots and resumes at the correct phase via RunOnce. State is persisted to XML — safe against crashes and power failures.

Security Hardening

TLS 1.2/1.3, SMBv1/WDigest/NetBIOS disabled, LSA Protection, Extended Protection, IPv4 over IPv6 preference, MRS Proxy and MAPI encryption hardened, Serialized Data Signing, LM level 5, SMTP banner, unnecessary Windows services disabled (Print Spooler, Fax, Secondary Logon, Smart Card, Windows Search), Shutdown Event Tracker disabled — all applied automatically with reference links in the report.

Automatic Prerequisites & Security Updates

.NET 4.8/4.8.1, VC++ 2012 & 2013, UCMA 4.0, URL Rewrite — downloaded and installed automatically, skipped if already present. Windows security updates applied via Windows Update in Phase 1. The current Exchange Security Update is detected dynamically via HealthChecker's build dictionary and installed in Phase 5 without manual KB hunting.

Performance Tuning

High Performance power plan, pagefile sizing, TCP settings, RSS + NIC queues, Netlogon MaxConcurrentAPI, Exchange Search affinity — per Microsoft & CSS-Exchange recommendations.

HTML + PDF Installation Report

Comprehensive post-install report: Exchange config, virtual directory URLs, certificates, security settings with best-practice comparison, HealthChecker results embedded.

Word Installation Document

Pure-PowerShell OpenXML engine — no Office required. 15-chapter .docx covering configuration, hardening, runbooks, and open items. DE/EN language selection. -CustomerDocument redacts sensitive values for external sharing.

Interactive Menu

Start without parameters for a guided installation menu. Instant toggle switches, credential validation, auto-detected config.psd1, and PS2Exe-compiled .exe support.

Swing Migration Ready

Export config from source server, import virtual directory URLs and connectors, import PFX certificate, join a Database Availability Group — all in one run.

Certificate Management

Import PFX certificate, enable for IIS + SMTP (+ IMAP/POP for non-wildcard), configure HSTS on OWA/ECP. Wildcard vs. named cert detection.

CSS-Exchange Integration

HealthChecker auto-downloaded and run in Phase 6. SetupAssist triggered on Phase 4 failure. EOMT for CVE mitigation. Auth Certificate monitoring setup.

.exe Compilation

Build.ps1 wraps the script into a self-contained Windows executable via PS2Exe — runs elevated, preserves all parameters, includes version metadata.

Pre-staged Downloads

tools/Get-EXpressDownloads.ps1 pre-fetches all prerequisite packages (.NET 4.8/4.8.1, VC++ 2012 & 2013, UCMA, URL Rewrite) and CSS-Exchange scripts (HealthChecker, EOMT, SetupAssist, ExchangeExtendedProtectionManagement, MEAC) into a local sources/ folder. Idempotent — skips files already present. Run once before carrying the folder into an air-gapped or proxy-restricted network.

Remote Server Documentation

The Word installation document queries every Exchange server in the organisation via CIM over WinRM (TCP 5985/5986, Kerberos) — hardware, pagefile, volumes, NICs — without DCOM or dynamic RPC ports. tools/Enable-EXpressRemoteQuery.ps1 enables WinRM on a target server in one command; optional -EnableHttps and -RestrictToGroup switches harden the endpoint. Unreachable servers get an interactive Retry / Skip prompt; AutoPilot skips silently.

Branded Document Templates

Supply a -TemplatePath .docx to inject your company branding — cover page, header, and footer come from the template; all 18 chapters are generated by EXpress and injected into a {{document_body}} placeholder. tools/Build-InstallationTemplate.ps1 generates the starter DE/EN templates. Tokens like {{Organization}}, {{Author}}, {{Classification}} are filled at runtime. Automatic fallback to the built-in cover page when no template is provided.

Access Namespace Mail Config

Automatically registers the access namespace root domain (e.g. contoso.com derived from mail.contoso.com) as an Authoritative Accepted Domain and updates the default Email Address Policy to use it as the primary SMTP address — removing internal suffixes like .local or .lan. Configured via -MailDomain or derived automatically from -Namespace.

Interactive CoPilot — guided deployment

EXpress runs as an interactive wizard (CoPilot) or fully automated (AutoPilot). The menu adapts to the selected mode, exposing only relevant options. ~55 hardening, tuning and policy knobs are accessible via the Advanced Configuration menu.

Main Menu — Mode Selection

Seven installation modes: full Mailbox server, Edge Transport, management tools, preflight only, recovery, standalone optimize, or generate documentation. Mode-specific switches appear dynamically.

Main Menu — Mode Selected & Switches

Mode [1] Exchange Server (Mailbox) selected. Toggle switches for SU install, Windows Updates, Installation Document, and more before pressing Enter to start.

Advanced Configuration (1/3) — Security / TLS & Hardening

Page 1 of 3: Security/TLS settings (SSL 3.0, RC4, CBC, TLS 1.2/1.3, AMSI, Extended Protection) and Security/Hardening knobs (SMBv1, LLMNR, mDNS, LSA Protection, WDigest, HTTP/2, and more).

Advanced Configuration (2/3) — Performance & Org Policy

Page 2 of 3: Performance/Tuning (MaxConcurrentAPI, disk allocation, content conversion, NodeRunner GC, NIC power, RSS, TCP offload, IPv6 preference) and Exchange Org Policy (OAuth2, OWA timeout, CEIP, MAPI over HTTP, message size, expiry, NDR).

Advanced Configuration (3/3) — Post-Config & Install-Flow

Page 3 of 3: Post-Config/Integration (MEAC cert renewal, antispam agents, offloading, MRS Proxy, IANA timezone, HealthChecker, RBAC Report, Emit EOMT) and Install-Flow/Debug (Auto-approve Windows Updates, diagnostics, lock screen, AD roles check, .NET 4.8.1, System Restore, AD replication wait).

What a manual Exchange deployment actually involves

Every step you'd have to perform by hand — and what EXpress does instead.

❌ Manual installation
  • Identify the correct .NET version for your OS, find the download, install, reboot
  • Hunt down VC++ 2012 and 2013 Redistributable links — both required, neither obvious
  • Download and install URL Rewrite Module 2.1 from IIS.net
  • Copy UCMA 4.0 Setup from Exchange media, install manually
  • Run Windows Update, wait, reboot, repeat until clean
  • Look up the current Exchange Security Update KB, find the download, install it
  • Read Microsoft's TLS hardening guide across multiple documentation pages
  • Disable SMBv1, WDigest, NetBIOS, HTTP/2 — each a separate registry edit
  • Enable LSA Protection, Extended Protection, Serialized Data Signing
  • Set LM compatibility level, disable Print Spooler, Fax, Secondary Logon
  • Configure High Performance power plan, pagefile, TCP offload, RSS, NIC queues
  • Set virtual directory URLs, bind certificate to IIS and SMTP
  • Download and run HealthChecker separately, interpret results manually
  • Set up log cleanup task, configure SMTP banner, HSTS, AMSI body scanning
  • Write your own documentation for everything you did
✅ With EXpress
One command.

All prerequisites downloaded and installed automatically — .NET 4.8/4.8.1, VC++ 2012 & 2013, UCMA 4.0, URL Rewrite — each only if not already present.

Windows security updates installed via Windows Update before Exchange setup. Current Exchange Security Update detected dynamically and applied automatically.

40+ hardening and performance settings applied in a single Phase 5 run — TLS, SMB, LSA, Extended Protection, AMSI, power plan, pagefile, RSS, NIC queues and more.

HealthChecker runs automatically. Results are embedded in the installation report alongside every security setting and its best-practice recommendation.

Complete HTML installation report generated at the end — proof of everything that was configured, no manual documentation required.

Word installation document (.docx) generated automatically alongside the HTML report — pure PowerShell, no Office required. DE/EN, customer-ready redaction mode included.

.\EXpress.ps1 -ConfigFile .\deploy-mbx01.psd1

Preflight + 6 phases, fully automated

State persists across reboots — EXpress picks up exactly where it left off, every time.

A zero-phase preflight runs first (checks admin rights, domain membership, OS version, AD Forest/Domain level, static IP, free disk space; generates an HTML pre-flight report), then the six install phases below execute automatically.

1. Windows Features & Security Updates

All required Windows Server roles and features installed in a single batch. Windows security updates applied automatically via Windows Update — no manual patch hunting. Source server config exported for swing migrations.

2. Prerequisites

.NET Framework 4.8 / 4.8.1 (OS-aware), OS-specific hotfixes, VC++ 2012 / 2013 Redistributables (12.0.40664+), URL Rewrite 2.1 — all downloaded automatically, skipped if already installed. Reboot before Phase 3 is conditional: skipped when Windows reports no pending reboot.

3. UCMA & Active Directory Preparation

Unified Communications Managed API 4.0. PrepareAD / PrepareSchema / PrepareAllDomains with optional AD replication wait.

4. Exchange Setup

Runs setup.exe with the correct role switches. Autodiscover SCP pre-configured. Transport services set to Manual for safe startup. SetupAssist on failure.

5. Post-Configuration & Exchange Security Update

40+ security and performance tasks: TLS 1.2/1.3 enforcement, SMBv1/WDigest/NetBIOS/HTTP/2 disabled, unnecessary Windows services disabled (Print Spooler, Fax, Secondary Logon, Smart Card, Windows Search), Shutdown Event Tracker disabled, LSA Protection, Extended Protection, IPv4 preference, MRS Proxy/MAPI encryption, RSS/MaxConcurrentAPI, pagefile, NodeRunner, HSTS, latest Exchange Security Update (dynamic detection), virtual directory URLs, Exchange-level optimizations. Reboot before Phase 6 is conditional: skipped when the SU didn't request one and no pending reboot is signalled.

6. Finalization

Start services, IIS health check, DAG join, RBAC report, anti-spam agents, send connector integration, log cleanup task, HealthChecker, HTML + PDF installation report, Word installation document.

Production-ready. One command.

Start the script, walk away. EXpress handles every reboot, every prerequisite, every hardening step — and hands you a complete installation report when it's done.

# CoPilot — interactive guided menu (recommended for first run)
.\EXpress.ps1

# AutoPilot — fully unattended, handles every reboot automatically
.\EXpress.ps1 -SourcePath D:\Exchange -AutoPilot

# AutoPilot farm deployment — predefined config, run on N machines in parallel
.\EXpress.ps1 -ConfigFile .\deploy-mbx01.psd1

# Swing migration — copy config from source, import certificate, join DAG
.\EXpress.ps1 -SourcePath D:\Exchange -AutoPilot `
    -CopyServerConfig EX01 -CertificatePath D:\certs\mail.pfx -DAGName DAG01

# Recipient Management Tools on an admin workstation
.\EXpress.ps1 -InstallRecipientManagement -SourcePath D:\Exchange

# Management Tools only — hybrid AD object management (Windows 11 / member server)
.\EXpress.ps1 -InstallManagementTools -SourcePath D:\Exchange

# StandaloneOptimize — harden & tune an already-installed Exchange server
.\EXpress.ps1 -StandaloneOptimize -Namespace mail.contoso.com `
    -CertificatePath C:\certs\mail.pfx -LogRetentionDays 30

# Generate Word installation document on an existing server (DE or EN)
.\EXpress.ps1 -StandaloneDocument -Language EN

# Customer-ready document — IPs and sensitive values redacted
.\EXpress.ps1 -StandaloneDocument -Language DE -CustomerDocument

# Compile to self-contained .exe (PS2Exe)
.\Build.ps1
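After a Phase 5 or -StandaloneOptimize run, a few of the registry-backed settings named in the hardening list (SMBv1, WDigest, LSA Protection, LM level 5, TLS 1.2, SSL 3.0) can be spot-checked independently of the generated report. This is an added example, not code from EXpress.ps1; the registry paths and expected values are the standard Windows locations and are an assumption about what the script writes, since the page does not show them.

```powershell
# Added example (not EXpress.ps1 code): read-only check of registry-backed hardening.
# Paths and expected values are standard Windows ones, assumed rather than taken from the page.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$checks = @(
    @{ Setting = 'SMBv1 server disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Test = { param($v) $v -eq 0 } }
    @{ Setting = 'WDigest credential caching disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Test = { param($v) $v -eq 0 } }
    @{ Setting = 'LSA Protection (RunAsPPL)'
       Path = $lsa; Name = 'RunAsPPL'; Test = { param($v) $v -in 1, 2 } }
    @{ Setting = 'LM compatibility level 5'
       Path = $lsa; Name = 'LmCompatibilityLevel'; Test = { param($v) $v -eq 5 } }
    @{ Setting = 'TLS 1.2 server enabled'
       Path = "$schannel\TLS 1.2\Server"; Name = 'Enabled'; Test = { param($v) $v -ne 0 } }
    @{ Setting = 'SSL 3.0 server disabled'
       Path = "$schannel\SSL 3.0\Server"; Name = 'Enabled'; Test = { param($v) $v -eq 0 } }
)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$results = foreach ($c in $checks) {
    $value = Get-RegistryValue -Path $c.Path -Name $c.Name
    # Three states: an absent value is reported separately instead of counted as a pass.
    $state = if ($null -eq $value) { 'NotSet' } elseif (& $c.Test $value) { 'OK' } else { 'Deviates' }
    [pscustomobject]@{ Setting = $c.Setting; Value = $value; State = $state }
}
$results | Format-Table -AutoSize

# SMB1 can be off with no registry value present, so also ask the SMB server directly.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

A `NotSet` row means no explicit value exists and the OS default applies, so it needs a separate look rather than being read as compliant.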

Every setting documented, automatically

EXpress doesn't just deploy — it proves it. 9-section HTML installation report plus a full Word handover document (18 chapters) with CIS / BSI IT-Grundschutz compliance mapping, GDPR checklist, RBAC role-group members, retention-tag inventory, SIEM/forensics guidance, change-management and acceptance-test sections — generated on every run. ISO 27001, BSI IT-Grundschutz and GDPR audits without manual post-processing.

SERVER_ExchangeServer-Dokumentation_EN_20260419-104451.docx
Exchange Server Installation & Audit Documentation
Word handover document · 18 chapters · generated by EXpress.ps1 v1.1.5
SERVER Exchange Server SE RTM 2026-04-19 10:44:51
§8.8 Compliance Mapping — CIS Benchmark / BSI IT-Grundschutz
TLS 1.2 enforced | CIS WS2022 18.4.x · BSI SYS.1.2 A5 | Implemented ✓
SMBv1 disabled | CIS WS2022 18.3.4 · BSI NET.3.4 A2 | Implemented ✓
LSA Protection | CIS WS2022 18.4.5 · BSI SYS.1.6 A5 | Implemented ✓
Extended Protection (EPA) | CIS WS2022 18.4.x · BSI APP.5.2 A10 | Implemented ✓
Admin Audit Log | CIS EX2019 1.1 · BSI APP.5.2 A13 | Implemented ✓
Local log cleanup | MS Best Practice · BSI APP.5.2 A4 | Implemented ✓
SIEM integration | CIS Control 8 · BSI OPS.1.1.5 | Out of scope
§4.7 Retention Policy Tags · live from Get-RetentionPolicyTag
Default 2y move | All / 730 days / MoveToArchive | Enabled
Deleted Items 30d | DeletedItems / 30 days / DeleteAndAllowRecovery | Enabled
Junk 7d | JunkEmail / 7 days / PermanentlyDelete | Enabled