Released: August 2023 Exchange Server Security Updates

For those who don't want to wait for the revised update from MS: I validated the workaround and wrote these instructions for updating Exchange Server 2016 CU 23 on a Windows Server 2016 with de-de locale.

Microsoft removed the original Exchange2016-KB5029388-x64-de.exe from the Download Center. I reuploaded it because it can be actually used to successfully patch a german Exchange 2016.

If the update already failed and did a rollback, fix Exchange services by following these steps:

- Open Elevated Powershell
- Change to the following directory: \Exchange Server\V15\Bin.
- Enter .\ServiceControl.ps1 AfterPatch, and then press Enter.
- Restart the computer.

To install the update follow these steps:

1) Download standalone update from https://backofficeplusgmbh-my.sharepoint.com/:u:/g/personal/julian_haupt_backoffice_plus/EWf-wAFN4BdDgFAH66GbEhkB0YH7QjeecDX2y-J_S0uW6g?e=4lTXqF
2) Add dummy AD user by running:

New-ADUser -Name "Network Service" -SurName "Network" -GivenName "Service" -DisplayName "Network Service" -Description "Dummy user to work around the Exchange August SU issue" -UserPrincipalName "Network Service@$((Get-ADForest).RootDomain)"

3) If AD is replicated wait up to 15 minutes for replication to propagate
4) Run Exchange2016-KB5029388-x64-de.exe as Administrator

5) Fix registry access to the correct "Network Service" user by running

$acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0)
$acl.SetAccessRule($rule)
Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server" -AclObject $acl

6) Restart Exchange Server
7) If there a multiple Exchange Servers repeat steps 1 & 4-6 on every server
😎 Remove the dummy AD user by running

Remove-ADUser -Identity "Network Service"