Released: March 2021 Exchange Server Security Updates

I came across another failed patch scenario last night and thought I'd post the issue and fix just in case it can help somebody else out.

This particular environment is a standalone Exchange 2013 CU23 server on Windows Server 2012. Windows is up-to-date, UAC disabled, PS execution policy set to unrestricted for LocalMachine and CurrentUser scopes, snapshot of VM taken. After an initial reboot, attempted to install the security update from the Windows Update client, but it failed. Reverted snapshot, tried installing the update manually from an elevated command prompt…fail. After trying all sorts of combinations and they all failed, I looked at the file "C:\ExchangeSetupLogs\ServiceControl.log" and noticed that the servicecontrol.ps1 file was failing to stop the “WinMgmt” service because it couldn’t stop its dependancies. Manually stopped the service and tried again and this time it failed on stopping “MSExchangeADTopology” because of its dependancies. Fixed that and then after the patch was just about to finish, it would fail again with an error in the log stating that “IgnoreTimeout” was an unknown parameter. I reverted the snapshot again, manually stopped WinMgmt and all Exchange services, modified line 477 from the file "C:\Program Files\Microsoft\Exchange Server\V15\Bin\ServiceControl.ps1"

OLD line: start-setupservice -serviceName $serviceName -ev script:serviceControlError -IgnoreTimeout:$IgnoreTimeout

NEW line: start-setupservice -serviceName $serviceName -ev script:serviceControlError

After that, ran Windows Update and the security update applied successfully. Rebooted and all is well.

So, in summary: Reboot your server, take a snapshot of it if you can, manually stop WinMgmt and all Exchange Services, edit the ServiceControl.ps1 file, install update via Windows Update (or manually from an Elevated command prompt if you wish), reboot, enjoy.