@The_Exchange_Team
Sorry, but how can anybody proceed with applying the March security update in a production environment? It sounds like a complete mess!
The workaround is not clear either. Here are my questions:
Are Microsoft looking at issuing a revised update or fix? I am not keen on the workaround mentioned in KB5013118.
A couple of clients we support use a 'MS-Organization-P2P-Access' certificate which is installed on their Exchange 2016 server. This certificate is valid for 24 hours before renewing and is required for ADConnect, to sync computer accounts to Azure AD for hybrid join. If I apply March's update, does this mean that the 'MSExchangeServiceHost' is at risk of crashing?
Does this only apply to certificates that have Exchange services tied to them, or is it any certificate in the personal store?
In the workaround KB5013118, Step 5 is listed as optional (Remove or renew any certificates that have expired or will expire within the next 30 days.) if the 'DisableAsyncNotification' reg key is enabled. Obviously I won't be removing the 'MS-Organization-P2P-Access' certificate as it's required. If I then run the 'Remove Expiry Notification script', it will then clean out any messages in the AsyncOperationNotification folder in the arbitration mailbox; I then need to disable 'DisableAsyncNotification'. Should this workaround be applied before or after the installation of March's update?
I don't understand how it's a valid workaround, as I still have the expiring certificate installed on the system. Surely new messages will be subsequently sent to the 'AsyncOperationNotification' folder as soon as DisableAsyncNotification is disabled (step 2). Is this workaround just to get the service running again? Will the crashing symptoms continue following a reboot if expiring certs are still installed?
A thorough explanation is required!
Very poor Microsoft.