Released: August 2023 Exchange Server Security Updates

This Exchange SU cannot be installed in our environments (OS and Exchange in de-de). Installer throws Error 1603.

Tested on Exchange Server 2016 CU23 SU8 on Windows Server 2016 as well as Exchange Server 2019 CU13 SU1 on Windows Server 2022.

Property(C): msgINTERIMUPDATEDETECTED = Unable to install because a previous Interim Update for Microsoft Exchange Server 2016 Cumulative Update 23 has been installed. Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.
Property(C): msgRequiresProc = The version of this file is not compatible with the version of Microsoft Exchange Server 2016 Cumulative Update 23 that you're running. Check your computer to see whether you need an x64 (64-bit) or x86 (32-bit) version of this file.

MSI (c) (54:10) [22:15:58:033]: Product: Microsoft Exchange Server - Update 'Security Update for Exchange Server 2016 Cumulative Update 23 (KB5029388) 15.1.2507.31' could not be installed. Error code 1603. Additional information is available in the log file C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update\msi\ExchangeUpdate_2023-08-08-195915.log.

MSI (c) (54:10) [22:15:58:034]: Windows Installer installed an update. Product Name: Microsoft Exchange Server. Product Version: 15.1.2507.6. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: Security Update for Exchange Server 2016 Cumulative Update 23 (KB5029388) 15.1.2507.31. Installation success or error status: 1603.

Do I really have to uninstall the previous SU first?

The Patch even leaves the server in a non-working state with all Exchange services deactivated which have to be reset to automactic startup!

We have a similar problem like @Lothar_Lindinger . The Exchange SU cannot complete in our environments (Exchange 2019 and 2016), also on an very clean test environment. The OS and the Exchange are in de-de.

Property(C): msgINTERIMUPDATEDETECTED = Unable to install because a previous Interim Update for Microsoft Exchange Server 2019 Cumulative Update 13 has been installed. Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.
Property(C): msgRequiresProc = The version of this file is not compatible with the version of Microsoft Exchange Server 2019 Cumulative Update 13 that you're running. Check your computer to see whether you need an x64 (64-bit) or x86 (32-bit) version of this file.

MSI (c) (BC:74) [21:17:48:953]: Product: Microsoft Exchange Server - Update 'Security Update for Exchange Server 2019 Cumulative Update 13 (KB5029388) 15.2.1258.23' could not be installed. Error code 1603. Additional information is available in the log file D:\Exchange Server\Logging\Update\msi\ExchangeUpdate_2023-08-08-190917.log.

After the patch the servers are in a non-working state. We have services which do not start because of dependencies and even crashing transport services ("1067, Prozess wurde unerwartet beendet").

@The_Exchange_Team Please remove this update from WSUS Distribution at the earliest!

Manual service depedencies which might not be 100% obvious:

IISADMIN

W3SVC

Winmgmt

FMS

RemoteRegistry

SearchExchangeTracing

All these services should be set to automatic startup beside all obvious "Microsoft Exchange ..." services!

We have shutdown our last Exchange server and have an "Exchange Management Tools only" machine to manage mail-enabled recipient properties. The management tools are from CU12. How can we upgrade to CU13 without installing other Exchange roles during the upgrade process? I have tried the following command:

D:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /Role:ManagementTools

...but receive the following error:

Please select at least one server role to install. Make sure that the specified roles aren't already installed.

Workaround

# Automatic services
$auto = "MSExchangeADTopology",
"MSExchangeAntispamUpdate",
"MSExchangeDagMgmt",
"MSExchangeDiagnostics",
"MSExchangeEdgeSync",
"MSExchangeFrontEndTransport",
"MSExchangeHM",
"MSExchangeImap4",
"MSExchangeIMAP4BE",
"MSExchangeIS",
"MSExchangeMailboxAssistants",
"MSExchangeMailboxReplication",
"MSExchangeDelivery",
"MSExchangeSubmission",
"MSExchangeRepl",
"MSExchangeRPC",
"MSExchangeFastSearch",
"HostControllerService",
"MSExchangeServiceHost",
"MSExchangeThrottling",
"MSExchangeTransport",
"MSExchangeTransportLogSearch",
"MSExchangeUM",
"MSExchangeUMCR",
"FMS",
"IISADMIN",
"RemoteRegistry",
"SearchExchangeTracing",
"Winmgmt",
"W3SVC"

# Manual services
$man = "MSExchangePop3",
"MSExchangePOP3BE",
"wsbexchange",
"AppIDSvc",
"pla"

# Enable Services
foreach ($service in $auto) {
   Set-Service -Name $service -StartupType Automatic
   Write-Host "Enabling "$service
}
foreach ($service2 in $man) {
   Set-Service -Name $service2 -StartupType Manual
   Write-Host "Enabling "$service2
}

# Start Services
foreach ($service in $auto) {
   Start-Service -Name $service
   Write-Host "Starting "$service 
}

• Save this Script into a .ps1 file and run it as Adminstrator in the Powershell
• When Errors appears, check the Name of the Service and start him manually
• After this my Exchange 2016 and 2019 worked

Source for the Script : https://www.alitajran.com/restart-exchange-services-powershell-script/ 

Same on my end, tried on two different Exchange 2019 CU13 de-de servers. After failing, I fixed all services and it seems to run fine without the SU.

Please provide a working patch soon, as POCs for the RCEs will be coming up in the next few hours...

Also here: The update crashes on de-de OS and Exchange servers. Rollout has now been stopped for all our customers.

Can one of you who has issues with setup please open a ticket on this? We are not aware of this issue. Also, if you can DM me with a msi SU log; it will be something like:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update\msi\ExchangeUpdate_2023-08-08-195915.log

@dsantesson @nmildner @Lothar_Lindinger 

DM'd you @Nino Bilic 

@nmildner Got it - thanks, it's being looked at...

EDIT: got two logs; thank you! It is still unclear what is going on (we only see some sort of Access Denied in both logs but unclear why). We are trying to get a repro. If someone can open a ticket that would probably help.

Hi Team:

After installing the latest SU, some of the servers roll back up the update and get stick on "Shutting down service: Windows Modules Installer"  if we do a hard shutdown, it goes right back to the installing of the updates and fails, and on reboot goes back to this window.

Has this been reported and is there a workaround?

Regards

What bugged me out the most:
On german windows server, this update set´s "Winmgmt" to "Disabled" and after a reboot you are unable to manage your server, neither remote nor local, unless you manually start the service by hand.. This will probably lead to chaos tommorow..

Microsoft, please fix :)

I can also confirm that automatic installation of this update via Windows Update on Windows Server 2016 w/ Exchange Server CU23 Jun23SU (all de-de locale) fails and leaves the whole installation in an inoperational state.

MSI (c) (90:F4) [23:30:34:135]: Product: Microsoft Exchange Server - Update 'Security Update for Exchange Server 2016 Cumulative Update 23 (KB5029388) 15.1.2507.31' could not be installed. Error code 1603. Additional information is available in the log file E:\Exchange\V15\Logging\Update\msi\ExchangeUpdate_2023-08-08-205622.log.

MSI (c) (90:F4) [23:30:34:136]: Windows Installer installed an update. Product Name: Microsoft Exchange Server. Product Version: 15.1.2507.6. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: Security Update for Exchange Server 2016 Cumulative Update 23 (KB5029388) 15.1.2507.31. Installation success or error status: 1603.

@Nino Bilic it seems to be missing {30A4ABD2-C02E-4205-B04B-94CD59C7F827}.

Environment:
Windows Server 2016
Locale / Language: German
Currently installed Exchange: Exchange 2016 CU23 (15.1.2507.27)

MSI (c) (1C:2C) [14:13:17:112]: Unknown\Absent: {30A4ABD2-C02E-4205-B04B-94CD59C7F827} - C:\Users\Administrator\AppData\Local\Temp\2\ExchangeServer.msp

MSI (c) (1C:2C) [14:13:17:112]: Patch: {9F5C21B6-4276-4BB4-8D47-E4C5B3A06F29}	Order: 0	(Family: E15_DAT)
MSI (c) (1C:2C) [14:13:17:112]: Patch: {6A1E3D0A-436C-4B39-B174-F71A557FEAA9}	Order: 1	(Family: E15_DAT)
MSI (c) (1C:2C) [14:13:17:112]: Patch: {E442EE6F-208C-4B16-84F0-FB249A78477A}	Order: 2	(Family: E15_DAT)
MSI (c) (1C:2C) [14:13:17:112]: Patch: {A35C23B3-58DE-4527-8809-D89521AE966D}	Order: 3	(Family: E15_DAT)
MSI (c) (1C:2C) [14:13:17:112]: Patch: {43403F9A-86C4-403E-8E28-767AAEA71928}	Order: 4	(Family: E15_DAT)
MSI (c) (1C:2C) [14:13:17:112]: The ordered #_QFESequence table: - has the final sequence of QFEs.  It lists each PatchGUID only once.
MSI (c) (1C:2C) [14:13:17:112]: PatchGUID: {9F5C21B6-4276-4BB4-8D47-E4C5B3A06F29}	ResultantVersion: 15.1.2375.7	PatchFamily: E15_DAT	Sequence: 15.1.2375.12	Order: 0
MSI (c) (1C:2C) [14:13:17:112]: PatchGUID: {6A1E3D0A-436C-4B39-B174-F71A557FEAA9}	ResultantVersion: 15.1.2375.7	PatchFamily: E15_DAT	Sequence: 15.1.2375.17	Order: 1
MSI (c) (1C:2C) [14:13:17:112]: PatchGUID: {E442EE6F-208C-4B16-84F0-FB249A78477A}	ResultantVersion: 15.1.2375.7	PatchFamily: E15_DAT	Sequence: 15.1.2375.18	Order: 2
MSI (c) (1C:2C) [14:13:17:112]: PatchGUID: {A35C23B3-58DE-4527-8809-D89521AE966D}	ResultantVersion: 15.1.2375.7	PatchFamily: E15_DAT	Sequence: 15.1.2375.24	Order: 3
MSI (c) (1C:2C) [14:13:17:112]: PatchGUID: {43403F9A-86C4-403E-8E28-767AAEA71928}	ResultantVersion: 15.1.2375.7	PatchFamily: E15_DAT	Sequence: 15.1.2375.28	Order: 4
MSI (c) (1C:2C) [14:13:17:112]: PATCH SEQUENCER: there's no supersedence information available, so no patches will be superseded.
MSI (c) (1C:2C) [14:13:17:112]: SequencePatches returns success.
MSI (c) (1C:2C) [14:13:17:112]: Final Patch Application Order:
MSI (c) (1C:2C) [14:13:17:112]: {9F5C21B6-4276-4BB4-8D47-E4C5B3A06F29} - 
MSI (c) (1C:2C) [14:13:17:112]: {6A1E3D0A-436C-4B39-B174-F71A557FEAA9} - 
MSI (c) (1C:2C) [14:13:17:112]: {E442EE6F-208C-4B16-84F0-FB249A78477A} - 
MSI (c) (1C:2C) [14:13:17:112]: {A35C23B3-58DE-4527-8809-D89521AE966D} - 
MSI (c) (1C:2C) [14:13:17:112]: {43403F9A-86C4-403E-8E28-767AAEA71928} - 
MSI (c) (1C:2C) [14:13:17:112]: Other Patches:
MSI (c) (1C:2C) [14:13:17:112]: Unknown\Absent: {30A4ABD2-C02E-4205-B04B-94CD59C7F827} - C:\Users\Administrator\AppData\Local\Temp\2\ExchangeServer.msp
Das Upgrade kann nicht vom Windows-Installationsdienst installiert werden, da das zu aktualisierende Programm nicht vorhanden ist oder eine andere Version des Programms mit dem Upgrade aktualisiert wird. Überprüfen Sie, ob das zu aktualisierende Programm vorhanden ist und das richtige Upgrade verwendet wird.
C:\Windows\Installer\c7770.msi
MSI (c) (1C:2C) [14:13:17:112]: Product: Microsoft Exchange Server - Update '{30A4ABD2-C02E-4205-B04B-94CD59C7F827}' could not be installed. Error code 1642. Additional information is available in the log file C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update\msi\ExchangeUpdate_2022-07-02-121315.log.

MSI (c) (1C:2C) [14:13:17:113]: Windows Installer installed an update. Product Name: Microsoft Exchange Server. Product Version: 15.1.2375.7. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: {30A4ABD2-C02E-4205-B04B-94CD59C7F827}. Installation success or error status: 1642.

MSI (c) (1C:2C) [14:13:17:114]: Note: 1: 1708 
MSI (c) (1C:2C) [14:13:17:114]: Product: Microsoft Exchange Server -- Installation failed.​

@Spacefish I'm not sure that this is the right log; seems like it is from last year? The name of the log seems to be "ExchangeUpdate_2022-07-02-121315.log"?

So is this installation error only affecting German language installations?  

@jmacikanycz  What is the solution for installing this update on management tools only workstations with an Exchange server?

Could someone confirm if this issue is only with German locale? 

Hello, we are using a German version of Exchange 2016 CU23. Same problem here. Maybe this part from the SetupLog helps:

KB5014261 ist the SU from May 2023.

Regards,

Jörg

@Goldi2005 This was my first impression as well as it does not recognize the previously installed SU correctly according to the logs. Did you try to uninstall KB5025903? I did not so far, I don't want to interrupt services and I don't have a dogfood Exchange environment running anywhere at the moment.

First customer called with broken Exchange. I currently give the KB5029503 uninstall theory a shot there.

EDIT: No, uninstalling June 2023 Exchange SU KB5029503 does not resolve the install issue.

Property(S): INTERIM_UPDATE_INSTALLED = 5024296
Property(S): MsiRunningElevated = 1
Property(S): OriginalDatabase = C:\Windows\Installer\7d6c1.msi
Property(S): Preselected = 1
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): KB5019077 = KB5019077
Property(S): RecentFolder = C:\Users\Merlin\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): msgInterimIncorrectRollup = Installation cannot continue. The Setup Wizard has determined that this Interim Update is incompatible with the current Microsoft Exchange Server 2016 Cumulative Update 23 configuration.
Property(S): VirtualMemory = 22323
Property(S): TextHeight = 16
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): QFEUpgrade = 2
Property(S): SECONDSEQUENCE = 1
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): _BF926C0711244181ACD223071C51BDD3 = C:\Windows\Installer\4da70bc.msp

What's even more **bleep**: I cannot even install KB5025903 again on this server - is now also incompatible!

Hello, Jörg,

we also have this entry in the log. The entire log was already made available to Nino Bilic yesterday.
It might be helpful if more admins sent their logs to Nino Bilic via DM.

Regards,

Dieter

Same thing here! Updating on German version fails and leaves the node in an nonoperational state. 

Configuring all services with the script mentioned by @bloodking and restarting the node helps.

Hello team,

time is ticking and we have unpatched servers. Could you check if uninstalling KB5014261 and then installing KB5029388 would be a possible workaround? If so, detailed instructions would be useful.
In German forums there are numerous reports about failed installations.
Regards,
Dieter

Q: time is ticking and we have unpatched servers. Could you check if uninstalling KB5014261 and then installing KB5029388 would be a possible workaround? If so, detailed instructions would be useful.

No, this breaks the server even more rendering it unable to install any SU, just tested!

Attention: Just rebooted that server, now Windows Update installs SU8 again without manual interaction. Weird.

So updates are obviously NOT broken after uninstalling previous SU.

Best Regards,
Lothar

Same issue on french servers... it's not only related to german...

@Nino Bilic: Please get KB5029388 off WSUS and Windows Update ASAP!

Had the delete SoftwareDistribution Folder on the Exchange Server (2016 on Windows Server 2016) to prevent local WindowsUpdate Agent from installing again and again - only disabling the KB5029388 on WSUS was NOT enough.

So far, no problem with Exchange 2019 CU13 US.
Except it lost its Exchange certificate on the Back End side

Good morning,

Please can somebody from the Exchange team provide an informative update regarding the security update.  Which language versions are affected (or is it all)?

We are in the UK.  And I am sure many companies are now starting to patch.  As this relates to an RCE we want to patch the vulnerabilities ASAP.  We are deploying updates via WSUS, so any information relating to updated packages too please.

Many Thanks for your time.

Paul

@Deleted the update is broken. this is NOT a work-around! it only fixes the services to get them starting again, after the update aborted and did a rollback.

@Deleted,

the script restores the startup type of important services after the failed installation. The script does not install the patch. The servers remain vulnerable. Please run the HealthChecker.

@Deleted: On which language is your Exchange Server system runnning?

Also broke one of mine - and its a french one...

Had to restore the whole system partition and to shutdown windows update...

Can Microsoft please make a statement on whether CVE-2023-21709.ps1 (or the manual command execution) might increase the chances of mitigating CVE-2023-21709 WITHOUT INSTALLING SU2/9 BEFORE on supported versions of Exchange Servers with the highest possible pre-SU2/9 patch level?

@Nino Bilic 

Have installed the update on our development \ test server and on running the Exchange Health Checker, it is saying 

However the build number is 

and the Security Hotfix is detected as installed.

Security Update for Exchange Server 2019 Cumulative Update 13 (KB5029388)

edit, the script wasn`t updating to the latest version, have manually updated and now showing correctly.

Greetings,

are there any news regarding the issue with DE-DE installations?

same issue here with German Windows Server 2016, Exchange 2016. Thanx to the forum (thx @bloodking ) I was able to work around the failing update KB5029388 (or better to bring Exchange back to a working state) and prevent it from re-installing (thx @Lothar_Lindinger ). Now I'm also waiting for the final patch release from Microsoft since the CVE security risks are still unsolved.

Greetings, 

Ron

Hi,

same problem in Italy, Exchange 2016 full patched ...

@kdcddeplease let us know .. how did you fix your Win2016/MSEx2016 environment? thanks in advance.

@kdcdde Thanks for the update. What did the trick for successfully installing the August security update?

hey y'all, a working example from me: Win Server 2019 Standard EN and Exchange 2019 (1033 EN) / latest CU+SU (am located in germany, but, I guess it's the original language version that works)

no issue till now, not done the CVE script yet.

Robert

I have the same problem. Server crashed after installing SU. Services are down and nothing starts.

Logs

"Property(C): msgINTERIMUPDATEDETECTED = Unable to install because a previous Interim Update for Microsoft Exchange Server 2016 Cumulative Update 23 has been installed. Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.
Property(C): msgRequiresProc = The version of this file is not compatible with the version of Microsoft Exchange Server 2016 Cumulative Update 23 that you're running. Check your computer to see whether you need an x64 (64-bit) or x86 (32-bit) version of this file."

Windows Server 2016 Standard 1607 14393.6167
Poland

@Dome1160 @Gattaca I never mentioned that. fixing CVE risks is still unsolved. But at least the EXCH server is now back online... still have to wait for the solution from MS

@kdcdde  ah okay .. i just read "I was able to work around the failing update" and thought you fixed your env to a working node. okidoki .. let´s wait for M$ ^^

Let's summarize: There seems to be an issue when installing the August 2023 SU for Exchange 2016/2019 on any other language then EN which results in not installing the SU but leaving the Exchange servers in an unusable state where you manually have to start the necessary servcies and also need to set them to "automatic starting" to get Exchange back working. 

Could finally anyone from MS give a time span for a solution? It would much be appreciated. 

Win Server 2019 Standard EN and Exchange 2019 (1033 EN) / latest CU+SU

No problems whatsoever. Except on two servers that lost their certificate on the Back End side. But we've seen that before. I have also run the CVE script without problems.
When I read the thread, it seems that it applies to Exchange 2016 CU23 in non-original language. Possibly a few in the original language. So, my conclusion is that it is ok to install on a Exch 2019 server with original language and latest CU