Released: January 2022 Exchange Server Security Updates
Published Jan 11 2022 10:10 AM 74.9K Views

Microsoft has released security updates for vulnerabilities found in any version of:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (see Known Issues in update KB article).

The January 2022 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Update installation

Two update paths are available:

Jan22SUpath.png

Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.

Known issues with this release

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the January 2022 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Does the January 2022 security update package contain any fixes related to recent Exchange transport queue buildup issue?
January 2022 security update package does not contain any changes related to January 2022 transport queue buildup issue. Please follow that blog post for steps to resolve transport queue buildup.

Updates to this blog post:

  • 2/24: Added known issues.

The Exchange Team

62 Comments
Microsoft

We know that a few downloads currently still 404 for some; please wait a little longer, we are working on it! As usual KB articles might take a bit longer to go live.

New Contributor

With the December CUs delayed, are those expected soon and will they include this "baked in"? Trying to avoid the maintenance window (and work) for these only to wait 3 days and have to do it all over again for the CUs.

Microsoft

@m49808 No, we do not release SUs and CUs as separate releases in the some month.

New Contributor

Thanks, that is good to know they are delayed at least another month. That helps in planning a number of things. 

Occasional Visitor

While we wait on https://support.microsoft.com/help/5008631 to show other than 404, do we know if todays release address the y2k22 bug and if so, without having to undo the work around (disabling malware scanning)?

Microsoft

@nexusds Please see the FAQ above. Short answer: no; there is no Y2K22 fix in January SU package and also - please see the Y2K22 blog post, because disabling malware scanning was a temporary workaround only (permanent solution is available).

New Contributor

For those wondering. Installed the updates ahead of our normal update schedule on servers in several environments without any issues as far as I can see (Exchange 2019, 2016 and some 2013).

Occasional Visitor

FYI, the link for Exchange from here:

 

https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan

 

goes to the Windows Server 2008 SP2 page.

Microsoft

@tholyoak Thanks, reported!

Frequent Visitor

RESOLVED:  After a power off and restart, this resolved the OWA issue

 

Applied this update on my Exchange 2013 server and unfortunately I am still seeing the "External component has thrown an exception." error when an on prem user attempts to login to the OWA.

 

Per: Outlook Web App hybrid redirect after installation of November 2021 security updates.

 

 

Senior Member

@Reallybigcatheter 
Seems like MS didn't post any official fix except for a workaround. Did you try to apply the following?
https://support.microsoft.com/en-us/topic/owa-redirection-doesn-t-work-after-installing-november-202...

 

New Contributor

So thats a bit annoying. Fix a security issue or have a functional OWA hybrid redirect? This is what keeps people from being updated. 

New Contributor

Hello,

 

I asked this same question around the Transport queue problem earlier in January.  When will Microsoft change the Exchange Hybrid requirements so this now "routine" emergency security patching for any Exchange server will be reduced if customers can either remove the need for Hybrid or for Microsoft to make the Hybrid server a simple Exchange appliance possibly?

 

When will there be another supported way to manage Exchange attributes on-premise and a substitute to more easily allow systems/devices to relay off an internal email server?

 

It is long overdue Microsoft and hoping someone from the Exchange team can comment on the plans to simplify our IT lives so we don't have have to upgrade/patch Exchange hybrid servers every 2 to 6 months to stay in support and stay secure.

 

thank you,

Larry Heier

Senior Member

@Larry HeierI feel your pain.

I specifically for this case gave my helpdesk small winforms based app to correct mail alliases for users, cause I didn't want them to modify it by hand, since they are used to slip a hand and change sth else.

 

Also waiting for Exchange Team to come up with hybrid setup where only AAD Connect is installed and Exchange can be fully decommisioned.
It was higlighted at MS Ignite in 2018/2019 I think, but all we got is offical docs, which I'm glad are in place, but those describe only 2 common scenarios 1) full cloud = remove ex or 2) stay with ADFS = keep ex...

 

Frequent Visitor

@hubertmroz From the article above, it seems to indicate this issue was resolved in this release.

 

This release addresses an earlier known issue with Outlook Web App hybrid redirect after installation of November 2021 security updates. "

 

I did not attempt the "workaround".  I would rather hit my hand with a hammer repeatedly.  Seriously though, those steps for my server are convoluted and almost certainly will break after each subsequent update, so I would prefer to wait for an official fix.

Senior Member

Hello

 

For those running Exchange various versions on Windows 2012 or Windows 2012R2 there seems to be an issue with the recently released Windows 2012 / Windows 2012R2 January 2022 security patch as per following link

 

Multiple posts on r/exchangeserver talk about the Windows 2012 R2 update making ReFS disks go RAW and become unreadable.

https://www.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/

 

 

 

Senior Member

correction

my bad, i included the wrong link in my previous post

https://www.reddit.com/r/exchangeserver/

 

Senior Member

After installing CU22 and Jan22SU, the script from https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transp... is not needed.

 

UpdateVersion : 2112330090

Script output: This server is not impacted.

Senior Member

@eledimare you sure? The 3rd FAQ question is quite specific that the SU does not resolve this issue.

Senior Member

@hubertmroz in my case the script output was that the servers are not impacted. 


In any case, the below commands may be ran to get the Engine version.

The stuck transport queue problem occurred when the antivirus engine is at versions starting at "22" (signifying the year 2022).

 

Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
Get-EngineUpdateInformation

 

Senior Member

@eledimThe only reason for this SU to resolve the Y2K22 bug is when you had malware engine disabled prior new year and applied CU22 after new year. The malware engine service was at version '21' after new year, but since disabled = not affected. After applying CU22 the services got reinstalled and set back to enabled by default, which allowed the malware to update without being affected. Later SU update didn't change a matter of fact.

 

But still, I'm glad your Ex'es are doing fine, will be updating mine today.

Occasional Visitor

I have checked on several exchange 2019 and 2016 (latest cu) servers. None of them are prompting for the install of this update via windows update. Has it been rolled out fully?

New Contributor

@galbitzhou Have you enabled Windows Update agent on your operating system to include updated for other Microsoft software as well? Default its turned off, or maybe it's been reset to default. Otherwise I recommend installing it manually, always use Elevated Command prompt. In anyway, I update servers I manage always manually. If that option states its not applicable for you, there might be something missing. Also check the exact build of your Exchange versions.

Regular Visitor

Hi,

are there any plans for Windows Server 2022 support?

Or for a new Exchange Server Version für Windows Server 2022?

Greetings

Jens

 

 

Microsoft

@SnejPro We will talk about this when time comes; that time is not now, sorry!

Senior Member

Is it necessary to put exchange in maintenance mode when installing SUs for Exchange CUs like KB5008631?

New Contributor

@Gregg Buchanan 

It depends on your Exchange configuration. If you have a DAG with multiple Exchange servers, then yes, I advise Maintenance mode for SUs and CUs. We have a single on-premises Exchange Server as part of a Hybrid configuration. So we don’t use (and have never used) Maintenance mode when updating our single server.

New Contributor

@Gregg Buchanan as @sjhudson states. In addition to that. If you have a load balancer setup, I usually just put the server out of service in the load balancer, check the server for any pending actions, move over the databases, wait for the logs are cleared out and apply the patch from elevated cmd and go. When its back wait a few minutes and then check owa, ecp and db status followed by re-enabling it in the load balancer.

Senior Member

@sjhudson Thank you. We have even a simpler setup and never used the maintenance mode either but I have seen it mentioned a lot.

@christiaan-nl Thank you. We are changing our exchange environment and will make this information a procedure to follow then.

New Contributor

@Gregg Buchanan In addition, If you set exchange itself into maintenance mode as well, check the component state of the server first, sometime I have seen that when getting the server out of maintenance, not all the services got out of it. You can find info here: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/requestor-changed-server-compo...

 

Btw, always check the before and after state, they should be identical. There is always one entry inactive.

Senior Member

Why is Microsoft not implementing the Exchange Server Health Checker script into the install routines of SU/CU Updates?

Senior Member

Hello,

 

We encounter an error when installing this KB5008631 on one of our Exchange 2019 servers. It was correctly installed with success on the other 3 Exchange servers. But it refuses to install on one of the servers.


We tried to install it manually from the command line but we still get an error message at the end of the installation process:

Philippe_CSTI_SA_0-1643031494139.png

 

 

We have activated the debug logs of windows installer, they show us the following errors:

Property(S): msgErrorExchangeAdmin = The user who's currently logged on doesn't have sufficient permissions to install this package. You need at least Exchange Server Administrator permissions on the current computer to complete this task.

 

We have checked the rights of my account it is well member :

  • Domain Admins
  • Enterprise Admins
  • Schema Admins

 

Have you ever had this with this SU?

 

Thanks in advance,

 

Best regards,

Philippe

Senior Member

@Philippe_CSTI_SA 
Please check that the current session has correctly recalculated group membership

cmd > net user <yourlogin> /domain
in output check if Global Group Membership contains those groups. If not it's worth to relog your session.


Worth to mention (since I see a gui installer) if you are running it after downloading from Microsoft Catalog make sure you run it not from explorer directly but rather:

run cmd as administrator and from there cd to catalog with .msi and go from there.

If above does not resolve run a setupassist script to perform health check prior to installation. It could be some PS session running or Reboot Pending registry.
https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/

Regards,
HM

Regular Visitor

After installation of KB5008631 on Exchange Server 2013, in-place eDiscovery & Hold in ECP stopped working.  When attempting to load it, an error is received "Deserialization of type Microsoft.Exchange.Data.PropertyBag+ValuePair blocked due to NotInAllow at location MailboxDataStore", and the list of searches is left empty.  If I uninstall KB5008631 in-place eDiscovery & Hold starts working again.

Senior Member

Hello,
A fresh installation of a server on 2016 with this CU22 produces an error at step 6 (Mailbox role: Transport service):

 

Error:
The following error was generated when "$error.Clear();
Write-ExchangeSetupLog -Info "Setting up FIPS configuration based on Exchange Install Path";

$FipsDataPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Data");
$FipsEnginesPath = [System.IO.Path]::Combine($FipsDataPath, "Engines");
Write-ExchangeSetupLog -Info "Loading FipFs snapin";
Add-PsSnapin Microsoft.Forefront.Filtering.Management.PowerShell -ErrorAction SilentlyContinue;
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:TraceFile" -Value $FipsDataPath -Confirm:$false
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:Engines" -Value $FipsEnginesPath -Confirm:$false

# Copy Microsoft Engine to Engines folder during the install
$FipsBinPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Bin");
$MicrosoftEngineSourcePath = [System.IO.Path]::Combine($FipsBinPath, "Engine\Microsoft");
$MicrosoftEngineDestinationPath = [System.IO.Path]::Combine($FipsEnginesPath, "amd64\Microsoft");
$MicrosoftEngineExists = Test-Path $MicrosoftEngineDestinationPath
if(! $MicrosoftEngineExists)
{
Robocopy $MicrosoftEngineSourcePath $MicrosoftEngineDestinationPath /S
}

" was run: "System.OutOfMemoryException: Creating an instance of the COM component with CLSID {2DC947D7-A2DC-4276-A554-891346CE2032} from the IClassFactory failed due to the following error: 8007000e Not enough storage is available to complete this operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).
at Microsoft.Forefront.Filtering.Management.PowerShell.ConfigurationBaseTask..ctor(Boolean allowChanges, Boolean autoReportProgress)
at lambda_method(Closure )
at System.Management.Automation.CommandProcessor.Init(CmdletInfo cmdletInformation)".

Error:
The following error was generated when "$error.Clear();
Write-ExchangeSetupLog -Info "Setting up FIPS configuration based on Exchange Install Path";

$FipsDataPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Data");
$FipsEnginesPath = [System.IO.Path]::Combine($FipsDataPath, "Engines");
Write-ExchangeSetupLog -Info "Loading FipFs snapin";
Add-PsSnapin Microsoft.Forefront.Filtering.Management.PowerShell -ErrorAction SilentlyContinue;
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:TraceFile" -Value $FipsDataPath -Confirm:$false
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:Engines" -Value $FipsEnginesPath -Confirm:$false

# Copy Microsoft Engine to Engines folder during the install
$FipsBinPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Bin");
$MicrosoftEngineSourcePath = [System.IO.Path]::Combine($FipsBinPath, "Engine\Microsoft");
$MicrosoftEngineDestinationPath = [System.IO.Path]::Combine($FipsEnginesPath, "amd64\Microsoft");
$MicrosoftEngineExists = Test-Path $MicrosoftEngineDestinationPath
if(! $MicrosoftEngineExists)
{
Robocopy $MicrosoftEngineSourcePath $MicrosoftEngineDestinationPath /S
}

" was run: "System.OutOfMemoryException: Creating an instance of the COM component with CLSID {2DC947D7-A2DC-4276-A554-891346CE2032} from the IClassFactory failed due to the following error: 8007000e Not enough storage is available to complete this operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).
at Microsoft.Forefront.Filtering.Management.PowerShell.ConfigurationBaseTask..ctor(Boolean allowChanges, Boolean autoReportProgress)
at lambda_method(Closure )
at System.Management.Automation.CommandProcessor.Init(CmdletInfo cmdletInformation)".

 

Any solutions from somebody?

Regards
CK

 

New Contributor

@ckessing Your logfile shows 'Out of Memory' (see below). Check system RAM against Exchange 2016 recommendations. Also check Task Manager for memory usage...

 

{Robocopy $MicrosoftEngineSourcePath $MicrosoftEngineDestinationPath /S" was run: "System.OutOfMemoryException: Creating an instance of the COM component with CLSID {2DC947D7-A2DC-4276-A554-891346CE2032} from the IClassFactory failed due to the following error: 8007000e Not enough storage is available to complete this operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).

Visitor

I am still having issues w/ the SU KB5008631. When Windows Updates does the install I am getting 404 errors (unlike what this blog says) and when I manually install it from an elevated prompt I am having issues w/ ECP. This is frustrating and if someone can help me out with how to select updates individually with Server 2016/2019 instead of an all or nothing approach I would appreciate it. That is my biggest gripe moving from Server 2012R2. I am now manually installing updates to move around this SU.

Senior Member

Sure. I think memory is not the issue. If I run manually


$FipsDataPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Data");
$FipsEnginesPath = [System.IO.Path]::Combine($FipsDataPath, "Engines");
Write-ExchangeSetupLog -Info "Loading FipFs snapin";
Add-PsSnapin Microsoft.Forefront.Filtering.Management.PowerShell -ErrorAction SilentlyContinue;
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:TraceFile" -Value $FipsDataPath -Confirm:$false

 

there's the same error message. Maybe something with the COM+ class ?

 

Even a get query produces the same error message:

 

get-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:TraceFile"
get-ConfigurationValue : Creating an instance of the COM component with CLSID {2DC947D7-A2DC-4276-A554-891346CE2032}
from the IClassFactory failed due to the following error: 8007000e Not enough storage is available to complete this
operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).
At line:1 char:1
+ get-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], OutOfMemoryException
+ FullyQualifiedErrorId : System.OutOfMemoryException

 

Senior Member

@hubertmroz 

 

 

 

Please check that the current session has correctly recalculated group membership

cmd > net user <yourlogin> /domain
in output check if Global Group Membership contains those groups. If not it's worth to relog your session.

>> Yes member :

- Schema Admins

- Enterprise Admins

- Domain Admins

 


Worth to mention (since I see a gui installer) if you are running it after downloading from Microsoft Catalog make sure you run it not from explorer directly but rather:

run cmd as administrator and from there cd to catalog with .msi and go from there.

>> I download the MSP  with this post, run cmd as administrator  and execute ./Exchange2019-KB5008631-x64-en.msp, it start a GUI

 

 

If above does not resolve run a setupassist script to perform health check prior to installation. It could be some PS session running or Reboot Pending registry.
https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/

>> I run setupassist, I can see error for "Pending Reboot Failed HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\PendingFileRenameOperations" .


I also have this registry key error on my other Ex2019 servers but this server able to install this KB without any problem.
I will try tomorrow to reinstall this KB and to clear the registry key before (https://knowledge.broadcom.com/external/article/178159/error-pending-system-changes-that-requir.html) . But I would be surprised if the registry key generated a rights error message.

 

I also have for this server only an error for "Services Cache Files"

Philippe_CSTI_SA_0-1643184456595.png

Can this error generate errors during the installation?

 

 

 

 

Best regards,

Philippe

Senior Member

Now I get it uninstalled. So I installed CU20 and then raised to CU21 and at last to CU22. This procedure works well.

New Contributor

@ckessing Glad to hear it is working. However, there was no need to install CU20 then CU21 then CU22. You could just install CU22 (and this January 2022 Security Update). From Microsoft...

"To get the latest version of Exchange 2016, download and install Cumulative Update 22 for Exchange Server 2016. Because each CU is a full installation of Exchange that includes updates and changes from all previous CUs, you don't need to install any previous CUs"

Occasional Contributor

This update has broken Public Folder use on Office 365. You can no longer synchronize public folders after a user edits a record. The sync errors folder just keeps filling up. If a user edits a record then another user cannot edit eh record. The header shows the update, but the item does not come over. The user gets a item edited by another user error. Even if you update the item in All Public Folders.

Senior Member

This breaks OWA on a perfectly running Exchange 2019 running CU11 - after the update the OWA wont start and says files are missing

 

Resolved:

For my second attempt, I opened an administrator command line and ran the patch, got the same error again at the end - but this time shutdown (instead of a restart) and then started again and OWA started up fine - Weird

Senior Member
Senior Member

Hi,

 

after installing KB5008631 on Exchange 2016 Unified Messaging role does not allow users to define new call answering rules (OWA shows invalid reply message 0xe0434352). I can see event IDs 1408 and 1083 in the logs and can reproduce the error on different environments. Anyone has a solution to this?

 

Regards

Norbert

Senior Member

@The_Exchange_Team Since installing KB5008631 on our Exchange 2013 On-Prem servers at the beginning of the week, we've had an ongoing issue with emails in the "Journaling" message queues getting stuck in a "Retry" status (queuing up), all with the last error being "432 4.3.2 STOREDRV.Deliver; recipient thread limit exceeded". This is occurring on all the Exchange servers since installing the update. 

Is anybody experiencing this issue? Any thoughts on a resolution?

Senior Member

@Philippe_CSTI_SA 
in this case windows could be holding onto some dll libraries changed per updated, but to know exact you'd have to seek for registry hive as in error message.

i wouldn't be shocked if the permission issue wasn't a randomly chosen error generated, but the real issue would be installer stopping, cause of reboot pending registry ( which is also the case of most windows update issues, which fail if you do not reboot prior to applying them ).

Regards, Hubert

Senior Member

@Wess33

the messages you see in a stuck in a "Retry" is the reason you see logs of STOREDRV. those messages pop-up due to insufficient resources to process a large volume of mails stuck in a queue.
output of code below should give you a view of what messages are being stuck ( being legit or not  - change hostname server from 1st line )

 

$exchange = "EX01","EX02" #change your hostname to desired
foreach ($exch in $exchange)
	{
	$failedmessages = get-queue -server $exch -filter {Status -eq "Retry"}
	foreach ($msg in $failedmessages) 
		{
			Get-message -queue $msg.identity #| Remove-Message -Confirm:$false -WithNDR $false
		}
	}

 

 
if the messages are being untrusty/spam, you can remove them by removing # from 7th line.

also note - not long ago there was an issue with filtering module in exchange not getting an update
you should probably check this thread and see if you apply to it: https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transp...

Regards, Hubert

Senior Member

@hubertmroz thanks. The messages queuing up are defenitely not SPAM. They are defenitely legit. In terms of server resources, no issues there. Also It's not the filtering issue.

The queue errors appear to be specific to the journal hop of the delivery i.e. copy the message to the Journal mailbox. The issue began after installing the January SU and is the same on all hub transport servers.

Occasional Visitor

I updated my Exchange 2016 with CU22 on december 2021 and all worked fine.

I had vulnerability issues. Replies were being sent to existing emails with strange links. This stopped happening after the update, until this week, now they respond to existing emails but although it has the user name of my company, the email is a completely unknown email outside our domain. I try to track this email and there are no logs. I'm not finding a solution for this vulnerability, if anyone has had this problem, please share your experience.

Co-Authors
Version history
Last update:
‎Feb 24 2022 02:19 PM
Updated by: