Released: January 2022 Exchange Server Security Updates
Published Jan 11 2022 10:10 AM

Microsoft has released security updates for vulnerabilities found in any version of:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

IMPORTANT: If you install the security updates manually, you must run the .msp from an elevated command prompt (see Known Issues in the update KB article).

The January 2022 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.

More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Update installation

Two update paths are available:


Inventory your Exchange Servers / determine which updates are needed

Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Go to https://aka.ms/ExchangeUpdateWizard and choose your currently running CU and your target CU to get directions for your environment.

If you encounter errors during or after installation of Exchange Server updates

If you encounter errors during installation, see the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
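As an added example (not the Health Checker script or any other Microsoft tooling), the following PowerShell inventories every Exchange server in the organization: the CU comes from AdminDisplayVersion, while the installed SU level is only visible in the file version of ExSetup.exe, so that is read from each server. The expected-build table is a placeholder to fill from the KB article of the SU being deployed.

```powershell
# Added example, not part of the original post and not the Health Checker script.
# Run from the Exchange Management Shell with WinRM access to each server.
# AdminDisplayVersion only identifies the CU; the SU level shows up in the file
# version of ExSetup.exe, which Invoke-Command reads on the remote server.
#
# $ExpectedBuilds maps the version family (15.0 = 2013, 15.1 = 2016, 15.2 = 2019)
# to the ExSetup.exe build expected after the SU. The values are PLACEHOLDERS:
# copy the real build numbers from the KB article of the SU you are deploying.
$ExpectedBuilds = @{
    '15.0' = '15.0.0.0'   # Exchange 2013: placeholder, replace with the KB build
    '15.1' = '15.1.0.0'   # Exchange 2016: placeholder
    '15.2' = '15.2.0.0'   # Exchange 2019: placeholder
}

function Get-ExchangeSuInventory {
    param([hashtable]$Expected = $ExpectedBuilds)

    foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
        $ver    = $srv.AdminDisplayVersion
        $family = '{0}.{1}' -f $ver.Major, $ver.Minor

        # ExSetup.exe carries the SU build; read it on the remote server.
        $installed = $null
        try {
            $installed = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                $exe = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
                (Get-Item $exe).VersionInfo.FileVersion
            }
        } catch {
            Write-Warning ('{0}: could not read ExSetup.exe version ({1})' -f $srv.Name, $_.Exception.Message)
        }

        # FileVersion looks like 15.01.2375.017; [version] normalizes the leading zeros.
        $expected = $Expected[$family]
        $status = if (-not $installed) { 'Unknown' }
                  elseif (-not $expected) { 'NoBaseline' }
                  elseif ([version]$installed -lt [version]$expected) { 'NeedsUpdate' }
                  else { 'Current' }

        [pscustomobject]@{
            Server   = $srv.Name
            Family   = $family
            CU       = $ver.ToString()
            ExSetup  = $installed
            Expected = $expected
            Status   = $status
        }
    }
}

Get-ExchangeSuInventory | Format-Table -AutoSize
```

Servers reported as NeedsUpdate are the ones to schedule; Unknown means the remote read failed and the server needs a manual check.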

Known issues with this release

FAQs

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the January 2022 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Does the January 2022 security update package contain any fixes related to recent Exchange transport queue buildup issue?
The January 2022 security update package does not contain any changes related to the January 2022 transport queue buildup issue. Please follow that blog post for the steps to resolve the transport queue buildup.

Updates to this blog post:

  • 2/24: Added known issues.

The Exchange Team

62 Comments
Microsoft

We know that a few downloads currently still 404 for some; please wait a little longer, we are working on it! As usual KB articles might take a bit longer to go live.

Brass Contributor

With the December CUs delayed, are those expected soon and will they include this "baked in"? Trying to avoid the maintenance window (and work) for these only to wait 3 days and have to do it all over again for the CUs.

Microsoft

@m49808 No, we do not release SUs and CUs as separate releases in the same month.

Brass Contributor

Thanks, that is good to know they are delayed at least another month. That helps in planning a number of things. 

Copper Contributor

While we wait on https://support.microsoft.com/help/5008631 to show other than 404, do we know if today's release addresses the y2k22 bug and, if so, without having to undo the workaround (disabling malware scanning)?

Microsoft

@nexusds Please see the FAQ above. Short answer: no; there is no Y2K22 fix in January SU package and also - please see the Y2K22 blog post, because disabling malware scanning was a temporary workaround only (permanent solution is available).

Brass Contributor

For those wondering. Installed the updates ahead of our normal update schedule on servers in several environments without any issues as far as I can see (Exchange 2019, 2016 and some 2013).

Copper Contributor

FYI, the link for Exchange from here:

 

https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan

 

goes to the Windows Server 2008 SP2 page.

Microsoft

@tholyoak Thanks, reported!

Copper Contributor

RESOLVED:  After a power off and restart, this resolved the OWA issue

 

Applied this update on my Exchange 2013 server and unfortunately I am still seeing the "External component has thrown an exception." error when an on prem user attempts to login to the OWA.

 

Per: Outlook Web App hybrid redirect after installation of November 2021 security updates.
Brass Contributor

@Reallybigcatheter 
Seems like MS didn't post any official fix except for a workaround. Did you try to apply the following?
https://support.microsoft.com/en-us/topic/owa-redirection-doesn-t-work-after-installing-november-202...

 

Brass Contributor

So that's a bit annoying. Fix a security issue or have a functional OWA hybrid redirect? This is what keeps people from being updated.

Copper Contributor

Hello,

 

I asked this same question around the Transport queue problem earlier in January.  When will Microsoft change the Exchange Hybrid requirements so this now "routine" emergency security patching for any Exchange server will be reduced if customers can either remove the need for Hybrid or for Microsoft to make the Hybrid server a simple Exchange appliance possibly?

 

When will there be another supported way to manage Exchange attributes on-premise and a substitute to more easily allow systems/devices to relay off an internal email server?

 

It is long overdue, Microsoft, and I'm hoping someone from the Exchange team can comment on the plans to simplify our IT lives so we don't have to upgrade/patch Exchange hybrid servers every 2 to 6 months to stay in support and stay secure.

 

thank you,

Larry Heier

Brass Contributor

@Larry Heier I feel your pain.

I specifically for this case gave my helpdesk a small WinForms based app to correct mail aliases for users, because I didn't want them to modify it by hand, since they tend to slip a hand and change something else.

 

Also waiting for the Exchange Team to come up with a hybrid setup where only AAD Connect is installed and Exchange can be fully decommissioned.
It was highlighted at MS Ignite in 2018/2019 I think, but all we got is official docs, which I'm glad are in place, but those describe only 2 common scenarios: 1) full cloud = remove Exchange or 2) stay with ADFS = keep Exchange...

 

Copper Contributor

@hubertmroz From the article above, it seems to indicate this issue was resolved in this release.

 

"This release addresses an earlier known issue with Outlook Web App hybrid redirect after installation of November 2021 security updates."

 

I did not attempt the "workaround".  I would rather hit my hand with a hammer repeatedly.  Seriously though, those steps for my server are convoluted and almost certainly will break after each subsequent update, so I would prefer to wait for an official fix.

Brass Contributor

Hello

 

For those running various Exchange versions on Windows 2012 or Windows 2012 R2, there seems to be an issue with the recently released Windows 2012 / Windows 2012 R2 January 2022 security patch as per the following link.

 

Multiple posts on r/exchangeserver talk about the Windows 2012 R2 update making ReFS disks go RAW and become unreadable.

https://www.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/
Brass Contributor

correction

My bad, I included the wrong link in my previous post.

https://www.reddit.com/r/exchangeserver/

 

Copper Contributor

After installing CU22 and Jan22SU, the script from https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transp... is not needed.

 

UpdateVersion : 2112330090

Script output: This server is not impacted.

Brass Contributor

@eledim are you sure? The 3rd FAQ question is quite specific that the SU does not resolve this issue.

Copper Contributor

@hubertmroz in my case the script output was that the servers are not impacted. 


In any case, the commands below may be run to get the engine version.

The stuck transport queue problem occurred when the antivirus engine is at versions starting at "22" (signifying the year 2022).

 

Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
Get-EngineUpdateInformation

 

Brass Contributor

@eledim The only reason for this SU to resolve the Y2K22 bug is when you had the malware engine disabled prior to New Year and applied CU22 after New Year. The malware engine service was at version '21' after New Year, but since it was disabled = not affected. After applying CU22 the services got reinstalled and set back to enabled by default, which allowed the malware engine to update without being affected. The later SU update didn't change this fact.

 

But still, I'm glad your Ex'es are doing fine, will be updating mine today.

Copper Contributor

I have checked on several Exchange 2019 and 2016 (latest CU) servers. None of them are prompting for the install of this update via Windows Update. Has it been rolled out fully?

Brass Contributor

@galbitzhou Have you enabled the Windows Update agent on your operating system to include updates for other Microsoft software as well? By default it's turned off, or maybe it's been reset to default. Otherwise I recommend installing it manually, always using an elevated command prompt. In any case, I always update the servers I manage manually. If that option states it's not applicable for you, there might be something missing. Also check the exact build of your Exchange versions.

Copper Contributor

Hi,

are there any plans for Windows Server 2022 support?

Or for a new Exchange Server Version für Windows Server 2022?

Greetings

Jens
Microsoft

@SnejPro We will talk about this when time comes; that time is not now, sorry!

Copper Contributor

Is it necessary to put exchange in maintenance mode when installing SUs for Exchange CUs like KB5008631?

Brass Contributor

@Gregg Buchanan 

It depends on your Exchange configuration. If you have a DAG with multiple Exchange servers, then yes, I advise Maintenance mode for SUs and CUs. We have a single on-premises Exchange Server as part of a Hybrid configuration. So we don’t use (and have never used) Maintenance mode when updating our single server.

Brass Contributor

@Gregg Buchanan as @sjhudson states. In addition to that, if you have a load balancer setup, I usually just put the server out of service in the load balancer, check the server for any pending actions, move over the databases, wait until the logs are cleared out, apply the patch from an elevated cmd and go. When it's back, wait a few minutes and then check OWA, ECP and DB status, followed by re-enabling it in the load balancer.

Copper Contributor

@sjhudson Thank you. We have an even simpler setup and have never used the maintenance mode either, but I have seen it mentioned a lot.

@christiaan-nl Thank you. We are changing our exchange environment and will make this information a procedure to follow then.

Brass Contributor

@Gregg Buchanan In addition, if you set Exchange itself into maintenance mode as well, check the component state of the server first; sometimes I have seen that when getting the server out of maintenance, not all the services got out of it. You can find info here: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/requestor-changed-server-compo...

 

Btw, always check the before and after state, they should be identical. There is always one entry inactive.
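The before/after check described above, as an added example (not code from the thread): Get-ServerComponentState is snapshotted to a file before the maintenance window so it survives the reboot, then compared once the server is back, listing any component whose state changed together with the requester that set it (the value Set-ServerComponentState needs to clear it). The server name EX01 and the file paths are placeholders.

```powershell
# Added example (not from the original thread). Run in the Exchange Management Shell.
# The snapshot is written as CliXml so the "before" state survives the reboot.

function Save-ComponentSnapshot {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Path
    )
    Get-ServerComponentState -Identity $Server |
        Select-Object Component,
            @{ n = 'State'; e = { $_.State.ToString() } },
            @{ n = 'Requesters'; e = {
                # LocalStates records who set each state; only Inactive requesters matter,
                # because that requester name is needed to re-activate the component.
                ($_.LocalStates | Where-Object { $_.State -eq 'Inactive' } |
                    ForEach-Object { $_.Requester }) -join ','
            } } |
        Export-Clixml -Path $Path
}

function Compare-ComponentSnapshot {
    param(
        [Parameter(Mandatory)][string]$BeforePath,
        [Parameter(Mandatory)][string]$AfterPath
    )
    $before = @{}
    Import-Clixml $BeforePath | ForEach-Object { $before[$_.Component] = $_ }
    foreach ($a in Import-Clixml $AfterPath) {
        $b = $before[$a.Component]
        # Report only components whose state differs (the expected result is no rows at all;
        # the handful of components that are Inactive by default appear in both snapshots).
        if ($null -eq $b -or $b.State -ne $a.State) {
            [pscustomobject]@{
                Component  = $a.Component
                Before     = if ($b) { $b.State } else { '(new)' }
                After      = $a.State
                Requesters = $a.Requesters
            }
        }
    }
}

# Usage ('EX01' and the paths are placeholders):
# Save-ComponentSnapshot -Server 'EX01' -Path 'C:\Temp\EX01-before.xml'
# ...apply the SU, reboot, take the server out of maintenance...
# Save-ComponentSnapshot -Server 'EX01' -Path 'C:\Temp\EX01-after.xml'
# $diff = Compare-ComponentSnapshot -BeforePath 'C:\Temp\EX01-before.xml' -AfterPath 'C:\Temp\EX01-after.xml'
# if ($diff) { $diff | Format-Table -AutoSize } else { 'Component states match; nothing left Inactive.' }
# A component still Inactive with requester Maintenance is cleared with:
#   Set-ServerComponentState EX01 -Component <name> -State Active -Requester Maintenance
```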

Brass Contributor

Why is Microsoft not implementing the Exchange Server Health Checker script into the install routines of SU/CU Updates?

Copper Contributor

Hello,

 

We encounter an error when installing this KB5008631 on one of our Exchange 2019 servers. It was correctly installed with success on the other 3 Exchange servers. But it refuses to install on one of the servers.


We tried to install it manually from the command line but we still get an error message at the end of the installation process:

We have activated the debug logs of windows installer, they show us the following errors:

Property(S): msgErrorExchangeAdmin = The user who's currently logged on doesn't have sufficient permissions to install this package. You need at least Exchange Server Administrator permissions on the current computer to complete this task.

 

We have checked the rights of my account; it is a member of:

  • Domain Admins
  • Enterprise Admins
  • Schema Admins

 

Have you ever had this with this SU?

 

Thanks in advance,

 

Best regards,

Philippe

Brass Contributor

@Philippe_CSTI_SA 
Please check that the current session has correctly recalculated group membership

cmd > net user <yourlogin> /domain
In the output, check if Global Group Membership contains those groups. If not, it's worth relogging your session.


Worth mentioning (since I see a GUI installer): if you are running it after downloading from the Microsoft Catalog, make sure you run it not from Explorer directly but rather:

run cmd as administrator and from there cd to catalog with .msi and go from there.

If the above does not resolve it, run the SetupAssist script to perform a health check prior to installation. It could be some PS session running or a Reboot Pending registry entry.
https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/

Regards,
HM

Copper Contributor

After installation of KB5008631 on Exchange Server 2013, in-place eDiscovery & Hold in ECP stopped working.  When attempting to load it, an error is received "Deserialization of type Microsoft.Exchange.Data.PropertyBag+ValuePair blocked due to NotInAllow at location MailboxDataStore", and the list of searches is left empty.  If I uninstall KB5008631 in-place eDiscovery & Hold starts working again.

Copper Contributor

Hello,
A fresh installation of a server on 2016 with this CU22 produces an error at step 6 (Mailbox role: Transport service):

 

Error:
The following error was generated when "$error.Clear();
Write-ExchangeSetupLog -Info "Setting up FIPS configuration based on Exchange Install Path";

$FipsDataPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Data");
$FipsEnginesPath = [System.IO.Path]::Combine($FipsDataPath, "Engines");
Write-ExchangeSetupLog -Info "Loading FipFs snapin";
Add-PsSnapin Microsoft.Forefront.Filtering.Management.PowerShell -ErrorAction SilentlyContinue;
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:TraceFile" -Value $FipsDataPath -Confirm:$false
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:Engines" -Value $FipsEnginesPath -Confirm:$false

# Copy Microsoft Engine to Engines folder during the install
$FipsBinPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Bin");
$MicrosoftEngineSourcePath = [System.IO.Path]::Combine($FipsBinPath, "Engine\Microsoft");
$MicrosoftEngineDestinationPath = [System.IO.Path]::Combine($FipsEnginesPath, "amd64\Microsoft");
$MicrosoftEngineExists = Test-Path $MicrosoftEngineDestinationPath
if(! $MicrosoftEngineExists)
{
Robocopy $MicrosoftEngineSourcePath $MicrosoftEngineDestinationPath /S
}

" was run: "System.OutOfMemoryException: Creating an instance of the COM component with CLSID {2DC947D7-A2DC-4276-A554-891346CE2032} from the IClassFactory failed due to the following error: 8007000e Not enough storage is available to complete this operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).
at Microsoft.Forefront.Filtering.Management.PowerShell.ConfigurationBaseTask..ctor(Boolean allowChanges, Boolean autoReportProgress)
at lambda_method(Closure )
at System.Management.Automation.CommandProcessor.Init(CmdletInfo cmdletInformation)".

 

Any solutions from somebody?

Regards
CK

 

Brass Contributor

@ckessing Your logfile shows 'Out of Memory' (see below). Check system RAM against Exchange 2016 recommendations. Also check Task Manager for memory usage...

 

{Robocopy $MicrosoftEngineSourcePath $MicrosoftEngineDestinationPath /S" was run: "System.OutOfMemoryException: Creating an instance of the COM component with CLSID {2DC947D7-A2DC-4276-A554-891346CE2032} from the IClassFactory failed due to the following error: 8007000e Not enough storage is available to complete this operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).

Copper Contributor

I am still having issues w/ the SU KB5008631. When Windows Updates does the install I am getting 404 errors (unlike what this blog says) and when I manually install it from an elevated prompt I am having issues w/ ECP. This is frustrating and if someone can help me out with how to select updates individually with Server 2016/2019 instead of an all or nothing approach I would appreciate it. That is my biggest gripe moving from Server 2012R2. I am now manually installing updates to move around this SU.

Copper Contributor

Sure. I think memory is not the issue. If I run manually


$FipsDataPath = [System.IO.Path]::Combine($RoleInstallPath, "FIP-FS\Data");
$FipsEnginesPath = [System.IO.Path]::Combine($FipsDataPath, "Engines");
Write-ExchangeSetupLog -Info "Loading FipFs snapin";
Add-PsSnapin Microsoft.Forefront.Filtering.Management.PowerShell -ErrorAction SilentlyContinue;
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:TraceFile" -Value $FipsDataPath -Confirm:$false

 

there's the same error message. Maybe something with the COM+ class ?

 

Even a get query produces the same error message:

 

get-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/fs-sys:Paths/fs-sys:TraceFile"
get-ConfigurationValue : Creating an instance of the COM component with CLSID {2DC947D7-A2DC-4276-A554-891346CE2032}
from the IClassFactory failed due to the following error: 8007000e Not enough storage is available to complete this
operation. (Exception from HRESULT: 0x8007000E (E_OUTOFMEMORY)).
At line:1 char:1
+ get-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:Machine/ ...
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], OutOfMemoryException
+ FullyQualifiedErrorId : System.OutOfMemoryException

 

Copper Contributor

@hubertmroz

Please check that the current session has correctly recalculated group membership

cmd > net user <yourlogin> /domain
In the output, check if Global Group Membership contains those groups. If not, it's worth relogging your session.

>> Yes member :

- Schema Admins

- Enterprise Admins

- Domain Admins

 


Worth mentioning (since I see a GUI installer): if you are running it after downloading from the Microsoft Catalog, make sure you run it not from Explorer directly but rather:

run cmd as administrator and from there cd to catalog with .msi and go from there.

>> I downloaded the MSP from this post, ran cmd as administrator and executed ./Exchange2019-KB5008631-x64-en.msp; it starts a GUI.

If the above does not resolve it, run the SetupAssist script to perform a health check prior to installation. It could be some PS session running or a Reboot Pending registry entry.
https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/

>> I ran SetupAssist; I can see an error for "Pending Reboot Failed HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\PendingFileRenameOperations".

I also have this registry key error on my other Ex2019 servers, but those servers were able to install this KB without any problem.
I will try tomorrow to reinstall this KB and to clear the registry key beforehand (https://knowledge.broadcom.com/external/article/178159/error-pending-system-changes-that-requir.html). But I would be surprised if the registry key generated a rights error message.

 

I also have for this server only an error for "Services Cache Files".

Can this error generate errors during the installation?

Best regards,

Philippe

Copper Contributor

Now I get it uninstalled. So I installed CU20 and then raised to CU21 and at last to CU22. This procedure works well.

Brass Contributor

@ckessing Glad to hear it is working. However, there was no need to install CU20 then CU21 then CU22. You could just install CU22 (and this January 2022 Security Update). From Microsoft...

"To get the latest version of Exchange 2016, download and install Cumulative Update 22 for Exchange Server 2016. Because each CU is a full installation of Exchange that includes updates and changes from all previous CUs, you don't need to install any previous CUs"

Brass Contributor

This update has broken Public Folder use on Office 365. You can no longer synchronize public folders after a user edits a record. The sync errors folder just keeps filling up. If a user edits a record then another user cannot edit the record. The header shows the update, but the item does not come over. The user gets an "item edited by another user" error. Even if you update the item in All Public Folders.

Copper Contributor

This breaks OWA on a perfectly running Exchange 2019 running CU11 - after the update the OWA won't start and says files are missing.

 

Resolved:

For my second attempt, I opened an administrator command line and ran the patch, got the same error again at the end - but this time shutdown (instead of a restart) and then started again and OWA started up fine - Weird

Copper Contributor

Hi,

 

After installing KB5008631 on Exchange 2016, the Unified Messaging role does not allow users to define new call answering rules (OWA shows invalid reply message 0xe0434352). I can see event IDs 1408 and 1083 in the logs and can reproduce the error on different environments. Does anyone have a solution to this?

 

Regards

Norbert

Brass Contributor

@The_Exchange_Team Since installing KB5008631 on our Exchange 2013 On-Prem servers at the beginning of the week, we've had an ongoing issue with emails in the "Journaling" message queues getting stuck in a "Retry" status (queuing up), all with the last error being "432 4.3.2 STOREDRV.Deliver; recipient thread limit exceeded". This is occurring on all the Exchange servers since installing the update. 

Is anybody experiencing this issue? Any thoughts on a resolution?

Brass Contributor

@Philippe_CSTI_SA 
In this case Windows could be holding onto some DLL libraries changed by the update, but to know exactly you'd have to look at the registry hive from the error message.

I wouldn't be shocked if the permission issue was a randomly chosen error, with the real issue being the installer stopping because of the reboot-pending registry entry (which is also the case for most Windows Update issues, which fail if you do not reboot prior to applying them).

Regards, Hubert
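A preflight for running the .msp from an elevated prompt, as an added example (not code from the thread and not the SetupAssist script) that covers both hubertmroz's session-membership advice and his reboot-pending theory: it reads the admin groups from the current session token (which only a fresh logon refreshes), confirms elevation, and checks the PendingFileRenameOperations marker reported for Philippe's server alongside the other standard Windows reboot markers.

```powershell
# Added example, not part of the original thread and not the SetupAssist script.
# Run it in the same elevated session you will install the .msp from: group
# membership comes from that session's token, which is only rebuilt at logon
# (the same thing 'net user <login> /domain' is used to cross-check above).

function Test-ExchangeSuPreflight {
    param([string[]]$RequiredGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Translate token SIDs to names; a group missing here is missing for the installer too.
    $tokenGroups = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    $missingGroups = @($RequiredGroups | Where-Object {
        $g = $_
        -not ($tokenGroups | Where-Object { $_ -like "*\$g" })
    })

    # Pending-reboot markers. PendingFileRenameOperations and UpdateExeVolatile are the
    # two Exchange setup itself refuses to proceed on; the other two are Windows' own.
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $upd = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Updates' -ErrorAction SilentlyContinue
    $rebootMarkers = [ordered]@{
        PendingFileRenameOperations = [bool]$sm.PendingFileRenameOperations
        UpdateExeVolatile           = [bool]($upd.UpdateExeVolatile -and $upd.UpdateExeVolatile -ne 0)
        CbsRebootPending            = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        WindowsUpdateRebootRequired = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
    $pending = @($rebootMarkers.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        User           = $identity.Name
        Elevated       = $elevated
        MissingGroups  = $missingGroups
        PendingReboot  = $pending
        ReadyToInstall = $elevated -and ($missingGroups.Count -eq 0) -and ($pending.Count -eq 0)
    }
}

$result = Test-ExchangeSuPreflight
$result | Format-List
if (-not $result.ReadyToInstall) {
    Write-Warning 'Resolve the items above (relog for groups, reboot for pending markers) before running the .msp.'
}
```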

Brass Contributor

@Wess33

The messages you see stuck in "Retry" are the reason you see STOREDRV log entries. Those messages pop up due to insufficient resources to process a large volume of mail stuck in a queue.
The output of the code below should give you a view of which messages are stuck (legit or not - change the hostnames on the 1st line).

 

$exchange = "EX01","EX02" # change to your hostnames
foreach ($exch in $exchange)
{
    $failedmessages = Get-Queue -Server $exch -Filter {Status -eq "Retry"}
    foreach ($msg in $failedmessages)
    {
        Get-Message -Queue $msg.Identity #| Remove-Message -Confirm:$false -WithNDR $false
    }
}


If the messages are untrusted/spam, you can remove them by removing the # from the 7th line.

Also note: not long ago there was an issue with the filtering module in Exchange not getting an update.
You should probably check this thread and see if it applies to you: https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transp...

Regards, Hubert

Brass Contributor

@hubertmroz thanks. The messages queuing up are definitely not SPAM. They are definitely legit. In terms of server resources, no issues there. Also, it's not the filtering issue.

The queue errors appear to be specific to the journal hop of the delivery i.e. copy the message to the Journal mailbox. The issue began after installing the January SU and is the same on all hub transport servers.

Copper Contributor

I updated my Exchange 2016 with CU22 in December 2021 and all worked fine.

I had vulnerability issues. Replies were being sent to existing emails with strange links. This stopped happening after the update, until this week, now they respond to existing emails but although it has the user name of my company, the email is a completely unknown email outside our domain. I try to track this email and there are no logs. I'm not finding a solution for this vulnerability, if anyone has had this problem, please share your experience.

Last update: Feb 24 2022 02:19 PM