Released: March 2021 Exchange Server Security Updates

Published Mar 02 2021 01:08 PM 798K Views

Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Security updates are available for the following specific versions of Exchange:

IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (see Known Issues in update KB articles)

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

For more information, please see the Microsoft Security Response Center (MSRC) blog.

For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers. There is a scripted version of this check available on GitHub here.

 

Mitigations, investigation and remediation:

Are there any mitigations I can implement right now?

MSRC team has released a One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT). The MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 can help understand individual mitigation actions. A stand-alone ExchangeMitigations.ps1 script is also available.

How can I tell if my servers have already been compromised?

Information on Indicators of Compromise (IOCs) – such as what to search for, and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers. There is a scripted version of this available on GitHub here.

More information about investigations

To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE. CSV format and JSON format are available. 

What about remediation?

MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 to include information about Microsoft Support Emergency Response Tool (MSERT) having been updated to scan Microsoft Exchange Server. Please download a new copy of MSERT often, as updates are made in the tool regularly! Please also see MSRC Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.

 

Installing and troubleshooting updates:

Does installing the March Security Updates require my servers to be up to date?

Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running older Exchange Server cumulative or rollup update, we recommend to install a currently supported RU/CU before you install the security updates. If you are unable to get updated quickly, please see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.

How can I get an inventory of the update-level status of my on-premises Exchange servers?

You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

Which of my servers should I update first?

Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.

Will the installation of the Security Updates take as long as installing an RU/CU?

Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.

My organization needs to 'get current' first... we need to apply a Cumulative Update. Any tips for us?

Please see the Upgrade Exchange to the latest Cumulative Update article for best practices when installing Exchange Cumulative Updates. To ensure the easiest upgrade experience (and because in many organizations Exchange and Active Directory roles are separate) you might wish to run /PrepareAD (in the Active Directory site that Exchange is a member of) before running the actual CU Setup. You can use this document as a guide to understand what you might have to do.

Errors during or after Security Update installation! Help!

It is extremely important to read the Known Issues section in the Security Update KB article (here and here depending on the version). If installing the update manually, you must run the update from the elevated command prompt. If you are seeing unexpected behavior, check the article addressing troubleshooting failed installations of Exchange security updates (we will keep updating this article).

 

Additional Q&A:

Are there any other resources that you can recommend?

Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.

My organization is in Hybrid with Exchange Online. Do I need to do anything?

While those security updates do not apply to Exchange Online / Office 365, you need to apply those Security Updates to your on-premises Exchange Server, even if it is used for management purposes only. You do not need to re-run HCW if you are using it.

Do we need to install those updates on Management Tools only workstations or servers?

Machines with Management Tools only are not impacted (there are no Exchange services installed) and do not require installation of March SUs. Please note that a 'management server' which many of our Hybrid customers have (which is an Exchange server kept on premises to be able to run Exchange management tasks) is different. For Hybrid, please see the Hybrid question above.

The last Exchange 2016 and Exchange 2019 CU’s were released in December of 2020. Are new CU’s releasing in March 2021?

EDIT: Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 are now released and those CUs contain the Security Updates mentioned here (along with other fixes). Customers who have installed SUs for older E2016/2019 CUs can simply update to new CUs and will stay protected.

Are Exchange Server 2003 and Exchange Server 2007 vulnerable to March 2021 Exchange server security vulnerabilities?

No. After performing code reviews, we can state that the code involved in the attack chain to begin (CVE-2021-26855) was not in the product before Exchange Server 2013. Exchange 2007 includes the UM service, but it doesn’t include the code that made Exchange Server 2010 vulnerable. Exchange 2003 does not include the UM service.

 

Major updates to this post:

The Exchange Team

293 Comments
Occasional Visitor

Hi,

 

I see that there is no Security patch for Server 2016 under CU18, does this mean these servers are not affected by this vulnerability?

Thanks!

 

Regards Bas

Microsoft

@baskleian That is not correct; ALL versions are affected. Only CU18 and 19 for E2016 can apply the security update.

Occasional Visitor

@Nino Bilic , Thanks for the quick response!

Senior Member

Hi, Our Exchange servers are on Exchange 2016 CU19.  The February Security Updates for CU19 were not installed.  Does this security update need to be installed before the March 2 Security Update? or are they included in the March 2 update as well? 

Occasional Visitor

Hi,

 

Please clarify this statement:

"The initial attack requires the ability to make an untrusted connection to Exchange server port 443"

The media seems interprets this as being able to make an untrusted HTTP (aka not encrypted) connection to an HTTPS port.

Many of us use SSL-offloading/SSL-bridging reverse Proxies (F5 Big-IP, Citrix Netscaler, Kemp, nginx, Apache, HAProxy.....and also some cloud services as Azure Application Proxy or be it also CDNs like Cloudflare etc.) to get Exchange hooked up to the internet and do SSL bridging.
By nature these technologies prevent HTTP connections to HTTPS ports.

 

Or, do you mean by "untrusted connections" that the user is not authenticated?

 

If yes:

Many of us also use these technologies to do pre-authentication before anyone can access anything anonymously on port 443 (there was also a question about ADFS some posts before, I might add the question what if we do pre-authentication with Azure AD?).

 

Are these users protected, or does this issue concern those web API connections to EWS/OAB/ECP/ActiveSync where we have to turn off pre-authentication since this would break those services?

 

Just asking out of curiosity, I know the vulnerability still exists of anyone can access the server directly from LAN.

Also, because everybody around me is hyping/freaking out, even though many have such technologies in place.

 

I guess nobody with will hook up an Exchange server to the Internet just by Port-forwarding the port 443 on the firewall directly to the server, or by configuring a public IP address on the server's network interface and connect it directly to the provider switch, at least not in the last 10 years. (Hell, we were doing that since ISA 2000).

 

Marc

 

 

Regular Visitor

Import-Csv -Path (Get-ChildItem..... script from https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

for CVE-2021-26855 gives results which alerts me first, but then noticed it is for port 444 which is not even accessible from outsid, this was with log entry before running the patch for Exchange 2013.

Microsoft

@Ma-Po While customers might use various products that partially mitigate the original attack vector in their environment, it is important to understand that the details of vulnerabilities are now public. In addition to the fact that we cannot speak to exact combination of 3rd party product that might or might not mitigate some of those vulnerabilities, administrators should realize that Exchange is still vulnerable if not updated, and different attack vectors could exist. Our strong recommendation is to update the servers immediately.

Microsoft

@Joester80 March security updates include February security fixes. Health Checker script should indicate all is well once March fixes are installed.

Occasional Visitor

Do these vulnerabilities affect servers with a perimeter transport role?

Microsoft

@Frachamer The original attack vector was not via the SMTP / transport. Note that all of the vulnerabilities are now public so there might be more attack vectors now. Update to remove vulnerabilities!

Senior Member

HI Guys,

 

Unfortunately I have updated our Q environment with non elevated command line and after the update the ECP is stopped working. 

I am getting the following error message:

"

Server Error in '/ecp' Application.

Runtime Error
Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated."

 

Could you please help me with a workaround. I have tried to rebuild the ECP Virtual Directories, but have the same issue. Should I install again the security patch now with elevated command line?

Thank you for your help!

Occasional Contributor

@Nino Bilic ,

Hi my current version is Exchange 2016 CU15 is running as an Hybrid server.

Can you help me with to upgrade CU15 to CU18 do I need to update the PrepareSchema, PrepareAD, PrepareDomain and post upgrade to CU18 does it retain my Hybrid configuration as it is or do I need to re-run the HCW again.

 

 

Thanks and Regards

Anand Sunka

 

Microsoft

@HYper83 Please see the "Known issues" section on the update KB (this should not be a problem if update is installed from Microsoft Update): Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021...

Microsoft

@ANAND_SUNKA There are no schema changes between CU15 and CU18 as per this. You do not need to re-run HCW, no.

Senior Member

@Nino Bilic : Thank you for your answer. I know, but unfortunately it already happened and I just asking for a fix/workaround.

Microsoft

@HYper83 Well, the KB says - there might be services that are not started, start them manually. Re-installing the update elevated is a good thing followed by server reboot. There were some other comments earlier on this blog with a few other things to check (please look)

Occasional Contributor

@Nino Bilic ,

So simply I can start upgrading the CU18 without running PrepareSchema, PrepareAD, PrepareDomain.

 

 

Regards

Anand Sunka

Occasional Visitor

the powershell script returns the following for me about port 444 as well, is that a sign of the attack?

 

2021-02-28T16:52:08.630Z ServerInfo~a]@servername:444/ecp/proxyLogon.ecp?#
2021-03-03T14:12:30.413Z ServerInfo~a]@servername:444/autodiscover/autodiscover.xml?#

Occasional Visitor

Hi,

i am going through chat and still confused is this update is apply to us or not.

we have Exchange 2010 sp3 and we did not have nay role up. as per security patch description "

Update Rollup 32 for Exchange Server 2010 Service Pack 3 (SP3) resolves issues that were found in Exchange Server 2010 SP3 RU29 since the software was released"

 

Do i still need to update our exchange even we do not have any role up installed and is it going to install this role up because we do not have role up installed.

Thanks

Senior Member

I have exchange installed on D: and the OS installed on C: do I patch this to the OS drive or the drive with exchange installed on it?

Senior Member

@ChrisAtMaf @The_Exchange_Team 

 

Thank you  for correcting powershell command. I was also getting >> earlier. After running your updated command 

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

it ran and gave nothing that means no effected correct?

Regular Visitor

I have two exchange 2013 cu 23, diferent client, update failed and now exchange do not start. Trying reinstall cu23, setup failed with error. Exchange 2013 standard on Windows Server 2012 r2 cz. please help

Visitor

does not work for me.

exchange 2019 CU8 (DE)

 

Security Update For Exchange Server 2019 CU8 (KB5000871) – Fehler 0x80070643

Occasional Contributor

Patching all my servers went mostly trouble-free last night, but I did see something that I have never seen before on one server running Exchange 2013 CU23. The update initially failed for a reason I couldn't discern, and then rolled back. But then subsequent attempts would give me an "update prematurely ended" error when it was attempting (and failing) to stop services.  Same error if I tried uninstalling the current CU23 security patch from 2020.  Only errors I found were an error 1603 from msiexec (this was not a simple elevation issue in this case, which is what every Google result on Earth seemed to suggest), and another error logs from msiexec suggesting the Exchange config was invalid.  Exchange Powershell, which was previously working, was also failing to connect locally on the server.

 

Don't ask me how I finally found it, but it turns out the initial failure seems to have deleted & did not replace 9 DLLs from [ExchangeInstallPath]\V15\bin:

 

Microsoft.Dkm.Proxy.dll
Microsoft.Exchange.Clients.Common.dll
Microsoft.Exchange.Connections.Common.dll
Microsoft.Exchange.Connections.Eas.dll
Microsoft.Exchange.Connections.Imap.dll
Microsoft.Exchange.Connections.Pop.dll
Microsoft.Exchange.Data.ImageAnalysis.dll
Microsoft.Exchange.Data.Mapi.dll
Microsoft.Exchange.Data.ThrottlingService.Client.dll

 

I copied them over from a known working pre-update Exchange 2013 CU23 server, and then the security update applied without a hitch, and all Exchange services appeared fine afterward.

Occasional Visitor

A charitable organization I volunteer with has an ancient Exchange 2003 installation.  SMTP comes in through a standalone mail gateway but is delivered to the Exchange server, which is published to the internet for OWA and ActiveSync.  Are versions as far back as 2003 affected?  If so, are there any mitigations that can be done short of removing external access and/or retiring the server?

Microsoft

@DStragand We have no information one way or the other. Please get them off Exchange 2003.

@Bhavesh Shah There is only one update package which will install it all

Occasional Visitor

When I run the command

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

I get the following error

Import-Csv : The member "40" is already present.
At line:1 char:1
+ Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Mic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Csv], ExtendedTypeSystemException
    + FullyQualifiedErrorId : AlreadyPresentPSMemberInfoInternalCollectionAdd,Microsoft.PowerShell.Commands.ImportCsvC
   ommand

Anyone have a fix for that?

Occasional Visitor

Trying to install this on a 2019 CU7 and a 2013 CU23 server and both are still sitting there after an hour "Computing space requirements". Has anyone else had this?

Frequent Visitor

When will CU20 for Exchange 2016 be released in March?

Is it on patch Tuesday, March 9th?

Regular Visitor

Does anyone know like csummers83 also asked if the script

Import-Csv -Path ...

gives results for port 444, does it mean something could have been taken or was just tried?

Port 444 on Exchange 2013 is the Exchange Back end port and is not open to internet.

 

Visitor

Hi There,

 

I was able to successfully apply the patch for Exchange 2010 on a 2008R2 server. However after the multiple reboots to apply the config/updates it then failed and proceeded to rollback the changes.

 

Has anyone else experienced this?

 

Thanks

Microsoft

@Jon Skelton That's the plan but it is not set in stone; you should NOT WAIT for next set of CUs!

I wrote an article with important things to know, best practices, and helpful tips for deployment here.

https://blog.expta.com/2021/03/urgent-patch-your-exchange-servers-now.html

Occasional Visitor

I tried to install this patch on an Exchange 2016 server running on Windows Server 2016 and it failed catastrophically. I first updated to the latest CU, restarted the server, and tested to confirm everything was working. Then I tried to manually run the KB5000871 installer. It kept giving errors about processes related to Windows services that needed to be killed. I killed them and clicked "Retry" to continue the update but the update would start over and then come up with the same error because the services were being triggered to start by something in the OS. I disabled the services so they couldn't run and installed the update. After that, the Exchange server was hosed. Luckily, it's a VM and I had taken a checkpoint right before installing KB5000871. I tried removing KB5000871, restarting, and having Windows update check for updates but it didn't find KB5000871 as an available update. Now I've got a client who is scared to death that their server is going to be compromised and I have to tell them I can't get the update installed because it seems that no matter what you do, it won't install properly if you try to manually run the patch.

Occasional Visitor

@Jeff Guillet 

should this be run on all servers or will it gather info from all in the environment?

Senior Member

I am also curious about if the "import-csv -path (get..." PowerShell command finds '444' entries. Example:  SeverInfo~a]@server FQDN:444...

 

I am getting an out of memory error before the script finishes reading all log files.

 

Insufficient memory to continue the execution of the program.
At line:1 char:1
+ Import-Csv -Path (Get-ChildItem -Recurse -Path "E:\Program Files\Microsoft\Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], OutOfMemoryException
+ FullyQualifiedErrorId : System.OutOfMemoryException

@csummers93 It needs to be run directly on each Exchange Server. It already takes about 30 minutes to run. It would take days to run against remote servers.

Occasional Visitor

@Jeff Guillet thanks for this, taking some time to run but certainly easier than checking all CVs individually.

I do get this return for CVE-26855, does it mean anything?

Import-Csv : Could not find file 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi\HttpProxy_2021020123-1.LOG'.

Occasional Visitor

Going from 2013 CU9 to CU23 then applying the patch.  I have the .net 4.7.2 and the Microsoft Visual C++ 2013 Redistributable (x64) ready to install.

2 Node DAG

 

@Nino Bilic Any gotcha's for this? Looks like I don't need to extend Schema?

 

 

Microsoft

@RonanD560 Schema updates no but note the CU 22 change here. Also make sure that if you are not installing updates from Microsoft Update to follow the Known Issues from the update KB article and run the installer from elevated CMD prompt.

@csummers93 Safe to ignore. On a heavily used Exchange Server, some of the log files are groomed (deleted) before they are processed.

Occasional Visitor

@Jeff Guillet OK so I think we're good if we ignore the could not find file errors, of coarse there could have been something in logs that already got truncated I suppose

Occasional Visitor

@Nino Bilic Thanks for the response! Just to clarify we are going straight to CU23 so no need to prep AD at all?

As far as the 2 Node DAG goes,

1. Place the server in maintenance mode

2. Install .Net 4.7.2 

3. Install Microsoft Visual C++ 2013 Redistributable (x64) 

4. Install CU23

5. Reboot server?

6. Install KB Patch.

 

Test moving DB's over from Node 1 (not patched) to Node 2 (Patched).  Should I let it bake in and test stability? If all clear rinse repeat for the unpatched node? 

 

And thanks for all the help!  Appreciate you!

Senior Member

CU18 with latest patch... We are on it :)  @Jeff Guillet  @Nino Bilic 
Vadivelu_B_1-1614815094405.png

 

Microsoft

@RonanD560 This is the way!
(add 7. Reboot the server; the fix should tell you to but if it does not - do it anyway)

New Contributor

We're well behind on our CU's 2016 CU5, can you add an additional 2016 server CU19 and use that as the front end and migrate mailboxes to that? Can CU5 and CU19 coexist, schema issues?

New Contributor

Can specific URL's be blocked to mitigate this, such as /EWS, untrusted HTTPS connections to what?

New Contributor

We installed the RU32 for Exchange 2010 SP3 (previously RU30) running on Server 2008 R2 x64 and we are not able to open mailboxes on the the Exchange server via OWA afterwards.  We are working on getting to Exchange Online...have multiple tickets open for multiple issues with hybrid mode since we want to get off this unsupported OS and app.

  1. Open elevated command prompt.
  2. Install RU32.
  3. Reboot.
  4. Open mailbox with Outlook = no issues.  Logon OWA successfully, but unable to see any mailbox contents.  Error message "The mailbox you're trying to access isn't currently available. If the problem continues, contact your helpdesk."
  5. Uninstall RU32.
  6. Reboot.
  7. Open mailbox with Outlook = no issues.  Logon OWA successfully & no issues.

 

Regular Visitor

Just a heads-up for those doing the install on Ex2016 servers: Upgraded a single Ex2016 CU17 Standard and single Ex2016 CU17 Enterprise to CU19 last night, then installed KB5000871. Both CU19 installs borked my ECP & OWA workspaces; KB5000871 also failed to set the HostControllerService on both systems to Automatic, leaving it at Disabled.  Today I re-downloaded CU19 and KB5000871 and reinstalled on our Ex2016 Enterprise box; the re-installation fixed the non-service issues I couldn't resolve on my own, and I verified that it was the KB5000871 installation that (again) disabled the HostControllerService and didn't re-enable it.

I plan to reinstall CU19 and KB5000871 on the already updated Ex2016 Standard box, and will update the #2 Ex2016 Enterprise server tomorrow night.

 

Be sure to check out your Services for any that were left Disabled as part of either installation AFTER rebooting and before taking the Exchange Server out of maintenance mode.  Thanks.

%3CLINGO-SUB%20id%3D%22lingo-sub-2179885%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179885%22%20slang%3D%22en-US%22%3E%3CP%3EWhere%20are%20the%20updates...%3F%20I%20don't%20see%20any%20download%20links%20here%20or%20in%20any%20related%20articles%2C%20there's%20nothing%20available%20with%20an%20update%20check%20on%20servers%2C%20and%20nothing%20new%20in%20the%20Update%20Catalog%20for%20Exchange%20since%20February.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179909%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179909%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(Sorry%20for%20double%20post%20since%20we%20can't%20edit%2Fdelete%20here%2C%20but%20wanted%20this%20out%20there%20for%20others)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179941%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179941%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E.%26nbsp%3B%20All%20download%20links%20are%20in%20the%20MSRC%20blog%20post%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179944%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179944%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F575%22%20target%3D%22_blank%22%3E%40Scott%20Schnoll%3C%2FA%3E%26nbsp%3BThanks!%20Those%20links%20were%20non-functioning%20a%20short%20while%20ago%20but%20now%20work.%20Seems%20to%20have%20been%20the%20shuffle%20of%20taking%20things%20live%20ASAP.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180198%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180198%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestions%3A%3C%2FP%3E%3CP%3E1-%20Does%20anybody%20installed%20this%20patch%3F%3C%2FP%3E%3CP%3E2-%20Is%20it%20necessary%20to%20put%20the%20Exchange%20in%20Maintenance%20mode%20and%26nbsp%3B%20restart%20the%20server%20after%20apply%20the%20patch%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180246%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180246%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E%26nbsp%3Bgreat%20to%20hear!%20That's%20how%20it%20should%20be.%20And%20yes%2C%20security%20updates%20should%20prompt%20for%20reboot.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180254%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180254%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20information.%20If%20you%20have%20any%20new%20updates%20about%20your%20installation%20process%2C%20please%20share%20with%20us.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180386%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180386%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20these%20vulnerabilities%20exists%20in%20Exchange%202016%20CU%2016%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180392%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180392%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984326%22%20target%3D%22_blank%22%3E%40pquan%3C%2FA%3E%26nbsp%3BYes%2C%20but%20you%20need%20to%20roll%20forward%20to%20apply%20the%20updates.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180612%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180612%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20my%20deepest%20respects%2C%20but%20Exchange%20has%20always%20needed%20patching%20like%20this%2C%20this%20isn't%20new.%26nbsp%3B%20I've%20always%20had%20to%20apply%20Exchange%20updates%20like%20this.%26nbsp%3B%20This%20isn't%20the%20first%20security%20update%20for%20Exchange%2C%20just%20the%20first%20zero%20day%20in%20the%20news%20in%20a%20long%20time.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180674%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180674%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BSorry%20if%20I'm%20coming%20across%20a%20little%20harsh.%26nbsp%3B%20As%20I%20read%20the%20post%2C%20it%20was%20not%20clear%20to%20me%20that%20the%20cause%20of%20the%20ECP%20or%20OWA%20not%20working%20would%20be%20stopped%20services.%26nbsp%3B%20I%20took%20the%20note%20below%20the%20install%20workaround%20instructions%20to%20be%20a%20possible%20side%20effect%20as%20I've%20seen%20that%20in%20the%20past%2C%20regardless%20of%20how%20the%20update%20was%20applied.%26nbsp%3B%20As%20the%20post%20says%20the%20issue%20occurs%20because%20some%20services%20aren't%20properly%20stopped%2C%20I%20thought%20that%20would%20likely%20mean%20some%20files%20wouldn't%20be%20appropriately%20updated%2Fsettings%20applied%20and%2C%20as%20such%2C%20the%20services%20break.%26nbsp%3B%20I%20would%20THINK%20a%20re-install%20of%20the%20patch%20(the%20second%20successful%20install%20I%20did%20of%20it)%20would%20resolve%20the%20issues.%26nbsp%3B%20Unfortunately%2C%20that%20has%20not%20been%20the%20case.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20OWA%20works%2C%20but%20ECP%20is%20broken.%26nbsp%3B%20All%20services%20appeared%20to%20start%20properly%20(except%20POP%2FIMAP%20but%20we%20don't%20use%20them%20anyway).%26nbsp%3B%20Attempting%20to%20access%20ECP%20provides%20login%2C%20then%20redirects%20to%20a%20bad%20URL%20(%3CA%20href%3D%22http%3A%2F%2Flocalhost%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Flocalhost%2F%3C%2FA%3E%3CSTRONG%3Eowa%2Fecp%3C%2FSTRONG%3E)%20which%20returns%20an%20unhelpful%20error%2C%26nbsp%3B%3CSTRONG%3EBad%20Request%3C%2FSTRONG%3E.%26nbsp%3B%20I%20expect%20it%20to%20redirect%20to%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20since%20found%20it%20I%20go%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%3C%2FA%3E%26nbsp%3Bdirectly%2C%20everything%20works.%26nbsp%3B%20Seems%20it's%20just%20the%20handoff%20from%20the%20login%20to%20the%20admin%20center%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerhaps%20it's%20just%20bad%20timing%20and%20something%20else%20is%20wrong%20not%20related%20to%20the%20patch.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180705%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180705%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3BNot%20a%20problem%20whatsoever%3B%20it%20sucks%20when%20things%20go%20wrong.%20It's%20great%20that%20you%20were%20able%20to%20figure%20that%20out!%20I%20have%20to%20admit%20that%20I%20do%20not%20know%20for%20sure%20what%20is%20up%20with%20this%20but%20at%20least%20it%20is%20not%20a%20real%20fire%20for%20you%20right%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180057%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180057%22%20slang%3D%22en-US%22%3E%3CP%3EDirect%20link%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181634%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181634%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F933284%22%20target%3D%22_blank%22%3E%40baskleian%3C%2FA%3E%26nbsp%3BThat%20is%20not%20correct%3B%20ALL%20versions%20are%20affected.%20Only%20CU18%20and%2019%20for%20E2016%20can%20apply%20the%20security%20update.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181659%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181659%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20Our%20Exchange%20servers%20are%20on%20Exchange%202016%20CU19.%26nbsp%3B%20The%20February%20Security%20Updates%20for%20CU19%20were%20not%20installed.%26nbsp%3B%20Does%20this%20security%20update%20need%20to%20be%20installed%20before%20the%20March%202%20Security%20Update%3F%20or%20are%20they%20included%20in%20the%20March%202%20update%20as%20well%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181790%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181790%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985034%22%20target%3D%22_blank%22%3E%40Ma-Po%3C%2FA%3E%26nbsp%3BWhile%20customers%20might%20use%20various%20products%20that%20partially%20mitigate%20the%20original%20attack%20vector%20in%20their%20environment%2C%20it%20is%20important%20to%20understand%20that%20the%20details%20of%20vulnerabilities%20are%20now%20public.%20In%20addition%20to%20the%20fact%20that%20we%20cannot%20speak%20to%20exact%20combination%20of%203rd%20party%20product%20that%20might%20or%20might%20not%20mitigate%20some%20of%20those%20vulnerabilities%2C%20administrators%20should%20realize%20that%20%3CSTRONG%3EExchange%20is%20still%20vulnerable%20if%20not%20updated%3C%2FSTRONG%3E%2C%20and%20different%20attack%20vectors%20could%20exist.%20Our%20strong%20recommendation%20is%20to%20update%20the%20servers%20immediately.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181833%22%20slang%3D%22es-ES%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181833%22%20slang%3D%22es-ES%22%3E%3CP%3EDo%20these%20vulnerabilities%20affect%20servers%20with%20a%20perimeter%20transport%20role%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181871%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181871%22%20slang%3D%22en-US%22%3E%3CP%3EHI%20Guys%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUnfortunately%20I%20have%20updated%20our%20Q%20environment%20with%20non%26nbsp%3B%3CEM%3Eelevated%20command%3C%2FEM%3E%3CSPAN%3E%26nbsp%3Bline%20and%20after%20the%20update%20the%20ECP%20is%20stopped%20working.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20am%20getting%20the%20following%20error%20message%3A%3C%2FP%3E%3CP%3E%22%3C%2FP%3E%3CP%3EServer%20Error%20in%20'%2Fecp'%20Application.%3C%2FP%3E%3CP%3ERuntime%20Error%3CBR%20%2F%3EDescription%3A%20An%20exception%20occurred%20while%20processing%20your%20request.%20Additionally%2C%20another%20exception%20occurred%20while%20executing%20the%20custom%20error%20page%20for%20the%20first%20exception.%20The%20request%20has%20been%20terminated.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20you%20please%20help%20me%20with%20a%20workaround.%20I%20have%20tried%20to%20rebuild%20the%20ECP%20Virtual%20Directories%2C%20but%20have%20the%20same%20issue.%20Should%20I%20install%20again%20the%20security%20patch%20now%20with%20elevated%20command%20line%3F%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20help!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181885%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181885%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985185%22%20target%3D%22_blank%22%3E%40HYper83%3C%2FA%3E%26nbsp%3BPlease%20see%20the%20%22Known%20issues%22%20section%20on%20the%20update%20KB%20(this%20should%20not%20be%20a%20problem%20if%20update%20is%20installed%20from%20Microsoft%20Update)%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDescription%20of%20the%20security%20update%20for%20Microsoft%20Exchange%20Server%202019%2C%202016%2C%20and%202013%3A%20March%202%2C%202021%20(KB5000871)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181912%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181912%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F566588%22%20target%3D%22_blank%22%3E%40ANAND_SUNKA%3C%2FA%3E%26nbsp%3BThere%20are%20no%20schema%20changes%20between%20CU15%20and%20CU18%20as%20per%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FExchange%2Fplan-and-deploy%2Factive-directory%2Fad-schema-changes%3Fview%3Dexchserver-2016%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%3C%2FA%3E.%20You%20do%20not%20need%20to%20re-run%20HCW%2C%20no.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182197%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182197%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20two%20exchange%202013%20cu%2023%2C%20diferent%20client%2C%20update%20failed%20and%20now%20exchange%20do%20not%20start.%20Trying%20reinstall%20cu23%2C%20setup%20failed%20with%20error.%20Exchange%202013%20standard%20on%20Windows%20Server%202012%20r2%20cz.%20please%20help%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182466%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182466%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985464%22%20target%3D%22_blank%22%3E%40DStragand%3C%2FA%3E%26nbsp%3BWe%20have%20no%20information%20one%20way%20or%20the%20other.%20Please%20get%20them%20off%20Exchange%202003.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F71901%22%20target%3D%22_blank%22%3E%40Bhavesh%20Shah%3C%2FA%3E%26nbsp%3BThere%20is%20only%20one%20update%20package%20which%20will%20install%20it%20all%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182711%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182711%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20will%20CU20%20for%20Exchange%202016%20be%20released%20in%20March%3F%3C%2FP%3E%3CP%3EIs%20it%20on%20patch%20Tuesday%2C%20March%209th%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182781%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182781%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20know%20like%20csummers83%20also%20asked%20if%20the%20script%3C%2FP%3E%3CPRE%3EImport-Csv%20-Path%20...%3C%2FPRE%3E%3CP%3Egives%20results%20for%20port%20444%2C%20does%20it%20mean%20something%20could%20have%20been%20taken%20or%20was%20just%20tried%3F%3C%2FP%3E%3CP%3EPort%20444%20on%20Exchange%202013%20is%20the%20Exchange%20Back%20end%20port%20and%20is%20not%20open%20to%20internet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182927%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182927%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20There%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20able%20to%20successfully%20apply%20the%20patch%20for%20Exchange%202010%20on%20a%202008R2%20server.%20However%20after%20the%20multiple%20reboots%20to%20apply%20the%20config%2Fupdates%20it%20then%20failed%20and%20proceeded%20to%20rollback%20the%20changes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHas%20anyone%20else%20experienced%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183000%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183000%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193019%22%20target%3D%22_blank%22%3E%40Jon%20Skelton%3C%2FA%3E%26nbsp%3BThat's%20the%20plan%20but%20it%20is%20not%20set%20in%20stone%3B%20you%20should%20NOT%20WAIT%20for%20next%20set%20of%20CUs!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183140%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183140%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EI%20wrote%20an%20article%20with%20important%20things%20to%20know%2C%20best%20practices%2C%20and%20helpful%20tips%20for%20deployment%20here.%3C%2FP%3E%0A%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3E%3CA%20class%3D%22_3t5uN8xUmg0TOwRCOGQEcU%22%20href%3D%22https%3A%2F%2Fblog.expta.com%2F2021%2F03%2Furgent-patch-your-exchange-servers-now.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20ugc%20noreferrer%22%3Ehttps%3A%2F%2Fblog.expta.com%2F2021%2F03%2Furgent-patch-your-exchange-servers-now.html%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183194%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183194%22%20slang%3D%22en-US%22%3E%3CP%3EI%20tried%20to%20install%20this%20patch%20on%20an%20Exchange%202016%20server%20running%20on%20Windows%20Server%202016%20and%20it%20failed%20catastrophically.%20I%20first%20updated%20to%20the%20latest%20CU%2C%20restarted%20the%20server%2C%20and%20tested%20to%20confirm%20everything%20was%20working.%20Then%20I%20tried%20to%20manually%20run%20the%26nbsp%3BKB5000871%20installer.%20It%20kept%20giving%20errors%20about%20processes%20related%20to%20Windows%20services%20that%20needed%20to%20be%20killed.%20I%20killed%20them%20and%20clicked%20%22Retry%22%20to%20continue%20the%20update%20but%20the%20update%20would%20start%20over%20and%20then%20come%20up%20with%20the%20same%20error%20because%20the%20services%20were%20being%20triggered%20to%20start%20by%20something%20in%20the%20OS.%20I%20disabled%20the%20services%20so%20they%20couldn't%20run%20and%20installed%20the%20update.%20After%20that%2C%20the%20Exchange%20server%20was%20hosed.%20Luckily%2C%20it's%20a%20VM%20and%20I%20had%20taken%20a%20checkpoint%20right%20before%20installing%26nbsp%3BKB5000871.%20I%20tried%20removing%26nbsp%3BKB5000871%2C%20restarting%2C%20and%20having%20Windows%20update%20check%20for%20updates%20but%20it%20didn't%20find%26nbsp%3BKB5000871%20as%20an%20available%20update.%20Now%20I've%20got%20a%20client%20who%20is%20scared%20to%20death%20that%20their%20server%20is%20going%20to%20be%20compromised%20and%20I%20have%20to%20tell%20them%20I%20can't%20get%20the%20update%20installed%20because%20it%20seems%20that%20no%20matter%20what%20you%20do%2C%20it%20won't%20install%20properly%20if%20you%20try%20to%20manually%20run%20the%20patch.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183212%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183212%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20also%20curious%20about%20if%20the%20%22import-csv%20-path%20(get...%22%20PowerShell%20command%20finds%20'444'%20entries.%20Example%3A%26nbsp%3B%20SeverInfo~a%5D%40server%20FQDN%3A444...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20getting%20an%20out%20of%20memory%20error%20before%20the%20script%20finishes%20reading%20all%20log%20files.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInsufficient%20memory%20to%20continue%20the%20execution%20of%20the%20program.%3CBR%20%2F%3EAt%20line%3A1%20char%3A1%3CBR%20%2F%3E%2B%20Import-Csv%20-Path%20(Get-ChildItem%20-Recurse%20-Path%20%22E%3A%5CProgram%20Files%5CMicrosoft%5CExcha%20...%3CBR%20%2F%3E%2B%20~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%2B%20CategoryInfo%20%3A%20OperationStopped%3A%20(%3A)%20%5B%5D%2C%20OutOfMemoryException%3CBR%20%2F%3E%2B%20FullyQualifiedErrorId%20%3A%20System.OutOfMemoryException%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183275%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183275%22%20slang%3D%22en-US%22%3E%3CP%3EGoing%20from%202013%20CU9%20to%20CU23%20then%20applying%20the%20patch.%26nbsp%3B%20I%20have%20the%20.net%204.7.2%20and%20the%20Microsoft%20Visual%20C%2B%2B%202013%20Redistributable%20(x64)%20ready%20to%20install.%3C%2FP%3E%3CP%3E2%20Node%20DAG%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BAny%20gotcha's%20for%20this%3F%20Looks%20like%20I%20don't%20need%20to%20extend%20Schema%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183323%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183323%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985820%22%20target%3D%22_blank%22%3E%40RonanD560%3C%2FA%3E%26nbsp%3BSchema%20updates%20no%20but%20note%20the%20CU%2022%20change%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fexchange-2013-active-directory-schema-changes-exchange-2013-help%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20Also%20make%20sure%20that%20if%20you%20are%20not%20installing%20updates%20from%20Microsoft%20Update%20to%20follow%20the%20Known%20Issues%20from%20the%20update%20KB%20article%20and%20run%20the%20installer%20from%20elevated%20CMD%20prompt.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183328%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183328%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985285%22%20target%3D%22_blank%22%3E%40csummers93%3C%2FA%3E%26nbsp%3BSafe%20to%20ignore.%20On%20a%20heavily%20used%20Exchange%20Server%2C%20some%20of%20the%20log%20files%20are%20groomed%20(deleted)%20before%20they%20are%20processed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183679%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183679%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F420097%22%20target%3D%22_blank%22%3E%40MI_IS1%3C%2FA%3E%26nbsp%3B.NET%20Framework%20installs%20and%20updates%20can%20peg%20your%20CPU%20and%20make%20installation%20go%20really%20slow%20for%20up%20to%20an%20hour.%20See%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fblog.expta.com%2F2021%2F03%2Furgent-patch-your-exchange-servers-now.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EURGENT%3A%20Patch%20your%20Exchange%20Servers%20NOW!%20%7C%20The%20EXPTA%20%7Bblog%7D%3C%2FA%3E%26nbsp%3Bfor%20tips.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183732%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183732%22%20slang%3D%22en-US%22%3E%3CP%3ENever%20mind%20my%20post.%20It%20was%20CarbonBlack%20causing%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184489%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184489%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F933284%22%20target%3D%22_blank%22%3E%40baskleian%3C%2FA%3E%20-%20run%20%3CFONT%20color%3D%22%23000000%22%3E%3CSPAN%3ED%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5CBin%5CUpdateCas.ps1%20(Since%20your%20Exchange%20is%20installed%20on%20the%20D%3A%3C%2Fimg%3E%20drive)%20and%20then%20Change%20the%20value%20in%20BinSearchFolders%20to%20D%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5Cbin%3BD%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5Cbin%5CCmdletExtensionAgents%3BD%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5CClientAccess%5COwa%5Cbin%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23000000%22%3E%3CSPAN%3EIt%20is%20a%20known%20issue%20when%20you%20double%20click%20the%20patch%20to%20launch%20instead%20of%20launching%20it%20from%20an%20elevated%20command%20prompt.%20(I%20did%20the%20same%20thing%20on%20the%20first%20exchange%20server%20I%20patched%20yesterday)%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184521%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184521%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20current%20server%20is%20Exchange%20server%202016%20CU%2015%20%2C%20is%20this%20vulnerbale%20to%20the%20zero%20day%20attack%20%3F%20what%20will%20be%20the%20best%20option%20upadte%20all%20CU%20's%20to%20the%20latest%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184527%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184527%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986441%22%20target%3D%22_blank%22%3E%40RaviVamadeva%3C%2FA%3E%3A%20Yes%2C%20its%20vulnerable%20but%20the%20patch%20is%20not%20available.%20You%20will%20need%20to%20update%20to%20CU18%20or%20CU19%20before%20you%20can%20patch.%20I%20would%20recommend%20upgrading%20to%20CU19%20and%20then%20patching.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184538%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184538%22%20slang%3D%22en-US%22%3E%3CP%3Ethanks%20a%20lot%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986053%22%20target%3D%22_blank%22%3E%40GeekSpaz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184893%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184893%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20updated%20our%20servers%2C%20without%20any%20noticeable%20issues%2C%20but%20none%20of%20them%20show%20any%20change%20in%20build%20number.%20All%20of%20them%20still%20show%20the%20build%20number%20of%20Exchange%20Server%202016%20CU19.%20Is%20this%20expected%20behavior%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184896%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184896%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986633%22%20target%3D%22_blank%22%3E%40to_vaib%3C%2FA%3E%3A%20My%20apologies%20-%20I%20do%20see%20that%20you%20said%20that.%20We%20did%20our%20CU23%20updates%20back%20in%20November%20so%20I%20don't%20remember%20it%20very%20clearly.%20However%2C%20I%20did%20find%20the%20steps%20we%20went%20by%3A%3C%2FP%3E%3CP%3EInstall%20procedure%3C%2FP%3E%3CUL%3E%3CLI%3EExtract%20the%20exchange%20media%20and%20run%20the%20following%20Prerequisites%3A%3C%2FLI%3E%3CUL%3E%3CLI%3ERun%20%3CSTRONG%3Esetup.exe%20%2FPrepareSchema%20%2FIAcceptExchangeServerLicenseTerms%3C%2FSTRONG%3E%20(requires%20Enterprise%20Admins%20and%20Schema%20Admins%20permissions%2C%20and%20must%20be%20performed%20in%20the%20same%20AD%20Site%20as%20the%20Schema%20Master%20on%20a%20server%20with%20the%20RSAT-ADDS-Tools%20feature%20installed%20%E2%80%93%20the%20Schema%20Master%20itself%20would%20meet%20these%20requirements)%3C%2FLI%3E%3CLI%3ERun%20%3CSTRONG%3Esetup.exe%20%2FPrepareAD%20%2FIAcceptExchangeServerLicenseTerms%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3ERun%20%3CSTRONG%3Esetup.exe%20%2FPrepareDomain%20%2FIAcceptExchangeServerLicenseTerms%3C%2FSTRONG%3E%20in%20each%20domain%20in%20your%20forest%20that%20contains%20Exchange%20servers%20or%20mailboxes%3C%2FLI%3E%3C%2FUL%3E%3CLI%3EInstall%20the%20following%3A%3C%2FLI%3E%3CUL%3E%3CLI%3E.net%26nbsp%3B%204.7.2%3C%2FLI%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdotnet.microsoft.com%2Fdownload%2Fdotnet-framework%2Fnet472%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdotnet.microsoft.com%2Fdownload%2Fdotnet-framework%2Fnet472%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CLI%3EVisual%20C%2B%2B%20Redistributable%20Packages%20for%20Visual%20Studio%202013%3C%2FLI%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D40784%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D40784%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CLI%3EMicrosoft%20Exchange%20Server%202013%20Cumulative%20Update%2023%3A%3C%2FLI%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D58392%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D58392%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FUL%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2185036%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2185036%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3B%2C%20in%20our%20case%20on%20Exchange%202010%20the%20admin%20didn't%20elevate%20the%20command%20prompt%20on%20the%20first%20attempt%20and%20we%20had%20all%20sorts%20of%20issues%20with%20OWA.%26nbsp%3B%20After%20uninstalling%20the%20rollup%20we%20had%20to%20reinstall%20the%20prior%20rollup%20to%20get%20everything%20back%20to%20working%20the%20way%20it%20was%20before.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2185261%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2185261%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20for%20All%3C%2FP%3E%3CP%3EWe%20have%20applied%20what%20the%20Microsoft%20specialists%20recommend%20to%20install%20this%20patch%20ASAP%20and%20%22immediately%22.%20That's%20OK.%3C%2FP%3E%3CP%3EWe%20have%20applied%20the%20patch%20on%20servers%202012%20exchange%202013%20DAGs%20and%20CAS%20CU23%20successfully%20without%20issues.%20%22ofcourse%20we%20found%20the%20exchange%20services%20were%20disabled%22%20we%20enabled%20them%2C%20all%20is%20ok%20except%20OWA%20and%20ECP.%20unfortunately%2C%20untill%20writing%20this%20post%20and%20only%20500%20error%20and%20we%20cannot%20find%20the%20right%20solution%20to%20retrieve%20these%20service%20back.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20the%20specialists%20who%20strongly%26nbsp%3B%20recommend%20to%20install%20this%20patch%20immediately%2C%20Please%2C%20support%20us%20by%20clear%20steps%20how%20can%20we%20fix%20it!!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186435%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186435%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F987501%22%20target%3D%22_blank%22%3E%40itsupport-bhms%3C%2FA%3E%26nbsp%3BAs%20far%20as%20Exchange%20is%20concerned%2C%20yes%20you%20can%20go%20from%20CU4%20to%20CU23.%20You%20will%20have%20to%20do%20prep%2C%20though%3A%20you%20will%20need%20to%20extend%20the%20schema%2C%20run%20%2Fadprep.%20You%20will%20likely%20need%20to%20update%20.NET%20framework%20and%20possibly%20some%20other%20dependencies.%20Please%20run%20the%20Health%20Checker%20script%2C%20it%20will%20give%20you%20an%20idea.%20PLEASE%20make%20sure%20that%20you%20are%20running%20updates%20from%20elevated%20CMD%20prompt%20(especially%20security%20updates)%20-%20as%20best%20practices%20for%20installing%20Exchange%20updates%20say%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FExchange%2Fplan-and-deploy%2Finstall-cumulative-updates%3Fview%3Dexchserver-2019%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUpgrade%20Exchange%20to%20the%20latest%20Cumulative%20Update%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186451%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186451%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20following%20note%20on%20the%20update%20site%20is%20incorrect.%20The%20issue%20with%20the%20ECP%2FOWA%20not%20working%20when%20the%20update%20is%20installed%20with%20Microsoft%20Update%20is%20incorrect.%20It%20broke%20the%20OWA%2FECP%20for%20both%20our%20Exchange%202013%20servers%20as%20well%20as%20our%20Exchange%202019%20Servers.%20We%20had%20to%20manually%20uninstall%20the%26nbsp%3BKB5000871%20and%20reinstall%20with%20the%20elevated%20command%20prompt%20to%20get%20the%20OWA%2FECP%20working%20once%20more.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3ENote%3A%26nbsp%3B%3C%2FSTRONG%3E%3CSPAN%3EThis%20issue%20does%20not%20occur%20if%20you%20install%20the%20update%20through%20Microsoft%20Update.%26nbsp%3B%20-%20Installing%20through%20microsoft%20update%20did%20indeed%20cause%20the%20issue%20in%20our%20case.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180244%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180244%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438789%22%20target%3D%22_blank%22%3E%40Elvecio_M%3C%2FA%3E%26nbsp%3BI've%20halfway%20through%20my%20servers%2C%20no%20issues%20thus%20far.%20Exchange%20security%20updates%20temporarily%20stop%20and%20disable%20all%20Exchange%20services%2C%20so%20definitely%20maintenance%20beforehand.%20All%20but%20one%20server%20I've%20updated%20wanted%20a%20reboot%2C%20and%20I%20rebooted%20that%20one%20anyway.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2191698%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2191698%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BThanks%20Nino.%20I%20saw%20that%20and%20just%20ran%20it%20this%20morning.%20Came%20back%20clean.%20So%20I%20feel%20based%20on%20the%20information%20we%20have%20up%20to%20this%20point%20we%20were%20very%20lucky.%20Do%20you%20think%20it%20can%20be%20said%20with%20reasonable%20confidence%20that%20if%20all%20you%20found%20were%20Autodiscover%20log%20entries%20and%20MSERT%20did%20not%20find%20anything%2C%20that%20there%20is%20a%20high%20likelihood%20you%20were%20just%20probed%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20have%20a%20question%20I%20hope%20someone%20can%20answer%3A%20the%20autodiscover%20entries%20correspond%20to%20a%20POST%20in%20the%20IIS%20logs%20to%20%2Fecp%2Fy.js.%20This%20file%20doesn't%20exist%20on%20the%20server%20and%20I%20haven't%20been%20able%20to%20find%20a%20good%20explanation%20of%20what%20is%20going%20on%20here%20in%20the%20attack.%20Is%20the%20POST%20request%20sent%20to%20this%20file%20what%20contains%20the%20commands%20to%20perform%20authentication%20bypass%3F%20Or%20is%20it%20what%20is%20performing%20the%20autodiscover%20request%3F%20Is%20it%20even%20a%20real%20file%3F%20Does%20it%20matter%20if%20it%20doesn't%20actually%20exist%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20I%20don't%20understand%20how%20this%20works.%20If%20anyone%20could%20shed%20some%20light%20please!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2191763%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2191763%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20seeing%20HTTP%20status%20code%20241%20in%20IIS%20logs%20taken%20from%20compromised%20Exchange%20servers%20-%20is%20this%20something%20that%20anyone%20else%20has%20noticed%20or%20is%20there%20someone%20at%20Microsoft%20who%20can%20collaborate%20this%20unusual%20code%20appearing%20in%20logs%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190193%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190193%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F98445%22%20target%3D%22_blank%22%3E%40Brent%20Berwick%3C%2FA%3E%26nbsp%3BThose%20particular%20Autodiscover%20entries%20mean%20that%20the%20machine%20was%20'probed'%2C%20yes.%20I%20hesitate%20to%20make%20a%20statement%20of%20the%20state%20of%20the%20machine%20because%20all%20of%20the%20logs%20should%20be%20reviewed%2C%20but%20we%20have%20seen%20quite%20a%20few%20cases%20where%20this%20was%20the%20only%20thing%20on%20the%20machine%20and%20no%20other%20evidence%20of%20compromise%20was%20found.%20Please%20make%20sure%20the%20rest%20of%20results%20are%20clean%20and%20that%20the%20machine%20is%20updated!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180282%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180282%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20is%20meant%20by%20%22defense%20in%20depth%22%20for%20the%202010%20patch%20since%20it%20is%20clear%20the%20issues%20have%20not%20been%20fully%20patched%20since%20there%20are%20other%20patches%20for%202013%2C%202016%20and%202019%3F%26nbsp%3B%20Am%20I%20save%20to%20assume%20only%20one%20part%20of%20the%20attack%20chain%20has%20been%20mitigated%3F%26nbsp%3B%26nbsp%3BWe%20have%20been%20struggling%20to%20get%20hybrid%20mode%20working%20to%20move%20off%202010%20to%20Exchange%20Online%20since%20last%20year.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180283%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180283%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F361918%22%20target%3D%22_blank%22%3E%40Tim_Aylett%3C%2FA%3E%26nbsp%3BThe%20KB%20article%20for%20Exchange%202010%20is%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fprod.support.services.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%3Fpreview%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDescription%20of%20the%20security%20update%20for%20Microsoft%20Exchange%20Server%202010%20Service%20Pack%203%3A%20March%202%2C%202021%20(KB5000978)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190316%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190316%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20those%20who%20installed%26nbsp%3BKB5000871%2C%20after%20reboot%20server%2C%20the%20Exchange%20Management%20Shell%20and%20ECP%20not%20working%20anymore.%20In%20eventlog%2C%3C%2FP%3E%3CP%3EEvent%20ID%2015021%2C%20HTTPEvent%20%E2%80%9Cerror%20occurred%20while%20using%20SSL%20configuration%20for%20endpoint%200.0.0.0%3A444%E2%80%B3%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20refer%20this%20link%20to%20fix%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.stormbreaker.tech%2F%3Fp%3D173%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.stormbreaker.tech%2F%3Fp%3D173%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180287%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180287%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F931060%22%20target%3D%22_blank%22%3E%40EddieRowe%3C%2FA%3E%26nbsp%3BExchange%202010%20is%20not%20vulnerable%20to%20the%20same%20attack%20chain%20as%20Exchange%202013%2F2016%2F2019%2C%20but%20there%20is%20a%20vulnerability%20that%20we%20have%20addressed%20for%20Exchange%202010%20and%20our%20recommendation%20is%20to%20install%20the%20update.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180361%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180361%22%20slang%3D%22en-US%22%3E%3CP%3EI%E2%80%99m%20applying%20the%20updates%20to%20all%20my%20servers%20(2010%2F2013%2F2016%2F2019).%20The%20updates%20install%20OK%2C%20but%20it%20doesn%E2%80%99t%20ask%20for%20a%20restart.%20Is%20one%20required%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190353%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190353%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20help%20and%20update%20the%20post%20by%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986962%22%20target%3D%22_blank%22%3E%40Atout76%3C%2FA%3E%26nbsp%3B%20OWA%20and%20ECP%20ERRORS%20after%20the%20update%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fclient-connectivity%2Fowa-stops-working-after-update%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fclient-connectivity%2Fowa-stops-working-after-update%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2192309%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192309%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20prepare%20to%20release%20an%20update%20for%20CU%2016%20in%20the%20future%3F%20because%20we%20could%20not%20update%20CU%20easily.%20Many%20jobs%20to%20be%20done...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190517%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190517%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-quilt-row%20lia-quilt-row-header%22%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-16%20lia-quilt-column-left%20lia-quilt-column-header-left%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-left%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Microsoft%20lia-component-message-view-widget-author-username%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-08%20lia-quilt-column-right%20lia-quilt-column-header-right%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-right%22%3E%3CDIV%20class%3D%22lia-menu-navigation-wrapper%20lia-menu-action%20lia-component-message-view-widget-action-menu%22%3E%3CDIV%20class%3D%22lia-menu-navigation%22%3E%3CDIV%20class%3D%22dropdown-default-item%22%3E%3CDIV%20class%3D%22dropdown-positioning%22%3E%3CDIV%20class%3D%22dropdown-positioning-static%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-quilt-row%20lia-quilt-row-main%22%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-24%20lia-quilt-column-single%20lia-quilt-column-main%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-single%22%3E%3CDIV%20class%3D%22lia-message-body-wrapper%20lia-component-message-view-widget-body%22%3E%3CDIV%20class%3D%22lia-message-body%22%3E%3CDIV%20class%3D%22lia-message-body-content%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegarding%20your%20reply%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F931060%22%20target%3D%22_blank%22%3E%40EddieRowe%3C%2FA%3E%26nbsp%3B%26nbsp%3B%22Exchange%202010%20is%20not%20vulnerable%20to%20the%20same%20attack%20chain%20as%20Exchange%202013%2F2016%2F2019%2C%20but%20there%20is%20a%20vulnerability%20that%20we%20have%20addressed%20for%20Exchange%202010%20and%20our%20recommendation%20is%20to%20install%20the%20update.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20exactly%20does%20this%20mean%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20discovered%20that%2C%20like%20the%20Exchange%20Health%20script%20mentioned%20in%20the%20blog%20post%2C%20the%20scripts%20linked%20to%20below%20are%20also%20incompatible%20with%20Exchange%202010%3A%3C%2FP%3E%3CP%3E%3CEM%3E%3CSTRONG%3EUpdate%20%5B03%2F04%2F2020%5D%3C%2FSTRONG%3E%3A%20The%20Exchange%20Server%20team%20released%20a%20script%20for%20checking%20HAFNIUM%20indicators%20of%20compromise%20(IOCs).%20See%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%23scan-log%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScan%20Exchange%20log%20files%20for%20indicators%20of%20compromise%3C%2FA%3E.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20only%20are%20those%20%3CSTRONG%3E%3CEM%3Escripts%3C%2FEM%3E%20%3C%2FSTRONG%3Eincompatible%20with%20Exchange%202010%2C%20but%20both%20the%20code%20of%20the%20scripts%20and%20the%20the%20manual%20methods%20described%20seem%20to%20be%20pointing%20to%20a%20completely%20different%20logging%20filestructure%20(and%2C%20presumably%20architecture)%20meant%20to%20scan%20exchange%202013%20through%202019.%20I%20can't%20even%20modify%20the%20code%20to%20point%20to%20different%20relative%20paths%20or%20registry%20entries%20to%20query%20for%20said%20paths.%20Nothing%20lines%20up.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGiven%20your%20reply%20to%20Eddie%2C%20does%20that%20mean%20that%20CVE-2021-26855%2C%20CVE-2021-26857%2C%20CVE-2021-26858%2C%20CVE-2021-27065%20do%20%3CSTRONG%3Enot%3C%2FSTRONG%3E%20apply%20to%20exchange%202010%3F%3C%2FP%3E%3CUL%3E%3CLI%3EIF%20any%20of%20them%20DO%20apply%2C%20In%20order%20to%20locate%20IOCs%2C%20should%20I%20be%20trying%20to%20figure%20out%20the%20equivalent%20logs%20and%20perhaps%20even%20logging%20formats%20etc%20on%20my%20exchange%20server%20on%20my%20own%20to%20look%20for%20the%20same%20activity%3F%20With%20the%20assumption%20that%20we%20might%20have%20been%20compromised%20with%20the%20same%20end%20results%2C%20but%20with%20another%20%22attack%20chain%22%3F%26nbsp%3B%3C%2FLI%3E%3CLI%3EIF%20NONE%20of%20those%20CVEs%20apply%2C%20what%20CVEs%20DO%20apply%3F%20What%20is%20the%20vulnerability%3F%20Is%20it%20active%20and%20in%20the%20wild%20already%3F%20And%20what%20exactly%20should%20I%20be%20looking%20for%20and%20in%20what%20logs%2C%20etc%3F%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20is%20my%20responsibility%20to%20my%20company%20and%20co-workers%20to%20do%20whatever%20due%20diligence%20must%20be%20done%20to%20discover%20if%20we%20have%20been%20compromised%20after%20a%20zero-day%20notification%20like%20this%20applies%20to%20our%20environment.%20As%20it%20stands%20I%20have%20no%20idea%20what%20I%20am%20looking%20for.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180367%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180367%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20these%20security%20updates%20available%20for%20Exchange%202016%20CU%2016%3F%26nbsp%3B%20Or%20are%20these%20security%20updates%20to%20address%20vulnerabilities%20only%20in%20Exchange%202016%20CU%2018%2C%2019%3B%20respectively.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2192410%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192410%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BOn%20a%20Windows%202019%20Core%20installation%2C%20outside%20of%20running%20Healthchecker%2C%20how%20do%20you%20confirm%20the%20installation%20of%26nbsp%3BKB5000871%20%3F%26nbsp%3B%20It%20does%20not%20show%20up%20in%20the%20WAC%20or%20via%20the%20get-hotfix%20command.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190541%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190541%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383794%22%20target%3D%22_blank%22%3E%40ChrisJButler%3C%2FA%3E%26nbsp%3BIf%20you%20look%20through%20all%20of%20the%20CVEs%20(reference%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E)%20-%20the%20only%20CVE%20that%20applies%20to%20Exchange%202010%20is%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%2FCVE-2021-26857%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECVE-2021-26857%3C%2FA%3E.%20It%20is%20a%20%22Remote%20Code%20Execution%22%20but%20it%20is%20not%20a%20'start'%20of%20the%20attach%20chain%20that%20Exchange%202013%2C%202016%2C%202019%20are%20vulnerable%20to%20(as%20they%20all%20basically%20begin%20with%26nbsp%3BCVE-2021-26855).%3C%2FP%3E%0A%3CP%3EAs%20MSTIC%20blog%20post%20says%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%2C%20the%20exploitation%20of%20CVE-2021-26857%20requires%20%22administrator%20permission%20or%20another%20vulnerability%20to%20exploit%22.%20But%20again%2C%20as%26nbsp%3BCVE-2021-26855%20does%20not%20apply%20to%20Exchange%202010%2C%20that%20can%20not%20be%20the%20%22other%20known%20vulnerability%22%20on%20Exchange%202010.%3C%2FP%3E%0A%3CP%3EIt%20is%2C%20however%2C%20still%20an%20issue%20that%20was%20discovered%20as%20a%20part%20of%20the%20big%20picture%20here%2C%20but%20because%20it%20is%20not%20exploited%20in%20the%20wild%20as%20other%20versions%20(because%26nbsp%3BCVE-2021-26855%20does%20not%20apply)%20-%20it%20is%20a%20'Defense%20in%20depth'%20update.%20We%20deemed%20it%20important%20enough%20to%20ship%20a%20fix%20for%20such%20old%20code%2C%20but%20it%20is%20not%20actively%20exploited%20because%20there%20is%20not%20an%20'entry%20point'%20as%20with%20other%20versions.%3C%2FP%3E%0A%3CP%3EHope%20that%20helps%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190549%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190549%22%20slang%3D%22en-US%22%3E%3CP%3EI%E2%80%99ve%20no%20idea%20why%20the%20patch%20would%20not%20deploy%20even%20though%20I%20was%20100%25%20on%20cu19%20exchange%202016.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20ended%20up%20deploying%20via%20windows%20update%20and%20it%20worked%20with%20no%20issues.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.jpg%22%20style%3D%22width%3A%203024px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261405i86BAE042FDB79651%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22image.jpg%22%20alt%3D%22image.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180368%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180368%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20only%20supports%20the%20current%20and%20last%20CU.%20You%20will%20need%20to%20install%20one%20of%20these%20CUs%20before%20you%20can%20install%20the%20update.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190556%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYES%2C%20my%20good%20man%2C%20it%20certainly%20does!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20just%20lowered%20my%20blood%20pressure%20by%20a%20few%20points%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20joined%20techcommunity.microsoft.com%20and%20since%20I%20am%20already%20logged%20in%20as%20my%20live.com%20account%20in%20another%20tab%20for%20Skype%2C%20I%20was%20logged%20in%20using%20those%20credentials%2C%20and%20was%20taken%20to%20a%20page%20where%20I%20needed%20to%20create%20a%20profile%2C%20choose%20a%20profile%20name%2C%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20microsoft%20(live%2C%20what%20have%20you)%20account%20has%20my%20gmail%20account%20as%20my%20primary%20login%20name%2C%20and%20my%20profile%20in%20this%20community%20shows%20that%20gmail%20address%20correctly%20as%20my%20email%20address%20for%20the%20profile%20and%20for%20the%20microsoft%20account.%20I%20filled%20out%20the%20Personal%20information%20page%20next%20and%20put%20in%20my%20work%20information%2C%20including%20my%20non-office365%20work%20email%20address.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEmail%20notifications%20are%20turned%20on%20but%20I%20received%20not%20a%20single%20email%20from%20the%20blog%2C%20neither%20at%20setup%20of%20my%20profile%20nor%20when%20you%20replied%20with%20a%20mention%20of%20me%20here.%20Any%20idea%20where%20I%20should%20look%20%3F%20I%20just%20happened%20to%20be%20refreshing%20this%20blog%20just%20after%20posting%20my%20comment%20or%20I%20would%20have%20missed%20your%20very%20helpful%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2192782%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192782%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewe%20have%20a%20few%20customers%20were%20we%20get%20an%20error%20while%20running%20the%20script.%20It%20can%20not%20access%20the%20%3CSPAN%3E%22%25exchangeinstallpath%25%5COABGeneratorLog%3C%2FSPAN%3E%3CSPAN%3E%22%20because%20the%20directory%20%22OABGeneratorLog%22%20does%20not%20exist.%20Is%20this%20suspicous%20or%20is%20it%20possible%20that%20there%20has%20been%20no%20%22OABGeneratorLog%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ERunning%20the%20MSERT.EXE%20tool%20does%20not%20find%20any%20threats%20on%20those%20systems.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThank%20you!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EJan%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190586%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190586%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383794%22%20target%3D%22_blank%22%3E%40ChrisJButler%3C%2FA%3E%26nbsp%3BUmm...%20I'd%20like%20to%20be%20able%20to%20say%20that%20I%20fully%20understand%20how%20this%20notification%20thing%20works%20but%20alas%2C%20I%20do%20not.%20%3A(%3C%2Fimg%3E%20I%20can%20tell%20you%20that%20I%20do%20get%20email%20notifications%20if%20I%20get%26nbsp%3B%40%20mentioned%20in%20posts.%20I%20know%20you%20mentioned%20notifications%20are%20on%2C%20but%20I%20wonder%20if%20you%20mean%20the%20%22Email%20me%20when%20someone%20replies%22%20thing%20that%20I%20see%20on%20individual%20comments%20(like%20this%20one)%20or%20when%20you%20click%20on%20your%20account%20avatar%2C%20then%20My%20Subscriptions%20%26gt%3B%20Notification%26nbsp%3Bsettings%20%26gt%3B%20Post's%20I'm%26nbsp%3B%40%20mentioned%20in%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180369%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180369%22%20slang%3D%22en-US%22%3E%3CP%3Ewe%20are%20currently%20applying%20it%20and%20also%20no%20issues%20so%20far.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2193553%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193553%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F119208%22%20target%3D%22_blank%22%3E%40Navishkar%20Sadheo%3C%2FA%3E%22I%20am%20running%20Exchange%20Server%202016%20CU%2016......am%20I%20affected%20by%20this%3F%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes!%20You%20need%20to%20go%20current%20first%20(CU19%20(or%2018))%20and%20than%20apply%20the%20security%20fix.%20Or%26nbsp%3Bat%20least%20use%20the%20mitigation%20mentioned%20in%20this%20article%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Exchange%20Server%20Vulnerabilities%20Mitigations%20%E2%80%93%20updated%20March%206%2C%202021%20%E2%80%93%20Microsoft%20Security%20Response%20Center%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194172%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194172%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986053%22%20target%3D%22_blank%22%3E%40GeekSpaz%3C%2FA%3E%26nbsp%3B%2C%20thanks%20for%20the%20suggestions%20to%20run%26nbsp%3B%3CSPAN%3EC%3A%5CProgram%20Files%5CMicrosoftExchange%20ServerV14%5CBin%5CUpdateCas.ps1%20and%20the%20IISReset%2C%20but%20sadly%20that%20made%20no%20difference.%26nbsp%3B%20I%20also%20see%20in%20the%20troubleshooting%20a%20suggestion%20to%20run%20UpdateConfigFiles.ps1%20after%20UpdateCas.ps1.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20remain%20unable%20to%20patch%20our%20Exchange%202010%20SP3%20servers%20with%20RU31%20or%20Ru32%20so%20it%20would%20appear%20to%20be%20me%20that%20RU31%20is%20broken%20and%20the%20defect%20is%20also%20in%20RU32.%26nbsp%3B%20After%20patching%20the%20server%20with%20the%20CAS%20role%20and%20holding%20the%20test%20mailbox%2C%20I%20see%20errors%20on%20the%20OTHER%20webmail%20server%20that%20has%20NOT%20been%20patched.%26nbsp%3B%20Not%20patched%20because%20applying%20to%20one%20server%20takes%20it%20out.%26nbsp%3B%20On%20the%20webmail%20server%20I%20found%20an%20event%20136%20and%20Source%20MSExchange%20OWA%20at%20the%20same%20time%20the%20OWA%20login%20says%20%22%20The%20mailbox%20you're%20trying%20to%20access%20isn't%20currently%20available.%20If%20the%20problem%20continues%2C%20contact%20your%20helpdesk.%22%26nbsp%3B%20%3CSTRONG%3EAre%20these%20Exchange%202010%20SP3%20servers%20looking%20to%20have%20the%20same%20RU%20level%20in%20order%20to%20have%20basic%20functionality%20working%3F%3C%2FSTRONG%3E%26nbsp%3B%20Is%20it%20possible%20that%20this%20is%20just%20an%20issue%20known%20to%20an%20experienced%20Exchange%20admin%20(which%20we%20do%20not%20have...why%20I%20am%20trying%20get%20us%20to%20O365)%3F%3C%2FSPAN%3E%3C%2FP%3E%3CDIV%3E%3CBR%20%2F%3E%22The%20sign-in%20to%20Outlook%20Web%20App%20failed.%20User%20%2FO%3Dxxxxx%2FOU%3Dyyyyy%2Fcn%3DRecipients%2Fcn%3Dtest2%20has%20a%20mailbox%20on%2014.3.123.0%20server%20version.%20However%2C%20no%20Client%20Access%20server%20or%20front-end%20server%20with%20a%20matching%20version%20was%20found%20to%20handle%20the%20request.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3EFor%20users%20on%20Exchange%202007%20and%20above%2C%20you%20can%20configure%20the%20Outlook%20Web%20Access%20URL%20for%20redirection%20using%20the%20externalURL%20parameter%20on%20the%20Exchange%20%2Fowa%20virtual%20directory.%22%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194511%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194511%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BThis%20bring%20up%20an%20interesting%20talking%20point.%26nbsp%3B%20MS%20made%20the%20decision%20to%20fork%20the%20code%20for%20Exchange%202019%2FO365%20long%20ago%20and%20one%20of%20the%20selling%20points%20for%20Exchange%202019%20was%20more%20mature%20code%20base%20with%20less%20updates%20and%20better%20stability.%26nbsp%3B%20If%20MS%20fixed%20the%20issue%20is%20O365%20at%20some%20point%20before%20this%20patch%20was%20released%20that%20says%20a%20lot%20about%20their%20priorities%20and%20doesn't%20portend%20well%20for%20on-prem%20customers%20and%20future%20critical%20updates.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHopefully%20this%20will%20be%20fleshed%20more%20so%20that%20confidence%20doesn't%20wane%20for%20on-prem%20customers.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194515%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194515%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192630%22%20target%3D%22_blank%22%3E%40Netronin%3C%2FA%3E%26nbsp%3BI'm%20just%20here%20to%20say%20that%20I%20never%20said%20that%20%22MS%20fixed%20the%20issue%20is%20O365%20at%20some%20point%20before%20this%20patch%20was%20released%22.%20I%20have%20no%20idea%20where%20%3CEM%3Ethat%3C%2FEM%3E%20came%20from%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194695%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194695%22%20slang%3D%22en-US%22%3E%3CP%3EAuto%20updates%20and%20the%20remediation%20CU's%20error%20out%2C%20cant%20update.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22the%20upgrade%20patch%20cannot%20be%20installed%20by%20the%20windows%20installer%20service.....%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190550%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190550%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20servers%20have%20started%20to%20log%20a%20new%20event%20in%20the%20Application%20log.%26nbsp%3B%20I%20wonder%20if%20this%20is%20the%20attack%20failing%20due%20to%20the%20security%20update%20being%20in%20place.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CTABLE%20width%3D%22100%25%22%3E%3CTBODY%3E%3CTR%3E%3CTD%20width%3D%2285%25%22%3E%3CP%3E%5BEcp%5D%20An%20internal%20server%20error%20occurred.%20The%20unhandled%20exception%20was%3A%20System.ArgumentException%3A%20Invalid%20input%20value%3CBR%20%2F%3EParameter%20name%3A%20input%3CBR%20%2F%3Eat%20Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String%20input)%3CBR%20%2F%3Eat%20Microsoft.Exchange.HttpProxy.BEResourceRequestHandler.ResolveAnchorMailbox()%3CBR%20%2F%3Eat%20Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox%26amp%3B%20anchorMailbox)%3CBR%20%2F%3Eat%20Microsoft.Exchange.HttpProxy.ProxyRequestHandler.%3CBEGINCALCULATETARGETBACKEND%3Eb__3b()%3CBR%20%2F%3Eat%20Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate%20tryDelegate%2C%20FilterDelegate%20filterDelegate%2C%20CatchDelegate%20catchDelegate)%3C%2FBEGINCALCULATETARGETBACKEND%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180373%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180373%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F65924%22%20target%3D%22_blank%22%3E%40Jeff%20Guillet%3C%2FA%3E%26nbsp%3BOur%20suggestion%20is%20to%20restart%20the%20server%2C%20yes.%20I%20have%20seen%20the%20update%20tell%20to%20reboot%20but%20I%20guess%20depending%20on%20the%20scenario...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180394%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180394%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180456%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180456%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F931060%22%20target%3D%22_blank%22%3E%40EddieRowe%3C%2FA%3E%26nbsp%3BYeah%20that%20should%20be%20fixed%20now.%20I%20just%20had%20to%20reload%20the%20page%20and%20it%20says%2032%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2198671%22%20slang%3D%22de-DE%22%3ESubject%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2198671%22%20slang%3D%22de-DE%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3Ewe%20are%20running%20%3CSPAN%3EExchange%20Server%202016%20CU12%3C%2FSPAN%3E.%20I%20can't%20find%20anything%20about%20it%20in%20any%20docs.%20Are%20we%20not%20affected%3F%3F%3F%3C%2FP%3E%3CP%3ERg%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179942%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179942%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E%26nbsp%3B-%20downloads%20will%20be%20on%20the%20Microsoft%20Update%20soon.%20You%20can%20get%20them%20right%20away%20if%20you%20go%20to%20individual%20CVEs%20mentioned%20in%20the%20MSRC%20blog%20post%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180411%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180411%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20some%20typos.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDescription%20of%20the%20security%20update%20for%20Microsoft%20Exchange%20Server%202010%20Service%20Pack%203%3A%20March%202%2C%202021%20(KB5000978)%3C%2FA%3E%26nbsp%3Bhas%20a%20link%20to%20download%20Update%20Rollup%2032%20for%20Exchange%20Server%202010%20SP3%2C%20but%20when%20you%20click%20on%20that%20link%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D102774%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDownload%20Update%20Rollup%203%20For%20Exchange%202010%20SP3%20(KB5000978)%20from%20Official%20Microsoft%20Download%20Center%3C%2FA%3E%26nbsp%3Bsays%20it%20is%20Rollup%203%20instead%20of%2032.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2276630%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2276630%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%3CSPAN%3E%26nbsp%3BHello%20Nino.%26nbsp%3BKB5001779%2C%20just%20like%20KB5000871%20is%20not%20visible%20by%20running%26nbsp%3Bget-hotfix%20or%20by%20looking%20for%20updates%20in%20WAC%20when%20installed%20on%20a%20Windows%202019%20Core%20server.%26nbsp%3B%20%26nbsp%3BThis%20is%20not%20a%20problem%20with%20other%20Windows%20Server%20security%20hotfixes%20-%20only%20with%20Exchange%20hotfixes.%26nbsp%3B%20%26nbsp%3BThis%20is%20an%20issue%20for%20administrators%2C%20installers%2C%20etc.%26nbsp%3B%20When%20will%20this%20be%20addressed%3F%26nbsp%3B%26nbsp%3B%20Do%20you%20see%20the%20same%20thing%20on%20your%20Windows%202019%20Core%20servers%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181650%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181650%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%2C%20Thanks%20for%20the%20quick%20response!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180549%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180549%22%20slang%3D%22en-US%22%3E%3CP%3EInstalling%20on%20our%20first%20server%20to%20gauge%20the%20impact.%20Getting%20lots%20of%20%22Files%20in%20use%22%20errors.%20We're%20killing%20processes%20and%20retrying%20multiple%20times%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2202066%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2202066%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Nino%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20ran%20the%20CompareExchangeHashes%20script%20and%20it%20returned%20the%20IIS%20Default%20Website's%20web.config%20as%20suspicious.%3C%2FP%3E%3CP%3EWhen%20I%20check%20the%20file%2C%20it%20was%20created%20when%20I%20was%20updating%20our%20Exchange%20server%20(2019)%20to%20the%20latest%20CU.%20It%20hasn't%20been%20modified%20since.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20really%20find%20anything%20suspicious%20in%20the%20file%20itself%20either..%20Is%20this%20a%20false%20positive%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181667%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181667%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20clarify%20this%20statement%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3E%22The%20initial%20attack%20requires%20the%20ability%20to%20make%20an%20untrusted%20connection%20to%20Exchange%20server%20port%20443%22%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20media%20seems%20interprets%20this%20as%20being%20able%20to%20make%20an%20untrusted%20HTTP%20(aka%20not%20encrypted)%20connection%20to%20an%20HTTPS%20port.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMany%20of%20us%20use%20SSL-offloading%2FSSL-bridging%20reverse%20Proxies%20(F5%20Big-IP%2C%20Citrix%20Netscaler%2C%20Kemp%2C%20nginx%2C%20Apache%2C%20HAProxy.....and%20also%20some%20cloud%20services%20as%20Azure%20Application%20Proxy%20or%20be%20it%20also%20CDNs%20like%20Cloudflare%20etc.)%20to%20get%20Exchange%20hooked%20up%20to%20the%20internet%20and%20do%20SSL%20bridging.%3CBR%20%2F%3EBy%20nature%20these%20technologies%26nbsp%3Bprevent%20HTTP%20connections%20to%20HTTPS%20ports.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOr%2C%20do%20you%20mean%20by%20%22untrusted%20connections%22%20that%20the%20user%20is%20not%20authenticated%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20yes%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMany%20of%20us%20also%20use%20these%20technologies%20to%20do%20pre-authentication%20before%20anyone%20can%20access%20anything%20anonymously%20on%20port%20443%20(there%20was%20also%20a%20question%20about%20ADFS%20some%20posts%20before%2C%20I%20might%20add%20the%20question%20what%20if%20we%20do%20pre-authentication%20with%20Azure%20AD%3F).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAre%20these%20users%20protected%2C%20or%20does%20this%20issue%20concern%20those%20web%20API%20connections%20to%20EWS%2FOAB%2FECP%2FActiveSync%20where%20we%20have%20to%20turn%20off%20pre-authentication%20since%20this%20would%20break%20those%20services%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EJust%20asking%20out%20of%20curiosity%2C%20I%20know%20the%20vulnerability%20still%20exists%20of%20anyone%20can%20access%20the%20server%20directly%20from%20LAN.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EAlso%2C%20because%20everybody%20around%20me%20is%20hyping%2Ffreaking%20out%2C%20even%20though%20many%20have%20such%20technologies%20in%20place.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20guess%20nobody%20with%20will%20hook%20up%20an%20Exchange%20server%20to%20the%20Internet%20just%20by%20Port-forwarding%20the%20port%20443%20on%20the%20firewall%20directly%20to%20the%20server%2C%20or%20by%20configuring%20a%20public%20IP%20address%20on%20the%20server's%20network%20interface%20and%20connect%20it%20directly%20to%20the%20provider%20switch%2C%20at%20least%20not%20in%20the%20last%2010%20years.%20(Hell%2C%20we%20were%20doing%20that%20since%20ISA%202000).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EMarc%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180567%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180567%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20the%20Known%20Issue%20of%20applying%20it%20by%20double%20click%20breaking%20ECP%2FOWA...%20It's%20great%20the%20article%20warns%20you%20of%20that...%20would%20be%20better%20if%20it%20told%20you%20HOW%20TO%20FIX%20IT%20too!%26nbsp%3B%20Or%20where%20to%20find%20how%20to%20fix%20it.%26nbsp%3B%26nbsp%3BSo...%20anyone%20know%20how%20to%20fix%20it%3F!%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(Cancelled%20mid-way.%26nbsp%3B%20Rolled%20back.%26nbsp%3B%20Re-installed%20correctly%2C%20ECP%20is%20broken%3B%20OWA%20works).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180595%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BThanks%2C%20but%20that's%20not%20really%20helpful.%26nbsp%3B%20As%20I%20said%2C%20it's%20great%20that%20it's%20a%20known%20issue.%26nbsp%3B%20That%20it's%20known%20that%20the%20update%20doesn't%20properly%20prompt%20for%20elevation%20and%20that%20it%20must%20be%20run%20from%20an%20elevated%20command%20prompt.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat's%20done%20is%20done.%26nbsp%3B%20ECP%20is%20broken.%26nbsp%3B%20HOW%20DO%20WE%20FIX%20IT%3F%26nbsp%3B%20There's%20no%20mention%20of%20restoring%20ECP%20%2F%20OWA%20if%20you%20failed%20to%20run%20it%20initially%20from%20an%20elevated%20command%20prompt.%26nbsp%3B%20Why%20not%3F%20It%20would%20be%20helpful%20to%20folks%20who%20may%20not%20have%20read%20the%20blog%20but%20were%2C%20instead%2C%20told%20to%20install%20this%20update%20and%20ASSUMED%20it%20would%20properly%20elevate%20itself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20wait%20for%20the%20next%20CU%20and%20install%20that%2C%20will%20that%20fix%20it%3F%26nbsp%3B%20I'd%20rather%20not%20wait%2C%20but%20I%20assume%20the%20next%20CU%20is%20due%20soon...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2175901%22%20slang%3D%22en-US%22%3EReleased%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2175901%22%20slang%3D%22en-US%22%3E%3CP%3ENote%3A%20this%20post%20is%20getting%20frequent%20updates%3B%20please%20keep%20checking%20back.%20Last%20update%3A%203%2F19%2F2021%3C%2FP%3E%3CP%3EMicrosoft%20has%20released%20a%20set%20of%20out%20of%20band%20security%20updates%20for%20vulnerabilities%20for%20the%20following%20versions%20of%20Exchange%20Server%3A%3C%2FP%3EExchange%20Server%202013%20Exchange%20Server%202016%20Exchange%20Server%202019%3CP%3ESecurity%20updates%20are%20available%20for%20the%20following%20specific%20versions%20of%20Exchange%3A%3C%2FP%3E%3CP%3EIMPORTANT%3A%20If%20manually%20installing%20security%20updates%2C%20you%20must%20install%20.msp%20from%20elevated%20command%20prompt%20(see%20Known%20Issues%20in%20update%20KB%20articles)%3C%2FP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202010%20(update%20requires%20SP%203%20or%20any%20SP%203%20RU%20%E2%80%93%20this%20is%20a%20Defense%20in%20Depth%20update)%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202013%20(update%20requires%20CU%2023)%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202016%20(update%20requires%20CU%2019%20or%20CU%2018)%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202019%20(update%20requires%20CU%208%20or%20CU%207)%3C%2FA%3E%20NEW!%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2021-exchange-server-security-updates-for-older-cumulative%2Fba-p%2F2192020%22%20target%3D%22_blank%22%3ESecurity%20Updates%20for%20older%20Cumulative%20Updates%20of%20Exchange%20Server%20(the%20list%20is%20now%20finalized)%3C%2FA%3E%3CP%3EBecause%20we%20are%20aware%20of%20active%20exploits%20of%20related%20vulnerabilities%20in%20the%20wild%20(limited%20targeted%20attacks)%2C%20our%20recommendation%20is%20to%20install%20these%20updates%20immediately%20to%20protect%20against%20these%20attacks.%3C%2FP%3E%3CP%3EThe%20vulnerabilities%20affect%20Microsoft%20Exchange%20Server.%20Exchange%20Online%20is%20not%20affected.%3C%2FP%3E%3CP%3EFor%20more%20information%2C%20please%20see%20the%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Security%20Response%20Center%20(MSRC)%20blog%3C%2FA%3E.%3C%2FP%3E%3CP%3EFor%20technical%20details%20of%20these%20exploits%20and%20how%20to%20help%20with%20detection%2C%20please%20see%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EHAFNIUM%20Targeting%20Exchange%20Servers%3C%2FA%3E.%26nbsp%3BThere%20is%20a%20scripted%20version%20of%20this%20check%20available%20on%20GitHub%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMitigations%2C%20investigation%20and%20remediation%3A%3C%2FP%3EAre%20there%20any%20mitigations%20I%20can%20implement%20right%20now%3F%3CP%3EMSRC%20team%20has%20released%20a%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F15%2Fone-click-microsoft-exchange-on-premises-mitigation-tool-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EOne-Click%20Microsoft%20Exchange%20On-Premises%20Mitigation%20Tool%20(EOMT)%3C%2FA%3E.%20The%20MSTIC%20blog%20post%20called%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Exchange%20Server%20Vulnerabilities%20Mitigations%20%E2%80%93%20March%202021%3C%2FA%3E%26nbsp%3Bcan%20help%20understand%20individual%20mitigation%20actions.%20A%20stand-alone%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchangeMitigations.ps1%3C%2FA%3E%26nbsp%3Bscript%20is%20also%20available.%3C%2FP%3EHow%20can%20I%20tell%20if%20my%20servers%20have%20already%20been%20compromised%3F%3CP%3EInformation%20on%20Indicators%20of%20Compromise%20(IOCs)%20%E2%80%93%20such%20as%20what%20to%20search%20for%2C%20and%20how%20to%20find%20evidence%20of%20successful%20exploitation%20(if%20it%20happened)%2C%20can%20be%20found%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EHAFNIUM%20Targeting%20Exchange%20Servers%3C%2FA%3E.%20There%20is%20a%20scripted%20version%20of%20this%20available%20on%20GitHub%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E.%3C%2FP%3EMore%20information%20about%20investigations%3CP%3ETo%20aid%20defenders%20in%20investigating%20these%20attacks%20where%20Microsoft%20security%20products%20and%20tooling%20may%20not%20be%20deployed%2C%20we%20are%20releasing%20a%20feed%20of%20observed%20indicators%20of%20compromise%20(IOCs).%20The%20feed%20of%20malware%20hashes%20and%20known%20malicious%20file%20paths%20observed%20in%20related%20attacks%20is%20available%20in%20both%20JSON%20and%20CSV%20formats%20at%20the%20below%20GitHub%20links.%20This%20information%20is%20being%20shared%20as%20TLP%3AWHITE.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSample%2520Data%2FFeeds%2FMSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ECSV%20format%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSample%2520Data%2FFeeds%2FMSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EJSON%20format%3C%2FA%3E%20are%20available.%26nbsp%3B%3C%2FP%3EWhat%20about%20remediation%3F%3CP%3EMSTIC%20team%20has%20(on%20March%206th)%20updated%20their%20blog%20post%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Exchange%20Server%20Vulnerabilities%20Mitigations%20%E2%80%93%20March%202021%3C%2FA%3E%26nbsp%3Bto%20include%20information%20about%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fintelligence%2Fsafety-scanner-download%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Support%20Emergency%20Response%20Tool%20(MSERT)%3C%2FA%3E%26nbsp%3Bhaving%20been%20updated%20to%20scan%20Microsoft%20Exchange%20Server.%20Please%20download%20a%20new%20copy%20of%20MSERT%20often%2C%20as%20updates%20are%20made%20in%20the%20tool%20regularly!%20Please%20also%20see%20MSRC%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F16%2Fguidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EGuidance%20for%20responders%3A%20Investigating%20and%20remediating%20on-premises%20Exchange%20Server%20vulnerabilities%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInstalling%20and%20troubleshooting%20updates%3A%3C%2FP%3EDoes%20installing%20the%20March%20Security%20Updates%20require%20my%20servers%20to%20be%20up%20to%20date%3F%3CP%3EToday%20we%20shipped%20Security%20Update%20(SU)%20fixes.%20These%20fixes%20can%20be%20installed%20only%20on%20servers%20that%20are%20running%20the%20specific%20versions%20listed%20previously%2C%20which%20are%20considered%20up%20to%20date.%20If%20your%20servers%20are%20running%20older%20Exchange%20Server%20cumulative%20or%20rollup%20update%2C%20we%20recommend%20to%20install%20a%20currently%20supported%20RU%2FCU%20before%20you%20install%20the%20security%20updates.%20If%20you%20are%20unable%20to%20get%20updated%20quickly%2C%20please%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2021-exchange-server-security-updates-for-older-cumulative%2Fba-p%2F2192020%22%20target%3D%22_blank%22%3EMarch%202021%20Exchange%20Server%20Security%20Updates%20for%20older%20Cumulative%20Updates%20of%20Exchange%20Server%3C%2FA%3E.%3C%2FP%3EHow%20can%20I%20get%20an%20inventory%20of%20the%20update-level%20status%20of%20my%20on-premises%20Exchange%20servers%3F%3CP%3EYou%20can%20use%20the%20Exchange%20Server%20Health%20Checker%20script%2C%20which%20can%20be%20downloaded%20from%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExchangeHealthChecker%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EGitHub%3C%2FA%3E%20(use%20the%20latest%20release).%20Running%20this%20script%20will%20tell%20you%20if%20you%20are%20behind%20on%20your%20on-premises%20Exchange%20Server%20updates%20(note%20that%20the%20script%20does%20not%20support%20Exchange%20Server%202010).%3C%2FP%3EWhich%20of%20my%20servers%20should%20I%20update%20first%3F%3CP%3EExploitation%20of%20the%20security%20vulnerabilities%20addressed%20in%20these%20fixes%20requires%20HTTPS%20access%20over%20the%20Internet.%20Therefore%2C%20our%20recommendation%20is%20to%20install%20the%20security%20updates%20first%20on%20Exchange%20servers%20exposed%2Fpublished%20to%20the%20Internet%20(e.g.%2C%20servers%20publishing%20Outlook%20on%20the%20web%2FOWA%20and%20ECP)%20and%20then%20update%20the%20rest%20of%20your%20environment.%3C%2FP%3EWill%20the%20installation%20of%20the%20Security%20Updates%20take%20as%20long%20as%20installing%20an%20RU%2FCU%3F%3CP%3EInstallation%20of%20Security%20Updates%20does%20not%20take%20as%20long%20as%20installing%20a%20CU%20or%20RU%2C%20but%20you%20will%20need%20to%20plan%20for%20some%20downtime.%3C%2FP%3EMy%20organization%20needs%20to%20'get%20current'%20first...%20we%20need%20to%20apply%20a%20Cumulative%20Update.%20Any%20tips%20for%20us%3F%3CP%3EPlease%20see%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fplan-and-deploy%2Finstall-cumulative-updates%3Fview%3Dexchserver-2019%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EUpgrade%20Exchange%20to%20the%20latest%20Cumulative%20Update%3C%2FA%3E%26nbsp%3Barticle%20for%20best%20practices%20when%20installing%20Exchange%20Cumulative%20Updates.%20To%20ensure%20the%20easiest%20upgrade%20experience%20(and%20because%20in%20many%20organizations%20Exchange%20and%20Active%20Directory%20roles%20are%20separate)%20you%20might%20wish%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fplan-and-deploy%2Fprepare-ad-and-domains%3Fview%3Dexchserver-2019%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Erun%20%2FPrepareAD%3C%2FA%3E%26nbsp%3B(in%20the%20Active%20Directory%20site%20that%20Exchange%20is%20a%20member%20of)%20before%20running%20the%20actual%20CU%20Setup.%20You%20can%20use%20%3CA%20href%3D%22https%3A%2F%2Fwebcastdiag864.blob.core.windows.net%2F2021presentationdecks%2FMarch%25202021%2520Exchange%2520Server%2520Security%2520Update%2520-%2520EN.pdf%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ethis%20document%3C%2FA%3E%20as%20a%20guide%20to%20understand%20what%20you%20might%20have%20to%20do.%3C%2FP%3EErrors%20during%20or%20after%20Security%20Update%20installation!%20Help!%3CP%3EIt%20is%26nbsp%3Bextremely%20important%26nbsp%3Bto%20read%20the%20Known%20Issues%20section%20in%20the%20Security%20Update%20KB%20article%20(%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E%26nbsp%3Bdepending%20on%20the%20version).%20If%20installing%20the%20update%20manually%2C%26nbsp%3Byou%20must%20run%20the%20update%20from%20the%20elevated%20command%20prompt.%20If%20you%20are%20seeing%20unexpected%20behavior%2C%20check%20the%26nbsp%3Barticle%26nbsp%3Baddressing%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fexupdatefaq%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Etroubleshooting%20failed%20installations%20of%20Exchange%20security%20updates%3C%2FA%3E%26nbsp%3B(we%20will%20keep%20updating%20this%20article).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdditional%20Q%26amp%3BA%3A%3C%2FP%3EAre%20there%20any%20other%20resources%20that%20you%20can%20recommend%3F%3CP%3EMicrosoft%20Defender%20Security%20Research%20Team%20has%20published%20a%20related%20blog%20post%20called%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F06%2F24%2Fdefending-exchange-servers-under-attack%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EDefending%20Exchange%20servers%20under%20attack%3C%2FA%3E%20which%20can%20help%20you%20understand%20some%20general%20practices%20around%20detection%20of%20malicious%20activity%20on%20your%20Exchange%20servers%20and%20help%20improve%20your%20security%20posture.%3C%2FP%3EMy%20organization%20is%20in%20Hybrid%20with%20Exchange%20Online.%20Do%20I%20need%20to%20do%20anything%3F%3CP%3EWhile%20those%20security%20updates%20do%20not%20apply%20to%20Exchange%20Online%20%2F%20Office%20365%2C%20you%20need%20to%20apply%20those%20Security%20Updates%20to%20your%20on-premises%20Exchange%20Server%2C%20even%20if%20it%20is%20used%20for%20management%20purposes%20only.%20You%20do%20not%20need%20to%20re-run%20HCW%20if%20you%20are%20using%20it.%3C%2FP%3EDo%20we%20need%20to%20install%20those%20updates%20on%20Management%20Tools%20only%20workstations%20or%20servers%3F%3CP%3EMachines%20with%20Management%20Tools%20only%20are%20not%20impacted%20(there%20are%20no%20Exchange%20services%20installed)%20and%20do%20not%20require%20installation%20of%20March%20SUs.%20Please%20note%20that%20a%20'management%20server'%20which%20many%20of%20our%20Hybrid%20customers%20have%20(which%20is%20an%20Exchange%20server%20kept%20on%20premises%20to%20be%20able%20to%20run%20Exchange%20management%20tasks)%20is%20different.%20For%20Hybrid%2C%20please%20see%20the%20Hybrid%20question%20above.%3C%2FP%3EThe%20last%20Exchange%202016%20and%20Exchange%202019%20CU%E2%80%99s%20were%20released%20in%20December%20of%202020.%20Are%20new%20CU%E2%80%99s%20releasing%20in%20March%202021%3F%3CP%3EEDIT%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Freleased-march-2021-quarterly-exchange-updates%2Fba-p%2F2205283%22%20target%3D%22_blank%22%3EExchange%20Server%202016%20CU%2020%20and%20Exchange%20Server%202019%20CU%209%20are%20now%20released%3C%2FA%3E%20and%20those%20CUs%26nbsp%3Bcontain%20the%20Security%20Updates%20mentioned%20here%20(along%20with%20other%20fixes).%20Customers%20who%20have%20installed%20SUs%20for%20older%20E2016%2F2019%20CUs%20can%20simply%20update%20to%20new%20CUs%20and%20will%20stay%20protected.%3C%2FP%3EAre%20Exchange%20Server%202003%20and%20Exchange%20Server%202007%20vulnerable%20to%20March%202021%20Exchange%20server%20security%20vulnerabilities%3F%3CP%3ENo.%20After%20performing%20code%20reviews%2C%20we%20can%20state%20that%20the%20code%20involved%20in%20the%20attack%20chain%20to%20begin%20(CVE-2021-26855)%20was%20not%20in%20the%20product%20before%20Exchange%20Server%202013.%20Exchange%202007%20includes%20the%20UM%20service%2C%20but%20it%20doesn%E2%80%99t%20include%20the%20code%20that%20made%20Exchange%20Server%202010%20vulnerable.%20Exchange%202003%20does%20not%20include%20the%20UM%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMajor%20updates%20to%20this%20post%3A%3C%2FP%3E3%2F19%2F2021%3A%20Added%20a%20link%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F16%2Fguidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EGuidance%20for%20responders%3A%20Investigating%20and%20remediating%20on-premises%20Exchange%20Server%20vulnerabilities%3C%2FA%3E%203%2F17%2F2021%3A%20Removed%20the%20mention%20of%26nbsp%3BCompareExchangeHashes.ps1%20script%20(deprecated).%20Added%20a%20Q%26amp%3BA%20pair%20for%20Management%20Tools%20only%20machines.%203%2F16%2F2021%3A%20Added%20a%20note%20about%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Freleased-march-2021-quarterly-exchange-updates%2Fba-p%2F2205283%22%20target%3D%22_blank%22%3EExchange%202016%20CU%2020%20and%20Exchange%202019%20CU%209%3C%2FA%3E%203%2F15%2F2021%3A%20Added%20a%20link%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F15%2Fone-click-microsoft-exchange-on-premises-mitigation-tool-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EOne-Click%20Microsoft%20Exchange%20On-Premises%20Mitigation%20Tool%20(EOMT)%3C%2FA%3E%203%2F12%2F2021%3A%20Added%20a%20Q%26amp%3BA%20pair%20for%20Exchange%202003%2F2007%203%2F11%2F2021%3A%20Added%20a%20note%20about%20final%20list%20of%20SU%20releases%20for%20out%20of%20support%20CUs%203%2F10%2F2021%3A%20Added%20a%20note%20that%20the%20MSERT%20tool%20should%20be%20downloaded%20often%20as%20it%20gets%20updated%20regularly%203%2F9%2F2021%3A%20Added%20a%20link%20to%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchangeMitigations.ps1%20mitigation%20script%3C%2FA%3E%20and%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3ECompareExchangeHashes.ps1%20file%20hashes%20check%3C%2FA%3E%20script.%203%2F8%2F2021%3A%20Added%20a%20link%20about%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2021-exchange-server-security-updates-for-older-cumulative%2Fba-p%2F2192020%22%20target%3D%22_blank%22%3EUpdates%20for%20older%20Cumulative%20Updates%20of%20Exchange%20Server%3C%2FA%3E%20and%20information%20about%20a%20feed%20of%20observed%20indicators%20of%20compromise%20(IOCs).%203%2F8%2F2021%3A%20Added%20a%20link%20to%20%3CA%20href%3D%22https%3A%2F%2Fwebcastdiag864.blob.core.windows.net%2F2021presentationdecks%2FMarch%25202021%2520Exchange%2520Server%2520Security%2520Update%2520-%2520EN.pdf%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ethe%20guide%3C%2FA%3E%20that%20can%20help%20with%20steps%20that%20need%20to%20be%20taken%20to%20get%20current%20and%20update%203%2F8%2F2021%3A%20Added%20a%20note%20about%20elevated%20CMD%20prompt%20installation%20of%20.msp%20files%203%2F7%2F2021%3A%20Reorganized%20information%20to%20make%20it%20easier%20to%20navigate%203%2F6%2F2021%3A%20Added%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Einformation%3C%2FA%3E%20about%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fintelligence%2Fsafety-scanner-download%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMSERT%3C%2FA%3E%20tool%20to%20help%20with%20remediation%203%2F6%2F2021%3A%20linked%20to%20an%20article%20about%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fexupdatefaq%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Etroubleshooting%20failed%20installations%20of%20Exchange%20security%20updates%3C%2FA%3E%203%2F5%2F2021%3A%20linked%20to%20the%20new%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMSTIC%20blog%20post%20on%20Vulnerability%20Mitigations%3C%2FA%3E%3CP%3EThe%20Exchange%20Team%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2175901%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20releasing%20a%20set%20of%20out%20of%20band%20security%20updates%20for%20Exchange%20Server.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2175901%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnnouncements%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202010%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202019%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOn%20premises%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180573%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180573%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F265098%22%20target%3D%22_blank%22%3E%40Keith-Work-711%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3B-%20please%20make%20sure%20to%20check%20%22KNOWN%20ISSUES%22%20in%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ethe%20KB%20article%20talking%20about%20updates%3C%2FA%3E.%20This%20is%20not%20an%20issue%20with%20this%20particular%20update%2C%20rather%20-%20all%20security%20updates%20need%20to%20be%20run%20elevated%20if%20installed%20manually.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180606%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180606%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%20If%20ECP%20is%20broken%2C%20you%20might%20try%20resetting%20the%20ECP%20virtual%20directory.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180611%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180611%22%20slang%3D%22en-US%22%3E%3CP%3EFYI%20we%20are%20running%20them%20from%20an%20elevated%20command%20prompt.%20Other%20servers%20have%20not%20had%20this%20issue%20of%20the%20%22Files%20in%20use%22%20and%20seem%20to%20have%20installed%20clean.%20Hopefully%20just%20a%20single%20server%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180620%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180620%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3B-%20Well%2C%20the%20article%20%3CEM%3Edoes%3C%2FEM%3E%20give%20you%20some%20guidance%20around%20what%20to%20do%20if%20services%20are%20not%20starting%20(I%20might%20be%20assuming%20that%20ECP%20is%20not%20running%20because%20of%20this%20but%20I%20did%20not%20ask%20this%20before)%3A%3C%2FP%3E%0A%3CP%3E%3CEM%3ETo%20fix%20this%20issue%2C%20use%20Services%20Manager%20to%20restore%20the%20startup%20type%20to%20Automatic%2C%20and%20then%20start%20the%20affected%20Exchange%20services%20manually.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EOr%20are%20you%20saying%20that%20all%20services%20are%20running%20and%20still%20ECP%20does%20not%20work%3F%20Did%20the%20update%20actually%20successfully%20install%20(after%20elevated%20installation)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186423%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186423%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20we%20are%20running%20exchange%202013%20CU4.%26nbsp%3B%20Can%20we%20do%20direct%20upgrade%20to%20CU%2023%3F%26nbsp%3B%20thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183642%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183642%22%20slang%3D%22en-US%22%3E%3CP%3EAll%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%26nbsp%3B%20getting%20while%20running%20the%20update%20for%20Exchange%20server%202016%20CU18%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Windows%20Installer%20looking%20for%20Insert%20the%20'Microsoft%20Exchange%20Server'%20disk%20and%20click%20OK%22.%20It's%20looking%20for%20MSEXCHANGSERVER.MSI%20file%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20idea%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180622%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180622%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F265098%22%20target%3D%22_blank%22%3E%40Keith-Work-711%3C%2FA%3E%20My%20best%20practice%20is%20to%20always%20restart%20the%20server%20before%20I%20apply%20updates.%20That%20way%20all%20file%20locks%20are%20removed%20and%20you%20know%20the%20server%20is%20coming%20up%20healthy%20(or%20not)%20before%20the%20updates%20are%20applied.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180628%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180628%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11042%22%20target%3D%22_blank%22%3E%40Susan%20Bradley%3C%2FA%3E%26nbsp%3Bwhile%20it's%20disappointing%20that%20updates%20for%20Exchange%20and%20potentially%20other%20products%20have%20this%20quirk%2C%20that's%20not%20what%20I'm%20really%20bothered%20by.%26nbsp%3B%20It's%20a%20known%20issue%2C%20so%20why%20isn't%20there%20a%20reference%20to%20how%20to%20resolve%20it%20if%20the%20problem%20is%20experienced%3F%26nbsp%3B%20I'm%20not%20trying%20to%20suggest%20the%20post%20should%20include%20in-depth%20resolutions%20to%20the%20potential%20issue(s)%2C%20but%20rather%2C%20a%20brief%20note%20such%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F65924%22%20target%3D%22_blank%22%3E%40Jeff%20Guillet%3C%2FA%3E%26nbsp%3Bsuggests%2C%20resetting%20the%20virtual%20directory%20(assuming%20that%20works)%20or%20a%20link%20to%20another%20post%20concerning%20recovering%20from%20that%20issue%20should%20it%20have%20occurred.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20looking%20to%20troubleshoot%20this%20here%2C%20so%20if%20Jeff's%20solution%20doesn't%20work%2C%20I'll%20be%20posting%20to%20other%20forums%20tomorrow.%26nbsp%3B%20Just%20frustrated%20that%20a%20known%20issue%20exists%20and%20Microsoft%2C%20while%20acknowledging%20it's%20a%20known%20issue%2C%20posts%20absolutely%20no%20information%20about%20recovering%20from%20it%20if%20it%20occurs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180752%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180752%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Efor%20OWA%3C%2FP%3E%3CP%3EPlease%20execute%20UpdateCas.ps1%20in%20Exchange%20Install%20Patch%3C%2FP%3E%3CP%3E%5CExchange%20Server%5CV15%5CBin%5CUpdateCas.ps1%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20ECP%3C%2FP%3E%3CP%3Ethe%20below%20link%20solve%20my%20problem%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fie%2Fen-US%2F44289975-878d-4f51-a73d-f38176ec714d%2Fowa-suddenly-displays-blank-page-after-logon-ecp-displays-stack-trace-could-not-load-file-or%3Fforum%3Dexchangesvrgeneral%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fie%2Fen-US%2F44289975-878d-4f51-a73d-f38176ec714d%2Fowa-suddenly-displays-blank-page-after-logon-ecp-displays-stack-trace-could-not-load-file-or%3Fforum%3Dexchangesvrgeneral%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180768%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180768%22%20slang%3D%22en-US%22%3E%3CP%3EPatched%20our%20test%20Exchange%202013%20CU%2023%20servers%2C%20no%20issues%20identified.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180266%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180266%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Article%20mentions%20updates%20are%20available%20for%20%22Exchange%20Server%202010%20(RU%2031%20for%20Service%20Pack%203%20%E2%80%93%20this%20is%20a%20Defense%20in%20Depth%20update)%22%20but%20I%20don't%20see%20a%20link%20to%20this%20update%20in%20the%20other%20attached%20articles%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%25C2%25A0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%25C2%25A0%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180857%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180857%22%20slang%3D%22en-US%22%3E%3CP%3EWindows%202016%20DC%2C%20Exchange%20Svr%202016%20CU17%26nbsp%3B%20and%20both%20servers%20are%20failing%20to%20install%20the%20KB5000871%20with%20%22The%20upgrade%20patch%20cannot%20be%20installed%20by%20the%20Windows%20Installer%20service%20because%20the%20program%20to%20be%20upgraded%20may%20be%20missing%2C%20or%20the%20upgrade%20patch%20may%20update%20a%20different%20version%20of%20the%20program.%26nbsp%3B%20Verify%20that%20the%20program%20to%20be%20upgraded%20exists%20on%20you%20computer%20and%20that%20you%20have%20the%20correct%20upgrade%20patch.%26nbsp%3B%20%26nbsp%3BI%20have%20done%20both.%26nbsp%3B%20I%20have%20downloaded%20it%20from%20the%20Catalog%20and%20the%20Download%20Center%20and%20no%20difference.%26nbsp%3B%20%26nbsp%3BAny%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180881%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180881%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Sraine%2C%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20will%20need%26nbsp%3BExchange%20Server%202016%20(CU%2019%2C%20CU%2018).%20It%26nbsp%3B%20looks%20you%20have%20Exchange%202016%20CU17.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181292%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181292%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20following%20article%20contains%20instructions%20for%20detecting%20whether%26nbsp%3B%3CSPAN%3ECVE-2021-26855%20exploitation%20has%20taken%20place%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3EImport-Csv%20-Path%20(Get-ChildItem%20-Recurse%20-Path%20%22%24env%3APROGRAMFILES%5CMicrosoft%5CExchange%20Server%5CV15%5CLogging%5CHttpProxy%22%20-Filter%20'*.log').FullName%20%7C%20Where-Object%20%7B%20%20%24_.AuthenticatedUser%20-eq%20%22%20-and%20%24_.AnchorMailbox%20-like%20'ServerInfo~*%2F*'%20%7D%20%7C%20select%20DateTime%2C%20AnchorMailbox%3C%2FPRE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%3C%2FA%3E%3C%2FP%3E%3CP%3EThe%20command%20is%20broken%20(it%20will%20never%20execute%20and%20generates%20a%20PowerShell%20continuation%20prompt%20(%26gt%3B%26gt%3B).%20This%20can%20be%20fixed%20by%20changing%20the%20double%20quote%20after%20%24_.AuthenticatedUser%20-eq%20%3CSTRONG%3E%22%3C%2FSTRONG%3E%20to%20two%20single%20quotes%20%3CSTRONG%3E''%3C%2FSTRONG%3E%20-%20please%20update%20the%20article%20ASAP!%3C%2FP%3E%3CPRE%3EImport-Csv%20-Path%20(Get-ChildItem%20-Recurse%20-Path%20%22%24env%3APROGRAMFILES%5CMicrosoft%5CExchange%20Server%5CV15%5CLogging%5CHttpProxy%22%20-Filter%20'*.log').FullName%20%7C%20Where-Object%20%7B%20%20%24_.AuthenticatedUser%20-eq%20''%20-and%20%24_.AnchorMailbox%20-like%20'ServerInfo~*%2F*'%20%7D%20%7C%20select%20DateTime%2C%20AnchorMailbox%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2202085%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2202085%22%20slang%3D%22en-US%22%3E%3CP%3EI%20run%20CompareExchangeHashes%20on%20three%20servers%20(2x2013%2C1x2019)%2C%20but%20script%20result%20have%20thousands%20rows%20with%20NoHashMatch.%20I%20do%20not%20understand%20why.%20One%20server%20not%20probed%2C%20one%20probed%20(only%20autodiscover%20test)%2C%20one%20probed%20and%20compromited%20with%20backdoor.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186428%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186428%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11565%22%20target%3D%22_blank%22%3E%40Ar%C5%ABnas%20Mal%C5%ABkas%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F987450%22%20target%3D%22_blank%22%3E%40Jan_Gross%3C%2FA%3E%26nbsp%3B-%20this%20is%20a%20cause%20for%20concern%3B%20this%20indicates%20that%20someone%20has%20tried%20to%20use%20the%20exploit.%20Not%20that%20they%20succeeded%2C%20but%20they%20tried.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181306%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181306%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F392293%22%20target%3D%22_blank%22%3E%40ChrisAtMaf%3C%2FA%3E%26nbsp%3BThank%20you%20-%20reported%20to%20that%20blog%20team...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181339%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181339%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20community%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20quick%20question%3A%20Is%20the%20Exchange%202016%20CU17%20affected%20by%20the%20release%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181385%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181385%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BNo%20worries.%20The%20command%20picked%20up%20what%20looked%20like%20two%20attempts%20to%20exploit%20our%20server%20this%20morning%2C%20so%20it's%20important%20people%20run%20it!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181386%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181386%22%20slang%3D%22en-US%22%3E%3CP%3EExchange%202016%2C%20and%20was%20on%20CU17....I%20tried%20to%20install%20straight%20to%20CU19%2C%20and%20get%20%22%3CSPAN%3EThe%20upgrade%20patch%20cannot%20be%20installed%20by%20the%20Windows%20Installer%20service%20because%20the%20program%20to%20be%20upgraded%20may%20be%20missing%2C%20or%20the%20upgrade%20patch%20may%20update%20a%20different%20version%20of%20the%20program.%26nbsp%3B%20Verify%20that%20the%20program%20to%20be%20upgraded%20exists%20on%20you%20computer%20and%20that%20you%20have%20the%20correct%20upgrade%20patch%3C%2FSPAN%3E%22%3C%2FP%3E%3CP%3EInstalled%20CU18%20just%20fine...and%20I%20thought%20the%20rollups%20were%20cumulative%20anyhow%2C%20hence%20why%20I%20tried%20to%20go%20straight%20the%20CU19.%26nbsp%3B%20So%2C%20I%20am%20not%20on%20CU18%2C%20and%20cannot%20get%20to%20CU19....what%20is%20%22missing%22%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181477%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181477%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20Exchange%20redirecting%20to%20ADFS%20for%20user%20authentication.%20Can%20this%20vulnerability%20still%20be%20exploited%20in%20this%20configuration%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Mar 19 2021 01:44 PM
Updated by: