Released: March 2021 Exchange Server Security Updates

Published Mar 02 2021 01:08 PM 812K Views

Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Security updates are available for the following specific versions of Exchange:

IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (see Known Issues in update KB articles)

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

For more information, please see the Microsoft Security Response Center (MSRC) blog.

For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers. There is a scripted version of this check available on GitHub here.

 

Mitigations, investigation and remediation:

Are there any mitigations I can implement right now?

MSRC team has released a One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT). The MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 can help understand individual mitigation actions. A stand-alone ExchangeMitigations.ps1 script is also available.

How can I tell if my servers have already been compromised?

Information on Indicators of Compromise (IOCs) – such as what to search for, and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers. There is a scripted version of this available on GitHub here.

More information about investigations

To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE. CSV format and JSON format are available. 

What about remediation?

MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 to include information about Microsoft Support Emergency Response Tool (MSERT) having been updated to scan Microsoft Exchange Server. Please download a new copy of MSERT often, as updates are made in the tool regularly! Please also see MSRC Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.

 

Installing and troubleshooting updates:

Does installing the March Security Updates require my servers to be up to date?

Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running older Exchange Server cumulative or rollup update, we recommend to install a currently supported RU/CU before you install the security updates. If you are unable to get updated quickly, please see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.

How can I get an inventory of the update-level status of my on-premises Exchange servers?

You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

Which of my servers should I update first?

Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.

Will the installation of the Security Updates take as long as installing an RU/CU?

Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.

My organization needs to 'get current' first... we need to apply a Cumulative Update. Any tips for us?

Please see the Upgrade Exchange to the latest Cumulative Update article for best practices when installing Exchange Cumulative Updates. To ensure the easiest upgrade experience (and because in many organizations Exchange and Active Directory roles are separate) you might wish to run /PrepareAD (in the Active Directory site that Exchange is a member of) before running the actual CU Setup. You can use this document as a guide to understand what you might have to do.

Errors during or after Security Update installation! Help!

It is extremely important to read the Known Issues section in the Security Update KB article (here and here depending on the version). If installing the update manually, you must run the update from the elevated command prompt. If you are seeing unexpected behavior, check the article addressing troubleshooting failed installations of Exchange security updates (we will keep updating this article).

 

Additional Q&A:

Are there any other resources that you can recommend?

Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.

My organization is in Hybrid with Exchange Online. Do I need to do anything?

While those security updates do not apply to Exchange Online / Office 365, you need to apply those Security Updates to your on-premises Exchange Server, even if it is used for management purposes only. You do not need to re-run HCW if you are using it.

Do we need to install those updates on Management Tools only workstations or servers?

Machines with Management Tools only are not impacted (there are no Exchange services installed) and do not require installation of March SUs. Please note that a 'management server' which many of our Hybrid customers have (which is an Exchange server kept on premises to be able to run Exchange management tasks) is different. For Hybrid, please see the Hybrid question above.

The last Exchange 2016 and Exchange 2019 CU’s were released in December of 2020. Are new CU’s releasing in March 2021?

EDIT: Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 are now released and those CUs contain the Security Updates mentioned here (along with other fixes). Customers who have installed SUs for older E2016/2019 CUs can simply update to new CUs and will stay protected.

Are Exchange Server 2003 and Exchange Server 2007 vulnerable to March 2021 Exchange server security vulnerabilities?

No. After performing code reviews, we can state that the code involved in the attack chain to begin (CVE-2021-26855) was not in the product before Exchange Server 2013. Exchange 2007 includes the UM service, but it doesn’t include the code that made Exchange Server 2010 vulnerable. Exchange 2003 does not include the UM service.

 

Major updates to this post:

The Exchange Team

293 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-2179885%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179885%22%20slang%3D%22en-US%22%3E%3CP%3EWhere%20are%20the%20updates...%3F%20I%20don't%20see%20any%20download%20links%20here%20or%20in%20any%20related%20articles%2C%20there's%20nothing%20available%20with%20an%20update%20check%20on%20servers%2C%20and%20nothing%20new%20in%20the%20Update%20Catalog%20for%20Exchange%20since%20February.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179909%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179909%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(Sorry%20for%20double%20post%20since%20we%20can't%20edit%2Fdelete%20here%2C%20but%20wanted%20this%20out%20there%20for%20others)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179941%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179941%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E.%26nbsp%3B%20All%20download%20links%20are%20in%20the%20MSRC%20blog%20post%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179944%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179944%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F575%22%20target%3D%22_blank%22%3E%40Scott%20Schnoll%3C%2FA%3E%26nbsp%3BThanks!%20Those%20links%20were%20non-functioning%20a%20short%20while%20ago%20but%20now%20work.%20Seems%20to%20have%20been%20the%20shuffle%20of%20taking%20things%20live%20ASAP.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180198%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180198%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQuestions%3A%3C%2FP%3E%3CP%3E1-%20Does%20anybody%20installed%20this%20patch%3F%3C%2FP%3E%3CP%3E2-%20Is%20it%20necessary%20to%20put%20the%20Exchange%20in%20Maintenance%20mode%20and%26nbsp%3B%20restart%20the%20server%20after%20apply%20the%20patch%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180246%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180246%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E%26nbsp%3Bgreat%20to%20hear!%20That's%20how%20it%20should%20be.%20And%20yes%2C%20security%20updates%20should%20prompt%20for%20reboot.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180254%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180254%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20information.%20If%20you%20have%20any%20new%20updates%20about%20your%20installation%20process%2C%20please%20share%20with%20us.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180386%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180386%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20these%20vulnerabilities%20exists%20in%20Exchange%202016%20CU%2016%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180392%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180392%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984326%22%20target%3D%22_blank%22%3E%40pquan%3C%2FA%3E%26nbsp%3BYes%2C%20but%20you%20need%20to%20roll%20forward%20to%20apply%20the%20updates.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180612%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180612%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20my%20deepest%20respects%2C%20but%20Exchange%20has%20always%20needed%20patching%20like%20this%2C%20this%20isn't%20new.%26nbsp%3B%20I've%20always%20had%20to%20apply%20Exchange%20updates%20like%20this.%26nbsp%3B%20This%20isn't%20the%20first%20security%20update%20for%20Exchange%2C%20just%20the%20first%20zero%20day%20in%20the%20news%20in%20a%20long%20time.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180674%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180674%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BSorry%20if%20I'm%20coming%20across%20a%20little%20harsh.%26nbsp%3B%20As%20I%20read%20the%20post%2C%20it%20was%20not%20clear%20to%20me%20that%20the%20cause%20of%20the%20ECP%20or%20OWA%20not%20working%20would%20be%20stopped%20services.%26nbsp%3B%20I%20took%20the%20note%20below%20the%20install%20workaround%20instructions%20to%20be%20a%20possible%20side%20effect%20as%20I've%20seen%20that%20in%20the%20past%2C%20regardless%20of%20how%20the%20update%20was%20applied.%26nbsp%3B%20As%20the%20post%20says%20the%20issue%20occurs%20because%20some%20services%20aren't%20properly%20stopped%2C%20I%20thought%20that%20would%20likely%20mean%20some%20files%20wouldn't%20be%20appropriately%20updated%2Fsettings%20applied%20and%2C%20as%20such%2C%20the%20services%20break.%26nbsp%3B%20I%20would%20THINK%20a%20re-install%20of%20the%20patch%20(the%20second%20successful%20install%20I%20did%20of%20it)%20would%20resolve%20the%20issues.%26nbsp%3B%20Unfortunately%2C%20that%20has%20not%20been%20the%20case.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20OWA%20works%2C%20but%20ECP%20is%20broken.%26nbsp%3B%20All%20services%20appeared%20to%20start%20properly%20(except%20POP%2FIMAP%20but%20we%20don't%20use%20them%20anyway).%26nbsp%3B%20Attempting%20to%20access%20ECP%20provides%20login%2C%20then%20redirects%20to%20a%20bad%20URL%20(%3CA%20href%3D%22http%3A%2F%2Flocalhost%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Flocalhost%2F%3C%2FA%3E%3CSTRONG%3Eowa%2Fecp%3C%2FSTRONG%3E)%20which%20returns%20an%20unhelpful%20error%2C%26nbsp%3B%3CSTRONG%3EBad%20Request%3C%2FSTRONG%3E.%26nbsp%3B%20I%20expect%20it%20to%20redirect%20to%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20since%20found%20it%20I%20go%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flocalhost%2Fecp%2F%3FExchClientVer%3D15%3C%2FA%3E%26nbsp%3Bdirectly%2C%20everything%20works.%26nbsp%3B%20Seems%20it's%20just%20the%20handoff%20from%20the%20login%20to%20the%20admin%20center%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerhaps%20it's%20just%20bad%20timing%20and%20something%20else%20is%20wrong%20not%20related%20to%20the%20patch.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180705%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180705%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3BNot%20a%20problem%20whatsoever%3B%20it%20sucks%20when%20things%20go%20wrong.%20It's%20great%20that%20you%20were%20able%20to%20figure%20that%20out!%20I%20have%20to%20admit%20that%20I%20do%20not%20know%20for%20sure%20what%20is%20up%20with%20this%20but%20at%20least%20it%20is%20not%20a%20real%20fire%20for%20you%20right%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180057%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180057%22%20slang%3D%22en-US%22%3E%3CP%3EDirect%20link%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181634%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181634%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F933284%22%20target%3D%22_blank%22%3E%40baskleian%3C%2FA%3E%26nbsp%3BThat%20is%20not%20correct%3B%20ALL%20versions%20are%20affected.%20Only%20CU18%20and%2019%20for%20E2016%20can%20apply%20the%20security%20update.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181659%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181659%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20Our%20Exchange%20servers%20are%20on%20Exchange%202016%20CU19.%26nbsp%3B%20The%20February%20Security%20Updates%20for%20CU19%20were%20not%20installed.%26nbsp%3B%20Does%20this%20security%20update%20need%20to%20be%20installed%20before%20the%20March%202%20Security%20Update%3F%20or%20are%20they%20included%20in%20the%20March%202%20update%20as%20well%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181790%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181790%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985034%22%20target%3D%22_blank%22%3E%40Ma-Po%3C%2FA%3E%26nbsp%3BWhile%20customers%20might%20use%20various%20products%20that%20partially%20mitigate%20the%20original%20attack%20vector%20in%20their%20environment%2C%20it%20is%20important%20to%20understand%20that%20the%20details%20of%20vulnerabilities%20are%20now%20public.%20In%20addition%20to%20the%20fact%20that%20we%20cannot%20speak%20to%20exact%20combination%20of%203rd%20party%20product%20that%20might%20or%20might%20not%20mitigate%20some%20of%20those%20vulnerabilities%2C%20administrators%20should%20realize%20that%20%3CSTRONG%3EExchange%20is%20still%20vulnerable%20if%20not%20updated%3C%2FSTRONG%3E%2C%20and%20different%20attack%20vectors%20could%20exist.%20Our%20strong%20recommendation%20is%20to%20update%20the%20servers%20immediately.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181833%22%20slang%3D%22es-ES%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181833%22%20slang%3D%22es-ES%22%3E%3CP%3EDo%20these%20vulnerabilities%20affect%20servers%20with%20a%20perimeter%20transport%20role%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181871%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181871%22%20slang%3D%22en-US%22%3E%3CP%3EHI%20Guys%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUnfortunately%20I%20have%20updated%20our%20Q%20environment%20with%20non%26nbsp%3B%3CEM%3Eelevated%20command%3C%2FEM%3E%3CSPAN%3E%26nbsp%3Bline%20and%20after%20the%20update%20the%20ECP%20is%20stopped%20working.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20am%20getting%20the%20following%20error%20message%3A%3C%2FP%3E%3CP%3E%22%3C%2FP%3E%3CP%3EServer%20Error%20in%20'%2Fecp'%20Application.%3C%2FP%3E%3CP%3ERuntime%20Error%3CBR%20%2F%3EDescription%3A%20An%20exception%20occurred%20while%20processing%20your%20request.%20Additionally%2C%20another%20exception%20occurred%20while%20executing%20the%20custom%20error%20page%20for%20the%20first%20exception.%20The%20request%20has%20been%20terminated.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20you%20please%20help%20me%20with%20a%20workaround.%20I%20have%20tried%20to%20rebuild%20the%20ECP%20Virtual%20Directories%2C%20but%20have%20the%20same%20issue.%20Should%20I%20install%20again%20the%20security%20patch%20now%20with%20elevated%20command%20line%3F%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20help!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181885%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181885%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985185%22%20target%3D%22_blank%22%3E%40HYper83%3C%2FA%3E%26nbsp%3BPlease%20see%20the%20%22Known%20issues%22%20section%20on%20the%20update%20KB%20(this%20should%20not%20be%20a%20problem%20if%20update%20is%20installed%20from%20Microsoft%20Update)%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDescription%20of%20the%20security%20update%20for%20Microsoft%20Exchange%20Server%202019%2C%202016%2C%20and%202013%3A%20March%202%2C%202021%20(KB5000871)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181912%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181912%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F566588%22%20target%3D%22_blank%22%3E%40ANAND_SUNKA%3C%2FA%3E%26nbsp%3BThere%20are%20no%20schema%20changes%20between%20CU15%20and%20CU18%20as%20per%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FExchange%2Fplan-and-deploy%2Factive-directory%2Fad-schema-changes%3Fview%3Dexchserver-2016%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%3C%2FA%3E.%20You%20do%20not%20need%20to%20re-run%20HCW%2C%20no.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182197%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182197%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20two%20exchange%202013%20cu%2023%2C%20diferent%20client%2C%20update%20failed%20and%20now%20exchange%20do%20not%20start.%20Trying%20reinstall%20cu23%2C%20setup%20failed%20with%20error.%20Exchange%202013%20standard%20on%20Windows%20Server%202012%20r2%20cz.%20please%20help%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182466%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182466%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985464%22%20target%3D%22_blank%22%3E%40DStragand%3C%2FA%3E%26nbsp%3BWe%20have%20no%20information%20one%20way%20or%20the%20other.%20Please%20get%20them%20off%20Exchange%202003.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F71901%22%20target%3D%22_blank%22%3E%40Bhavesh%20Shah%3C%2FA%3E%26nbsp%3BThere%20is%20only%20one%20update%20package%20which%20will%20install%20it%20all%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182711%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182711%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20will%20CU20%20for%20Exchange%202016%20be%20released%20in%20March%3F%3C%2FP%3E%3CP%3EIs%20it%20on%20patch%20Tuesday%2C%20March%209th%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182781%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182781%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20know%20like%20csummers83%20also%20asked%20if%20the%20script%3C%2FP%3E%3CPRE%3EImport-Csv%20-Path%20...%3C%2FPRE%3E%3CP%3Egives%20results%20for%20port%20444%2C%20does%20it%20mean%20something%20could%20have%20been%20taken%20or%20was%20just%20tried%3F%3C%2FP%3E%3CP%3EPort%20444%20on%20Exchange%202013%20is%20the%20Exchange%20Back%20end%20port%20and%20is%20not%20open%20to%20internet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2182927%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2182927%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20There%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20able%20to%20successfully%20apply%20the%20patch%20for%20Exchange%202010%20on%20a%202008R2%20server.%20However%20after%20the%20multiple%20reboots%20to%20apply%20the%20config%2Fupdates%20it%20then%20failed%20and%20proceeded%20to%20rollback%20the%20changes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHas%20anyone%20else%20experienced%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183000%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183000%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193019%22%20target%3D%22_blank%22%3E%40Jon%20Skelton%3C%2FA%3E%26nbsp%3BThat's%20the%20plan%20but%20it%20is%20not%20set%20in%20stone%3B%20you%20should%20NOT%20WAIT%20for%20next%20set%20of%20CUs!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183140%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183140%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3EI%20wrote%20an%20article%20with%20important%20things%20to%20know%2C%20best%20practices%2C%20and%20helpful%20tips%20for%20deployment%20here.%3C%2FP%3E%0A%3CP%20class%3D%22_1qeIAgB0cPwnLhDF9XSiJM%22%3E%3CA%20class%3D%22_3t5uN8xUmg0TOwRCOGQEcU%22%20href%3D%22https%3A%2F%2Fblog.expta.com%2F2021%2F03%2Furgent-patch-your-exchange-servers-now.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20ugc%20noreferrer%22%3Ehttps%3A%2F%2Fblog.expta.com%2F2021%2F03%2Furgent-patch-your-exchange-servers-now.html%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183194%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183194%22%20slang%3D%22en-US%22%3E%3CP%3EI%20tried%20to%20install%20this%20patch%20on%20an%20Exchange%202016%20server%20running%20on%20Windows%20Server%202016%20and%20it%20failed%20catastrophically.%20I%20first%20updated%20to%20the%20latest%20CU%2C%20restarted%20the%20server%2C%20and%20tested%20to%20confirm%20everything%20was%20working.%20Then%20I%20tried%20to%20manually%20run%20the%26nbsp%3BKB5000871%20installer.%20It%20kept%20giving%20errors%20about%20processes%20related%20to%20Windows%20services%20that%20needed%20to%20be%20killed.%20I%20killed%20them%20and%20clicked%20%22Retry%22%20to%20continue%20the%20update%20but%20the%20update%20would%20start%20over%20and%20then%20come%20up%20with%20the%20same%20error%20because%20the%20services%20were%20being%20triggered%20to%20start%20by%20something%20in%20the%20OS.%20I%20disabled%20the%20services%20so%20they%20couldn't%20run%20and%20installed%20the%20update.%20After%20that%2C%20the%20Exchange%20server%20was%20hosed.%20Luckily%2C%20it's%20a%20VM%20and%20I%20had%20taken%20a%20checkpoint%20right%20before%20installing%26nbsp%3BKB5000871.%20I%20tried%20removing%26nbsp%3BKB5000871%2C%20restarting%2C%20and%20having%20Windows%20update%20check%20for%20updates%20but%20it%20didn't%20find%26nbsp%3BKB5000871%20as%20an%20available%20update.%20Now%20I've%20got%20a%20client%20who%20is%20scared%20to%20death%20that%20their%20server%20is%20going%20to%20be%20compromised%20and%20I%20have%20to%20tell%20them%20I%20can't%20get%20the%20update%20installed%20because%20it%20seems%20that%20no%20matter%20what%20you%20do%2C%20it%20won't%20install%20properly%20if%20you%20try%20to%20manually%20run%20the%20patch.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183212%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183212%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20also%20curious%20about%20if%20the%20%22import-csv%20-path%20(get...%22%20PowerShell%20command%20finds%20'444'%20entries.%20Example%3A%26nbsp%3B%20SeverInfo~a%5D%40server%20FQDN%3A444...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20getting%20an%20out%20of%20memory%20error%20before%20the%20script%20finishes%20reading%20all%20log%20files.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInsufficient%20memory%20to%20continue%20the%20execution%20of%20the%20program.%3CBR%20%2F%3EAt%20line%3A1%20char%3A1%3CBR%20%2F%3E%2B%20Import-Csv%20-Path%20(Get-ChildItem%20-Recurse%20-Path%20%22E%3A%5CProgram%20Files%5CMicrosoft%5CExcha%20...%3CBR%20%2F%3E%2B%20~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%2B%20CategoryInfo%20%3A%20OperationStopped%3A%20(%3A)%20%5B%5D%2C%20OutOfMemoryException%3CBR%20%2F%3E%2B%20FullyQualifiedErrorId%20%3A%20System.OutOfMemoryException%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183275%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183275%22%20slang%3D%22en-US%22%3E%3CP%3EGoing%20from%202013%20CU9%20to%20CU23%20then%20applying%20the%20patch.%26nbsp%3B%20I%20have%20the%20.net%204.7.2%20and%20the%20Microsoft%20Visual%20C%2B%2B%202013%20Redistributable%20(x64)%20ready%20to%20install.%3C%2FP%3E%3CP%3E2%20Node%20DAG%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BAny%20gotcha's%20for%20this%3F%20Looks%20like%20I%20don't%20need%20to%20extend%20Schema%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183323%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183323%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985820%22%20target%3D%22_blank%22%3E%40RonanD560%3C%2FA%3E%26nbsp%3BSchema%20updates%20no%20but%20note%20the%20CU%2022%20change%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fexchange-2013-active-directory-schema-changes-exchange-2013-help%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20Also%20make%20sure%20that%20if%20you%20are%20not%20installing%20updates%20from%20Microsoft%20Update%20to%20follow%20the%20Known%20Issues%20from%20the%20update%20KB%20article%20and%20run%20the%20installer%20from%20elevated%20CMD%20prompt.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183328%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183328%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F985285%22%20target%3D%22_blank%22%3E%40csummers93%3C%2FA%3E%26nbsp%3BSafe%20to%20ignore.%20On%20a%20heavily%20used%20Exchange%20Server%2C%20some%20of%20the%20log%20files%20are%20groomed%20(deleted)%20before%20they%20are%20processed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183679%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183679%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F420097%22%20target%3D%22_blank%22%3E%40MI_IS1%3C%2FA%3E%26nbsp%3B.NET%20Framework%20installs%20and%20updates%20can%20peg%20your%20CPU%20and%20make%20installation%20go%20really%20slow%20for%20up%20to%20an%20hour.%20See%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fblog.expta.com%2F2021%2F03%2Furgent-patch-your-exchange-servers-now.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EURGENT%3A%20Patch%20your%20Exchange%20Servers%20NOW!%20%7C%20The%20EXPTA%20%7Bblog%7D%3C%2FA%3E%26nbsp%3Bfor%20tips.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183732%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183732%22%20slang%3D%22en-US%22%3E%3CP%3ENever%20mind%20my%20post.%20It%20was%20CarbonBlack%20causing%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184489%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184489%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F933284%22%20target%3D%22_blank%22%3E%40baskleian%3C%2FA%3E%20-%20run%20%3CFONT%20color%3D%22%23000000%22%3E%3CSPAN%3ED%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5CBin%5CUpdateCas.ps1%20(Since%20your%20Exchange%20is%20installed%20on%20the%20D%3A%3C%2Fimg%3E%20drive)%20and%20then%20Change%20the%20value%20in%20BinSearchFolders%20to%20D%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5Cbin%3BD%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5Cbin%5CCmdletExtensionAgents%3BD%3A%5CProgram%20Files%5CMicrosoft%5CExchange%20Server%5CV15%5CClientAccess%5COwa%5Cbin%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23000000%22%3E%3CSPAN%3EIt%20is%20a%20known%20issue%20when%20you%20double%20click%20the%20patch%20to%20launch%20instead%20of%20launching%20it%20from%20an%20elevated%20command%20prompt.%20(I%20did%20the%20same%20thing%20on%20the%20first%20exchange%20server%20I%20patched%20yesterday)%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184521%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184521%22%20slang%3D%22en-US%22%3E%3CP%3EOur%20current%20server%20is%20Exchange%20server%202016%20CU%2015%20%2C%20is%20this%20vulnerbale%20to%20the%20zero%20day%20attack%20%3F%20what%20will%20be%20the%20best%20option%20upadte%20all%20CU%20's%20to%20the%20latest%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184527%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184527%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986441%22%20target%3D%22_blank%22%3E%40RaviVamadeva%3C%2FA%3E%3A%20Yes%2C%20its%20vulnerable%20but%20the%20patch%20is%20not%20available.%20You%20will%20need%20to%20update%20to%20CU18%20or%20CU19%20before%20you%20can%20patch.%20I%20would%20recommend%20upgrading%20to%20CU19%20and%20then%20patching.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184538%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184538%22%20slang%3D%22en-US%22%3E%3CP%3Ethanks%20a%20lot%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986053%22%20target%3D%22_blank%22%3E%40GeekSpaz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184893%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184893%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20updated%20our%20servers%2C%20without%20any%20noticeable%20issues%2C%20but%20none%20of%20them%20show%20any%20change%20in%20build%20number.%20All%20of%20them%20still%20show%20the%20build%20number%20of%20Exchange%20Server%202016%20CU19.%20Is%20this%20expected%20behavior%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2184896%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2184896%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986633%22%20target%3D%22_blank%22%3E%40to_vaib%3C%2FA%3E%3A%20My%20apologies%20-%20I%20do%20see%20that%20you%20said%20that.%20We%20did%20our%20CU23%20updates%20back%20in%20November%20so%20I%20don't%20remember%20it%20very%20clearly.%20However%2C%20I%20did%20find%20the%20steps%20we%20went%20by%3A%3C%2FP%3E%3CP%3EInstall%20procedure%3C%2FP%3E%3CUL%3E%3CLI%3EExtract%20the%20exchange%20media%20and%20run%20the%20following%20Prerequisites%3A%3C%2FLI%3E%3CUL%3E%3CLI%3ERun%20%3CSTRONG%3Esetup.exe%20%2FPrepareSchema%20%2FIAcceptExchangeServerLicenseTerms%3C%2FSTRONG%3E%20(requires%20Enterprise%20Admins%20and%20Schema%20Admins%20permissions%2C%20and%20must%20be%20performed%20in%20the%20same%20AD%20Site%20as%20the%20Schema%20Master%20on%20a%20server%20with%20the%20RSAT-ADDS-Tools%20feature%20installed%20%E2%80%93%20the%20Schema%20Master%20itself%20would%20meet%20these%20requirements)%3C%2FLI%3E%3CLI%3ERun%20%3CSTRONG%3Esetup.exe%20%2FPrepareAD%20%2FIAcceptExchangeServerLicenseTerms%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3ERun%20%3CSTRONG%3Esetup.exe%20%2FPrepareDomain%20%2FIAcceptExchangeServerLicenseTerms%3C%2FSTRONG%3E%20in%20each%20domain%20in%20your%20forest%20that%20contains%20Exchange%20servers%20or%20mailboxes%3C%2FLI%3E%3C%2FUL%3E%3CLI%3EInstall%20the%20following%3A%3C%2FLI%3E%3CUL%3E%3CLI%3E.net%26nbsp%3B%204.7.2%3C%2FLI%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdotnet.microsoft.com%2Fdownload%2Fdotnet-framework%2Fnet472%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdotnet.microsoft.com%2Fdownload%2Fdotnet-framework%2Fnet472%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CLI%3EVisual%20C%2B%2B%20Redistributable%20Packages%20for%20Visual%20Studio%202013%3C%2FLI%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D40784%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D40784%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CLI%3EMicrosoft%20Exchange%20Server%202013%20Cumulative%20Update%2023%3A%3C%2FLI%3E%3CUL%3E%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D58392%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D58392%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FUL%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2185036%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2185036%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3B%2C%20in%20our%20case%20on%20Exchange%202010%20the%20admin%20didn't%20elevate%20the%20command%20prompt%20on%20the%20first%20attempt%20and%20we%20had%20all%20sorts%20of%20issues%20with%20OWA.%26nbsp%3B%20After%20uninstalling%20the%20rollup%20we%20had%20to%20reinstall%20the%20prior%20rollup%20to%20get%20everything%20back%20to%20working%20the%20way%20it%20was%20before.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2185261%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2185261%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20for%20All%3C%2FP%3E%3CP%3EWe%20have%20applied%20what%20the%20Microsoft%20specialists%20recommend%20to%20install%20this%20patch%20ASAP%20and%20%22immediately%22.%20That's%20OK.%3C%2FP%3E%3CP%3EWe%20have%20applied%20the%20patch%20on%20servers%202012%20exchange%202013%20DAGs%20and%20CAS%20CU23%20successfully%20without%20issues.%20%22ofcourse%20we%20found%20the%20exchange%20services%20were%20disabled%22%20we%20enabled%20them%2C%20all%20is%20ok%20except%20OWA%20and%20ECP.%20unfortunately%2C%20untill%20writing%20this%20post%20and%20only%20500%20error%20and%20we%20cannot%20find%20the%20right%20solution%20to%20retrieve%20these%20service%20back.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20the%20specialists%20who%20strongly%26nbsp%3B%20recommend%20to%20install%20this%20patch%20immediately%2C%20Please%2C%20support%20us%20by%20clear%20steps%20how%20can%20we%20fix%20it!!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186435%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186435%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F987501%22%20target%3D%22_blank%22%3E%40itsupport-bhms%3C%2FA%3E%26nbsp%3BAs%20far%20as%20Exchange%20is%20concerned%2C%20yes%20you%20can%20go%20from%20CU4%20to%20CU23.%20You%20will%20have%20to%20do%20prep%2C%20though%3A%20you%20will%20need%20to%20extend%20the%20schema%2C%20run%20%2Fadprep.%20You%20will%20likely%20need%20to%20update%20.NET%20framework%20and%20possibly%20some%20other%20dependencies.%20Please%20run%20the%20Health%20Checker%20script%2C%20it%20will%20give%20you%20an%20idea.%20PLEASE%20make%20sure%20that%20you%20are%20running%20updates%20from%20elevated%20CMD%20prompt%20(especially%20security%20updates)%20-%20as%20best%20practices%20for%20installing%20Exchange%20updates%20say%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FExchange%2Fplan-and-deploy%2Finstall-cumulative-updates%3Fview%3Dexchserver-2019%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUpgrade%20Exchange%20to%20the%20latest%20Cumulative%20Update%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186451%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186451%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20following%20note%20on%20the%20update%20site%20is%20incorrect.%20The%20issue%20with%20the%20ECP%2FOWA%20not%20working%20when%20the%20update%20is%20installed%20with%20Microsoft%20Update%20is%20incorrect.%20It%20broke%20the%20OWA%2FECP%20for%20both%20our%20Exchange%202013%20servers%20as%20well%20as%20our%20Exchange%202019%20Servers.%20We%20had%20to%20manually%20uninstall%20the%26nbsp%3BKB5000871%20and%20reinstall%20with%20the%20elevated%20command%20prompt%20to%20get%20the%20OWA%2FECP%20working%20once%20more.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3ENote%3A%26nbsp%3B%3C%2FSTRONG%3E%3CSPAN%3EThis%20issue%20does%20not%20occur%20if%20you%20install%20the%20update%20through%20Microsoft%20Update.%26nbsp%3B%20-%20Installing%20through%20microsoft%20update%20did%20indeed%20cause%20the%20issue%20in%20our%20case.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180244%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180244%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438789%22%20target%3D%22_blank%22%3E%40Elvecio_M%3C%2FA%3E%26nbsp%3BI've%20halfway%20through%20my%20servers%2C%20no%20issues%20thus%20far.%20Exchange%20security%20updates%20temporarily%20stop%20and%20disable%20all%20Exchange%20services%2C%20so%20definitely%20maintenance%20beforehand.%20All%20but%20one%20server%20I've%20updated%20wanted%20a%20reboot%2C%20and%20I%20rebooted%20that%20one%20anyway.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2191698%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2191698%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BThanks%20Nino.%20I%20saw%20that%20and%20just%20ran%20it%20this%20morning.%20Came%20back%20clean.%20So%20I%20feel%20based%20on%20the%20information%20we%20have%20up%20to%20this%20point%20we%20were%20very%20lucky.%20Do%20you%20think%20it%20can%20be%20said%20with%20reasonable%20confidence%20that%20if%20all%20you%20found%20were%20Autodiscover%20log%20entries%20and%20MSERT%20did%20not%20find%20anything%2C%20that%20there%20is%20a%20high%20likelihood%20you%20were%20just%20probed%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20have%20a%20question%20I%20hope%20someone%20can%20answer%3A%20the%20autodiscover%20entries%20correspond%20to%20a%20POST%20in%20the%20IIS%20logs%20to%20%2Fecp%2Fy.js.%20This%20file%20doesn't%20exist%20on%20the%20server%20and%20I%20haven't%20been%20able%20to%20find%20a%20good%20explanation%20of%20what%20is%20going%20on%20here%20in%20the%20attack.%20Is%20the%20POST%20request%20sent%20to%20this%20file%20what%20contains%20the%20commands%20to%20perform%20authentication%20bypass%3F%20Or%20is%20it%20what%20is%20performing%20the%20autodiscover%20request%3F%20Is%20it%20even%20a%20real%20file%3F%20Does%20it%20matter%20if%20it%20doesn't%20actually%20exist%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20I%20don't%20understand%20how%20this%20works.%20If%20anyone%20could%20shed%20some%20light%20please!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2191763%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2191763%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20seeing%20HTTP%20status%20code%20241%20in%20IIS%20logs%20taken%20from%20compromised%20Exchange%20servers%20-%20is%20this%20something%20that%20anyone%20else%20has%20noticed%20or%20is%20there%20someone%20at%20Microsoft%20who%20can%20collaborate%20this%20unusual%20code%20appearing%20in%20logs%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190193%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190193%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F98445%22%20target%3D%22_blank%22%3E%40Brent%20Berwick%3C%2FA%3E%26nbsp%3BThose%20particular%20Autodiscover%20entries%20mean%20that%20the%20machine%20was%20'probed'%2C%20yes.%20I%20hesitate%20to%20make%20a%20statement%20of%20the%20state%20of%20the%20machine%20because%20all%20of%20the%20logs%20should%20be%20reviewed%2C%20but%20we%20have%20seen%20quite%20a%20few%20cases%20where%20this%20was%20the%20only%20thing%20on%20the%20machine%20and%20no%20other%20evidence%20of%20compromise%20was%20found.%20Please%20make%20sure%20the%20rest%20of%20results%20are%20clean%20and%20that%20the%20machine%20is%20updated!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180282%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180282%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20is%20meant%20by%20%22defense%20in%20depth%22%20for%20the%202010%20patch%20since%20it%20is%20clear%20the%20issues%20have%20not%20been%20fully%20patched%20since%20there%20are%20other%20patches%20for%202013%2C%202016%20and%202019%3F%26nbsp%3B%20Am%20I%20save%20to%20assume%20only%20one%20part%20of%20the%20attack%20chain%20has%20been%20mitigated%3F%26nbsp%3B%26nbsp%3BWe%20have%20been%20struggling%20to%20get%20hybrid%20mode%20working%20to%20move%20off%202010%20to%20Exchange%20Online%20since%20last%20year.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180283%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180283%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F361918%22%20target%3D%22_blank%22%3E%40Tim_Aylett%3C%2FA%3E%26nbsp%3BThe%20KB%20article%20for%20Exchange%202010%20is%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fprod.support.services.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%3Fpreview%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDescription%20of%20the%20security%20update%20for%20Microsoft%20Exchange%20Server%202010%20Service%20Pack%203%3A%20March%202%2C%202021%20(KB5000978)%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190316%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190316%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20those%20who%20installed%26nbsp%3BKB5000871%2C%20after%20reboot%20server%2C%20the%20Exchange%20Management%20Shell%20and%20ECP%20not%20working%20anymore.%20In%20eventlog%2C%3C%2FP%3E%3CP%3EEvent%20ID%2015021%2C%20HTTPEvent%20%E2%80%9Cerror%20occurred%20while%20using%20SSL%20configuration%20for%20endpoint%200.0.0.0%3A444%E2%80%B3%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20refer%20this%20link%20to%20fix%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.stormbreaker.tech%2F%3Fp%3D173%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.stormbreaker.tech%2F%3Fp%3D173%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180287%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180287%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F931060%22%20target%3D%22_blank%22%3E%40EddieRowe%3C%2FA%3E%26nbsp%3BExchange%202010%20is%20not%20vulnerable%20to%20the%20same%20attack%20chain%20as%20Exchange%202013%2F2016%2F2019%2C%20but%20there%20is%20a%20vulnerability%20that%20we%20have%20addressed%20for%20Exchange%202010%20and%20our%20recommendation%20is%20to%20install%20the%20update.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180361%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180361%22%20slang%3D%22en-US%22%3E%3CP%3EI%E2%80%99m%20applying%20the%20updates%20to%20all%20my%20servers%20(2010%2F2013%2F2016%2F2019).%20The%20updates%20install%20OK%2C%20but%20it%20doesn%E2%80%99t%20ask%20for%20a%20restart.%20Is%20one%20required%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190353%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190353%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20help%20and%20update%20the%20post%20by%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986962%22%20target%3D%22_blank%22%3E%40Atout76%3C%2FA%3E%26nbsp%3B%20OWA%20and%20ECP%20ERRORS%20after%20the%20update%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fclient-connectivity%2Fowa-stops-working-after-update%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Ftroubleshoot%2Fclient-connectivity%2Fowa-stops-working-after-update%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2192309%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192309%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20prepare%20to%20release%20an%20update%20for%20CU%2016%20in%20the%20future%3F%20because%20we%20could%20not%20update%20CU%20easily.%20Many%20jobs%20to%20be%20done...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190517%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190517%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-quilt-row%20lia-quilt-row-header%22%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-16%20lia-quilt-column-left%20lia-quilt-column-header-left%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-left%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Microsoft%20lia-component-message-view-widget-author-username%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-08%20lia-quilt-column-right%20lia-quilt-column-header-right%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-right%22%3E%3CDIV%20class%3D%22lia-menu-navigation-wrapper%20lia-menu-action%20lia-component-message-view-widget-action-menu%22%3E%3CDIV%20class%3D%22lia-menu-navigation%22%3E%3CDIV%20class%3D%22dropdown-default-item%22%3E%3CDIV%20class%3D%22dropdown-positioning%22%3E%3CDIV%20class%3D%22dropdown-positioning-static%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-quilt-row%20lia-quilt-row-main%22%3E%3CDIV%20class%3D%22lia-quilt-column%20lia-quilt-column-24%20lia-quilt-column-single%20lia-quilt-column-main%22%3E%3CDIV%20class%3D%22lia-quilt-column-alley%20lia-quilt-column-alley-single%22%3E%3CDIV%20class%3D%22lia-message-body-wrapper%20lia-component-message-view-widget-body%22%3E%3CDIV%20class%3D%22lia-message-body%22%3E%3CDIV%20class%3D%22lia-message-body-content%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegarding%20your%20reply%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F931060%22%20target%3D%22_blank%22%3E%40EddieRowe%3C%2FA%3E%26nbsp%3B%26nbsp%3B%22Exchange%202010%20is%20not%20vulnerable%20to%20the%20same%20attack%20chain%20as%20Exchange%202013%2F2016%2F2019%2C%20but%20there%20is%20a%20vulnerability%20that%20we%20have%20addressed%20for%20Exchange%202010%20and%20our%20recommendation%20is%20to%20install%20the%20update.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20exactly%20does%20this%20mean%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20discovered%20that%2C%20like%20the%20Exchange%20Health%20script%20mentioned%20in%20the%20blog%20post%2C%20the%20scripts%20linked%20to%20below%20are%20also%20incompatible%20with%20Exchange%202010%3A%3C%2FP%3E%3CP%3E%3CEM%3E%3CSTRONG%3EUpdate%20%5B03%2F04%2F2020%5D%3C%2FSTRONG%3E%3A%20The%20Exchange%20Server%20team%20released%20a%20script%20for%20checking%20HAFNIUM%20indicators%20of%20compromise%20(IOCs).%20See%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%23scan-log%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EScan%20Exchange%20log%20files%20for%20indicators%20of%20compromise%3C%2FA%3E.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20only%20are%20those%20%3CSTRONG%3E%3CEM%3Escripts%3C%2FEM%3E%20%3C%2FSTRONG%3Eincompatible%20with%20Exchange%202010%2C%20but%20both%20the%20code%20of%20the%20scripts%20and%20the%20the%20manual%20methods%20described%20seem%20to%20be%20pointing%20to%20a%20completely%20different%20logging%20filestructure%20(and%2C%20presumably%20architecture)%20meant%20to%20scan%20exchange%202013%20through%202019.%20I%20can't%20even%20modify%20the%20code%20to%20point%20to%20different%20relative%20paths%20or%20registry%20entries%20to%20query%20for%20said%20paths.%20Nothing%20lines%20up.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20question%20is%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGiven%20your%20reply%20to%20Eddie%2C%20does%20that%20mean%20that%20CVE-2021-26855%2C%20CVE-2021-26857%2C%20CVE-2021-26858%2C%20CVE-2021-27065%20do%20%3CSTRONG%3Enot%3C%2FSTRONG%3E%20apply%20to%20exchange%202010%3F%3C%2FP%3E%3CUL%3E%3CLI%3EIF%20any%20of%20them%20DO%20apply%2C%20In%20order%20to%20locate%20IOCs%2C%20should%20I%20be%20trying%20to%20figure%20out%20the%20equivalent%20logs%20and%20perhaps%20even%20logging%20formats%20etc%20on%20my%20exchange%20server%20on%20my%20own%20to%20look%20for%20the%20same%20activity%3F%20With%20the%20assumption%20that%20we%20might%20have%20been%20compromised%20with%20the%20same%20end%20results%2C%20but%20with%20another%20%22attack%20chain%22%3F%26nbsp%3B%3C%2FLI%3E%3CLI%3EIF%20NONE%20of%20those%20CVEs%20apply%2C%20what%20CVEs%20DO%20apply%3F%20What%20is%20the%20vulnerability%3F%20Is%20it%20active%20and%20in%20the%20wild%20already%3F%20And%20what%20exactly%20should%20I%20be%20looking%20for%20and%20in%20what%20logs%2C%20etc%3F%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20is%20my%20responsibility%20to%20my%20company%20and%20co-workers%20to%20do%20whatever%20due%20diligence%20must%20be%20done%20to%20discover%20if%20we%20have%20been%20compromised%20after%20a%20zero-day%20notification%20like%20this%20applies%20to%20our%20environment.%20As%20it%20stands%20I%20have%20no%20idea%20what%20I%20am%20looking%20for.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180367%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180367%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20these%20security%20updates%20available%20for%20Exchange%202016%20CU%2016%3F%26nbsp%3B%20Or%20are%20these%20security%20updates%20to%20address%20vulnerabilities%20only%20in%20Exchange%202016%20CU%2018%2C%2019%3B%20respectively.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2192410%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192410%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BOn%20a%20Windows%202019%20Core%20installation%2C%20outside%20of%20running%20Healthchecker%2C%20how%20do%20you%20confirm%20the%20installation%20of%26nbsp%3BKB5000871%20%3F%26nbsp%3B%20It%20does%20not%20show%20up%20in%20the%20WAC%20or%20via%20the%20get-hotfix%20command.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190541%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190541%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383794%22%20target%3D%22_blank%22%3E%40ChrisJButler%3C%2FA%3E%26nbsp%3BIf%20you%20look%20through%20all%20of%20the%20CVEs%20(reference%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E)%20-%20the%20only%20CVE%20that%20applies%20to%20Exchange%202010%20is%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%2FCVE-2021-26857%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ECVE-2021-26857%3C%2FA%3E.%20It%20is%20a%20%22Remote%20Code%20Execution%22%20but%20it%20is%20not%20a%20'start'%20of%20the%20attach%20chain%20that%20Exchange%202013%2C%202016%2C%202019%20are%20vulnerable%20to%20(as%20they%20all%20basically%20begin%20with%26nbsp%3BCVE-2021-26855).%3C%2FP%3E%0A%3CP%3EAs%20MSTIC%20blog%20post%20says%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%2C%20the%20exploitation%20of%20CVE-2021-26857%20requires%20%22administrator%20permission%20or%20another%20vulnerability%20to%20exploit%22.%20But%20again%2C%20as%26nbsp%3BCVE-2021-26855%20does%20not%20apply%20to%20Exchange%202010%2C%20that%20can%20not%20be%20the%20%22other%20known%20vulnerability%22%20on%20Exchange%202010.%3C%2FP%3E%0A%3CP%3EIt%20is%2C%20however%2C%20still%20an%20issue%20that%20was%20discovered%20as%20a%20part%20of%20the%20big%20picture%20here%2C%20but%20because%20it%20is%20not%20exploited%20in%20the%20wild%20as%20other%20versions%20(because%26nbsp%3BCVE-2021-26855%20does%20not%20apply)%20-%20it%20is%20a%20'Defense%20in%20depth'%20update.%20We%20deemed%20it%20important%20enough%20to%20ship%20a%20fix%20for%20such%20old%20code%2C%20but%20it%20is%20not%20actively%20exploited%20because%20there%20is%20not%20an%20'entry%20point'%20as%20with%20other%20versions.%3C%2FP%3E%0A%3CP%3EHope%20that%20helps%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190549%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190549%22%20slang%3D%22en-US%22%3E%3CP%3EI%E2%80%99ve%20no%20idea%20why%20the%20patch%20would%20not%20deploy%20even%20though%20I%20was%20100%25%20on%20cu19%20exchange%202016.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20ended%20up%20deploying%20via%20windows%20update%20and%20it%20worked%20with%20no%20issues.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.jpg%22%20style%3D%22width%3A%203024px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261405i86BAE042FDB79651%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22image.jpg%22%20alt%3D%22image.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180368%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180368%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20only%20supports%20the%20current%20and%20last%20CU.%20You%20will%20need%20to%20install%20one%20of%20these%20CUs%20before%20you%20can%20install%20the%20update.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190556%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYES%2C%20my%20good%20man%2C%20it%20certainly%20does!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20just%20lowered%20my%20blood%20pressure%20by%20a%20few%20points%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20joined%20techcommunity.microsoft.com%20and%20since%20I%20am%20already%20logged%20in%20as%20my%20live.com%20account%20in%20another%20tab%20for%20Skype%2C%20I%20was%20logged%20in%20using%20those%20credentials%2C%20and%20was%20taken%20to%20a%20page%20where%20I%20needed%20to%20create%20a%20profile%2C%20choose%20a%20profile%20name%2C%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20microsoft%20(live%2C%20what%20have%20you)%20account%20has%20my%20gmail%20account%20as%20my%20primary%20login%20name%2C%20and%20my%20profile%20in%20this%20community%20shows%20that%20gmail%20address%20correctly%20as%20my%20email%20address%20for%20the%20profile%20and%20for%20the%20microsoft%20account.%20I%20filled%20out%20the%20Personal%20information%20page%20next%20and%20put%20in%20my%20work%20information%2C%20including%20my%20non-office365%20work%20email%20address.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEmail%20notifications%20are%20turned%20on%20but%20I%20received%20not%20a%20single%20email%20from%20the%20blog%2C%20neither%20at%20setup%20of%20my%20profile%20nor%20when%20you%20replied%20with%20a%20mention%20of%20me%20here.%20Any%20idea%20where%20I%20should%20look%20%3F%20I%20just%20happened%20to%20be%20refreshing%20this%20blog%20just%20after%20posting%20my%20comment%20or%20I%20would%20have%20missed%20your%20very%20helpful%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2192782%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2192782%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewe%20have%20a%20few%20customers%20were%20we%20get%20an%20error%20while%20running%20the%20script.%20It%20can%20not%20access%20the%20%3CSPAN%3E%22%25exchangeinstallpath%25%5COABGeneratorLog%3C%2FSPAN%3E%3CSPAN%3E%22%20because%20the%20directory%20%22OABGeneratorLog%22%20does%20not%20exist.%20Is%20this%20suspicous%20or%20is%20it%20possible%20that%20there%20has%20been%20no%20%22OABGeneratorLog%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ERunning%20the%20MSERT.EXE%20tool%20does%20not%20find%20any%20threats%20on%20those%20systems.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThank%20you!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EJan%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190586%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190586%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383794%22%20target%3D%22_blank%22%3E%40ChrisJButler%3C%2FA%3E%26nbsp%3BUmm...%20I'd%20like%20to%20be%20able%20to%20say%20that%20I%20fully%20understand%20how%20this%20notification%20thing%20works%20but%20alas%2C%20I%20do%20not.%20%3A(%3C%2Fimg%3E%20I%20can%20tell%20you%20that%20I%20do%20get%20email%20notifications%20if%20I%20get%26nbsp%3B%40%20mentioned%20in%20posts.%20I%20know%20you%20mentioned%20notifications%20are%20on%2C%20but%20I%20wonder%20if%20you%20mean%20the%20%22Email%20me%20when%20someone%20replies%22%20thing%20that%20I%20see%20on%20individual%20comments%20(like%20this%20one)%20or%20when%20you%20click%20on%20your%20account%20avatar%2C%20then%20My%20Subscriptions%20%26gt%3B%20Notification%26nbsp%3Bsettings%20%26gt%3B%20Post's%20I'm%26nbsp%3B%40%20mentioned%20in%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180369%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180369%22%20slang%3D%22en-US%22%3E%3CP%3Ewe%20are%20currently%20applying%20it%20and%20also%20no%20issues%20so%20far.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2193553%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193553%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F119208%22%20target%3D%22_blank%22%3E%40Navishkar%20Sadheo%3C%2FA%3E%22I%20am%20running%20Exchange%20Server%202016%20CU%2016......am%20I%20affected%20by%20this%3F%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes!%20You%20need%20to%20go%20current%20first%20(CU19%20(or%2018))%20and%20than%20apply%20the%20security%20fix.%20Or%26nbsp%3Bat%20least%20use%20the%20mitigation%20mentioned%20in%20this%20article%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Exchange%20Server%20Vulnerabilities%20Mitigations%20%E2%80%93%20updated%20March%206%2C%202021%20%E2%80%93%20Microsoft%20Security%20Response%20Center%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194172%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194172%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%3CSPAN%20class%3D%22UserName%20lia-user-name%20lia-user-rank-Occasional-Visitor%20lia-component-message-view-widget-author-username%22%3E%3CSPAN%20class%3D%22%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F986053%22%20target%3D%22_blank%22%3E%40GeekSpaz%3C%2FA%3E%26nbsp%3B%2C%20thanks%20for%20the%20suggestions%20to%20run%26nbsp%3B%3CSPAN%3EC%3A%5CProgram%20Files%5CMicrosoftExchange%20ServerV14%5CBin%5CUpdateCas.ps1%20and%20the%20IISReset%2C%20but%20sadly%20that%20made%20no%20difference.%26nbsp%3B%20I%20also%20see%20in%20the%20troubleshooting%20a%20suggestion%20to%20run%20UpdateConfigFiles.ps1%20after%20UpdateCas.ps1.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22lia-message-author-with-avatar%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20remain%20unable%20to%20patch%20our%20Exchange%202010%20SP3%20servers%20with%20RU31%20or%20Ru32%20so%20it%20would%20appear%20to%20be%20me%20that%20RU31%20is%20broken%20and%20the%20defect%20is%20also%20in%20RU32.%26nbsp%3B%20After%20patching%20the%20server%20with%20the%20CAS%20role%20and%20holding%20the%20test%20mailbox%2C%20I%20see%20errors%20on%20the%20OTHER%20webmail%20server%20that%20has%20NOT%20been%20patched.%26nbsp%3B%20Not%20patched%20because%20applying%20to%20one%20server%20takes%20it%20out.%26nbsp%3B%20On%20the%20webmail%20server%20I%20found%20an%20event%20136%20and%20Source%20MSExchange%20OWA%20at%20the%20same%20time%20the%20OWA%20login%20says%20%22%20The%20mailbox%20you're%20trying%20to%20access%20isn't%20currently%20available.%20If%20the%20problem%20continues%2C%20contact%20your%20helpdesk.%22%26nbsp%3B%20%3CSTRONG%3EAre%20these%20Exchange%202010%20SP3%20servers%20looking%20to%20have%20the%20same%20RU%20level%20in%20order%20to%20have%20basic%20functionality%20working%3F%3C%2FSTRONG%3E%26nbsp%3B%20Is%20it%20possible%20that%20this%20is%20just%20an%20issue%20known%20to%20an%20experienced%20Exchange%20admin%20(which%20we%20do%20not%20have...why%20I%20am%20trying%20get%20us%20to%20O365)%3F%3C%2FSPAN%3E%3C%2FP%3E%3CDIV%3E%3CBR%20%2F%3E%22The%20sign-in%20to%20Outlook%20Web%20App%20failed.%20User%20%2FO%3Dxxxxx%2FOU%3Dyyyyy%2Fcn%3DRecipients%2Fcn%3Dtest2%20has%20a%20mailbox%20on%2014.3.123.0%20server%20version.%20However%2C%20no%20Client%20Access%20server%20or%20front-end%20server%20with%20a%20matching%20version%20was%20found%20to%20handle%20the%20request.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CDIV%3EFor%20users%20on%20Exchange%202007%20and%20above%2C%20you%20can%20configure%20the%20Outlook%20Web%20Access%20URL%20for%20redirection%20using%20the%20externalURL%20parameter%20on%20the%20Exchange%20%2Fowa%20virtual%20directory.%22%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194511%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194511%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BThis%20bring%20up%20an%20interesting%20talking%20point.%26nbsp%3B%20MS%20made%20the%20decision%20to%20fork%20the%20code%20for%20Exchange%202019%2FO365%20long%20ago%20and%20one%20of%20the%20selling%20points%20for%20Exchange%202019%20was%20more%20mature%20code%20base%20with%20less%20updates%20and%20better%20stability.%26nbsp%3B%20If%20MS%20fixed%20the%20issue%20is%20O365%20at%20some%20point%20before%20this%20patch%20was%20released%20that%20says%20a%20lot%20about%20their%20priorities%20and%20doesn't%20portend%20well%20for%20on-prem%20customers%20and%20future%20critical%20updates.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHopefully%20this%20will%20be%20fleshed%20more%20so%20that%20confidence%20doesn't%20wane%20for%20on-prem%20customers.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194515%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194515%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192630%22%20target%3D%22_blank%22%3E%40Netronin%3C%2FA%3E%26nbsp%3BI'm%20just%20here%20to%20say%20that%20I%20never%20said%20that%20%22MS%20fixed%20the%20issue%20is%20O365%20at%20some%20point%20before%20this%20patch%20was%20released%22.%20I%20have%20no%20idea%20where%20%3CEM%3Ethat%3C%2FEM%3E%20came%20from%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2194695%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2194695%22%20slang%3D%22en-US%22%3E%3CP%3EAuto%20updates%20and%20the%20remediation%20CU's%20error%20out%2C%20cant%20update.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22the%20upgrade%20patch%20cannot%20be%20installed%20by%20the%20windows%20installer%20service.....%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2190550%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2190550%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20servers%20have%20started%20to%20log%20a%20new%20event%20in%20the%20Application%20log.%26nbsp%3B%20I%20wonder%20if%20this%20is%20the%20attack%20failing%20due%20to%20the%20security%20update%20being%20in%20place.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CTABLE%20width%3D%22100%25%22%3E%3CTBODY%3E%3CTR%3E%3CTD%20width%3D%2285%25%22%3E%3CP%3E%5BEcp%5D%20An%20internal%20server%20error%20occurred.%20The%20unhandled%20exception%20was%3A%20System.ArgumentException%3A%20Invalid%20input%20value%3CBR%20%2F%3EParameter%20name%3A%20input%3CBR%20%2F%3Eat%20Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String%20input)%3CBR%20%2F%3Eat%20Microsoft.Exchange.HttpProxy.BEResourceRequestHandler.ResolveAnchorMailbox()%3CBR%20%2F%3Eat%20Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox%26amp%3B%20anchorMailbox)%3CBR%20%2F%3Eat%20Microsoft.Exchange.HttpProxy.ProxyRequestHandler.%3CBEGINCALCULATETARGETBACKEND%3Eb__3b()%3CBR%20%2F%3Eat%20Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate%20tryDelegate%2C%20FilterDelegate%20filterDelegate%2C%20CatchDelegate%20catchDelegate)%3C%2FBEGINCALCULATETARGETBACKEND%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180373%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180373%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F65924%22%20target%3D%22_blank%22%3E%40Jeff%20Guillet%3C%2FA%3E%26nbsp%3BOur%20suggestion%20is%20to%20restart%20the%20server%2C%20yes.%20I%20have%20seen%20the%20update%20tell%20to%20reboot%20but%20I%20guess%20depending%20on%20the%20scenario...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180394%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180394%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180456%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180456%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F931060%22%20target%3D%22_blank%22%3E%40EddieRowe%3C%2FA%3E%26nbsp%3BYeah%20that%20should%20be%20fixed%20now.%20I%20just%20had%20to%20reload%20the%20page%20and%20it%20says%2032%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2198671%22%20slang%3D%22de-DE%22%3ESubject%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2198671%22%20slang%3D%22de-DE%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3Ewe%20are%20running%20%3CSPAN%3EExchange%20Server%202016%20CU12%3C%2FSPAN%3E.%20I%20can't%20find%20anything%20about%20it%20in%20any%20docs.%20Are%20we%20not%20affected%3F%3F%3F%3C%2FP%3E%3CP%3ERg%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2179942%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2179942%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F285725%22%20target%3D%22_blank%22%3E%40ajc196%3C%2FA%3E%26nbsp%3B-%20downloads%20will%20be%20on%20the%20Microsoft%20Update%20soon.%20You%20can%20get%20them%20right%20away%20if%20you%20go%20to%20individual%20CVEs%20mentioned%20in%20the%20MSRC%20blog%20post%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%26nbsp%3B%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180411%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180411%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20some%20typos.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDescription%20of%20the%20security%20update%20for%20Microsoft%20Exchange%20Server%202010%20Service%20Pack%203%3A%20March%202%2C%202021%20(KB5000978)%3C%2FA%3E%26nbsp%3Bhas%20a%20link%20to%20download%20Update%20Rollup%2032%20for%20Exchange%20Server%202010%20SP3%2C%20but%20when%20you%20click%20on%20that%20link%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D102774%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDownload%20Update%20Rollup%203%20For%20Exchange%202010%20SP3%20(KB5000978)%20from%20Official%20Microsoft%20Download%20Center%3C%2FA%3E%26nbsp%3Bsays%20it%20is%20Rollup%203%20instead%20of%2032.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2276630%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2276630%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%3CSPAN%3E%26nbsp%3BHello%20Nino.%26nbsp%3BKB5001779%2C%20just%20like%20KB5000871%20is%20not%20visible%20by%20running%26nbsp%3Bget-hotfix%20or%20by%20looking%20for%20updates%20in%20WAC%20when%20installed%20on%20a%20Windows%202019%20Core%20server.%26nbsp%3B%20%26nbsp%3BThis%20is%20not%20a%20problem%20with%20other%20Windows%20Server%20security%20hotfixes%20-%20only%20with%20Exchange%20hotfixes.%26nbsp%3B%20%26nbsp%3BThis%20is%20an%20issue%20for%20administrators%2C%20installers%2C%20etc.%26nbsp%3B%20When%20will%20this%20be%20addressed%3F%26nbsp%3B%26nbsp%3B%20Do%20you%20see%20the%20same%20thing%20on%20your%20Windows%202019%20Core%20servers%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181650%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181650%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%2C%20Thanks%20for%20the%20quick%20response!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180549%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180549%22%20slang%3D%22en-US%22%3E%3CP%3EInstalling%20on%20our%20first%20server%20to%20gauge%20the%20impact.%20Getting%20lots%20of%20%22Files%20in%20use%22%20errors.%20We're%20killing%20processes%20and%20retrying%20multiple%20times%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2202066%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2202066%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Nino%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20just%20ran%20the%20CompareExchangeHashes%20script%20and%20it%20returned%20the%20IIS%20Default%20Website's%20web.config%20as%20suspicious.%3C%2FP%3E%3CP%3EWhen%20I%20check%20the%20file%2C%20it%20was%20created%20when%20I%20was%20updating%20our%20Exchange%20server%20(2019)%20to%20the%20latest%20CU.%20It%20hasn't%20been%20modified%20since.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20really%20find%20anything%20suspicious%20in%20the%20file%20itself%20either..%20Is%20this%20a%20false%20positive%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181667%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181667%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20clarify%20this%20statement%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3E%22The%20initial%20attack%20requires%20the%20ability%20to%20make%20an%20untrusted%20connection%20to%20Exchange%20server%20port%20443%22%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20media%20seems%20interprets%20this%20as%20being%20able%20to%20make%20an%20untrusted%20HTTP%20(aka%20not%20encrypted)%20connection%20to%20an%20HTTPS%20port.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMany%20of%20us%20use%20SSL-offloading%2FSSL-bridging%20reverse%20Proxies%20(F5%20Big-IP%2C%20Citrix%20Netscaler%2C%20Kemp%2C%20nginx%2C%20Apache%2C%20HAProxy.....and%20also%20some%20cloud%20services%20as%20Azure%20Application%20Proxy%20or%20be%20it%20also%20CDNs%20like%20Cloudflare%20etc.)%20to%20get%20Exchange%20hooked%20up%20to%20the%20internet%20and%20do%20SSL%20bridging.%3CBR%20%2F%3EBy%20nature%20these%20technologies%26nbsp%3Bprevent%20HTTP%20connections%20to%20HTTPS%20ports.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOr%2C%20do%20you%20mean%20by%20%22untrusted%20connections%22%20that%20the%20user%20is%20not%20authenticated%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20yes%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMany%20of%20us%20also%20use%20these%20technologies%20to%20do%20pre-authentication%20before%20anyone%20can%20access%20anything%20anonymously%20on%20port%20443%20(there%20was%20also%20a%20question%20about%20ADFS%20some%20posts%20before%2C%20I%20might%20add%20the%20question%20what%20if%20we%20do%20pre-authentication%20with%20Azure%20AD%3F).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAre%20these%20users%20protected%2C%20or%20does%20this%20issue%20concern%20those%20web%20API%20connections%20to%20EWS%2FOAB%2FECP%2FActiveSync%20where%20we%20have%20to%20turn%20off%20pre-authentication%20since%20this%20would%20break%20those%20services%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EJust%20asking%20out%20of%20curiosity%2C%20I%20know%20the%20vulnerability%20still%20exists%20of%20anyone%20can%20access%20the%20server%20directly%20from%20LAN.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EAlso%2C%20because%20everybody%20around%20me%20is%20hyping%2Ffreaking%20out%2C%20even%20though%20many%20have%20such%20technologies%20in%20place.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20guess%20nobody%20with%20will%20hook%20up%20an%20Exchange%20server%20to%20the%20Internet%20just%20by%20Port-forwarding%20the%20port%20443%20on%20the%20firewall%20directly%20to%20the%20server%2C%20or%20by%20configuring%20a%20public%20IP%20address%20on%20the%20server's%20network%20interface%20and%20connect%20it%20directly%20to%20the%20provider%20switch%2C%20at%20least%20not%20in%20the%20last%2010%20years.%20(Hell%2C%20we%20were%20doing%20that%20since%20ISA%202000).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EMarc%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180567%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180567%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20the%20Known%20Issue%20of%20applying%20it%20by%20double%20click%20breaking%20ECP%2FOWA...%20It's%20great%20the%20article%20warns%20you%20of%20that...%20would%20be%20better%20if%20it%20told%20you%20HOW%20TO%20FIX%20IT%20too!%26nbsp%3B%20Or%20where%20to%20find%20how%20to%20fix%20it.%26nbsp%3B%26nbsp%3BSo...%20anyone%20know%20how%20to%20fix%20it%3F!%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(Cancelled%20mid-way.%26nbsp%3B%20Rolled%20back.%26nbsp%3B%20Re-installed%20correctly%2C%20ECP%20is%20broken%3B%20OWA%20works).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180595%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180595%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BThanks%2C%20but%20that's%20not%20really%20helpful.%26nbsp%3B%20As%20I%20said%2C%20it's%20great%20that%20it's%20a%20known%20issue.%26nbsp%3B%20That%20it's%20known%20that%20the%20update%20doesn't%20properly%20prompt%20for%20elevation%20and%20that%20it%20must%20be%20run%20from%20an%20elevated%20command%20prompt.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat's%20done%20is%20done.%26nbsp%3B%20ECP%20is%20broken.%26nbsp%3B%20HOW%20DO%20WE%20FIX%20IT%3F%26nbsp%3B%20There's%20no%20mention%20of%20restoring%20ECP%20%2F%20OWA%20if%20you%20failed%20to%20run%20it%20initially%20from%20an%20elevated%20command%20prompt.%26nbsp%3B%20Why%20not%3F%20It%20would%20be%20helpful%20to%20folks%20who%20may%20not%20have%20read%20the%20blog%20but%20were%2C%20instead%2C%20told%20to%20install%20this%20update%20and%20ASSUMED%20it%20would%20properly%20elevate%20itself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20wait%20for%20the%20next%20CU%20and%20install%20that%2C%20will%20that%20fix%20it%3F%26nbsp%3B%20I'd%20rather%20not%20wait%2C%20but%20I%20assume%20the%20next%20CU%20is%20due%20soon...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2175901%22%20slang%3D%22en-US%22%3EReleased%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2175901%22%20slang%3D%22en-US%22%3E%3CP%3ENote%3A%20this%20post%20is%20getting%20frequent%20updates%3B%20please%20keep%20checking%20back.%20Last%20update%3A%203%2F19%2F2021%3C%2FP%3E%3CP%3EMicrosoft%20has%20released%20a%20set%20of%20out%20of%20band%20security%20updates%20for%20vulnerabilities%20for%20the%20following%20versions%20of%20Exchange%20Server%3A%3C%2FP%3EExchange%20Server%202013%20Exchange%20Server%202016%20Exchange%20Server%202019%3CP%3ESecurity%20updates%20are%20available%20for%20the%20following%20specific%20versions%20of%20Exchange%3A%3C%2FP%3E%3CP%3EIMPORTANT%3A%20If%20manually%20installing%20security%20updates%2C%20you%20must%20install%20.msp%20from%20elevated%20command%20prompt%20(see%20Known%20Issues%20in%20update%20KB%20articles)%3C%2FP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202010%20(update%20requires%20SP%203%20or%20any%20SP%203%20RU%20%E2%80%93%20this%20is%20a%20Defense%20in%20Depth%20update)%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202013%20(update%20requires%20CU%2023)%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202016%20(update%20requires%20CU%2019%20or%20CU%2018)%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchange%20Server%202019%20(update%20requires%20CU%208%20or%20CU%207)%3C%2FA%3E%20NEW!%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2021-exchange-server-security-updates-for-older-cumulative%2Fba-p%2F2192020%22%20target%3D%22_blank%22%3ESecurity%20Updates%20for%20older%20Cumulative%20Updates%20of%20Exchange%20Server%20(the%20list%20is%20now%20finalized)%3C%2FA%3E%3CP%3EBecause%20we%20are%20aware%20of%20active%20exploits%20of%20related%20vulnerabilities%20in%20the%20wild%20(limited%20targeted%20attacks)%2C%20our%20recommendation%20is%20to%20install%20these%20updates%20immediately%20to%20protect%20against%20these%20attacks.%3C%2FP%3E%3CP%3EThe%20vulnerabilities%20affect%20Microsoft%20Exchange%20Server.%20Exchange%20Online%20is%20not%20affected.%3C%2FP%3E%3CP%3EFor%20more%20information%2C%20please%20see%20the%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Security%20Response%20Center%20(MSRC)%20blog%3C%2FA%3E.%3C%2FP%3E%3CP%3EFor%20technical%20details%20of%20these%20exploits%20and%20how%20to%20help%20with%20detection%2C%20please%20see%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EHAFNIUM%20Targeting%20Exchange%20Servers%3C%2FA%3E.%26nbsp%3BThere%20is%20a%20scripted%20version%20of%20this%20check%20available%20on%20GitHub%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMitigations%2C%20investigation%20and%20remediation%3A%3C%2FP%3EAre%20there%20any%20mitigations%20I%20can%20implement%20right%20now%3F%3CP%3EMSRC%20team%20has%20released%20a%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F15%2Fone-click-microsoft-exchange-on-premises-mitigation-tool-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EOne-Click%20Microsoft%20Exchange%20On-Premises%20Mitigation%20Tool%20(EOMT)%3C%2FA%3E.%20The%20MSTIC%20blog%20post%20called%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Exchange%20Server%20Vulnerabilities%20Mitigations%20%E2%80%93%20March%202021%3C%2FA%3E%26nbsp%3Bcan%20help%20understand%20individual%20mitigation%20actions.%20A%20stand-alone%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchangeMitigations.ps1%3C%2FA%3E%26nbsp%3Bscript%20is%20also%20available.%3C%2FP%3EHow%20can%20I%20tell%20if%20my%20servers%20have%20already%20been%20compromised%3F%3CP%3EInformation%20on%20Indicators%20of%20Compromise%20(IOCs)%20%E2%80%93%20such%20as%20what%20to%20search%20for%2C%20and%20how%20to%20find%20evidence%20of%20successful%20exploitation%20(if%20it%20happened)%2C%20can%20be%20found%20in%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EHAFNIUM%20Targeting%20Exchange%20Servers%3C%2FA%3E.%20There%20is%20a%20scripted%20version%20of%20this%20available%20on%20GitHub%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E.%3C%2FP%3EMore%20information%20about%20investigations%3CP%3ETo%20aid%20defenders%20in%20investigating%20these%20attacks%20where%20Microsoft%20security%20products%20and%20tooling%20may%20not%20be%20deployed%2C%20we%20are%20releasing%20a%20feed%20of%20observed%20indicators%20of%20compromise%20(IOCs).%20The%20feed%20of%20malware%20hashes%20and%20known%20malicious%20file%20paths%20observed%20in%20related%20attacks%20is%20available%20in%20both%20JSON%20and%20CSV%20formats%20at%20the%20below%20GitHub%20links.%20This%20information%20is%20being%20shared%20as%20TLP%3AWHITE.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSample%2520Data%2FFeeds%2FMSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ECSV%20format%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSample%2520Data%2FFeeds%2FMSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EJSON%20format%3C%2FA%3E%20are%20available.%26nbsp%3B%3C%2FP%3EWhat%20about%20remediation%3F%3CP%3EMSTIC%20team%20has%20(on%20March%206th)%20updated%20their%20blog%20post%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Exchange%20Server%20Vulnerabilities%20Mitigations%20%E2%80%93%20March%202021%3C%2FA%3E%26nbsp%3Bto%20include%20information%20about%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fintelligence%2Fsafety-scanner-download%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMicrosoft%20Support%20Emergency%20Response%20Tool%20(MSERT)%3C%2FA%3E%26nbsp%3Bhaving%20been%20updated%20to%20scan%20Microsoft%20Exchange%20Server.%20Please%20download%20a%20new%20copy%20of%20MSERT%20often%2C%20as%20updates%20are%20made%20in%20the%20tool%20regularly!%20Please%20also%20see%20MSRC%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F16%2Fguidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EGuidance%20for%20responders%3A%20Investigating%20and%20remediating%20on-premises%20Exchange%20Server%20vulnerabilities%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInstalling%20and%20troubleshooting%20updates%3A%3C%2FP%3EDoes%20installing%20the%20March%20Security%20Updates%20require%20my%20servers%20to%20be%20up%20to%20date%3F%3CP%3EToday%20we%20shipped%20Security%20Update%20(SU)%20fixes.%20These%20fixes%20can%20be%20installed%20only%20on%20servers%20that%20are%20running%20the%20specific%20versions%20listed%20previously%2C%20which%20are%20considered%20up%20to%20date.%20If%20your%20servers%20are%20running%20older%20Exchange%20Server%20cumulative%20or%20rollup%20update%2C%20we%20recommend%20to%20install%20a%20currently%20supported%20RU%2FCU%20before%20you%20install%20the%20security%20updates.%20If%20you%20are%20unable%20to%20get%20updated%20quickly%2C%20please%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2021-exchange-server-security-updates-for-older-cumulative%2Fba-p%2F2192020%22%20target%3D%22_blank%22%3EMarch%202021%20Exchange%20Server%20Security%20Updates%20for%20older%20Cumulative%20Updates%20of%20Exchange%20Server%3C%2FA%3E.%3C%2FP%3EHow%20can%20I%20get%20an%20inventory%20of%20the%20update-level%20status%20of%20my%20on-premises%20Exchange%20servers%3F%3CP%3EYou%20can%20use%20the%20Exchange%20Server%20Health%20Checker%20script%2C%20which%20can%20be%20downloaded%20from%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FExchangeHealthChecker%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EGitHub%3C%2FA%3E%20(use%20the%20latest%20release).%20Running%20this%20script%20will%20tell%20you%20if%20you%20are%20behind%20on%20your%20on-premises%20Exchange%20Server%20updates%20(note%20that%20the%20script%20does%20not%20support%20Exchange%20Server%202010).%3C%2FP%3EWhich%20of%20my%20servers%20should%20I%20update%20first%3F%3CP%3EExploitation%20of%20the%20security%20vulnerabilities%20addressed%20in%20these%20fixes%20requires%20HTTPS%20access%20over%20the%20Internet.%20Therefore%2C%20our%20recommendation%20is%20to%20install%20the%20security%20updates%20first%20on%20Exchange%20servers%20exposed%2Fpublished%20to%20the%20Internet%20(e.g.%2C%20servers%20publishing%20Outlook%20on%20the%20web%2FOWA%20and%20ECP)%20and%20then%20update%20the%20rest%20of%20your%20environment.%3C%2FP%3EWill%20the%20installation%20of%20the%20Security%20Updates%20take%20as%20long%20as%20installing%20an%20RU%2FCU%3F%3CP%3EInstallation%20of%20Security%20Updates%20does%20not%20take%20as%20long%20as%20installing%20a%20CU%20or%20RU%2C%20but%20you%20will%20need%20to%20plan%20for%20some%20downtime.%3C%2FP%3EMy%20organization%20needs%20to%20'get%20current'%20first...%20we%20need%20to%20apply%20a%20Cumulative%20Update.%20Any%20tips%20for%20us%3F%3CP%3EPlease%20see%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fplan-and-deploy%2Finstall-cumulative-updates%3Fview%3Dexchserver-2019%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EUpgrade%20Exchange%20to%20the%20latest%20Cumulative%20Update%3C%2FA%3E%26nbsp%3Barticle%20for%20best%20practices%20when%20installing%20Exchange%20Cumulative%20Updates.%20To%20ensure%20the%20easiest%20upgrade%20experience%20(and%20because%20in%20many%20organizations%20Exchange%20and%20Active%20Directory%20roles%20are%20separate)%20you%20might%20wish%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fplan-and-deploy%2Fprepare-ad-and-domains%3Fview%3Dexchserver-2019%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Erun%20%2FPrepareAD%3C%2FA%3E%26nbsp%3B(in%20the%20Active%20Directory%20site%20that%20Exchange%20is%20a%20member%20of)%20before%20running%20the%20actual%20CU%20Setup.%20You%20can%20use%20%3CA%20href%3D%22https%3A%2F%2Fwebcastdiag864.blob.core.windows.net%2F2021presentationdecks%2FMarch%25202021%2520Exchange%2520Server%2520Security%2520Update%2520-%2520EN.pdf%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ethis%20document%3C%2FA%3E%20as%20a%20guide%20to%20understand%20what%20you%20might%20have%20to%20do.%3C%2FP%3EErrors%20during%20or%20after%20Security%20Update%20installation!%20Help!%3CP%3EIt%20is%26nbsp%3Bextremely%20important%26nbsp%3Bto%20read%20the%20Known%20Issues%20section%20in%20the%20Security%20Update%20KB%20article%20(%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E%26nbsp%3Bdepending%20on%20the%20version).%20If%20installing%20the%20update%20manually%2C%26nbsp%3Byou%20must%20run%20the%20update%20from%20the%20elevated%20command%20prompt.%20If%20you%20are%20seeing%20unexpected%20behavior%2C%20check%20the%26nbsp%3Barticle%26nbsp%3Baddressing%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fexupdatefaq%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Etroubleshooting%20failed%20installations%20of%20Exchange%20security%20updates%3C%2FA%3E%26nbsp%3B(we%20will%20keep%20updating%20this%20article).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdditional%20Q%26amp%3BA%3A%3C%2FP%3EAre%20there%20any%20other%20resources%20that%20you%20can%20recommend%3F%3CP%3EMicrosoft%20Defender%20Security%20Research%20Team%20has%20published%20a%20related%20blog%20post%20called%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F06%2F24%2Fdefending-exchange-servers-under-attack%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EDefending%20Exchange%20servers%20under%20attack%3C%2FA%3E%20which%20can%20help%20you%20understand%20some%20general%20practices%20around%20detection%20of%20malicious%20activity%20on%20your%20Exchange%20servers%20and%20help%20improve%20your%20security%20posture.%3C%2FP%3EMy%20organization%20is%20in%20Hybrid%20with%20Exchange%20Online.%20Do%20I%20need%20to%20do%20anything%3F%3CP%3EWhile%20those%20security%20updates%20do%20not%20apply%20to%20Exchange%20Online%20%2F%20Office%20365%2C%20you%20need%20to%20apply%20those%20Security%20Updates%20to%20your%20on-premises%20Exchange%20Server%2C%20even%20if%20it%20is%20used%20for%20management%20purposes%20only.%20You%20do%20not%20need%20to%20re-run%20HCW%20if%20you%20are%20using%20it.%3C%2FP%3EDo%20we%20need%20to%20install%20those%20updates%20on%20Management%20Tools%20only%20workstations%20or%20servers%3F%3CP%3EMachines%20with%20Management%20Tools%20only%20are%20not%20impacted%20(there%20are%20no%20Exchange%20services%20installed)%20and%20do%20not%20require%20installation%20of%20March%20SUs.%20Please%20note%20that%20a%20'management%20server'%20which%20many%20of%20our%20Hybrid%20customers%20have%20(which%20is%20an%20Exchange%20server%20kept%20on%20premises%20to%20be%20able%20to%20run%20Exchange%20management%20tasks)%20is%20different.%20For%20Hybrid%2C%20please%20see%20the%20Hybrid%20question%20above.%3C%2FP%3EThe%20last%20Exchange%202016%20and%20Exchange%202019%20CU%E2%80%99s%20were%20released%20in%20December%20of%202020.%20Are%20new%20CU%E2%80%99s%20releasing%20in%20March%202021%3F%3CP%3EEDIT%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Freleased-march-2021-quarterly-exchange-updates%2Fba-p%2F2205283%22%20target%3D%22_blank%22%3EExchange%20Server%202016%20CU%2020%20and%20Exchange%20Server%202019%20CU%209%20are%20now%20released%3C%2FA%3E%20and%20those%20CUs%26nbsp%3Bcontain%20the%20Security%20Updates%20mentioned%20here%20(along%20with%20other%20fixes).%20Customers%20who%20have%20installed%20SUs%20for%20older%20E2016%2F2019%20CUs%20can%20simply%20update%20to%20new%20CUs%20and%20will%20stay%20protected.%3C%2FP%3EAre%20Exchange%20Server%202003%20and%20Exchange%20Server%202007%20vulnerable%20to%20March%202021%20Exchange%20server%20security%20vulnerabilities%3F%3CP%3ENo.%20After%20performing%20code%20reviews%2C%20we%20can%20state%20that%20the%20code%20involved%20in%20the%20attack%20chain%20to%20begin%20(CVE-2021-26855)%20was%20not%20in%20the%20product%20before%20Exchange%20Server%202013.%20Exchange%202007%20includes%20the%20UM%20service%2C%20but%20it%20doesn%E2%80%99t%20include%20the%20code%20that%20made%20Exchange%20Server%202010%20vulnerable.%20Exchange%202003%20does%20not%20include%20the%20UM%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMajor%20updates%20to%20this%20post%3A%3C%2FP%3E3%2F19%2F2021%3A%20Added%20a%20link%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F16%2Fguidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EGuidance%20for%20responders%3A%20Investigating%20and%20remediating%20on-premises%20Exchange%20Server%20vulnerabilities%3C%2FA%3E%203%2F17%2F2021%3A%20Removed%20the%20mention%20of%26nbsp%3BCompareExchangeHashes.ps1%20script%20(deprecated).%20Added%20a%20Q%26amp%3BA%20pair%20for%20Management%20Tools%20only%20machines.%203%2F16%2F2021%3A%20Added%20a%20note%20about%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Freleased-march-2021-quarterly-exchange-updates%2Fba-p%2F2205283%22%20target%3D%22_blank%22%3EExchange%202016%20CU%2020%20and%20Exchange%202019%20CU%209%3C%2FA%3E%203%2F15%2F2021%3A%20Added%20a%20link%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F15%2Fone-click-microsoft-exchange-on-premises-mitigation-tool-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EOne-Click%20Microsoft%20Exchange%20On-Premises%20Mitigation%20Tool%20(EOMT)%3C%2FA%3E%203%2F12%2F2021%3A%20Added%20a%20Q%26amp%3BA%20pair%20for%20Exchange%202003%2F2007%203%2F11%2F2021%3A%20Added%20a%20note%20about%20final%20list%20of%20SU%20releases%20for%20out%20of%20support%20CUs%203%2F10%2F2021%3A%20Added%20a%20note%20that%20the%20MSERT%20tool%20should%20be%20downloaded%20often%20as%20it%20gets%20updated%20regularly%203%2F9%2F2021%3A%20Added%20a%20link%20to%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EExchangeMitigations.ps1%20mitigation%20script%3C%2FA%3E%20and%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FCSS-Exchange%2Ftree%2Fmain%2FSecurity%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3ECompareExchangeHashes.ps1%20file%20hashes%20check%3C%2FA%3E%20script.%203%2F8%2F2021%3A%20Added%20a%20link%20about%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Fmarch-2021-exchange-server-security-updates-for-older-cumulative%2Fba-p%2F2192020%22%20target%3D%22_blank%22%3EUpdates%20for%20older%20Cumulative%20Updates%20of%20Exchange%20Server%3C%2FA%3E%20and%20information%20about%20a%20feed%20of%20observed%20indicators%20of%20compromise%20(IOCs).%203%2F8%2F2021%3A%20Added%20a%20link%20to%20%3CA%20href%3D%22https%3A%2F%2Fwebcastdiag864.blob.core.windows.net%2F2021presentationdecks%2FMarch%25202021%2520Exchange%2520Server%2520Security%2520Update%2520-%2520EN.pdf%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3Ethe%20guide%3C%2FA%3E%20that%20can%20help%20with%20steps%20that%20need%20to%20be%20taken%20to%20get%20current%20and%20update%203%2F8%2F2021%3A%20Added%20a%20note%20about%20elevated%20CMD%20prompt%20installation%20of%20.msp%20files%203%2F7%2F2021%3A%20Reorganized%20information%20to%20make%20it%20easier%20to%20navigate%203%2F6%2F2021%3A%20Added%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Einformation%3C%2FA%3E%20about%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fintelligence%2Fsafety-scanner-download%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMSERT%3C%2FA%3E%20tool%20to%20help%20with%20remediation%203%2F6%2F2021%3A%20linked%20to%20an%20article%20about%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fexupdatefaq%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Etroubleshooting%20failed%20installations%20of%20Exchange%20security%20updates%3C%2FA%3E%203%2F5%2F2021%3A%20linked%20to%20the%20new%20%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F05%2Fmicrosoft-exchange-server-vulnerabilities-mitigations-march-2021%2F%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3EMSTIC%20blog%20post%20on%20Vulnerability%20Mitigations%3C%2FA%3E%3CP%3EThe%20Exchange%20Team%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2175901%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20releasing%20a%20set%20of%20out%20of%20band%20security%20updates%20for%20Exchange%20Server.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2175901%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnnouncements%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202010%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202013%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202019%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOn%20premises%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180573%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180573%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F265098%22%20target%3D%22_blank%22%3E%40Keith-Work-711%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3B-%20please%20make%20sure%20to%20check%20%22KNOWN%20ISSUES%22%20in%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fdescription-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ethe%20KB%20article%20talking%20about%20updates%3C%2FA%3E.%20This%20is%20not%20an%20issue%20with%20this%20particular%20update%2C%20rather%20-%20all%20security%20updates%20need%20to%20be%20run%20elevated%20if%20installed%20manually.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180606%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180606%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%20If%20ECP%20is%20broken%2C%20you%20might%20try%20resetting%20the%20ECP%20virtual%20directory.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180611%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180611%22%20slang%3D%22en-US%22%3E%3CP%3EFYI%20we%20are%20running%20them%20from%20an%20elevated%20command%20prompt.%20Other%20servers%20have%20not%20had%20this%20issue%20of%20the%20%22Files%20in%20use%22%20and%20seem%20to%20have%20installed%20clean.%20Hopefully%20just%20a%20single%20server%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180620%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180620%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F984395%22%20target%3D%22_blank%22%3E%40LeeMEI%3C%2FA%3E%26nbsp%3B-%20Well%2C%20the%20article%20%3CEM%3Edoes%3C%2FEM%3E%20give%20you%20some%20guidance%20around%20what%20to%20do%20if%20services%20are%20not%20starting%20(I%20might%20be%20assuming%20that%20ECP%20is%20not%20running%20because%20of%20this%20but%20I%20did%20not%20ask%20this%20before)%3A%3C%2FP%3E%0A%3CP%3E%3CEM%3ETo%20fix%20this%20issue%2C%20use%20Services%20Manager%20to%20restore%20the%20startup%20type%20to%20Automatic%2C%20and%20then%20start%20the%20affected%20Exchange%20services%20manually.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3EOr%20are%20you%20saying%20that%20all%20services%20are%20running%20and%20still%20ECP%20does%20not%20work%3F%20Did%20the%20update%20actually%20successfully%20install%20(after%20elevated%20installation)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186423%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186423%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20we%20are%20running%20exchange%202013%20CU4.%26nbsp%3B%20Can%20we%20do%20direct%20upgrade%20to%20CU%2023%3F%26nbsp%3B%20thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183642%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183642%22%20slang%3D%22en-US%22%3E%3CP%3EAll%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%26nbsp%3B%20getting%20while%20running%20the%20update%20for%20Exchange%20server%202016%20CU18%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Windows%20Installer%20looking%20for%20Insert%20the%20'Microsoft%20Exchange%20Server'%20disk%20and%20click%20OK%22.%20It's%20looking%20for%20MSEXCHANGSERVER.MSI%20file%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20idea%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180622%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180622%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F265098%22%20target%3D%22_blank%22%3E%40Keith-Work-711%3C%2FA%3E%20My%20best%20practice%20is%20to%20always%20restart%20the%20server%20before%20I%20apply%20updates.%20That%20way%20all%20file%20locks%20are%20removed%20and%20you%20know%20the%20server%20is%20coming%20up%20healthy%20(or%20not)%20before%20the%20updates%20are%20applied.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180628%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180628%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11042%22%20target%3D%22_blank%22%3E%40Susan%20Bradley%3C%2FA%3E%26nbsp%3Bwhile%20it's%20disappointing%20that%20updates%20for%20Exchange%20and%20potentially%20other%20products%20have%20this%20quirk%2C%20that's%20not%20what%20I'm%20really%20bothered%20by.%26nbsp%3B%20It's%20a%20known%20issue%2C%20so%20why%20isn't%20there%20a%20reference%20to%20how%20to%20resolve%20it%20if%20the%20problem%20is%20experienced%3F%26nbsp%3B%20I'm%20not%20trying%20to%20suggest%20the%20post%20should%20include%20in-depth%20resolutions%20to%20the%20potential%20issue(s)%2C%20but%20rather%2C%20a%20brief%20note%20such%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F65924%22%20target%3D%22_blank%22%3E%40Jeff%20Guillet%3C%2FA%3E%26nbsp%3Bsuggests%2C%20resetting%20the%20virtual%20directory%20(assuming%20that%20works)%20or%20a%20link%20to%20another%20post%20concerning%20recovering%20from%20that%20issue%20should%20it%20have%20occurred.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20looking%20to%20troubleshoot%20this%20here%2C%20so%20if%20Jeff's%20solution%20doesn't%20work%2C%20I'll%20be%20posting%20to%20other%20forums%20tomorrow.%26nbsp%3B%20Just%20frustrated%20that%20a%20known%20issue%20exists%20and%20Microsoft%2C%20while%20acknowledging%20it's%20a%20known%20issue%2C%20posts%20absolutely%20no%20information%20about%20recovering%20from%20it%20if%20it%20occurs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180752%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180752%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Efor%20OWA%3C%2FP%3E%3CP%3EPlease%20execute%20UpdateCas.ps1%20in%20Exchange%20Install%20Patch%3C%2FP%3E%3CP%3E%5CExchange%20Server%5CV15%5CBin%5CUpdateCas.ps1%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20ECP%3C%2FP%3E%3CP%3Ethe%20below%20link%20solve%20my%20problem%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fie%2Fen-US%2F44289975-878d-4f51-a73d-f38176ec714d%2Fowa-suddenly-displays-blank-page-after-logon-ecp-displays-stack-trace-could-not-load-file-or%3Fforum%3Dexchangesvrgeneral%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.technet.microsoft.com%2FForums%2Fie%2Fen-US%2F44289975-878d-4f51-a73d-f38176ec714d%2Fowa-suddenly-displays-blank-page-after-logon-ecp-displays-stack-trace-could-not-load-file-or%3Fforum%3Dexchangesvrgeneral%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180768%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180768%22%20slang%3D%22en-US%22%3E%3CP%3EPatched%20our%20test%20Exchange%202013%20CU%2023%20servers%2C%20no%20issues%20identified.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180266%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180266%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20Article%20mentions%20updates%20are%20available%20for%20%22Exchange%20Server%202010%20(RU%2031%20for%20Service%20Pack%203%20%E2%80%93%20this%20is%20a%20Defense%20in%20Depth%20update)%22%20but%20I%20don't%20see%20a%20link%20to%20this%20update%20in%20the%20other%20attached%20articles%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%25C2%25A0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmsrc-blog.microsoft.com%2F2021%2F03%2F02%2Fmultiple-security-updates-released-for-exchange-server%2F%25C2%25A0%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180857%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180857%22%20slang%3D%22en-US%22%3E%3CP%3EWindows%202016%20DC%2C%20Exchange%20Svr%202016%20CU17%26nbsp%3B%20and%20both%20servers%20are%20failing%20to%20install%20the%20KB5000871%20with%20%22The%20upgrade%20patch%20cannot%20be%20installed%20by%20the%20Windows%20Installer%20service%20because%20the%20program%20to%20be%20upgraded%20may%20be%20missing%2C%20or%20the%20upgrade%20patch%20may%20update%20a%20different%20version%20of%20the%20program.%26nbsp%3B%20Verify%20that%20the%20program%20to%20be%20upgraded%20exists%20on%20you%20computer%20and%20that%20you%20have%20the%20correct%20upgrade%20patch.%26nbsp%3B%20%26nbsp%3BI%20have%20done%20both.%26nbsp%3B%20I%20have%20downloaded%20it%20from%20the%20Catalog%20and%20the%20Download%20Center%20and%20no%20difference.%26nbsp%3B%20%26nbsp%3BAny%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2180881%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2180881%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Sraine%2C%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20will%20need%26nbsp%3BExchange%20Server%202016%20(CU%2019%2C%20CU%2018).%20It%26nbsp%3B%20looks%20you%20have%20Exchange%202016%20CU17.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181292%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181292%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20following%20article%20contains%20instructions%20for%20detecting%20whether%26nbsp%3B%3CSPAN%3ECVE-2021-26855%20exploitation%20has%20taken%20place%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3EImport-Csv%20-Path%20(Get-ChildItem%20-Recurse%20-Path%20%22%24env%3APROGRAMFILES%5CMicrosoft%5CExchange%20Server%5CV15%5CLogging%5CHttpProxy%22%20-Filter%20'*.log').FullName%20%7C%20Where-Object%20%7B%20%20%24_.AuthenticatedUser%20-eq%20%22%20-and%20%24_.AnchorMailbox%20-like%20'ServerInfo~*%2F*'%20%7D%20%7C%20select%20DateTime%2C%20AnchorMailbox%3C%2FPRE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2021%2F03%2F02%2Fhafnium-targeting-exchange-servers%2F%3C%2FA%3E%3C%2FP%3E%3CP%3EThe%20command%20is%20broken%20(it%20will%20never%20execute%20and%20generates%20a%20PowerShell%20continuation%20prompt%20(%26gt%3B%26gt%3B).%20This%20can%20be%20fixed%20by%20changing%20the%20double%20quote%20after%20%24_.AuthenticatedUser%20-eq%20%3CSTRONG%3E%22%3C%2FSTRONG%3E%20to%20two%20single%20quotes%20%3CSTRONG%3E''%3C%2FSTRONG%3E%20-%20please%20update%20the%20article%20ASAP!%3C%2FP%3E%3CPRE%3EImport-Csv%20-Path%20(Get-ChildItem%20-Recurse%20-Path%20%22%24env%3APROGRAMFILES%5CMicrosoft%5CExchange%20Server%5CV15%5CLogging%5CHttpProxy%22%20-Filter%20'*.log').FullName%20%7C%20Where-Object%20%7B%20%20%24_.AuthenticatedUser%20-eq%20''%20-and%20%24_.AnchorMailbox%20-like%20'ServerInfo~*%2F*'%20%7D%20%7C%20select%20DateTime%2C%20AnchorMailbox%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2202085%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2202085%22%20slang%3D%22en-US%22%3E%3CP%3EI%20run%20CompareExchangeHashes%20on%20three%20servers%20(2x2013%2C1x2019)%2C%20but%20script%20result%20have%20thousands%20rows%20with%20NoHashMatch.%20I%20do%20not%20understand%20why.%20One%20server%20not%20probed%2C%20one%20probed%20(only%20autodiscover%20test)%2C%20one%20probed%20and%20compromited%20with%20backdoor.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2186428%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2186428%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11565%22%20target%3D%22_blank%22%3E%40Ar%C5%ABnas%20Mal%C5%ABkas%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F987450%22%20target%3D%22_blank%22%3E%40Jan_Gross%3C%2FA%3E%26nbsp%3B-%20this%20is%20a%20cause%20for%20concern%3B%20this%20indicates%20that%20someone%20has%20tried%20to%20use%20the%20exploit.%20Not%20that%20they%20succeeded%2C%20but%20they%20tried.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181306%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181306%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F392293%22%20target%3D%22_blank%22%3E%40ChrisAtMaf%3C%2FA%3E%26nbsp%3BThank%20you%20-%20reported%20to%20that%20blog%20team...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181339%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181339%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20community%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20quick%20question%3A%20Is%20the%20Exchange%202016%20CU17%20affected%20by%20the%20release%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181385%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181385%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5374%22%20target%3D%22_blank%22%3E%40Nino%20Bilic%3C%2FA%3E%26nbsp%3BNo%20worries.%20The%20command%20picked%20up%20what%20looked%20like%20two%20attempts%20to%20exploit%20our%20server%20this%20morning%2C%20so%20it's%20important%20people%20run%20it!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181386%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181386%22%20slang%3D%22en-US%22%3E%3CP%3EExchange%202016%2C%20and%20was%20on%20CU17....I%20tried%20to%20install%20straight%20to%20CU19%2C%20and%20get%20%22%3CSPAN%3EThe%20upgrade%20patch%20cannot%20be%20installed%20by%20the%20Windows%20Installer%20service%20because%20the%20program%20to%20be%20upgraded%20may%20be%20missing%2C%20or%20the%20upgrade%20patch%20may%20update%20a%20different%20version%20of%20the%20program.%26nbsp%3B%20Verify%20that%20the%20program%20to%20be%20upgraded%20exists%20on%20you%20computer%20and%20that%20you%20have%20the%20correct%20upgrade%20patch%3C%2FSPAN%3E%22%3C%2FP%3E%3CP%3EInstalled%20CU18%20just%20fine...and%20I%20thought%20the%20rollups%20were%20cumulative%20anyhow%2C%20hence%20why%20I%20tried%20to%20go%20straight%20the%20CU19.%26nbsp%3B%20So%2C%20I%20am%20not%20on%20CU18%2C%20and%20cannot%20get%20to%20CU19....what%20is%20%22missing%22%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181477%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181477%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20Exchange%20redirecting%20to%20ADFS%20for%20user%20authentication.%20Can%20this%20vulnerability%20still%20be%20exploited%20in%20this%20configuration%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181507%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181507%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20the%20Exchange%20environment%20and%20all%20https%20Services%20like%20OWA%2CECP%20etc.%20behind%20a%20Web-Application%20Module%20like%20Big-IP%20from%20F5.%20Is%20there%20the%20same%20risiko%20for%20this%26nbsp%3B%3CSPAN%3Evulnerabilities%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2183662%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2183662%22%20slang%3D%22en-US%22%3E%3CP%3EMy%20environment%20is%20in%20Hybrid%20mode%2C%203%20node%20DAG%2C%20Exchange%202013%20CU23%20on%20Windows%20Server%202012.%20Before%20attempting%20to%20apply%20the%20patch%20I%20ran%20Windows%20Update%20and%20installed%20all%20available%20updates%2C%20rebooted%2C%20waited%20until%20.Net%20optimization%20was%20done%20(upgraded%20from%20.Net%20Framework%204.7.2%20%26gt%3B%204.8).%20Took%20a%20snapshot%20of%20the%20server%20(thank%20goodness)%2C%20UAC%20is%20disabled%2C%20ran%20the%20update%20from%20an%20elevated%20command%20prompt%2C%20failed%20miserably.%20Update%20program%20would%20only%20stop%20the%20following%20service%3A%20Microsoft%20Exchange%20Search%20Host%20Controller.%20Update%20rolled%20back%20automatically%20and%20stated%20that%20the%20update%20ended%20%22prematurely.%22%20All%20other%20services%20remained%20running.%20Tried%20again%20and%20this%20time%20I%20manually%20stopped%20all%20Exchange%20services%20as%20well%20as%20the%20WWW%20service%20before%20running%20the%20update%20from%20an%20elevated%20command%20prompt...same%20thing.%20Failed.%20Reverted%20snapshot%2C%20tried%20second%20way%20again...fail.%20Reverted%20snapshot%20again%20and%20ran%20the%20update%20through%20via%20Windows%20Update...success!%20These%20security%20updates%20for%20Exchange%20Server%20always%20seem%20to%20be%20a%20crap%20shoot%20whether%20they%20install%20gracefully%20or%20not.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2181577%22%20slang%3D%22en-US%22%3ERe%3A%20Released%3A%20March%202021%20Exchange%20Server%20Security%20Updates%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2181577%22%20slang%3D%22en-US%22%3E%3CP%3ETrying%20to%20update%20our%20Exch%202013%20CU23%20server%2C%20and%20am%20getting%20this%20error.%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3EThis%20upgrade%20patch%20cannot%20be%20installed%20by%20the%20Windows%20Installer%20service%20because%20the%20program%20to%20be%20upgrade%20may%20be%20missing%2C%20or%20the%20upgrade%20patch%20may%20update%20a%20different%20version%20of%20the%20program.%20Verify%20that%20the%20program%20to%20be%20upgraded%20eists%20on%20your%20computer%20and%20that%20your%20have%20the%20correct%20upgrade%20path.%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3EI%20tried%20running%20the%20install%20troubleshooter%2C%20and%20FixMissingMSI%20app%20to%20see%20if%20there%20were%20fixes%20or%20corrupt%20registry%20entries%2C%20no%20dice.%20Any%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Mar 19 2021 01:44 PM
Updated by: