CU14 Exchange 2016 and KB4536987


We are currently upgrading our Exchange 2016 servers to CU14 Exchange 2016 and started to install CU14 on servers that host only relayed copies.

CU14 Exchange 2016 is a bridge CU. It is compatible with both .NET 4.7.2 and .NET 4.8. You can upgrade from .NET 4.7.2 to .NET 4.8 after you have CU14 Exchange 2016 in place.

CU14 (and CU15) both come with a vulnerability for which Microsoft released a patch in February.
The patch is classified important and should be installed after CU14 has been installed.

You can read more about the mentioned vulnerability and download the patch from Microsoft here.

Tasks before installing CU14 Exchange 2016:

  • Backup your web.config files where you have modified parameters or have added new keys.

    In our experience, still only the web.config file in the OWA directory carries over parameters and keys you have modified before. To be safe, I recommend backing up every web.config file you have ever touched or modified, so you can easily reapply the changes you have made.

  • Disable Check for publisher’s certificate revocation in IE.
  • Make sure you have enough free space on the install drive.
    From Exchange 2010 and 2013 times I noticed a recommendation of at least 10 GB of free space.
  • Take a look at the supportability matrix if you plan to upgrade to .NET 4.8
  • Check Auth methods on service directories like Powershell, OWA, and ECP and note the output.
  • Switch mailbox databases and put the server in maintenance mode.

Order of install:

  • Install the regular Windows patches (if necessary)
  • Install CU14 Exchange 2016
  • Install patch KB4536987 for Exchange Server 2016 CU14 from an elevated Command Prompt

The CU installation itself took between 2 and 3 hours on the servers in our environment.

Experiences after CU14 Exchange 2016 has been installed:

  • We had MailTips disabled. MailTips were enabled afterward.
  • To be sure, we checked the authentication methods on the virtual directories again and validated them against the output we had noted before. All fine.
  • The web.config files in the following directories have been overwritten. Changes needed to be reapplied.

    Active Sync – [ We have an increased attachment size ] :

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync

    ECP – [ We have additional keys in place. ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews

    Anyway, I always check the OWA web.config as well:

    OWA – [ We have additional keys in place ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

  • Virtual directories for additional OWA and ECP needed to be recreated.
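
One way to script the baseline tasks from the pre-install list (back up web.config files, note the authentication methods) and the comparison after the CU, as an added example that is not part of the original post. It assumes the Exchange Management Shell on the server being upgraded; the folder C:\PreCU14 and the function names are hypothetical.

```powershell
# Added example. Run in an elevated Exchange Management Shell on the server.
$Baseline = 'C:\PreCU14'               # assumed baseline folder (hypothetical)
$ExRoot   = $env:ExchangeInstallPath   # ...\Exchange Server\V15\

function Get-VDirAuthSnapshot {
    # Flatten auth settings of the PowerShell, OWA and ECP virtual directories.
    $cmdlets = 'Get-PowerShellVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-EcpVirtualDirectory'
    foreach ($c in $cmdlets) {
        & $c -Server $env:COMPUTERNAME | ForEach-Object {
            [pscustomobject]@{
                Identity = [string]$_.Identity
                Basic    = [string]$_.BasicAuthentication
                Windows  = [string]$_.WindowsAuthentication
                Forms    = [string]$_.FormsAuthentication   # empty for PowerShell vdir
                Internal = $_.InternalAuthenticationMethods -join ','
                External = $_.ExternalAuthenticationMethods -join ','
            }
        }
    }
}

function Save-PreCuBaseline {
    New-Item -ItemType Directory -Path $Baseline -Force | Out-Null
    Get-VDirAuthSnapshot | Export-Clixml (Join-Path $Baseline 'vdir-auth.xml')
    # Copy every web.config, keeping its relative path, and record its hash.
    Get-ChildItem $ExRoot -Recurse -Filter web.config -File | ForEach-Object {
        $rel  = $_.FullName.Substring($ExRoot.Length).TrimStart('\')
        $dest = Join-Path $Baseline "webconfig\$rel"
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $dest -Force
        Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
    } | Select-Object Path, Hash |
        Export-Csv (Join-Path $Baseline 'webconfig-hashes.csv') -NoTypeInformation
}

function Compare-PostCuBaseline {
    $props  = 'Identity', 'Basic', 'Windows', 'Forms', 'Internal', 'External'
    $before = @(Import-Clixml (Join-Path $Baseline 'vdir-auth.xml'))
    [pscustomobject]@{
        # Rows here are virtual directories whose auth settings changed or vanished.
        AuthDifferences   = Compare-Object $before @(Get-VDirAuthSnapshot) -Property $props
        # web.config files that setup replaced, changed or removed.
        ChangedWebConfigs = Import-Csv (Join-Path $Baseline 'webconfig-hashes.csv') |
            Where-Object { -not (Test-Path -LiteralPath $_.Path) -or
                (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash -ne $_.Hash } |
            Select-Object -ExpandProperty Path
    }
}
```

Call Save-PreCuBaseline before the upgrade and Compare-PostCuBaseline after the CU and the patch are installed. The copies under C:\PreCU14\webconfig are the source for reapplying custom keys to any file listed in ChangedWebConfigs.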

Experiences with vulnerability patch KB4536987:

After the install and restart, on some servers the content index state on relayed copies was, and stayed, in status failed.

The following command displayed the cause:

Get-MailboxDatabaseCopyStatus -Server Servername | fl Identity, ContentIndexErrorMessage

Output:

ContentIndexErrorMessage:
The Microsoft Exchange Search Host Controller Service is not running on server Servername

After restarting the Microsoft Exchange Search Host Controller Service the ContentIndexState went back to AutoSuspend.

It took about 45 – 60 minutes to install the patch.

Update
The following subreddit gave me a hint. Thx! No problems appeared on servers where the patch had been installed through an elevated Command Prompt.

Reddit thread: "Anyone installed KB4536987 yet?" (r/exchangeserver)

Start the patch from an elevated Command Prompt.
 
Update
After installing KB4536987 on the last of our servers, one of the mailbox database copies switched to failed and suspended and could not be resumed. A reseed failed with:

Error: The Microsoft Exchange Replication service encountered an unexpected error in log replay for database ‘DBName\ServerName’. Error MapiExceptionDatabaseError: LogReplayRequest rpc failed.

The cause was once again the Microsoft Exchange Search Host Controller Service. We installed KB4536987 through an elevated command prompt. The service was in a running state after the patch had been installed. So we restarted the service. After that, we were able to reseed the copy.

Good Luck!
 
A general description of how to install a Cumulative Update on Exchange 2016 can be found here:
 
Install CU Exchange 2016

3 thoughts on “CU14 Exchange 2016 and KB4536987”

  1. Anyone have any experience installing this update in a hybrid exchange/o365 scenario? Just wondering if any additional steps are necessary either before or after install, or if it’s even safe to install.

  2. I installed CU 15 first and it went successfully.
    However, the security update installation failed and rolled back the installation. But my Exchange server is down now. Exchange services are not starting.

    Event code: 3008
    Event message: A configuration error has occurred.
    Event time: 3/14/2020 6:04:08 PM
    Event time (UTC): 3/14/2020 3:04:08 PM
    Event ID: 29461c9a52cc469eaf7ffedc30688c4c
    Event sequence: 1
    Event occurrence: 1
    Event detail code: 0

    Application information:
    Application domain: /LM/W3SVC/1/ROOT/EWS-58-132286718480736892
    Trust level: Full
    Application Virtual Path: /EWS
    Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS\

    Same error for other directories also.

    Any idea how to roll back? Tried to copy back web.config, but no luck.

    Regards

    1. Hi Thomas,

      SharedWebConfig.config under C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ could be missing.

      I have checked the web.config file on one of our servers under:
       
      C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS and there is a link back to the SharedWebConfig file in HttpProxy:

      Within the Assembly Bindings key:

      I found this Microsoft description on how to generate the missing file:

      https://support.microsoft.com/en-us/help/3099532/event-id-1309-and-you-can-t-access-owa-and-ecp-after-you-install-excha

      Hopefully, this helps.

      Regards
      Sam
