Exchange 2019 CU9 with KB5001779

Microsoft released another security update in April for Exchange 2019 CU9 and Exchange 2016 CU20. Here are our experiences on installing Exchange 2019 CU9 with KB5001779. We also installed Exchange 2016 CU20 with KB5001779 on our Exchange 2016 servers.

If you run a mixed environment consisting of Exchange 2019 and Exchange 2016 servers, you may want to check the schema requirements beforehand. You can find information on that in my post from March:

Exchange 2019 CU8 and Exchange 2016 CU19.

First, I want to mention that installing the CUs went smoothly. Updating from Exchange 2019 CU8 and Exchange 2016 CU19 required less time than upgrading from Exchange 2019 CU5 and Exchange 2016 CU16 to the mentioned CUs. Also, installing security update KB5001779 took only about 30-40 minutes.

These were the good things. What are the drawbacks?

KB5001779 can break processes initiated by cmdlets that you run against Exchange from a third-party or self-developed application.

To be more specific, quoting Microsoft:

After application of the Exchange Server April security update CMDlets executed against the Exchange Management Console using an invoked runspace might fail with the following error message:
The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode.
This behavior is expected; please change any code using .AddScript() to use .AddCommand() for continued compatibility.

This Microsoft article was quite helpful in terms of what to expect:

April 2021 Exchange Server Security Updates
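
The `.AddScript()` to `.AddCommand()` change that Microsoft describes, as an added example (not code from the original post or from Microsoft). It is written in PowerShell against the same `System.Management.Automation.PowerShell` class a .NET application would call; the server name, mailbox identity and database name are constructed placeholders.

```powershell
# Added example: host, identity and database below are constructed placeholders.
function New-ExchangeRunspace {
    param([string]$Server, [pscredential]$Credential)
    $info = [System.Management.Automation.Runspaces.WSManConnectionInfo]::new(
        [Uri]"http://$Server/PowerShell/",
        'http://schemas.microsoft.com/powershell/Microsoft.Exchange',
        $Credential)
    $info.AuthenticationMechanism = 'Kerberos'
    $rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace($info)
    $rs.Open()
    $rs
}

function Invoke-ExchangeCommand {
    param(
        [System.Management.Automation.Runspaces.Runspace]$Runspace,
        [string]$Command,
        [hashtable]$Parameters = @{}
    )
    $ps = [powershell]::Create()
    try {
        $ps.Runspace = $Runspace
        # AddCommand sends a command name plus bound parameters. No script text
        # is parsed on the server, so it works on a no-language-mode endpoint,
        # and parameter values are passed as data rather than spliced into code.
        [void]$ps.AddCommand($Command)
        foreach ($name in $Parameters.Keys) {
            [void]$ps.AddParameter($name, $Parameters[$name])
        }
        $result = $ps.Invoke()
        if ($ps.Streams.Error.Count -gt 0) { throw $ps.Streams.Error[0].Exception }
        $result
    }
    finally { $ps.Dispose() }
}

$rs = New-ExchangeRunspace -Server 'exch01.example.test' -Credential (Get-Credential)
try {
    # Before: the pattern KB5001779 can break with
    # "The syntax is not supported by this runspace":
    #   $ps.AddScript("Enable-Mailbox -Identity '$user' -Database '$db'")
    # After: the same provisioning call expressed as command + parameters.
    Invoke-ExchangeCommand -Runspace $rs -Command 'Enable-Mailbox' -Parameters @{
        Identity = 'jdoe@example.test'
        Database = 'DB01'
    }
}
finally { $rs.Dispose() }
```

Scripts that relied on pipes or variables inside the script text have to be rebuilt as separate command invocations, since a no-language runspace accepts commands but not script syntax.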

Tasks before installing Exchange 2019 CU9 with KB5001779 and Exchange 2016 CU19 KB5001779:

  • Back up your web.config files where you have modified parameters or have added new keys.

    In our experience, still only the web.config file in the OWA directory carries over the parameters and keys you modified before. To be safe, I recommend backing up every web.config file you have ever touched or modified, so you can easily reapply the changes you have made.

  • Disable Check for publisher’s certificate revocation in IE.
  • Make sure you have enough free space on the install drive.
  • Take a look at the supportability matrix if you need to upgrade your .NET version.
  • Check Auth methods on service directories like PowerShell, OWA, and ECP and note the output.
  • Switch mailbox databases and put the server in maintenance mode.
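
One way to script the web.config backup and the authentication-method note from the list above, as an added example (not from the original post). The backup location and server name are assumptions; the install path is the one this page shows, and the virtual-directory cmdlets must be run in the Exchange Management Shell.

```powershell
# Added example. $BackupRoot and the server name are assumed values.
$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'
$BackupRoot   = 'D:\PreCU\{0:yyyyMMdd-HHmm}' -f (Get-Date)

function Save-WebConfigBaseline {
    param([string]$Root, [string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $baseline = Get-ChildItem -Path $Root -Filter web.config -Recurse -File |
        ForEach-Object {
            # Keep the relative path so same-named files do not overwrite each other
            $relative = $_.FullName.Substring($Root.Length).TrimStart('\')
            $target   = Join-Path $Destination $relative
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $target
            [pscustomobject]@{
                Path   = $_.FullName
                Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    $baseline | Export-Csv -Path (Join-Path $Destination 'webconfig-baseline.csv') -NoTypeInformation
}

function Compare-WebConfigBaseline {
    # Run after the CU: lists every web.config that was replaced or removed
    param([string]$BaselineCsv)
    foreach ($row in Import-Csv -Path $BaselineCsv) {
        $current = $null
        if (Test-Path -LiteralPath $row.Path) {
            $current = (Get-FileHash -LiteralPath $row.Path -Algorithm SHA256).Hash
        }
        if ($current -ne $row.Sha256) {
            $state = 'Changed'
            if (-not $current) { $state = 'Missing' }
            [pscustomobject]@{ Path = $row.Path; State = $state }
        }
    }
}

function Save-AuthMethodSnapshot {
    param([string]$Server, [string]$Destination)
    $vdirs = @(
        Get-OwaVirtualDirectory -Server $Server
        Get-EcpVirtualDirectory -Server $Server
        Get-PowerShellVirtualDirectory -Server $Server
    )
    $vdirs | Select-Object Identity, *Authentication* |
        Export-Clixml -Path (Join-Path $Destination 'vdir-auth.xml')
}

Save-WebConfigBaseline -Root $ExchangeRoot -Destination $BackupRoot
Save-AuthMethodSnapshot -Server $env:COMPUTERNAME -Destination $BackupRoot
```

After the CU, `Compare-WebConfigBaseline` with the saved CSV shows which files need their changes reapplied from the copies in the backup folder.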

Order of install:

  • Install the regular Windows patches (if necessary)
  • Install Exchange 2019 CU9 or Exchange 2016 CU20
  • Install the April security update KB5001779 from an elevated Command Prompt

Experiences after installing Exchange 2019 CU9 with KB5001779 and Exchange 2016 CU20 KB5001779:

Cumulative Updates CU9 and CU20:

  • We had MailTips disabled. MailTips were enabled afterward.
  • The web.config files in the following directories have been overwritten. Changes needed to be reapplied.

    ActiveSync – [ We have an increased attachment size ] :

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync

    ECP – [ We have additional keys in place. ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews

    Anyway, I always check the OWA web.config as well:

    OWA – [ We have additional keys in place ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

  • Virtual directories for additional OWA and ECP we have in place needed to be recreated.
  • Problems with KB5001779:

    As mentioned, the security update breaks cmdlets you run from an external application against Exchange, for example provisioning mailboxes. Although we had read the Microsoft statements and tested it, we ran into this issue.

    Since building a new release for our front-end application took a little more time than a change window grants, I uninstalled KB5001779 on the Exchange server that the application uses for provisioning. Our development team has since released a hotfix.

    Here is how to get rid of KB5001779:

    Since our Exchange 2019 servers are Core servers, I could not do it via the GUI (Installed Updates). It would have been possible to do it via our management server and the Windows Admin Center. In the end, I preferred the local way and uninstalled the patch via the uninstall string in the registry. You can find the string here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Patch

    Copy the value of the uninstall string, paste it into an elevated command prompt, press Enter, and follow the uninstall wizard. The process took about 30-40 minutes. If the ISO of the Exchange CU isn’t mounted anymore, you will be asked to insert the Exchange Server source disk. Browse to the required file and continue. Restart the server after the patch has been uninstalled.

In case you need information on other CUs, take a look at the CU Archives

… or find a general description here: CU Install Exchange

Stay safe!
