Patch – Webbanshee https://webbanshee.net Your Exchange Server Blog Wed, 28 Apr 2021 10:45:47 +0000 en-US hourly 1 https://webbanshee.net/wp-content/uploads/2017/01/WB_BL_RND-150x150.png Patch – Webbanshee https://webbanshee.net 32 32 122610384 Exchange 2019 CU9 with KB5001779 https://webbanshee.net/exchange-2019-cu9-with-kb5001779/ https://webbanshee.net/exchange-2019-cu9-with-kb5001779/#respond Thu, 22 Apr 2021 05:46:46 +0000 https://webbanshee.net/?p=3974 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

Microsoft released another security update in April for Exchange 2019 CU9 and Exchange 2016 CU20.
KB5001779 can break processes initiated by CMDlets you run from a 3rd party or self-developed application against Exchange.......read more

The post Exchange 2019 CU9 with KB5001779 appeared first on Webbanshee.

]]> h2 {font-weight: bold;text-decoration:none;font-size: 18px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;} h5{margin-bottom: 5px;} .wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;} .wpe-box-alert {background-color:#f9f6d9!important;border: 1px solid #aaa895;text-align: justify;} .wpe-box-error1 {background-color:#ffebe8!important;border: 1px solid #c00;text-align: justify;} .wpe-box-alert ul li {list-style:square;padding-bottom: 10px;} .wpe-box-note99 ul li {list-style:square; padding-bottom:10px;} .entry-content img {border-radius:8px;}

Microsoft released another security update in April for Exchange 2019 CU9 and Exchange 2016 CU20. Here are our experiences on installing Exchange 2019 CU9 with KB5001779. We also installed Exchange 2016 CU20 with KB5001779 on our Exchange 2016 servers.

If you run a mixed environment consisting of Exchange 2019 and Exchange 2016 servers you may want to check the schema requirements before. You can find information on that in my post from March:

Exchange 2019 CU8 and Exchange 2016 CU19.

First, I want to mention installing the CUs went well and smoothly. Updating from Exchange 2019 CU8 and Exchange 2016 CU19 required less time than upgrading from Exchange 2019 CU5 and Exchange 2016 CU16 to the mentioned CUs. Also installing security update KB5001779 took only about 30-40 minutes.

These were the good things. What are the backlashes?

KB5001779 can break processes initiated by CMDlets you run from a 3rd party or self-developed application against Exchange.

To be more specific quoting Microsoft:

After application of the Exchange Server April security update CMDlets executed against the Exchange Management Console using an invoked runspace might fail with the following error message:
The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode.
This behavior is expected; please change any code using .AddScript() to use .AddCommand() for continued compatibility.

This Microsoft article was quite helpful in terms of what to expect:

April 2021 Exchange Server Security Updates

Tasks before installing Exchange 2019 CU9 with KB5001779 and Exchange 2016 CU19 KB5001779:

  • Backup your web.config files where you have modified parameters or have added new keys.

    As we experienced it still only the web.config file in the OWA directory takes over parameters and keys you have modified before. To be safe I recommend backup every web.config file you have ever touched/modified. So you can easily reapply the changes you have made.

  • Disable Check for publisher’s certificate revocation in IE.
  • Make sure you have enough free space on the install drive.
  • Take a look at the supportability matrix if you need to upgrade your .NET version.
  • Check Auth methods on service directories like Powershell, OWA, and ECP and note the output.
  • Switch mailbox databases and put the server in maintenance mode.

Order of install:

  • Install the regular Windows patches ( if necessary )
  • Install Exchange 2019 CU9 or Exchange 2016 CU20
  • Install the April security update KB5001779 from an elevated Command Prompt

Sources:

Exchange 2016 CU20:
Exchange 2019 CU9:

Experiences after installing Exchange 2019 CU9 with KB5001779 and Exchange 2016 CU20 KB5001779:

Cumulative Updates CU9 and CU20:

  • We had mailtips disabled. Mailtips were enabled afterward.

  • The web.config files in the following directories have been overwritten. Changes needed to be reapplied.

    Active Sync – [ We have an increased attachment size ] :

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync

    ECP – [ We have additional keys in place. ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews

    Anyway, I always check the OWA web.config as well:

    OWA – [ We have additional keys in place ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

  • Virtual directories for additional OWA and ECP we have in place needed to be recreated.

  • Problems with KB5001779:

    As mentioned the security update breaks CMDlets you run from an external application against Exchange. For example provisioning mailboxes. Although we have read the Microsoft statements and have tested it we ran into this issue.

    Since building a new release for our front-end application took a little bit more time than a change window grants I uninstalled KB5001779 on that Exchange server that the application uses for provisioning. Our development team has released a Hot-Fix since.

    Here is how to get rid of KB5001779:

    Since our Exchange 2019 servers are Core Servers I could not do it via GUI – Installed Updates. It would have been possible to do it via our management server and the Windows Admin Center. In the end, the local way was more sympathetic to me and I have uninstalled the patch via the uninstall string in the registry. You can find the string here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Micorsoft\Windows\CurrrentVersion\Uninstall\Patch

    Copy the value of the uninstall string and paste it into an elevated command prompt, press enter and follow the uninstall wizard. The process took about 30-40 minutes. If the ISO of the Exchange CU isn’t mounted anymore then you will be asked to insert the Exchange Server source disk. Browse to the required file and continue. Restart the server after the patch has been uninstalled.

In case you need information on other CUs take a look into the CU Archives

… or find a general description here: CU Install Exchange

Stay safe!

The post Exchange 2019 CU9 with KB5001779 appeared first on Webbanshee.

]]> https://webbanshee.net/exchange-2019-cu9-with-kb5001779/feed/ 0 3974 Exchange 2019 CU8 and Exchange 2016 CU19 https://webbanshee.net/exchange-2019-cu8-and-exchange-2016-cu19/ https://webbanshee.net/exchange-2019-cu8-and-exchange-2016-cu19/#respond Thu, 25 Mar 2021 08:12:09 +0000 https://webbanshee.net/?p=3934 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

Exchange 2019 CU8 and Exchange 2016 CU19 install
Altogether our environment consists of Exchange 2016 and Exchange 2019 servers. Read about schema versions and experiences in this post. ......read more

The post Exchange 2019 CU8 and Exchange 2016 CU19 appeared first on Webbanshee.

]]> h2 {font-weight: bold;text-decoration:none;font-size: 18px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;} h5{margin-bottom: 5px;} .wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;} .wpe-box-alert {background-color:#f9f6d9!important;border: 1px solid #aaa895;text-align: justify;} .wpe-box-error1 {background-color:#ffebe8!important;border: 1px solid #c00;text-align: justify;} .wpe-box-alert ul li {list-style:square;padding-bottom: 10px;} .wpe-box-note99 ul li {list-style:square; padding-bottom:10px;} .entry-content img {border-radius:8px;}

Hello fellow Exchange Admins! I know I am late on this. This post is for the records to have all CUs we installed covered. Anyway, we started to install Exchange 2019 CU8 and Exchange 2016 CU19 on the 4th of march straight after the Microsoft out of band session regarding Hafnium.

Altogether our environment consists of Exchange 2016 and Exchange 2019 servers. Therefore we needed to apply the highest schema prior to installing Exchange 2019 CU8 and Exchange 2016 CU19 in this mixed environment.

Accordingly, we ran /prepareschema,/preparead,/preparedomain from an Exchange 2019 server. That was the first server in our environment we upgraded.

In order to determine your current schema version use the commands below:

Forest Range Upper:
Get-ADObject “CN=ms-Exch-Schema-Version-Pt,$((Get-ADRootDSE).schemaNamingContext)” -Property Rangeupper

Forest Object Version:
Get-ADObject (dir “AD:\CN=Microsoft Exchange,CN=Services,$((Get-ADRootDSE).configurationNamingContext)”).DistinguishedName -Property objectVersion

Domain Object Version:
Get-ADObject “CN=Microsoft Exchange System Objects,$((Get-ADRootDSE).defaultNamingContext)” -Property objectVersion

After you have determined your current schema versions check the minimum schema version required to install Exchange 2019 CU8 or Exchange 2016 CU19 from this handy list on eightwone.com.

Tasks before installing Exchange 2019 CU8 and Exchange 2016 CU19:

  • Backup your web.config files where you have modified parameters or have added new keys.

    As we experienced it still only the web.config file in the OWA directory takes over parameters and keys you have modified before. To be safe I recommend backup every web.config file you have ever touched/modified. So you can easily reapply the changes you have made.

  • Disable Check for publisher’s certificate revocation in IE.
  • Make sure you have enough free space on the install drive.
  • Take a look at the supportability matrix if you need to upgrade your .NET version.
  • Check Auth methods on service directories like Powershell, OWA, and ECP and note the output.
  • Switch mailbox databases and put the server in maintenance mode.

Order of install:

  • Install the regular Windows patches ( if necessary )
  • Install Exchange 2019 CU8 or Exchange 2016 CU19
  • Install the Hafnium patch KB5000871 from an elevated Command Prompt

Sources:

Experiences after Exchange 2019 CU8 and Exchange 2016 CU19 has been installed:

  • We had mailtips disabled. Mailtips were enabled afterward.

  • The web.config files in the following directories have been overwritten. Changes needed to be reapplied.

    Active Sync – [ We have an increased attachment size ] :

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync

    ECP – [ We have additional keys in place. ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews

    Anyway, I always check the OWA web.config as well:

    OWA – [ We have additional keys in place ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

  • Virtual directories for additional OWA and ECP we have in place needed to be recreated.

  • Problems with Exchange 2019 CU8 and Exchange 2016 CU19:

    As mentioned above we started to upgrade our Exchange 2019 servers first. After the first server was upgraded customers reported that delegated users lost their access rights on shared mailboxes. This was a minor issue since only a few customers were affected and could be solved by reapplying those access rights.

    Another issue that started after we had the CU in place was time-outs from a 3rd party archiving software. Nothing fatally critical but from time to time some mailboxes could not be archived because the process ran into a time out. On the next run, those mailboxes were archived but new ones ran into a time-out.

    However, in the event log of the patched servers, we could find the event IDs Microsoft mentions in this article. Microsoft states that upgrading to Exchange 2019 CU9 will solve the problem.
    As soon as we upgrade to Exchange 2019 CU9 I will update this post.

 

In case you need information on other CUs take a look into the CU Archives

… or find a general description here: CU Install Exchange

Stay safe!
 

The post Exchange 2019 CU8 and Exchange 2016 CU19 appeared first on Webbanshee.

]]> https://webbanshee.net/exchange-2019-cu8-and-exchange-2016-cu19/feed/ 0 3934 CU14 Exchange 2016 and KB4536987 https://webbanshee.net/cu14-exchange-2016/ https://webbanshee.net/cu14-exchange-2016/#comments Sat, 15 Feb 2020 09:22:28 +0000 https://webbanshee.net/?p=3327 CU14 Exchange 2016 is compatible with .NET versions 4.7.2 and 4.8. It comes with a vulnerability where Microsoft released KB4536987.
See how it went......read more

The post CU14 Exchange 2016 and KB4536987 appeared first on Webbanshee.

]]> h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;} h5{margin-bottom: 5px;} .wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;} .wpe-box-alert {background-color:#f9f6d9!important;border: 1px solid #aaa895;text-align: justify;} .wpe-box-error1 {background-color:#ffebe8!important;border: 1px solid #c00;text-align: justify;} .wpe-box-alert ul li {list-style:square;padding-bottom: 10px;} .wpe-box-note3 ul li {list-style:square; padding-bottom:10px;} .embedly-card-hug {background: #fefefe;}

We are currently upgrading our Exchange 2016 servers to CU14 Exchange 2016 and started to install CU14 on servers that host only relayed copies.

CU14 Exchange 2016 is a bridge CU. It is compatible with .NET 4.7.2 and compatible with .NET 4.8 as well. You can upgrade from .Net 4.7.2 to .Net 4.8 after you have CU14 Exchange 2016 in place.

CU14 ( and CU15 ) both come with a vulnerability for which Microsoft released a patch in February.
The patch is classified important and should be installed after CU14 has been installed.

You can read more about the mentioned vulnerability and download the patch from Microsoft here.

Tasks before installing CU14 Exchange 2016:

  • Backup your web.config files where you have modified parameters or have added new keys.

    As we experienced it still only the web.config file in the OWA directory takes over parameters and keys you have modified before. To be safe I recommend backup every web.config file you have ever touched/modified. So you can easily reapply the changes you have made.

  • Disable Check for publisher’s certificate revocation in IE.
  • Make sure you have enough free space on the install drive.
    I noticed from 2010 and 2013 times a recommendation for at least 10GB of free space.
  • Take a look at the supportability matrix if you plan to upgrade to .NET 4.8
  • Check Auth methods on service directories like Powershell, OWA, and ECP and note the output.
  • Switch mailbox databases and put the server in maintenance mode.

Order of install:

  • Install the regular Windows patches ( if necessary )
  • Install CU14 Exchange 2016
  • Install patch KB4536987 for Exchange Server 2016 CU14 from an elevated Command Prompt

The CU installation itself took between 2 and 3 hours on the servers in our environment.

Experiences after CU14 Exchange 2016 has been installed:

  • We had mailtips disabled. Mailtips were enabled afterward.
  • To go for sure we checked the Authentication methods on the Virtual Directories again and validated them against the output we made before. All fine.
  • The web.config files in the following directories have been overwritten. Changes needed to be reapplied.

    Active Sync – [ We have an increased attachment size ] :

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync

    ECP – [ We have additional keys in place. ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews

    Anyway, I always check the OWA web.config as well:

    OWA – [ We have additional keys in place ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

  • Virtual directories for additional OWA and ECP needed to be recreated.

Experiences vulnerability patch KB4536987:

After the install and restart it happened on some servers that the content index state on relayed copies was and stayed in status failed.

The following command displayed the cause:

Get-MailboxDatabaseCopyStatus -Server Servername | fl Identity, ContentIndexErrorMessage

Output:

ContentIndexErrorMessage:
The Microsoft Exchange Search Host Controller Service is not running on server Servername

After restarting the Microsoft Exchange Search Host Controller Service the ContentIndexState went back to AutoSuspend.

It took about 45 – 60 minutes to install the patch.

Update
The following subreddit gave me a hint. Thx! No problems appeared on servers where the patch has been installed through an elevated Command Prompt.

Anyone installed KB4536987 yet? from exchangeserver

Start the patch from an elevated Command Prompt.
 
Update
After installing KB4536987 on the last of our servers one of the mailbox database copies switched to failed and suspended and could not be resumed. A reseed failed with:

Error: The Microsoft Exchange Replication service encountered an unexpected error in log replay for database ‘DBName\ServerName’. Error MapiExceptionDatabaseError: LogReplayRequest rpc failed.

The cause was once again the Microsoft Exchange Search Host Controller Service. We installed KB4536987 through an elevated command prompt. The service was in a running state after the patch has been installed. So we restarted the service. After that, we were able to reseed the copy.

Good Luck!
 
A general description how to install a Cumulative Update on Exchange 2016 can be found here:
 
Install CU Exchange 2016

The post CU14 Exchange 2016 and KB4536987 appeared first on Webbanshee.

]]> https://webbanshee.net/cu14-exchange-2016/feed/ 3 3327