A brief note for administrators running Exchange Server 2013 or 2016: I just came across a forum post reporting installation errors, with some nasty consequences, for security update KB4340731.
Cumulative security update KB4340731, released on August 14, 2018, is available for Microsoft Exchange Server 2013 and 2016. According to the KB article, it fixes two vulnerabilities:
- Microsoft Common Vulnerabilities and Exposures CVE-2018-8302
- Microsoft Common Vulnerabilities and Exposures CVE-2018-8374
On the German site administrator.de, an administrator reported his experience installing this update on Exchange Server 2016 CU9. Update KB4340731 was installed automatically via Windows Update and caused an installation error on that machine. As a result, the package was of course not installed.
The administrator wrote that this machine had never had update issues, which is why Windows Update was set to download and install updates immediately.
The reason is that the update package requires administrative permissions for installation, but does not request them from Windows or from the user (in the case of a manual installation from a download). This is a known issue described in the KB article:
When you try to manually install this security update in “normal mode” (not running the update as an administrator) and by double-clicking the update file (.msp), some files are not correctly updated. When this issue occurs, you do not receive an error message or any indication that the security update is not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update does not correctly stop certain Exchange-related services.
To avoid this issue, run the security update in elevated mode, as an administrator. To do this, right-click the update file, and then click Run as administrator.
That would not normally be a problem, but the update installer seems to stop and disable all Exchange services before installation. Since the installation failed, the services were not restarted afterwards.
I also found the discussion in the thread interesting. Some users have had almost identical issues with the Exchange 2010 SP3 Rollup 23 update. A script to reactivate the inactive services after an update is also presented in the thread. During the discussion, however, it was pointed out that not all services could always be activated. Maybe this helps an admin working in this area, or serves as a small warning.
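One way to guard against the disabled-services situation described above is to record the service configuration before patching and restore it afterwards. The following is an added example, not the script from the administrator.de thread and not Microsoft's code. The service list in `$filter` and the snapshot path are assumptions to adjust per server.

```powershell
# Added example; not the script from the administrator.de thread.
# Assumptions: the service list in $filter and the snapshot path are hypothetical.
param(
    [ValidateSet('Snapshot', 'Restore')]
    [string]$Mode = 'Snapshot',
    [string]$Path = 'C:\Temp\exchange-services.csv'
)

# The KB's known issue: the .msp must run elevated, so refuse to work otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Session is not elevated. Start PowerShell with "Run as administrator".'
}

# Exchange services plus the IIS services OWA/ECP rely on (assumed list, adjust per server).
$filter  = "Name LIKE 'MSExchange%' OR Name='W3SVC' OR Name='IISADMIN' OR Name='WAS'"
$current = @(Get-CimInstance -ClassName Win32_Service -Filter $filter)

if ($Mode -eq 'Snapshot') {
    # Run before patching: record start mode and state of every matching service.
    $current | Select-Object Name, StartMode, State |
        Export-Csv -Path $Path -NoTypeInformation
    "Saved $($current.Count) services to $Path"
    return
}

# Run after patching. Pass 1: put back every start mode that changed.
$saved = @(Import-Csv -Path $Path)
foreach ($s in $saved) {
    $now = $current | Where-Object { $_.Name -eq $s.Name }
    if (-not $now) { Write-Warning "$($s.Name): no longer present"; continue }
    if ($now.StartMode -ne $s.StartMode) {
        # Win32_Service reports 'Auto'; Set-Service expects 'Automatic'.
        $type = if ($s.StartMode -eq 'Auto') { 'Automatic' } else { $s.StartMode }
        Set-Service -Name $s.Name -StartupType $type
        "$($s.Name): start mode $($now.StartMode) -> $($s.StartMode)"
    }
}

# Pass 2: start what was running before; report anything that will not come back.
foreach ($s in ($saved | Where-Object { $_.State -eq 'Running' })) {
    $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -eq 'Running') { continue }
    try   { Start-Service -Name $s.Name -ErrorAction Stop; "$($s.Name): started" }
    catch { Write-Warning "$($s.Name): could not start: $($_.Exception.Message)" }
}
```

Run it with `-Mode Snapshot` before the update and `-Mode Restore` after it. Any warnings from the second pass list the services that still need manual attention.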