The security updates for Microsoft Exchange released on April 13, 2021 were installable without problems for most users. However, there were isolated reports of problems, which I briefly summarize here.
An overview of these security updates and the reason for patching can be found in the blog post Exchange Server Security Update KB5001779 (April 13, 2021). On Frank Zöchling’s German blog, a user asked what happens when Exchange Server 2016 with CU 19 is installed and CU 20 is installed a few days later. He wondered whether the security update has to be installed again with CU 20. In this scenario, the recommendation is that the administrator make sure the April 2021 security updates are still installed after the CU 20 installation, or install them again (CU 20 doesn’t include the patches).
No patches for older CUs
In case anyone is hoping that Microsoft will release security updates for older CUs that have fallen out of support, like they did in March 2021: That won’t be the case. Blog reader Marc posted Microsoft’s response here.
Is Microsoft planning to release April 2021 security updates for older (unsupported) versions of Exchange CUs?
No, we have no plans to release the April 2021 security updates for older or unsupported CUs.
Pwn2Own 2021 vulnerabilities not closed
At this point a short note. In the blog post PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight? I had already given the hint that some vulnerabilities in Exchange could be exploited at the Pwn2Own 2021 hacker conference. However, my assumption that these vulnerabilities will be closed as part of a special update on April 13, 2021 is incorrect.
The RCE vulnerabilities CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 were reported by the National Security Agency (NSA). Therefore, I expect that another security update for Exchange Server should be coming no later than May 2021.
Reported update issues
The majority of blog readers who have provided feedback report no issues related to the installation of the security updates listed in the blog post Exchange Server Security Update KB5001779 (April 13, 2021). Here is a listing of isolated issues that have been observed.
Error with PRTG Database Sensors
The sensor was able to connect to the device using Remote PowerShell but could not retrieve access to Remote Exchange Management Shell. Ensure that remote management is enabled on the Exchange Server and the user has sufficient rights.
In the meantime, the vendor Paessler is investigating this issue, and blog reader Roman got back to us with the following response from the vendor.
Unfortunately, several customers have reported exactly this behavior after the Exchange update. In software development, it is unfortunately sometimes the case that one manufacturer (in this case Microsoft) changes something and others then have to follow suit.
We have to analyze the problem and I hope that my colleagues from development can offer a hotfix soon. This also means that, unfortunately, I can’t offer you a quick solution at the moment and ask for your patience.
With kind regards,
It is likely that there will be a fix from the vendor that will allow access to the sensors again. If anyone knows anything more, feel free to post the information as a comment. Initial feedback from German readers is that they are testing a fix in advance and that PRTG works again.
Timestamp on mails wrong
I got feedback via Facebook (I pulled this out) that the timestamps of incoming mails have an incorrect time:
Updates went through. 2019 with no issues. The 2016 Exchange was not operational after reboot, reported HTTP 500 error. But after another restart it is ready again but all incoming mails have only the time 03:39. What went wrong again?
In the meantime, another person with the same problem has reported in the German blog.
Visual Studio Just-In-Time Debugger Error
User Gernot has reported on Frank Zöchling’s German site that a debugger error occurred when installing the security update on Exchange 2016 CU 19 via Windows Update:
An unhandled Microsoft .net Framework Exception occured in w3wp.exe
The error dialog was dismissed via the No button, and a restart supposedly shows that the updates have been installed.
Note: In the comments at Franky I found this entry. The check script eomt.ps1, used to test for the March 2021 Hafnium vulnerabilities, does not seem to take the April 2021 security patch into account and provides incorrect information.
OWA and Exchange Control Panel (ECP) broken
On Franky’s blog there is this comment from Tom, who reports that on Exchange Server 2019 CU 9 the Exchange Control Panel is broken while OWA is still working. This seems to be an isolated case. Here I refer to my blog post Exchange isues with ECP/OWA search after installing security update (March 2021), where there are some hints.
German user Marcel writes in this comment on Franky’s blog that both ECP and OWA stopped running on an Exchange 2016 CU20. The cause was missing data in directories. The user gives hints on how he was able to fix this.
Exchange services disabled
Another user, Thinky, posted this comment on Franky’s German blog and reported problems with Exchange services:
On a customer server (Server 2012R2, Exchange 2013 CU23, latest updates on it), the installation via Windows Updates aborted. Exchange services were then disabled.
Solution: Set all services back to automatic, restarted the system, downloaded and executed the update (cmd as admin!). Then it ran flawlessly.
User Tom confirms in the comments on Franky’s blog that services failed on two installations.
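The recovery step Thinky describes (re-enabling the services before re-running the update from an elevated prompt) can be checked with a short script. This is an added PowerShell example, not part of the original post or the reader comments; the list of extra service names and the set of services treated as Manual by default are assumptions to adjust for the roles installed on the server.

```powershell
# Added example: list Exchange-related services left Disabled after an aborted
# security update and, with -Fix, restore their start mode.
# Run from an elevated PowerShell session on the Exchange server.
[CmdletBinding()]
param(
    [switch]$Fix   # without -Fix the script only reports and changes nothing
)

# Assumption: besides MSExchange*, these services belong to the Exchange/IIS
# stack on this server. Adjust the list as needed.
$extraNames = 'HostControllerService', 'FMS', 'W3SVC', 'IISAdmin', 'WAS'

# Assumption: IMAP4/POP3 are Manual on a standard install, so they are not
# forced to Automatic. Remove entries here if you run these protocols.
$manualByDefault = 'MSExchangeIMAP4', 'MSExchangeIMAP4BE',
                   'MSExchangePOP3', 'MSExchangePOP3BE'

# Win32_Service.StartMode is available on older PowerShell versions too,
# unlike the StartType property of Get-Service.
$disabled = Get-CimInstance -ClassName Win32_Service | Where-Object {
    ($_.Name -like 'MSExchange*' -or $extraNames -contains $_.Name) -and
    $_.StartMode -eq 'Disabled'
}

if (-not $disabled) {
    Write-Output 'No disabled Exchange-related services found.'
    return
}

foreach ($svc in $disabled) {
    $target = if ($manualByDefault -contains $svc.Name) { 'Manual' } else { 'Automatic' }
    if ($Fix) {
        Set-Service -Name $svc.Name -StartupType $target
    }
    # One row per affected service, so the result can be reviewed or exported.
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        TargetMode  = $target
        Changed     = [bool]$Fix
    }
}
```

Run it once without `-Fix` to review the affected services, then with `-Fix`, restart the server and install the downloaded update from an elevated command prompt as described in the comment.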
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Server Security Update KB5001779 (April 13, 2021)
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?