[German]Addendum from the August 2023 patchday, which caused issues for administrators of Microsoft Exchange 2016/2019. On non-English systems the installation failed and the Exchange server was partially dead afterwards. I had warned here my German users in my articles and Microsoft withdrew the security updates August 2023 for Exchange. Now Microsoft has published a support article with a workaround for these problems.
August 2023 SU install issues
In in my blog post Exchange Server Security Updates (August 8, 2023) I pointed out that users in Germany had massive problems installing the August 2023 security updates for Exchange 2016/2019. Administrators of non-English Exchange installations ran into installation errors (e.g. 0x80070643 or 1603) when installing the August 2023 security updates. As of August 9, 2023, Microsoft then withdrew the update and recommended to roll back the installation:
We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update last night. If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information. Update: Please see Known Issues below for more information.
see the hints in the Techcommunity post Released: August 2023 Exchange Server Security Updates and in my German blog post Desaster Exchange August 2023-Sicherheitsupdate – nicht installieren!.
There is a workaround
Microsoft then published a support article titled Exchange Server 2019 and 2016 August 2023 security update installation fails on non-English operating systems (thanks to Stefan A for the comment). Regarding the issues, Microsoft confirms the observations of my German blog readers:
When the Microsoft Exchange Server 2019 or 2016 August 2023 security update (SU) is installed on a Windows Server-based device running a non-English operating system version, the setup suddenly stops and the changes are rolled back. However, the Exchange Server services remain in a disabled state.
What is interesting is the root cause behind this behavior, as Microsoft states a localization issue in the Exchange Server August 2023 SU installer that causes these installation issues when it is a non-English Windows Server system running Exchange. My interpretation is that an AD user Network Service cannot be created.
To successfully install the August 2023 updates, Microsoft suggests the following steps for affected administrators. If an attempt has already been made to install the SU, reset the service status before running the setup again. This can be done with a PowerShell script that must be run with the following steps in the PowerShell console with administrator privileges:
- Change to the following directory: \Exchange Server\V15\Bin.
- FRun the following script .\ServiceControl.ps1 AfterPatch aus .
Restart the Windows server and create afterward the missing Active Directory (AD) account manually. For this purpose, Microsoft specifies to execute the following command:
New-ADUser -Name "Network Service" -SurName "Network" -GivenName "Service" -DisplayName "Network Service" -Description "Dummy user to work around the Exchange August SU issue" -UserPrincipalName "Network Service@$((Get-ADForest).RootDomain)"
Then wait for the AD replication (up to 15 minutes). After that, the installation of the Exchange Server security update can be restarted. The installation should now run successfully, Microsoft promises at least. After the installation the following commands have to be executed.
$acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server" $rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0) $acl.SetAccessRule($rule) Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server" -AclObject $acl
In Microsoft's support post, the above script is not executable in the $rule line because the closing parenthesis is missing – I've added the missing ) in the above code.
The Exchange server must then be restarted to complete the installation. After the successful installation of the security update on the Exchange server, the above manually created AD account can be deleted again.
Cookies helps to fund this blog: Cookie settings