Microsoft has pulled Microsoft Exchange Server’s August security updates from Windows Update after finding they break Exchange on non-English installs.
On August 8th, Microsoft released new Exchange Server security updates during the August 2023 Patch Tuesday.
These security updates fix six vulnerabilities, including four remote code execution flaws, one elevation of privileges flaw, and a spoofing vulnerability that can be used to conduct an NTLM Relay Attack.
However, after Microsoft Exchange admins began installing the new updates on non-English servers, they found that the Exchange Windows services were no longer starting.
“Apparently the update cannot be successfully installed on operating systems and Exchange servers in German,” warned IT architect Frank Zoechling.
“The setup fails with the error code 1603 and leaves a faulty Exchange installation. Users of Exchange servers and operating systems in German should therefore not install the update for the time being.”
Microsoft has since updated the August 2023 Exchange Server Security Updates bulletin, warning admins that they temporarily removed the update from Windows and Microsoft Update while they investigate the issue.
“We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update,” explains Microsoft.
“If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information.”
A dedicated support article sheds more light on the issue, stating that the problems are caused by a “localization issue in the Exchange Server August 2023 SU installer”.
Microsoft says that when you install the Microsoft Exchange Server 2019 or 2016 security updates on non-English operating systems, the installer will stop and roll back changes, leaving the Exchange Server Windows services in a disabled state.
For those impacted by the problematic install, Microsoft has shared the following steps that can be used to enable the Windows servers and start Exchange Server:
If you’ve already tried to install the SU, reset the service state before you run Setup again. You can do this by running the following PowerShell script in an elevated PowerShell window:
Change to the following directory: \Exchange Server\V15\Bin.
Enter .\ServiceControl.ps1 AfterPatch, and then press Enter.
Restart the computer.
In Active Directory (AD), create an account that has the specific name that’s provided in this step. To do this, run the following command:
New-ADUser -Name “Network Service” -SurName “Network” -GivenName “Service” -DisplayName “Network Service” -Description “Dummy user to work around the Exchange August SU issue” -UserPrincipalName “Network Service@$((Get-ADForest).RootDomain)“
Wait for AD replication (up to 15 minutes), and then restart the Exchange Server SU installation. Setup should now run successfully.
After the installation finishes, run the following commands:
$acl = Get-Acl -Path “HKLM:\SOFTWARE\Microsoft\MSIPC\Server”
$rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier(“S-1-5-20”)), 983103, 3, 0, 0)
Set-Acl -Path “HKLM:\SOFTWARE\Microsoft\MSIPC\Server” -AclObject $acl
Restart the Exchange server to complete the installation.
After all Exchange servers are updated, you can safely delete the AD account that was created in step 2.
Once you complete these steps and restart the Exchange server, the Windows services should properly start again and Exchange will be back up and running.
For users running English localizations of Windows, it is still advised to download and install the updates to be protected from the disclosed vulnerabilities.