Updated Jun13: Corrected Ex2010SP3RU28 link
A quick note that an update was released for current Exchange versions as well as Exchange 2010 related to the following advisory:
- ADV190018 Microsoft Exchange Server Defense in Depth Update
Unfortunately – or perhaps understandably – the advisory doesn’t present any more details than “Microsoft has released an update for Microsoft Exchange Server that provides enhanced security as a defense in depth measure.”
You can download the security updates here:
- Security Update For Exchange Server 2019 CU1 (v15.2.330.8, KB4503027)
- Security Update For Exchange Server 2019 (v126.96.36.199, KB4503027)
- Security Update For Exchange Server 2016 CU11 (v15.1.1591.17, KB4503027)
- Security Update For Exchange Server 2016 CU12 (v15.1.1713.7, KB4503027)
- Security Update for Exchange Server 2013 CU22 (v15.0.1473.5, KB4503028)
- Exchange 2010 SP3 RU28 (v14.3.461.1, KB4503028)
Be advised that the Security Updates for Exchange 2013-2019 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CUs, and you cannot apply the update for Exchange 2016 CU12 to Exchange 2016 CU11. I would suggest tagging the Cumulative Update in the file name when you store it, e.g. Exchange2016-KB4503027-x64-en_CU11.msp.
As with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.
Michel, thank you for the notice. Can you verify the link to the 2010 SP3 UR28? When I follow it I get to UR27.
Looks like the original MS provided link is invalid as it also points to UR27.
Meanwhile it’s been fixed – https://www.microsoft.com/en-us/download/details.aspx?id=58354
Microsoft have released this as a critical update and it automatically tried to install on 2 of my Exchange 2019 CU1 on Server 2019. It failed to complete on both and it fails to uninstall, reinstall or let me reapply CU1 and AD topology service now crashes. Going to hack the registry entries for all Exchange components back to RTM version which should let me reapply CU1. And nothing on the EHLO blog about the update. Very poor from Microsoft.
I have met the same problem. EX 2019 CU1 in upgrade mode also does not solve this problem.
So copying \Setup\ServerRoles\Common from the CU1 ISO to \Exchange Server\bin should give you a working (hybrid version!) server again.
Then check all the top level registry keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15
and delete any “watermark” keys.
Then Create a file “profile.ps1” in “C:\Windows\System32\WindowsPowerShell\v1.0” containing the following command: New-Alias Stop-SetupService Stop-Service
Then run the security in depth update again from an elevated command prompt. Not Windows update.
And if it still doesn’t work, enable MSI logging and post where the update fails back here.
I also found this to be a temporary solution.
In the past I had to apply the PowerShell profile part, as this was already screwed for the last security update.
I will test the registry part as that is new for me. I’ve moved the mailboxes to another database.
When you update Exchange, a “watermark” registry key is created on each component while it is being updated. If an update fails and this key remains then you can’t install further Exchange updates until it’s deleted.
Terrible design, and I have had this happen countless times in the past. And things like the fix required above have been around for years but still not handled by the installer.
Also outrageous that there is zero about this on the EHLO blog. I can only assume that they have found vulnerabilities that are extremely serious and are keeping quiet about them until this update has been widely deployed.
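A read-only way to list leftover watermark entries under the v15 key named in the comments, before deciding whether anything needs deleting. This is an added example, not part of the original post or the comments; it assumes the marker shows up as a registry value or subkey whose name contains "Watermark", and the function name Find-SetupWatermark is made up for this illustration.

```powershell
# Added example: inventory only, nothing is modified or deleted.
# Assumption: a failed update leaves a value or subkey whose name contains
# "Watermark" on the top-level component keys under the v15 path below.
$root = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15'

function Find-SetupWatermark {
    param([string]$Path = $root)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry path not found: $Path"
        return
    }

    # The v15 key itself plus its top-level component keys
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path)

    foreach ($key in $keys) {
        # Values whose name contains "watermark" (-like is case-insensitive)
        foreach ($name in $key.GetValueNames()) {
            if ($name -like '*watermark*') {
                [pscustomobject]@{
                    Key  = $key.Name
                    Kind = 'Value'
                    Name = $name
                    Data = $key.GetValue($name)
                }
            }
        }
        # Subkeys whose name contains "watermark"
        foreach ($sub in $key.GetSubKeyNames()) {
            if ($sub -like '*watermark*') {
                [pscustomobject]@{
                    Key  = $key.Name
                    Kind = 'Subkey'
                    Name = $sub
                    Data = $null
                }
            }
        }
    }
}

$found = @(Find-SetupWatermark)
if ($found.Count -eq 0) {
    'No watermark entries found.'
} else {
    $found | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on the Exchange server and keep the output with the MSI log, so any later registry change can be compared against the state the failed update left behind.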