Microsoft regularly releases Cumulative updates (CU) and security updates (SU) to patch the on-premises Exchange Server 2019 against possible malicious attacks and other threats. The Exchange admins may face troubles after installing server updates, resulting in failed CU and SU installation. This could make the Exchange Server 2019 unresponsive, bringing the email service to a standstill. In this blog, we will discuss failed installations of CU and SU followed by the methods to resolve or repair these issues.

It is always recommended to run the Setup Assistance PowerShell script before running the upgrade

Related: Troubleshooting Exchange Online Mailbox Provisioning Errors

Issue 1: HTTP 500 errors in ECP or OWA

You might encounter HTTP 500 errors in Outlook while starting Exchange Control Panel (ECP) and Outlook on the Web (ECP). The login process might fail despite entering the right credentials after installing updates. You will get the following error message:

Could not load file or assembly Microsoft.Exchange.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35′ or one of its dependencies. The system cannot find the file specified.

Resolution: To resolve this HTTP 500 error, you should reinstall the security update through an elevated command prompt emerging after opening the User Account Control window.

The issue here in this case, is during the installation some files are copied, and the other are deleted as part of the upgrade process before it got interrupted. A very nice script from Microsoft called CopyMissingDll.ps1 can help in fixing your issue. This script will check all the Exchange installations and copy the missing file from the source ISO file of the Exchange server.

All that you need when you run this script is the top root path for the mounted ISO file e.g G: or F:

Issue 2: HTTP 400 errors when loading ECP and OWA

This issue is similar to that of the previous one that flashes HTTP 500 error. Despite installing the Cumulative Updates (CU) and providing the right credentials, you may experience problems in the loading of the Exchange Control Panel (ECP) and Outlook Web Access (OWA). The login process failure will flash the following HTTP 400 error:

HTTP 400 – bad request
Cannot serialize context

Likewise, you will get the below message as you launch Exchange Management Shell

 ErrorCode : -2144108477

TransportMessage : The WS-Management service cannot process the request because the XML is invalid.
ErrorRecord : Connecting to remote server exchange.contoso.com failed with the following error message : For more information, see the about_Remote_Troubleshooting Help topic.

Reason: This error surfaces in case the username has a dollar sign at the end. For example, admin$

Resolution: A simple solution to this issue would be to rename the username and omit the dollar sign. You may also create an administrative account with no dollar sign at the end of its name.

Issue 3: No Images in EXP or OWA 

OWA or ECP may fail to show images after the installation of the security update

Reason: Improper installation is the main reason behind this flaw.

Resolution: To remedy this situation you can uninstall and reinstall the Windows Installer Patch (.msp) file. For this, you should run the update by using an administrative command prompt. Proceed with server reboot of the file installation.  

Issue 4: Blank page in EAC or OWA

When you try to log in to the OWA or Exchange Admin Center (EAC) from Exchange Server 2019, you may get a blank page. This will proceed with the logging of event ID 15021.

Reason: This results due to one or more issues arising with the SSL bindings such as incorrect installation of the update, no binding certificate, or incorrect binding information.

Resolution: To correct this error, check the SSL certificate and restart the Internet Information Services by following the requisite steps.

Issue 5: Fail to log in to EAC or OWA

Singing into EAC or OWA in Exchange Server 2019 often results in the hanging of the web browser. You may also receive the message regarding reaching out of the redirect limit. It will log Event 1003 in the event viewer.
Reason: This is mainly because of the expiration of the Exchange Server Open Authentication (OAuth) certificate.
Resolution: You will need to renew the (OAuth) certificate by following the required steps.

Issue 6: The CU or SU installation fails due to improper halt of the services

Resolution: Before installing the CU or CU in Exchange Server 2019, reboot the server properly. If you are using any antivirus software, turn it off during the setup. If the services still do not stop or start, proceed with the below steps:

  • Rename the ExchangeSetupLogs folder stored in your system drive 
  • In the services.msc console, change the startup type of Exchange services to Automatic. This holds for services that were active prior to the setup attempt
  • Restart the setup

Issue 7: Exchange Services do not start despite SU installation

Resolution: Set the current state of the services from disabled to Automatic and start the services manually. 
Please note that some services remain disabled by default, these include MSExchangeIMAP4, MSExchangeIMAP4BE, MSExchangePOP3, and MSExchangePOP3BE.

You will need to scan the Exchange log to find out the disabled services during SU installation.

Issue 8: Error due to delay in update rollup Installation  

You may face delays when installing an update rollup on a system, not connected to the internet. The error message will be something like this:
Creating Native images for .Net assemblies.
This issue arises because of the network requests to connect to the URL below:
http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl
The motive of these network requests is to access the Certificate Revocation List for every assembly that leads the compilation of Native image generation (Ngen) to native code. Due to internet disconnection of the server that runs the Exchange Server, each request has to wait until time out for the process to continue.

Resolution: In the absence of internet connection, disable the option ‘Check for Publisher’s Certificate Revocation’. For this, do the following in the Internet Explorer: 

  • Click Tools ->Internet Options -> Advanced -> Security.
  • Uncheck the ‘Check for publisher’s certificate revocation’ option and click ok.

Check the option again after the completion of the update rollup installation.

Alternatively, before installing the Cumulative Update, uninstall the previously installed Interim Update (IU)

Issue 9: Upgrade patch cannot be installed error

The issue arises when the Window Installer service fails to install an upgrade patch of a specific program. This happens if the upgrade patch updates another version of the program or if the program that you want to update is missing. 

Reason: This error occurs if you have installed the wrong versions of the Cumulative Update (CU) or Security Update (SU), or in case of a mismatch between the SU and CU versions. 

Solution: Upgrade the program with the correct CU or download the right SU for the concerned CU

Issue 10: Pending restart from previous installation

When you run the SU or CU update, it may fail and flash the below error message:

Microsoft Exchange Server setup cannot continue because a restart from a previous installation or update is pending

Reason: The update fails mainly because of the cancellation of a previous installation due to failure.
Solution: Run the HealthChecker script to detect the status and find any issues arising during configuration or installation. Running the SetupAssist script can also help in resolving this error.

Issue 11: Mail flow stops with the CU or SU installation

Resolution: To resolve this issue, you should ensure meeting the below requirements:

Conclusion

Microsoft recommends installing the latest Security Updates (SU) or Cumulative Updates (CU), as they safeguard the Exchange from the possible threats and virus attacks. Mostly, an unpatched Exchange Server faces frequent malicious attacks after the release of Microsoft updates or patches. This leads to severe data intrusion threats, causing a breach in your organization’s confidential data. Installing the latest CUs or Sus would be the right move to avert these risks.

In case, the server becomes corrupt or damaged due to a server failure or server attack, a recommended practice would be to create a fresh server to use it to restore the mailboxes recovered from the backup. Even if fixed, a compromised server can expose your data to potential threats, hence it is always try to create a new server.

If you do not have a backup, using a third-party Exchange recovery software would be advisable. Several renowned brands provide tools for this purpose.

For instance, Veeam Data Platform is a popular mode to protect Secure backup & recovery of Exchange items. Likewise, Recovery Manager for Exchange from Quest makes it simpler and quicker to find and export Exchange data without requiring a dedicated recovery server.

Stellar Repair for Exchange from Stellar is equally promising software to recover mailboxes from corrupt or compromised Exchange Server and save them as PST files. You may also export the extracted mailboxes from damaged Exchange database directly to your new Live Exchange Server or Office 365 tenant in a few clicks.

5/5 - (1 vote)