{"id":685,"date":"2020-03-11T21:26:45","date_gmt":"2020-03-12T02:26:45","guid":{"rendered":"http:\/\/itblog.ldlnet.net\/?p=685"},"modified":"2020-03-17T17:04:10","modified_gmt":"2020-03-17T22:04:10","slug":"exchange-server-security-update-kb4540123-fails-with-0x80070643","status":"publish","type":"post","link":"https:\/\/itblog.ldlnet.net\/index.php\/2020\/03\/11\/exchange-server-security-update-kb4540123-fails-with-0x80070643\/","title":{"rendered":"Exchange Server Security Update KB4540123 fails with 0x80070643"},"content":{"rendered":"\n

PLEASE READ THE ENTIRE POST<\/h2>\n\n\n\n

I had a failure on one of my two Exchange 2019 CU4 servers when installing the Security Update for them:<\/p>\n\n\n\n

\"Exchange<\/figure>\n\n\n\n

I could not restart the install as it would fail when getting to the services stoppage part of the installation. I saw this error in the ServiceControl.log file in the C:\\ExchangeSetupLogs Directory<\/p>\n\n\n

[20:19:52] -----------------------------------------------\n[20:19:52] * ServiceControl.ps1: 3\/11\/2020 8:19:52 PM\n[20:19:52] Performing service control with options: \n[20:19:55] Saving service and registry data\n[20:19:55] State file C:\\ExchangeSetupLogs\\ServiceState.xml already exists.\n[20:19:55] Overwrite is specified. File C:\\ExchangeSetupLogs\\ServiceState.xml is going to be overwritten with a new state.\n[20:19:55] Saving service state to 'C:\\ExchangeSetupLogs\\ServiceState.xml'...\n[20:20:01] State file C:\\ExchangeSetupLogs\\ServiceStartupMode.xml already exists.\n[20:20:01] Overwrite is specified. File C:\\ExchangeSetupLogs\\ServiceStartupMode.xml is going to be overwritten with a new state.\n[20:20:01] Saving services startup mode.\n[20:20:01] Adding to installed roles list: AdminTools\n[20:20:01] Adding to installed roles list: ClientAccessMailboxRole\n[20:20:01] Adding to installed roles list: Mailbox\n[20:20:01] Adding to installed roles list: Bridgehead\n[20:20:01] Adding to installed roles list: Mailbox\n[20:20:01] Stopping services for the following roles: AdminTools ClientAccess FrontendTransport Bridgehead Mailbox\n[20:20:01] Stopping services for 'AdminTools ClientAccess FrontendTransport Bridgehead Mailbox'...\n[20:20:01] [Error] System.ArgumentNullException: Value cannot be null.\nParameter name: array\n   at System.Array.Reverse(Array array)\n   at CallSite.Target(Closure , CallSite , Type , Object )\n[20:41:36] -----------------------------------------------\n<\/pre>\n\n\n\n
I had searched around based on the error code 0x80070643<\/strong> and found these answers that some had used to get the installation to work.<\/p>\n\n\n\n
LINK HERE<\/a><\/em><\/strong><\/p>\n\n\n\n
I downloaded the .msp file<\/a><\/em><\/strong> to install manually and read the answers on the web-page. It was said that there was an issue with the ServiceControl.ps1 file that is in the Exchange Server BIN directory when running Patch with the Verbose logging enabled:<\/p>\n\n\n
MSI (s) (E8:68) [10:09:37:577]: Invoking remote custom action. DLL: C:\\Windows\\Installer\\MSI347C.tmp, Entrypoint: CAQuietExec\n\nMSI (s) (E8!D0) [10:09:37:583]: PROPERTY CHANGE: Deleting QtExecCmdLine property. Its current value is '\"E:\\Exchange 2019\\\\bin\\QuietExe.exe\" \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \" -command . 'E:\\Exchange 2019\\\\bin\\servicecontrol.ps1'BeforePatch\"'.\n\nCAQuietExec:  Error 0x80070001: Command line returned an error.\n\nCAQuietExec:  Error 0x80070001: CAQuietExec Failed\n\nCustomAction CA_SAVEDATA_STOP_SERVICES returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)\n\nAction ended 10:09:40: CA_SAVEDATA_STOP_SERVICES. Return value 3.\n<\/pre>\n\n\n\n
I kept reading and digging into the fix for the file. It was said to modify a number of lines in the ServiceControl.ps1 script:<\/p>\n\n\n
In the lines of the script (876 and 885), it was:\n\n876: add-pssnapin -Name Microsoft.Exchange.Management.Powershell.Setup -ea SilentlyContinue\n885: remove-pssnapin -Name Microsoft.Exchange.Management.Powershell.Setup\n\nI changed the lines to say \"Microsoft.Exchange.Management.Powershell.Support\" instead of \"Microsoft.Exchange.Management.Powershell.Setup\":\n\n876: add-pssnapin -Name Microsoft.Exchange.Management.Powershell.Support -ea SilentlyContinue\n885: remove-pssnapin -Name Microsoft.Exchange.Management.Powershell.Support\n\nAlso,  there was an error referencing the script's inability to stop the WMI service without the -Force flag,  so I changed that as well. (Line 342)\n\n342: Stop-SetupService -ServiceName $servicename -ev script:servicecontrolerror -force\n\n3. Next, Change all the Stop-SetupService Entries in the script to Stop-Service\n4. Next, Change all the Start-SetupService to Start-Service\n5. Next, Add the following to StopServices function to bypass the attempt that was trying to stop services, because they have already been stopped ...\nStart at line 300\n\n300:\tStatus \"Stopping services for '$Roles'...\"\n301:\t$services = Get-ServiceToControl $Roles -Active\n302: ##Change Here\n303:          if ($services -eq $null) {\n304:        return $true\n305:        }\n306: ##End Change Here\n307:\t[array]::Reverse($services)\n\n6. I noticed that these 2 files ServiceStartupMode.xml and ServiceState.xml may have permission issue since the last failure in the C:\\ExchangeSetupLogs directory. So, I also renamed the files to .old\n\n<\/pre>\n\n\n\n
Once I made those changes. I renamed the original ServiceContol.ps1 to a .old file and saved this modified file to the BIN directory. I was then able to successfully run the Security Update.<\/p>\n\n\n\n
BUT WHY DID THIS SERVER FAIL AND NOT THE OTHER?!?<\/h3>\n\n\n\n
Both are CU4, but the server that failed had been upgraded from CU1 where the one that did NOT fail was a clean installation of CU4. So, I checked the ServiceConrol.ps1 file on both servers:<\/p>\n\n\n\n
\"\"
Older Exchange Install
Date of ServiceControl.ps1 is 1\/1\/2020<\/figcaption><\/figure>\n\n\n\n
\"\"
CU4 Clean Installation
Date of ServiceControl.ps1 is 2\/3\/2020<\/figcaption><\/figure>\n\n\n\n
I have not tested this, but maybe if I had copied the ServiceControl.ps1 file from the CU4 clean installation to the original install, the script might have worked since the creation dates are different and I have no other version information to go on. I will verify this though. For now, the changes to the script allowed me to successfully install the Security Update Successfully. <\/p>\n\n\n\n
NOTE: <\/strong>All the Exchange and IIS Services were in a Startup Mode: Disabled<\/strong> state and I had to reset them ALL to Automatic. <\/strong>Once that was completed and the server rebooted, Exchange was returned to normal state. ****Also, just to be safe, I ran a great script that assures the server is out of maintenance mode. You can get the script HERE<\/a><\/em><\/strong>. You can also get the script to put the server into maintenance mode. You can get the script HERE<\/a><\/em><\/strong>. These scripts will work on Exchange 2013 and above servers.<\/p>\n\n\n\n
UPDATE \/ 3\/12\/2020 2:39 AM EST<\/h2>\n\n\n\n
Something was still wrong with the server. ActiveSync and PAM started breaking. I started having all sorts of authentication problems.<\/em> I decided to restore the server from backup from Tuesday. I forgot to backup the ServiceControl.ps1 file that modified, but I moved the one from the successful installation to the restored server and am currently running the update. I will see if it works and send the information to you.<\/p>\n\n\n\n
UPDATE \/ 3\/12\/2020 3:45 AM EST<\/h2>\n\n\n\n
The restore worked great and placing the ServiceControl.ps1 file in the BIN directory on the prior failed Exchange Server did allow for the installation to complete successfully. I have tested ActiveSync and Authentication which is now functioning properly. Hooray!<\/p>\n\n\n\n
SEND ME YOUR IDEAS\/ FOR POSTS!
HAPPY TROUBLESHOOTING!<\/h3>\n\n\n\n
REFERENCES:<\/em><\/strong>
Exchange Server Security Update fails with 0x80070643<\/a>
Exchange Maintenance Mode Script (Start)<\/a>
Exchange Maintenance Mode Script (Stop)<\/a>
Exchange Server 2019 CU4 Security Update<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
PLEASE READ THE ENTIRE POST I had a failure on one of my two Exchange 2019 CU4 servers when installing the Security<\/p>\n
Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":161,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,2,3,16],"tags":[233,9,150,149,151,147,148,8,13],"class_list":["post-685","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exchange","category-general","category-powershell","category-windows","tag-0x80070643","tag-exchange","tag-exchange-2013","tag-exchange-2016","tag-exchange-2019","tag-exchange-setup","tag-exchange-upgrade","tag-powershell","tag-script","odd"],"_links":{"self":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/comments?post=685"}],"version-history":[{"count":9,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/685\/revisions"}],"predecessor-version":[{"id":704,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/685\/revisions\/704"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media\/161"}],"wp:attachment":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media?parent=685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/categories?post=685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/tags?post=685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}