Emerging Issues for Exchange On-Premises
This page lists emerging issues for Exchange On-Premises deployments, with the possible root cause and a solution or workaround for each. The page is updated as new issues are found and reflects the current status of the issues listed.
Updated on | Update causing the issue | Issue | Workaround/Solution |
---|---|---|---|
9/11/2024 | August 2024 update for Windows | After installing the August 2024 update for Windows: 1) the Microsoft Exchange Transport service may start crashing; 2) the Microsoft Filtering Management Service may not start, or may start with a long delay | Update on 9/11/2024: Install the Windows Update for September 2024 or later. Old information: Please follow the steps in this KB |
4/23/2024 | March 2024 Security Update for Exchange 2019,2016 | After installing the March 2024 Security Update, Search in Outlook (cached mode) may show "We're having trouble fetching results from the server...". The search works fine in OWA or Outlook online mode. | Please install April 2024 Hotfix Update |
4/23/2024 | March 2024 Security Update for Exchange 2019,2016 | After installing the Security Update, add-ins may stop working with the following error: "Add-in Error Something went wrong and we couldn't start this add-in. Please try again later or contact your system administrator" | Please install April 2024 Hotfix Update |
4/23/2024 | March 2024 Security Update for Exchange 2019,2016 | After installing the March 2024 Security Update, the unread envelope icon is not updated | Please install April 2024 Hotfix Update |
4/23/2024 | March 2024 Security Update for Exchange 2019,2016 | After installing the March 2024 Security Update, preview of Office documents in OWA may fail with error "Sorry, there was a problem and we can't open this document." | Please install April 2024 Hotfix Update |
2/20/2024 | CU 14 for Exchange 2019 | Environments that use an SSL offloading configuration may face Outlook connectivity issues after upgrading to Exchange 2019 CU14. | As announced in August 2023, by default, starting with CU14, Setup enables the Windows Extended Protection (EP) feature on the Exchange server being installed. Extended Protection isn't supported in environments that use SSL Offloading. SSL termination during SSL Offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers. Please check this link for more details |
2/19/2024 | CU 14 for Exchange 2019 | Exchange 2019 CU14 RecoverServer fails while creating "New-PushNotificationsVirtualDirectory" with the following error: Exception setting "ExtendedProtectionTokenChecking": "Cannot convert null to type "Microsoft.Exchange.Data.Directory.SystemConfiguration.ExtendedProtectionTokenCheckingMode" due to enumeration values that are not valid. | Please follow the steps from this KB to resolve the issue |
11/23/2023 | November 2023 Security Update for Exchange 2016, Exchange 2019 | Some customers may find queue viewer crashing with the error "Failed to enable constraints. One or more rows contain values violating non-null, unique, or foreign-key constraints" | The error can occur if the Exchange server auth certificate has expired. The solution is to renew the Exchange server auth certificate manually or by using this script |
10/12/2023 | All versions of August 2023 Security Update for Exchange 2016, Exchange 2019 | Users in the account forest can't change an expired password in OWA in multi-forest Exchange deployments after installing any version of the August 2023 Security Update for Exchange servers. Note: The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don't use multiple forests. | Update on 10/12/2023: Follow the steps in this article |
8/15/2023 | Non-English August 2023 Security Update for Exchange 2016, Exchange 2019 | When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. | The latest SUs have been released and do not require a workaround to install. If you used a workaround to install KB5029388, it is highly recommended to uninstall KB5029388 to avoid issues down the line. For more information please check out this KB. |
6/15/2023 | January 2023 Security Update for Exchange 2016, Exchange 2019 | When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers that had the January 2023 Security Update for Exchange Server installed at any point, Setup fails with the following error message: [ERROR] The operation couldn't be performed because object ' | Install Exchange Security Update June 2023 or higher to resolve the issue. Check this KB for more details |
6/15/2023 | Extended protection enabled on Exchange server | If Extended Protection is enabled, changing the permissions for Public Folders by using an Outlook client fails with the following error: The modified Permissions cannot be changed. | Install the June 2023 or higher Exchange Security Update and create the setting override mentioned in this KB |
3/16/2023 | Outlook client update for CVE-2023-23397 released | These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described on the link on the right. More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family). Awareness: Outlook client update for CVE-2023-23397 released. There is a critical security update for Microsoft Outlook for Windows that is required to address CVE-2023-23397. To address this CVE, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform). | Please check this page for FAQs about the Outlook CVE-2023-23397 |
3/14/2023 | February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013 | After installing the February 2023 security update, customers are seeing the EWS application pool crash with Event ID 4999 and the following error: E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021. The issue is causing connectivity issues for EWS-based clients (Outlook for Mac) | Update on 3/14/2023: The issue is fixed in the March 2023 security update for Exchange servers. Please follow the steps in this KB |
3/14/2023 | February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013 | Some customers are reporting issues with Outlook/OWA add-ins, like add-in not listing in EAC or with the Get-App command. Additionally, they may notice EWS application pool crash with Event ID 4999 in the application log of the Exchange server. | Update on 3/14/2023: The issue is fixed in the March 2023 security update for Exchange servers |
3/14/2023 | January 2023 Security Update for Exchange 2016, Exchange 2019 | The Exchange toolbox may start crashing on launch after certificate serialization for PowerShell is enabled. The error noticed is "Deserialization fails: System.Reflection.TargetInvocationException". The issue happens only on Exchange 2016 and Exchange 2019 | Update on 3/14/2023: The issue is fixed in the March 2023 security update for Exchange servers |
1/24/2023 | January 2023 Security Update for Exchange 2016, Exchange 2019 | After installing the January 2023 security update and enabling certificate signing for serialization of PowerShell, you may find that various Exchange commands and scripts that use deserialization (example: RedistributeActiveDatabases.ps1) fail with an error similar to: Error: "Cannot convert the value of type.....to type" | Use this script to update the auth certificate |
1/24/2023 | January 2023 Security Update for Exchange 2016, Exchange 2019 | RecoverServer will fail at the prerequisites check with the following error: "Exchange Server version Version 15.1 (Build 2507.17) or later must be used to perform a recovery of this server." | Update on 02/23/2023: The issue has been fixed in the February 2023 Security Update for Exchange servers; however, the following workaround still needs to be used for servers that are on the January 2023 Security Update. Workaround: Use the steps in this article |
1/24/2023 | January 2023 Security Update for Exchange 2016 installed on Windows 2012 R2, other versions are not affected | The Exchange services in Automatic start-up mode will not start after reboot of the server. The services start successfully if started manually | Update on 02/23/2023: The issue has been fixed in the February 2023 Security Update for Exchange servers |
1/24/2023 | January 2023 Security Update for Exchange 2016, Exchange 2019 | Transport header shows the older version of server once January 2023 SU is installed (the build shown seems to be the build of the last CU) | The issue will be addressed in upcoming security update |
Updated on 11/8/2022
Issue | Possible reason | Workaround/Solution |
---|---|---|
Zero-day vulnerabilities reported in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082 | N/A | Install November 2022 Exchange Server Security Updates to address the vulnerability |
Updated on 5/11/2022
Issue | Possible reason | Workaround/Solution |
---|---|---|
After installing the March 2022 Security Update for Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in the system log and Event ID 4999 in the application log. Event ID 4999: Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024. | The issue can occur if any expired certificates, or certificates nearing expiry, are present on the server | Install May 2022 Exchange Server Security Updates to resolve the issue |
Updated on 3/16/2022
Issue | Possible reason | Workaround/Solution |
---|---|---|
After installing the March 2022 Security Update for Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in the system log and Event ID 4999 in the application log. Event ID 4999: Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024. | The issue can occur if any expired certificates, or certificates nearing expiry, are present on the server | Update 3/16/2022: Follow the steps from KB 5013118 to resolve the issue |
Old Issues
Email Stuck in Transport Queues
Issue | Possible reason | Workaround/Solution |
---|---|---|
You may observe emails building up in the transport queues of Exchange Server 2016 and Exchange Server 2019. The issue does not impact Exchange 2013 servers. The following events may be noticed in the application log: Log Name: Application Source: FIPFS Logged: 1/1/2022 1:03:42 AM Event ID: 5300 Level: Error Computer: server1.contoso.com Description: The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long. Log Name: Application Source: FIPFS Logged: 1/1/2022 11:47:16 AM Event ID: 1106 Level: Error Computer: server1.contoso.com Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error. | The problem relates to a date check failure with the change of the new year and is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues. | Run this script on each Exchange server in your organization. You can run this script on multiple servers in parallel. Check this article for detailed steps. |
November 2021 Security Update
Following are the known issues after installing November 2021 Security Updates for Exchange On-Premises servers
Issue | Possible reason | Workaround/Solution |
---|---|---|
Hybrid OWA Redirect is broken after application of the November SU for Exchange 2013/2016 and 2019. Users on Exchange 2016 and 2019 servers will see the error ":-( Something went wrong. We can't get that information right now. Please try again later." Exchange 2013 users will see the error "External component has thrown an exception." Some On-Premises environments that are not using FBA may also see cross-site OWA redirection fail with similar errors. | After installing the November SU, the OWA redirection URL for hybrid users is providing an encoded URL for &., causing the redirect to fail | Update 1/12/2022: The OWA redirection issue is fixed in the January 2022 security updates. Please install the relevant update to fix the issue. Alternatively, you can also use the workarounds provided in KB article 5008997 |
September Cumulative Updates
Following are the known issues after installing September 2021 Cumulative Updates for Exchange On-Premises servers
Issue | Possible reason | Workaround/Solution |
---|---|---|
After installing the September 2021 CU, the Microsoft Exchange Transport Services will continue to crash. You can see the following message for the 4999 crash event: Watson report about to be sent for process id: 10072, with parameters: E12IIS, c-RTL-AMD64, 15.02.0986.005, MSExchangeDelivery, M.Exchange.Transport, M.E.T.AcceptedDomainTable..ctor, System.FormatException, 28d7-DumpTidSet, 15.02.0986.005. | Having a Wild Card Only (*) Accepted Domain set on an Internal Relay. This is an open relay and is very bad to have set. | Remove the Accepted Domain that is set to * and properly configure an anonymous relay on a receive connector or change to an External Relay. More Information: Allow anonymous relay on Exchange servers |
July 2021 Security Update/Cumulative Updates
Following are the known issues after installing July 2021 Security Updates/Cumulative Updates for Exchange On-Premises servers
Issue | Possible reason | Workaround/Solution |
---|---|---|
OWA/ECP stops working after installing the July Security Update with the following error: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1 | The issue occurs if the OAuth certificate is missing or expired | Follow the steps in this article to re-publish the OAuth certificate. Note that it takes up to an hour for the certificate change to take effect |
OWA/ECP stops working when accessed from load balanced URL, but works if directly accessed from the server URL | The root cause for the issue is under investigation | Follow steps in this article to fix the issue |
PrepareAD with Exchange 2016 CU21/Exchange 2019 CU10 error: Used domain controller dc1.contoso.com to read object CN=AdminSDHolder,CN=System,DC=Contoso,DC=COM. [ERROR] Object reference not set to an instance of an object. | The issue is under investigation | Follow steps in this article to fix the issue |
PrepareSchema in environments that have an empty root AD domain | The July Security Update for Exchange 2013 has shipped schema changes and needs an Exchange role installed for PrepareSchema. This makes it difficult for environments that have Exchange 2013 as the highest installed Exchange server and do not have an Exchange server installed in the same AD site as the root AD domain. | Option 1: Introduce a new server that meets the system requirements for Exchange 2013 Management Tools in the root AD domain. Install just the Exchange 2013 Management Tools role on this server. Install the July security fix and perform the schema update. Option 2: Run PrepareSchema using Exchange 2016 CU21/Exchange 2019 CU10 media, as the CUs have the changes. However, once Exchange 2016/2019 media is used to perform the schema update, you will need to continue using Exchange 2016/2019 media in the future as well. |
The Schema Version number for Exchange 2013 environment remains on 15312, even after installing SU and performing PrepareSchema | This is expected behavior. The schema version is going to remain 15312 after installing Security Update and performing PrepareSchema | |
After installing Exchange 2016 CU21/Exchange 2019 CU10, the values added to custom attributes using EAC are not retained. The scenario works fine in Exchange 2016 CU20/Exchange 2019 CU9 | The issue is under investigation | Workaround 1: Use EAC from Internet Explorer Workaround 2: Add the values using Exchange Management Shell |