
Emerging Issues for Exchange On-Premises

This page lists emerging issues for Exchange On-Premises deployments, along with the possible root cause and the solution or workaround for each. The page will be updated as new issues are found and will reflect the current status of the issues listed.

Updated on | Update causing the issue | Issue | Workaround/Solution
Updated on: 9/11/2024
Update causing the issue: August 2024 update for Windows
Issue: After installing the August 2024 update for Windows
1) Microsoft Exchange Transport service may start crashing
2) Microsoft Filtering Management Service may not start or start with long delay
Workaround/Solution:
Update on 9/11/2024: Install Windows Update for September 2024 or later
Old information: Please follow steps in this KB

Updated on: 4/23/2024
Update causing the issue: March 2024 Security Update for Exchange 2019, 2016
Issue: After installing the March 2024 Security Update, Search in Outlook (cached mode) may show "We're having trouble fetching results from the server...". The search works fine in OWA or Outlook online mode.
Workaround/Solution: Please install April 2024 Hotfix Update

Updated on: 4/23/2024
Update causing the issue: March 2024 Security Update for Exchange 2019, 2016
Issue: After installing the Security Update, add-ins may stop working with the following error:
"Add-in Error Something went wrong and we couldn't start this add-in. Please try again later or contact your system administrator"
Workaround/Solution: Please install April 2024 Hotfix Update

Updated on: 4/23/2024
Update causing the issue: March 2024 Security Update for Exchange 2019, 2016
Issue: After installing the March 2024 Security Update, the unread envelope icon is not updated.
Workaround/Solution: Please install April 2024 Hotfix Update

Updated on: 4/23/2024
Update causing the issue: March 2024 Security Update for Exchange 2019, 2016
Issue: After installing the March 2024 Security Update, preview of Office documents in OWA may fail with error "Sorry, there was a problem and we can't open this document."
Workaround/Solution: Please install April 2024 Hotfix Update

Updated on: 2/20/2024
Update causing the issue: CU 14 for Exchange 2019
Issue: Environments that use an SSL offloading configuration may face Outlook connectivity issues after upgrading to Exchange 2019 CU14.
Workaround/Solution: As announced in August 2023, by default, starting with CU14, Setup enables the Windows Extended Protection (EP) feature on the Exchange server being installed. Extended Protection isn't supported in environments that use SSL Offloading. SSL termination during SSL Offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers. Please check this link for more details

Updated on: 2/19/2024
Update causing the issue: CU 14 for Exchange 2019
Issue: Exchange 2019 CU14 RecoverServer fails while creating "New-PushNotificationsVirtualDirectory" with following error:
Exception setting "ExtendedProtectionTokenChecking": "Cannot convert null to type "Microsoft.Exchange.Data.Directory.SystemConfiguration.ExtendedProtectionTokenCheckingMode" due to enumeration values that are not valid.
Workaround/Solution: Please follow the steps from this KB to resolve the issue

Updated on: 11/23/2023
Update causing the issue: November 2023 Security Update for Exchange 2016, Exchange 2019
Issue: Some customers may find queue viewer crashing with error
"Failed to enable constraints. One or more rows contain values violating non-null, unique, or foreign-key constraints"
Workaround/Solution: The error can occur if the Exchange server auth certificate has expired. Solution is to renew the Exchange server auth certificate manually or by using this script

Updated on: 10/12/2023
Update causing the issue: All versions of August 2023 Security Update for Exchange 2016, Exchange 2019
Issue: Users in account forest can't change expired password in OWA in multi-forest Exchange deployments after installing any version of August 2023 Security Update for Exchange servers
Note: The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don't use multiple forests.
Workaround/Solution:
Update on 10/12/2023: Follow steps on this article

Updated on: 8/15/2023
Update causing the issue: Non-English August 2023 Security Update for Exchange 2016, Exchange 2019
Issue: When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state.
Workaround/Solution: The latest SUs have been released that do not require a workaround to install. If you used a workaround to install KB5029388, it is highly recommended to uninstall KB5029388 to avoid issues down the line. For more information please check out this KB.

Updated on: 6/15/2023
Update causing the issue: January 2023 Security Update for Exchange 2016, Exchange 2019
Issue: When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers that had January 2023 Security Update for Exchange Server installed at any point, the Setup fails with following error message:
[ERROR] The operation couldn't be performed because object '' couldn't be found on ''.
Workaround/Solution: Install Exchange Security Update June 2023 or higher to resolve the issue. Check this KB for more details

Updated on: 6/15/2023
Update causing the issue: Extended protection enabled on Exchange server
Issue: Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled:
The modified Permissions cannot be changed.
Workaround/Solution: Install the June 2023 or higher Exchange Security Update and create the setting override mentioned in this KB

Updated on: 3/16/2023
Update causing the issue: Outlook client update for CVE-2023-23397 released
Issue: These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described on the link on the right.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Workaround/Solution:
Awareness: Outlook client update for CVE-2023-23397 released
There is a critical security update for Microsoft Outlook for Windows that is required to address CVE-2023-23397. To address this CVE, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform).
Please check this page for FAQs about the Outlook CVE-2023-23397

Updated on: 3/14/2023
Update causing the issue: February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013
Issue: After installing February 2023 security update, customers are seeing EWS application pool crash with Event ID 4999 with following error

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

The issue is causing connectivity issues to EWS based clients (Outlook for Mac)
Workaround/Solution:
Update on 3/14/2023: The issue is fixed in March 2023 security update for Exchange servers
Please follow the steps in this KB

Updated on: 3/14/2023
Update causing the issue: February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013
Issue: Some customers are reporting issues with Outlook/OWA add-ins, like add-in not listing in EAC or with the Get-App command. Additionally, they may notice EWS application pool crash with Event ID 4999 in the application log of the Exchange server.
Workaround/Solution:
Update on 3/14/2023: The issue is fixed in March 2023 security update for Exchange servers

Updated on: 3/14/2023
Update causing the issue: January 2023 Security Update for Exchange 2016, Exchange 2019
Issue: The Exchange toolbox may start crashing on launch after certificate Serialization for PowerShell is enabled. The error noticed is "Deserialization fails: System.Reflection.TargetInvocationException".
The issue happens only on Exchange 2016 and Exchange 2019
Workaround/Solution:
Update on 3/14/2023: The issue is fixed in March 2023 security update for Exchange servers

Updated on: 1/24/2023
Update causing the issue: January 2023 Security Update for Exchange 2016, Exchange 2019
Issue: After installing January 2023 security update and enabling certificate signing for serialization of PowerShell, you may find that various Exchange commands and scripts (example: RedistributeActiveDatabases.ps1) that use deserialization fail with an error similar to:
Error: "Cannot convert the value of type.....to type"
Workaround/Solution: Use this script to update the auth certificate

Updated on: 1/24/2023
Update causing the issue: January 2023 Security Update for Exchange 2016, Exchange 2019
Issue: RecoverServer will fail at pre-requisites check with following error:
"Exchange Server version Version 15.1 (Build 2507.17) or later must be used to perform a recovery of this server."
Workaround/Solution:
Update on 02/23/2023: The issue has been fixed in February 2023 Security Update for Exchange servers, however, the following workaround still needs to be used for servers that are on January 2023 Security Update
Workaround: Use the steps in this article

Updated on: 1/24/2023
Update causing the issue: January 2023 Security Update for Exchange 2016 installed on Windows 2012 R2, other versions are not affected
Issue: The Exchange services in Automatic start-up mode will not start after reboot of the server. The services start successfully if started manually
Workaround/Solution:
Update on 02/23/2023: The issue has been fixed in February 2023 Security Update for Exchange servers

Updated on: 1/24/2023
Update causing the issue: January 2023 Security Update for Exchange 2016, Exchange 2019
Issue: Transport header shows the older version of server once January 2023 SU is installed (the build shown seems to be the build of the last CU)
Workaround/Solution: The issue will be addressed in upcoming security update

Updated on 11/8/2022

Issue | Possible reason | Workaround/Solution

Issue: Zero-day vulnerabilities reported in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082
Possible reason: N/A
Workaround/Solution: Install November 2022 Exchange Server Security Updates to address the vulnerability

Updated on 5/11/2022

Issue | Possible reason | Workaround/Solution

Issue: After installing March 2022 Security Update For Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in system log and Event ID 4999 in application log.

Event ID 4999
Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024.
Possible reason: The issue can occur if there are any expired certificates, or any certificates nearing expiry, present on the server
Workaround/Solution: Install May 2022 Exchange Server Security Updates to resolve the issue

Updated on 3/16/2022

Issue | Possible reason | Workaround/Solution

Issue: After installing March 2022 Security Update For Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in system log and Event ID 4999 in application log.

Event ID 4999
Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024.
Possible reason: The issue can occur if there are any expired certificates, or any certificates nearing expiry, present on the server
Workaround/Solution:
Update 3/16/2022: Follow the steps from KB 5013118 to resolve the issue

Old Issues

Email Stuck in Transport Queues

Issue | Possible reason | Workaround/Solution

Issue: You may observe emails building up in the transport queues of Exchange Server 2016 and Exchange Server 2019. The issue does not impact Exchange 2013 servers.

Following events may be noticed in the application log:

Log Name: Application
Source: FIPFS
Logged: 1/1/2022 1:03:42 AM
Event ID: 5300
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS "Microsoft" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005.
Error Description: Can't convert "2201010001" to long.

Log Name: Application
Source: FIPFS
Logged: 1/1/2022 11:47:16 AM
Event ID: 1106
Level: Error
Computer: server1.contoso.com
Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error.

Possible reason: The problem relates to a date check failure with the change of the new year and is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues.
Workaround/Solution: Run this script on each Exchange server in your organization. You can run this script on multiple servers in parallel. Check this article for detailed steps.

November 2021 Security Update

The following are the known issues after installing the November 2021 Security Updates for Exchange On-Premises servers

Issue | Possible reason | Workaround/Solution

Issue: Hybrid OWA Redirect is broken after application of November SU for Exchange 2013/2016 and 2019.

Users using Exchange 2016 and 2019 server will see error ":-( Something went wrong. We can't get that information right now. Please try again later."

Exchange 2013 users will see error "External component has thrown an exception."

Some On-Premises environments, that are not using FBA, may also see cross-site OWA redirection fail with similar errors.
Possible reason: After installing November SU, the OWA redirection URL for hybrid users is providing an encoded URL for &., causing the redirect to fail
Workaround/Solution:
Update 1/12/2022: The OWA redirection issue is fixed in January 2022 security updates. Please install the relevant update to fix the issue.

Alternatively, you can also use the workarounds provided in KB article 5008997

September Cumulative Updates

The following are the known issues after installing the September 2021 Cumulative Updates for Exchange On-Premises servers

Issue | Possible reason | Workaround/Solution

Issue: After installing the September 2021 CU, the Microsoft Exchange Transport Services will continue to crash. You can see the following message for the 4999 crash event

Watson report about to be sent for process id: 10072, with parameters: E12IIS, c-RTL-AMD64, 15.02.0986.005, MSExchangeDelivery, M.Exchange.Transport, M.E.T.AcceptedDomainTable..ctor, System.FormatException, 28d7-DumpTidSet, 15.02.0986.005.
Possible reason: A wildcard-only (*) Accepted Domain is set as an Internal Relay. This is an open relay and is very bad to have set.
Workaround/Solution: Remove the Accepted Domain that is set to * and properly configure an anonymous relay on a receive connector or change to an External Relay.

More Information: Allow anonymous relay on Exchange servers

July 2021 Security Update/Cumulative Updates

The following are the known issues after installing the July 2021 Security Updates/Cumulative Updates for Exchange On-Premises servers

Issue | Possible reason | Workaround/Solution

Issue: OWA/ECP stops working after installing July Security Update with following error:
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Possible reason: The issue occurs if OAuth certificate is missing or expired
Workaround/Solution: Follow steps on this article to re-publish the OAuth certificate. Do note it takes up to an hour for the certificate change to take place

Issue: OWA/ECP stops working when accessed from load balanced URL, but works if directly accessed from the server URL
Possible reason: The root cause for the issue is under investigation
Workaround/Solution: Follow steps in this article to fix the issue

Issue: PrepareAD with Exchange 2016 CU21/Exchange 2019 CU10 error:
Used domain controller dc1.contoso.com to read object CN=AdminSDHolder,CN=System,DC=Contoso,DC=COM. [ERROR] Object reference not set to an instance of an object.
Possible reason: The issue is under investigation
Workaround/Solution: Follow steps in this article to fix the issue

Issue: PrepareSchema in environments that have empty root AD domain
Possible reason: The July Security Update for Exchange 2013 shipped schema changes and needs an Exchange role installed for PrepareSchema. This makes it difficult for environments that have Exchange 2013 as the highest installed Exchange server and do not have an Exchange server installed in the same AD site as that of root AD domain.
Workaround/Solution:
Option 1
Introduce a new server that meets system requirements for Exchange 2013 Management tools, in the root AD domain. Install just the Exchange 2013 Management Tools role on this server.
Install the July security fix, perform Schema update.

Option 2
PrepareSchema using Exchange 2016 CU21/Exchange 2019 CU10 media, as the CUs have the changes.
However, once Exchange 2016/2019 media is used to perform schema update, you will need to continue using Exchange 2016/2019 media in the future as well.

Issue: The Schema Version number for Exchange 2013 environment remains on 15312, even after installing SU and performing PrepareSchema
Possible reason: This is expected behavior.
Workaround/Solution: The schema version is going to remain 15312 after installing Security Update and performing PrepareSchema

Issue: After installing Exchange 2016 CU21/Exchange 2019 CU10, the values added to custom attributes using EAC are not retained. The scenario works fine in Exchange 2016 CU20/Exchange 2019 CU9
Possible reason: The issue is under investigation
Workaround/Solution:
Workaround 1:
Use EAC from Internet Explorer

Workaround 2:
Add the values using Exchange Management Shell