New Exchange Server Security Update and Hotfix Packaging


Keeping your Exchange servers up-to-date (and keeping your infrastructure up-to-date) is more important than ever. That’s why we recommend that customers always install the latest Exchange Server updates. We know that updating software can be burdensome, so we’re continuously looking for ways to improve the Exchange Server update experience to help customers get current and stay current.

Today, we’re excited to announce that we have made changes in the way we deliver Security Updates (SUs) and Hotfixes (HFs) for Exchange Server. These changes address the biggest issue customers face when updating—installing updates with insufficient permissions, and as a result possibly leaving the Exchange server in a bad state.

Historically, Exchange Server SUs have been packaged as Windows Installer patch (.msp) files, which are self-contained packages containing the information required to update the application. A requirement of using .msp files is that they must be installed using elevated permissions.

Installation of .msp files happens in the security context of the account used to install the update. If User Account Control (UAC) is enabled (which we strongly recommend) and you manually install the update by double-clicking the .msp file, the installation process runs in a non-elevated mode, which often results in a bad server state. For this reason, with each SU release we have reminded admins to install the update from an elevated command prompt.

Starting with today’s SU release, we will now ship SUs and hotfixes in two different packages:

  • Windows Installer patch file (.msp), which works best for automated installations
  • Self-extracting, auto-elevating installer (.exe), which works best for manual installations

We will continue to release the .msp file via Microsoft Update and the Microsoft Update Catalog. For admins who manually install updates, the new .exe package is the best option. It can be downloaded via Microsoft Download Center (just follow the link in the corresponding KB).

This new packaging is for SUs and hotfixes only. It does not apply to Cumulative Updates (CUs) or Interim Updates (IUs). CUs already check for the proper permissions before allowing Setup to proceed.

About the EXE Package

The EXE package is a wrapper for the .msp file that ensures the installation runs with the required permissions. To install the update, simply double-click the .exe file and follow the instructions. The installation process checks permission prerequisites and if the check fails, it will try to elevate the permissions to the required admin level:

  • If elevation is not successful, installation stops without making any changes to the Exchange server.
  • If elevation is successful (or if the proper admin permissions are already in use), the package will extract the .msp file into the current user’s temp folder and start the installation process.

Whether or not the installation is successful, the package also performs cleanup by deleting the extracted temporary files.

Here’s what the process looks like:


NOTE: The installation process might be interrupted if it is not able to extract the .msp file into the current user’s temp folder. This is a known issue and will be fixed with a future release. You can work around this by manually creating the folder specified in the error.

Installation Logging

The .exe package automatically logs the installation process, including verbose and debugging information. This allows the logs to be used to troubleshoot failed installations.

Here’s how logging works:

  1. The package queries the “MsiInstallPath” registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup to determine the Exchange Server installation path
  2. It creates a subfolder under the Logging directory called Update and under that folder, two more subfolders: msi and exe
  3. The log files are then written to these two folders in this format:

The exe folder contains log files generated by the .exe wrapper; the msi folder contains verbose and debug logs generated by the msiexec process while it processes the .msp package.


Error Handling

If the installer can’t determine the Exchange Server installation path, the logs will be written to msi and exe subfolders under %temp%Exchange UpdateLogging.

If the installer can’t write to the log files, it will log an exception into the Application event log. If you don’t find any log files related to the installation of an Exchange Server SU or HF, check the Application event log for events with Exchange SU Installer as the Event Source. These events should indicate why the logs could not be written.

These are the most common events being logged by the exe wrapper:

| Log entry (What we log) | Description (What it means) |
| --- | --- |
| INFO: Copying temporary files to {0}. | The temporary .msp file is being copied into a temp folder. |
| INFO: Deleting temporary files {0}. | The unwrapped .msp file was deleted pre/post installation. |
| INFO: Exchange Server Update is being installed. | Happens when the installation of the .msp file is initiated. |
| COMPLETED: The Exchange Server Update installed successfully. | The Exchange Server update was successfully installed. |
| ERROR: The extracted files could not be found at {0}. | The unwrapped .msp file was not found and therefore the installation failed. |
| WARNING: The Exchange Server Update requires a reboot to complete installation. | Installation was successful and a reboot is pending to complete the process. |
| ERROR: Exchange Setup couldn’t extract the contents of the patch file. More information: {0}. | A problem occurred during the extraction of the temporary .msp file. An exception message will also be logged. |
| ERROR: While installing the Exchange Server Update, error {0} occurred. | An error occurred during installation. The error code will be logged. |
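The logging and error-handling steps above can be followed by script when triaging a failed update. This is an added example, not code from the Exchange team or the installer itself; it assumes "the Logging directory" is the Logging folder under the Exchange installation path, and the $LogRoot parameter is a hypothetical override for servers where the installer fell back to the temp-folder location.

```powershell
# Added example: triage an Exchange SU/HF install using the locations described in this article.
param(
    # Hypothetical override: pass the fallback log folder if the install path could not be read.
    [string]$LogRoot
)

$setupKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'

if (-not $LogRoot) {
    # Step 1: read MsiInstallPath to find the Exchange Server installation path.
    $installPath = (Get-ItemProperty -Path $setupKey -Name MsiInstallPath -ErrorAction SilentlyContinue).MsiInstallPath
    if ($installPath) {
        # Step 2 (assumption): the Update folder lives under <install path>\Logging.
        $LogRoot = Join-Path (Join-Path $installPath 'Logging') 'Update'
    }
}

$exeLogs = if ($LogRoot) { Join-Path $LogRoot 'exe' }
$hits = @()
if ($exeLogs -and (Test-Path -LiteralPath $exeLogs)) {
    # No file-name format is assumed: every file in the exe folder is scanned, newest first,
    # for the wrapper's ERROR / WARNING / COMPLETED entries listed in the table above.
    $hits = Get-ChildItem -LiteralPath $exeLogs -File |
        Sort-Object LastWriteTime -Descending |
        Select-String -Pattern '(ERROR|WARNING|COMPLETED):' |
        Select-Object Filename, LineNumber, Line
}

if ($hits) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    # No wrapper log entries: the installer records why in the Application event log
    # under the event source "Exchange SU Installer".
    Write-Warning "No wrapper log entries found under '$exeLogs'; checking the Application event log."
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Exchange SU Installer' } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LevelDisplayName, Message |
        Format-List
}
```

An ERROR entry in the exe folder points at the matching verbose msiexec log in the sibling msi folder for the detailed failure.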

Command Line Usage

The new update package supports command line parameters that can be used to install Exchange updates in unattended mode or as part of your own automation. Here are the most common ones:



  • Specifies unattended mode where installation shows only a progress bar. Note: If a restart is required for the update, using this switch will restart the server automatically. Msiexec equivalent: msiexec /p filename.msp /passive /l*vx
  • Specifies quiet mode – no user interaction is required. Note: If a restart is required for the update, using this switch will restart the server automatically. Msiexec equivalent: msiexec /p filename.msp /quiet /l*vx
  • Shows all available parameters. Msiexec equivalent: msiexec /help

Even if the installer doesn’t prompt for a reboot, it’s strongly recommended to restart the server after installation.
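For automation that still uses the .msp package, the elevation requirement described earlier can be enforced before msiexec is started. This is an added example, not part of the original article or the Exchange tooling; the $MspPath and $LogFile parameters and the default log location are hypothetical, and 3010 and 1641 are the standard Windows Installer exit codes for "restart required" and "restart initiated".

```powershell
# Added example: refuse to apply an Exchange .msp from a non-elevated session.
param(
    [Parameter(Mandatory = $true)]
    [string]$MspPath,                                               # hypothetical: path to the extracted .msp
    [string]$LogFile = (Join-Path $env:TEMP 'ExchangeSU-msi.log')   # hypothetical default log file
)

# With UAC enabled, a member of Administrators running non-elevated holds a filtered token,
# so IsInRole returns $false here. That is exactly the state that leaves the server broken.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Session is not elevated. Re-run from an elevated prompt; nothing was changed."
}

if (-not (Test-Path -LiteralPath $MspPath -PathType Leaf)) {
    throw "Patch file not found: $MspPath"
}

# Same switches as the quiet-mode msiexec equivalent above, with an explicit log file for /l*vx.
# Note from the article: quiet mode restarts the server automatically if a restart is required.
$msiArgs = @('/p', "`"$MspPath`"", '/quiet', '/l*vx', "`"$LogFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output "Update installed. A restart is still recommended." }
    3010    { Write-Warning "Update installed; a restart is required to complete it." }
    1641    { Write-Warning "Update installed; the installer initiated a restart." }
    default { throw "msiexec failed with exit code $($proc.ExitCode). See $LogFile." }
}
```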


We never used the Microsoft Update catalog and need help getting the old version of update package. Help?!
You can search the Microsoft Update Catalog for your version of Exchange (for example “Exchange Server 2019”). Here are quick links with search strings for Exchange 2013, 2016 and 2019. Once the results come up, sort by the “Last updated” column to display the latest security update. Use the Download button to download the .cab file and then right-click on the .cab and choose Open to reveal the .msp file. Extract the .msp file and proceed using it (but remember that .msp requires elevation when installing!)

We hope you find that the new .exe update package improves your Exchange Server update experience and makes it easier for you to stay current. Feel free to leave us a comment and let us know what you think.

The Exchange Server Team

Read full article (Microsoft Exchange Blog)
