MSP file won't install when trying to install remotely

Joseph Larrew 341 Reputation points Microsoft Employee
2021-03-04T16:11:10.62+00:00

So I'm trying to run the below commands: $creds = Get-Credential $session = New-PSSession -ComputerName <computerName> -Credential $creds Invoke-Command -Session $session -ScriptBlock { Start-Process C:\Windows\System32\msiexec.exe -ArgumentList "/update c:\temp\Exchange2013-KB5000871-x64-en.msp /qn /log c:\temp\logfile.txt" } And inside the logfile, I see a couple of different errors. Error 1: Action start 15:52:25: CA_PATCH_OWA_PERMISSION. 1: ExPatchCa: GetProperty: Get property: RunCommandCmdLine (RunCommandCmdLine): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "add-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.SnapIn $exitcode=0 $exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null if($exerr.count -gt 0) { if (($exerr[0].Exception -eq $null)-or($exerr[0].Exception.InnerException -eq $null)-or($exerr[0].Exception.InnerException.ErrorCode -eq 0)) { $exitcode=5 } else { $exitcode=$exerr[0].Exception.InnerException.ErrorCode } } remove-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.SnapIn Exit ($exitcode)". (ec: 0x0) 1: ExPatchCa: GetProperty: Get property: RunCommandTimeout (RunCommandTimeout): 300000. (ec: 0x0) 1: ExPatchCa: RunCommand: ExecCommand: exit code: 0x5. timeout: 300000 ms(user set). (ec: 0x0) 1: ExPatchCa: SetProperty: Set property: RunCommandResult: 5. (ec: 0x0) Action ended 14:43:14: CA_PATCH_OWA_PERMISSION. Return value 1. Action start 14:43:14: CA_PATCH_OWA_PERMISSION_ERROR. MSI (s) (48:30) [14:43:14:360]: Product: Microsoft Exchange Server -- The user who's currently logged on doesn't have sufficient permissions to install this package. You need at least Exchange Server Administrator permissions on the current computer to complete this task. The user who's currently logged on doesn't have sufficient permissions to install this package. You need at least Exchange Server Administrator permissions on the current computer to complete this task. Action ended 14:43:14: CA_PATCH_OWA_PERMISSION_ERROR. Return value 3. Action ended 14:43:14: INSTALL. Return value 3. Error 2: Property(S): msgInterimIncorrectRollup = Installation cannot continue. The Setup Wizard has determined that this Interim Update is incompatible with the current Microsoft Exchange Server 2013 Cumulative Update 23 configuration. Property(S): KB5000871 = KB5000871 Property(S): INTERIM_UPDATE_INSTALLED = 4581424 Property(S): _F86B72D172CA4EF3A28E7E64AFB89076 = C:\Windows\Installer\45e3d8.msp MSI (s) (90:0C) [15:52:43:927]: Product: Microsoft Exchange Server - Update 'Security Update for Exchange Server 2013 Cumulative Update 23 (KB5000871) 15.0.1497.12' could not be installed. Error code 1603. Additional information is available in the log file c:\temp\logfile.txt. To dispel that I might not be running as a correct user, the logfile.txt does show Property(S): LogonUser = <user account I ran the Invoke-Command with> The Interim update showing as supposedly installed (4581424) is not actually installed. I tried installing that update also and it didn't work. I'm trying to install the patch that will indeed work if I run it locally. So the action "CA_PATCH_OWA_PERMISSION" fails because the user account supposedly doesn't have permissions and something about an InterimUpdate being installed that isn't... As another note, anyone know how to bypass CRL checking from the command line?[74347-logfile.txt][1] [1]: /api/attachments/74347-logfile.txt?platform=QnA

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,527 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,111 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,342 questions
0 comments
Accepted answer
  1. Joseph Larrew 341 Reputation points Microsoft Employee
    2021-03-08T15:34:33.74+00:00

    So for the final way that I got it working was to enable CredSSP JUST FOR THE DURATION OF THE UPDATE so that credentials can be refreshed. The GPO settings for this are in three places:

    Computer Config > Policies > Admin Templates > Windows Components > WIndows Remote Management > WinRM Client > Allow CredSSP (Enabled)

    Computer Config > Policies > Admin Templates > Windows Components > WIndows Remote Management > WinRM Service > Allow CredSSP (Enabled)

    Computer Config > Policies > Admin Templates > System > Credentials Delegation > Allow delegating fresh credentials - Needs to be enabled and configured with WSMAN/*.<fqdn>

    The thing I did not test was setting certificates for the winRM service. You can check the config by typing winrm get winrm/config/service. Change "get" to "set" to make changes in there.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Lucas Liu-MSFT 6,161 Reputation points
    2021-03-05T05:26:54.667+00:00

    Hi anonymous user ,
    1.According to my research the error information, It does mention that the account you are using has insufficient permissions. Please make sure that the account you use to have the Exchange Server Administrator permissions. You could also create a new account and assign the permission to it. Then try to install with a new account.

    2.According to the log you provided, I found the following three lines of error messages. The understanding of this error and the third point in the "Troubleshooting tips" about this security update FAQ. You need to uninstall the previously installed IU or SU before installing this security update again.
    For more information you could refer to: FAQ for March 2021 Exchange Server Security Updates

    1) Unable to install because a previous Interim Update for Microsoft Exchange Server 2013 Cumulative Update 23 has been installed. Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.
    2) Installation cannot continue. The Setup Wizard has determined that this Interim Update is incompatible with the current Microsoft Exchange Server 2013 Cumulative Update 23 configuration.
    3) The version of this file is not compatible with the version of Microsoft Exchange Server 2013 Cumulative Update 23 that you're running. Check your computer to see whether you need an x64 (64-bit) or x86 (32-bit) version of this file.

    3.Certificate Revocation List (CRL) a list of digital certificates that can check if the current program you are running should to be trusted or not. Microsoft not recommend to disable CRL checking, that would make your device fall into a risk Environment.
    In addition, every software has it’s CRL checking ways. Windows has no central switch that would turn off CRL checking for all.
    About how to disable the CRL: Certificate Revocation List (CRL) Verification - an Application Choice

    In additoin, I noted that there are some error code releated with 1603 in log file. Please try the methods provided in this official troubleshooting article: Error 1603 when you try to install a Windows Installer package: A fatal error occurred during installation

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.