Hi Samson Lo
Thank you for reaching out to the Microsoft Q&A forum.
Normally, Test-ServiceHealth verifies required Windows services on a specified Exchange server; when you target another machine, the cmdlet ultimately calls the Service Control Manager Remote Protocol (SVCCTL/RPC) to enumerate and query services on the remote host. In this situation, the “Access is denied” error indicates your security token isn’t being accepted for remote service queries, most commonly due to UAC remote restrictions on local admin/LAPS accounts, tightened authentication paths and policies, or firewall/endpoint rules blocking SVCCTL traffic.
Therefore, confirm that the failure is remote-access related rather than an Exchange service problem. Run Test-ServiceHealth locally on SERVER2; if local succeeds but remote fails, fix identity/UAC remoting, WinRM connectivity, and RPC/SVCCTL firewall paths before changing Exchange. Kindly remember to prefer domain admin credentials that are local admins on the target, and avoid using local admin/LAPS unless you must; if so, apply the documented, scoped exception.
You can follow the instructions below:
1/ Check locally and via remoting:
Test-ServiceHealth
If it passes, focus on remote access rather than Exchange services and validate WinRM from your admin server:
Test-WSMan SERVER2
Enter-PSSession -ComputerName SERVER2
2/ Use a domain identity (preferred): Ensure the operator account is a domain user that’s a local Administrator on SERVER2; domain admin tokens aren’t filtered by UAC during network logon, avoiding “access denied” on remote service control.
3/ If you must use local admin/LAPS, add the targeted UAC exception:
Configure LocalAccountTokenFilterPolicy on SERVER2 to allow full tokens for local admins over the network:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ^
/v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Then restart the Server service or reboot. Apply only to Exchange servers and document the change. (GPO method is supported.)
4/ Enable firewall rules: Turn on Remote Service Management inbound rules (RPC TCP/135 + dynamic ports).
5/ Re-run via Invoke-Command:
Invoke-Command -ComputerName SERVER2 -ScriptBlock { Test-ServiceHealth }
I hope my answer helps you. For any further concerns, kindly let me know in the comment section.
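The checks in steps 1 to 4 can be collected into one read-only triage pass before anything is changed on SERVER2. This is an added example, not part of the original answer or Microsoft's own tooling: `Get-RemoteSvcAccessTriage` is a hypothetical helper name, it assumes Windows PowerShell 5.1 run from the admin server, and it uses the Server service (`LanmanServer`) as a generic probe target.

```powershell
# Added example: read-only triage of the causes listed in the answer above.
# Get-RemoteSvcAccessTriage is a hypothetical name. Assumes Windows PowerShell 5.1
# (Get-Service -ComputerName was removed in PowerShell 7).
function Get-RemoteSvcAccessTriage {
    param([Parameter(Mandatory)][string]$ComputerName)

    $id = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $r  = [ordered]@{
        ComputerName   = $ComputerName
        Identity       = $id
        # Heuristic: a local account is prefixed with this machine's name.
        IsLocalAccount = ($id.Split('\')[0] -eq $env:COMPUTERNAME)
    }

    # Network path: RPC endpoint mapper (TCP/135) and the WinRM listener.
    $r.Rpc135Open    = (Test-NetConnection $ComputerName -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
    $r.WinRMResponds = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    # Service Control Manager query over RPC, the path the answer describes.
    try {
        $null = Get-Service -ComputerName $ComputerName -Name LanmanServer -ErrorAction Stop
        $r.ScmQuery = 'OK'
    } catch { $r.ScmQuery = $_.Exception.Message }

    # Target-side settings read over WinRM; this also fails if the token is filtered.
    try {
        $t = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            $p   = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
            $fw  = Get-NetFirewallRule -DisplayGroup 'Remote Service Management' -ErrorAction SilentlyContinue |
                   Where-Object Direction -eq 'Inbound'
            [pscustomobject]@{
                TokenFilterPolicy = $p.LocalAccountTokenFilterPolicy   # $null means not set
                FwRulesDisabled   = @($fw | Where-Object Enabled -ne 'True').DisplayName
            }
        }
        $r.TokenFilterPolicy = $t.TokenFilterPolicy
        $r.FwRulesDisabled   = $t.FwRulesDisabled -join '; '
    } catch { $r.RemotingError = $_.Exception.Message }

    [pscustomobject]$r
}

Get-RemoteSvcAccessTriage -ComputerName SERVER2 | Format-List
```

If `Rpc135Open` is true but `ScmQuery` reports access denied while `IsLocalAccount` is true, the result points at UAC token filtering rather than the firewall; a non-empty `FwRulesDisabled` points at step 4 instead.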