Windows Update Doesn't Detect Missing Security Updates for Exchange 2016 CU22

Sam Kear 26 Reputation points
2022-01-31T14:55:22.803+00:00

I am having continuing issues with Windows Update not properly detecting all necessary security updates for Exchange 2016 CU22 running on Windows Server 2016. The current example of this is with KB5008631. Windows Update indicates "Your device is up to date." but the Exchange Health Checker script indicates KB5008631 is not installed. I have also confirmed this by running Get-HotFix in PowerShell.

It seems like this has happened with the last several security updates for CU22. I'm able to install them manually via an elevated command prompt just fine but can't determine why Windows Update sees these as missing.

We are not using any patch management system on this server and have always just run Windows Update manually during maintenance windows. As far as I can tell the server is configured to go directly to the internet for updates but maybe I'm missing something.

PS > $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
PS > $MUSM.Services | select Name, IsDefaultAUService

Name           IsDefaultAUService
----           ------------------
Windows Update               True

Any help in troubleshooting this would be appreciated.


5 answers

  1. Limitless Technology 39,406 Reputation points
    2022-01-31T20:25:57.6+00:00

    Hello @Sam Kear

    Firstly, I would recommend you to always use the latest Exchange Health Check app, as there are frequent "tweaks" to the script due to some issues reported by the community.

    On the other hand, it usually roots to the fact that the KB in question was not executed with elevated privileges, and therefore some files or changes may be missing, or versions don't match.

    Hope this helps with your query,

    ---------
    --If the reply is helpful, please Upvote and Accept as answer--


  2. Aaron Xue-MSFT 2,586 Reputation points Microsoft Vendor
    2022-02-01T01:36:59.797+00:00

    Hi @Sam Kear ,

    You could follow the link to download and run the HealthChecker script to check the Exchange build number.

    https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

    Or you could check the Exchange version in Control Panel.
    The Exchange server version in my test lab is 15.1.2375.12.
    According to the document, it is Exchange Server 2016 CU22 Oct21SU.

    If you have installed the latest SU, the version number will be 15.1.2375.18.
    You could get more details of the exchange build numbers from this document.
    https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
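
An added example (not part of the thread and not taken from the HealthChecker script): a PowerShell check that reads the installed ExSetup.exe file version and compares it with the two CU22 builds quoted in the answer above, so a missing SU shows up regardless of what Windows Update reports. The helper name `Test-ExchangeSuLevel`, the use of the `ExchangeInstallPath` environment variable to locate ExSetup.exe, and the rule that differing first three version fields mean a different CU are assumptions of this example.

```powershell
# Added example. The two builds below are the ones quoted in the answer above.
$KnownBuilds = @{
    '15.1.2375.12' = 'Exchange Server 2016 CU22 Oct21SU'
    '15.1.2375.18' = 'Exchange Server 2016 CU22 with the latest SU named in the answer'
}

function Test-ExchangeSuLevel {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [version] $Installed,
        [Parameter(Mandatory)] [version] $Required
    )
    # Both quoted builds share 15.1.2375 and differ only in the fourth field,
    # so differing first three fields are treated as a different CU (assumption).
    $sameCu = $Installed.Major -eq $Required.Major -and
              $Installed.Minor -eq $Required.Minor -and
              $Installed.Build -eq $Required.Build
    if (-not $sameCu) {
        $status = 'DifferentCU'
    } elseif ($Installed -lt $Required) {
        $status = 'MissingSU'
    } else {
        $status = 'AtOrAboveRequired'
    }
    $name = $KnownBuilds[$Installed.ToString()]
    [pscustomobject]@{
        Installed = $Installed
        Required  = $Required
        KnownAs   = if ($name) { $name } else { 'not one of the builds quoted above' }
        Status    = $status
    }
}

# Locate ExSetup.exe (assumes ExchangeInstallPath is set on the Exchange server).
$exSetup = if ($env:ExchangeInstallPath) { Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe' }
if ($exSetup -and (Test-Path $exSetup)) {
    # Build the version from the numeric parts to avoid zero-padded strings.
    $vi = (Get-Item $exSetup).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart)
} else {
    # Constructed sample value so the example also runs off an Exchange server.
    $installed = [version]'15.1.2375.12'
}

Test-ExchangeSuLevel -Installed $installed -Required '15.1.2375.18'
```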


  3. Aaron Xue-MSFT 2,586 Reputation points Microsoft Vendor
    2022-02-03T07:06:25.913+00:00

    Hi @Sam Kear ,

    Yes, it's the normal behavior.

    Windows would show the updates of the Windows system, not Exchange.

    We recommend you install the Jan22SU through CMD.

    You could follow the steps below to install it. (In this case, I was installing the NOV22su. Same as the Jan22Su)

    1. Download the Jan22SU from this link.
    https://support.microsoft.com/zh-cn/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-january-11-2022-kb5008631-2ee4d1f3-8341-4a4d-86be-4b73bc944f1b

    2. Select Start, and then type cmd.

    3. Right-click Command Prompt from the search results, and then select Run as administrator.

    4. If the User Account Control window appears, select the option to open an elevated Command Prompt window, and then select Continue. If the UAC window doesn't appear, continue to the next step.

    5. Type the full path of the .msp file for the security update, and then press Enter.

    For example, my security update's installation package is in C:\Users\Administrator.CONTOSO\Downloads.
    So I typed C:\Users\Administrator.CONTOSO\Downloads\Exchange2016-KB5007409-x64-en.msp in CMD.




  4. MKR 1 Reputation point
    2022-05-10T07:20:42.45+00:00

    Hi @Aaron Xue-MSFT ,

    So, there is nothing I can do to ensure that the Exchange SUs get automatically detected by Windows Update?
    If so, does anybody know a method to automate the installation of Exchange SUs?

    Thanks ahead!


  5. LouPs 0 Reputation points
    2023-01-17T16:00:02.0233333+00:00

    I (the company I work for) have quite a few clients having this same issue. Some are not. Sam, are you still having this issue?

    I have a case open with the MSFT Windows team. He is saying it is a GPO conflict. I removed the WU policies without success. Noticed the WU policy has "Give me updates for other Microsoft products when I update Windows" enabled in the GP for WU and is not checked in the WU GUI and is greyed out. WU does detect .NET and other MSFT updates. Just not Exchange.
    I have a client that pulls updates directly from MSFT. They do not have any issues detecting SUs.
