Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
APPLIES TO: 
2016 2019 Subscription Edition
This article describes how to fix errors when you try to install or upgrade to a Cumulative Update using the setup of Exchange Server.
Symptoms
The symptom of a Cumulative Update upgrade failure is the AccessDenied error message.
Cause
The AccessDenied error message occurs when the built-in administrators don't have write permissions for the CustomSD registry key when they try to record/log the event in the application log.
After the Cumulative Update attempt fails, you might notice the following data in the setup log immediately after the end of the Start-PreFileCopy task:
[12/05/2022 12:22:06.0909] [1] Ending processing Start-PreFileCopy
[12/05/2022 12:22:06.0914] [0] The log file path for the language pack removal operation is set to 'C:\ExchangeSetupLogs'.
[12/05/2022 12:22:06.0924] [0] [WARNING] Exception has been thrown by the target of an invocation.
[12/05/2022 12:22:06.0939] [0] [WARNING] Cannot open log for source 'MSExchangeSetup'. You may not have write access.
[12/05/2022 12:22:06.0939] [0] [WARNING] Access is denied
[12/05/2022 12:22:06.0939] [0] CurrentResult SetupLauncherHelper.loadassembly:444: 1
[12/05/2022 12:22:06.0939] [0] The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
[12/05/2022 12:22:06.0939] [0] CurrentResult main.run:235: 1
[12/05/2022 12:22:06.0939] [0] CurrentResult setupbase.maincore:396: 1
[12/05/2022 12:22:06.0939] [0] End of Setup
[12/05/2022 12:22:06.0939] [0] **********************************************
In a working scenario, you see the following lines in the setup log data after the Start-PreFileCopy task:
[04/21/2022 08:31:54.0092] [1] Ending processing Start-PreFileCopy
[04/21/2022 08:31:54.0100] [0] The log file path for the language pack removal operation is set to 'C:\ExchangeSetupLogs'.
[04/21/2022 08:31:54.0106] [0] **************
[04/21/2022 08:31:54.0106] [0] Setup will run the task 'remove-InstalledLanguages'
Before removing and reinstalling languages, we need to log the event with ID:1000 with the source Microsoft Exchange Setup.
Log Name: Application
Source: MSExchangeSetup
Date: 12/5/2022 11:33:03 AM
Event ID: 1000
Task Category: Microsoft Exchange Setup
Level: Information
Keywords: Classic
User: N/A
Description: Exchange Setup (build 15.1.2507.6:Languages) was started.
The following test command in Windows PowerShell tries to record the event with ID:1000 in the application log:
Write-EventLog -LogName Application -Source MSExchangeSetup -EntryType Information -EventId 1000 -Message "This is a test message"
If you're experiencing the issue, the command results in the AccessDenied error message as shown in the following screenshot:
This result indicates an issue in accessing the application log to record the event ID:1000.
If you're experiencing the issue, verify the output of the CustomSD registry key by running the following command in Windows PowerShell:
Get-ItemProperty "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application"
The output of this command is:
PrimaryModule : Application
DisplayNameFile : C:\Windows\system32\wevtapi.dll
DisplayNameID : 256
File : C:\Windows\system32\winevt\Logs\Application.evtx
MaxSize : 209715200
Retention : 0
RestrictGuestAccess : 1
AutoBackupLogFiles : 0
CustomSD : O:BAG:SYD:(A;;0xf0005;;;SY)(**A;;0x5;;;BA**)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-3081388108-1913582122-755921781-506353)
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Sy stem\CurrentControlSet\Services\Eventlog
PSChildName : Application
PSProvider : Microsoft.PowerShell.Core\Registry
There are three distinct rights that pertain to event logs:
- Read: Corresponds to bit 1 in the Access rights field of the ACE String.
- Write: Corresponds to bit 2 in the Access rights field of the ACE String.
- Clear: Corresponds to bit 4 in the Access rights field of the ACE String.
If we attempt to read the access rights field of the ACE String (A;;0x5;;;BA), these access rights translate to:
- A: Allow
- BA: Built-in Admins
- 0x5: Read + Clear
These results indicate that writing events in the application log isn't allowed, which is the cause of the AccessDenied message.
Resolution
To fix the issue caused by the AccessDenied error message, do the following steps:
Update the access rights from
(A;;0x5;;;BA)to(A;;0x7;;;BA)in the following locations:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\SystemHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
Updating the access right grants the required Write permission.
Restart the upgrade process.