Patching – it’s probably the single most important piece of work sysadmins must regularly perform and a patch management solution can really take the headache out of it. Some, lacking the time to test all patches appropriately but recognizing the need to keep systems up to date, may simply enable automatic updates and let the servers tend to themselves, or will approve all updates in WSUS or other patch management software without first testing to be sure nothing gets broken. That’s usually not as disastrous an idea as it sounds, but at least once every year or so, that approach will come back to bite you in the behind. So it is with .NET Framework 4.6.1 and Exchange 2013, which is pretty important since the newest version of the .NET Framework just became a recommended update on Windows Update.

Unsupported means serious business

If you are running Exchange 2013, this version of the .NET Framework is not supported with Exchange. Please note how strongly that wording is considered when it comes from Microsoft. You won’t find a statement that says if you run Diablo 3 on an Exchange Server, you’re unsupported. You won’t find a statement that says if you make every single one of your users an Exchange admin, you’re unsupported. But we all know how bad an idea both of those are. However, you will find a statement from Microsoft that clearly says that .NET 4.6.1 is not supported with Exchange, because, to put it succinctly, it breaks stuff! There’s a KB that documents at least one major problem over at http://support.microsoft.com/en-us/kb/3095369. Unexpected failovers sound like lots of fun!

Blocking the install

There is a KB article you can use to block the installation of .NET Framework 4.6.1, which you may want to look at if you don’t control patching and don’t have complete faith that whoever does won’t push 4.6.1 down onto your Exchange 2013 servers. You can find that at https://support.microsoft.com/en-us/kb/3133990.

How to recover if it is already too late

If you already got 4.6.1 deployed to your Exchange 2013 servers, you need to get it off and get back to a fully working, and fully patched, 4.5.2. Here’s how you can do that.

  1. Sure, the server may have already rebooted, but this way you can kick all those pesky users off the server (heh)!
  2. Open the EMS and stop all Exchange services with this command.
    (Test-ServiceHealth).ServicesRunning | %{Stop-Service $_ -Force}
  3. Go to Control Panel, add/remove programs, view the installed updates, find KB3102467, and uninstall it.
  4. Reboot, again.
  5. Confirm that you are now running 4.5.2. If you are not sure how to do that, check out https://msdn.microsoft.com/en-us/library/hh925568(v=vs.110).aspx for how to look at the registry or query through code. I favour the registry key, which should be

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

and you should see a Release DWORD with a value of 379893.

  6. If you don’t have 4.5.2 installed, go install it. You can use Windows Update to install .NET 4.5.2 via the KB2934520 update or better yet, you can download it from http://go.microsoft.com/fwlink/?LinkId=328856. Once installed, reboot, again.
  7. Stop all the Exchange services again with this command.
    (Test-ServiceHealth).ServicesRunning | %{Stop-Service $_ -Force}
  8. Repair .NET 4.5.2 using the offline installer you downloaded from http://go.microsoft.com/fwlink/?LinkId=328856. Of course, if you took the easy way out and used Windows Update, you will have to download it now.
  9. Apply the following patches, either from Windows Update (which by now you are probably pretty tired of) or by direct download: KB3122654 and KB3127226.
  10. Reboot, again.
  11. Block the install of 4.6.1 by following the steps at https://support.microsoft.com/en-us/kb/3133990.
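
Once the steps above are done, a read-only check like the following confirms the end state they aim for: Release 379893, KB3102467 gone, and the 4.6.1 block in place. This is an added example, not part of the original post. The helper name Get-NetFxState is made up for illustration, the 4.6 and 4.6.1 Release thresholds are the ones listed in the MSDN article linked in step 5, and the BlockNetFramework461 value name is taken from KB3133990 rather than from this page, so confirm it against the KB.

```powershell
# Added example: read-only verification, changes nothing on the server.
# Run in an elevated PowerShell session on the Exchange 2013 server.

function Get-NetFxState {
    # Hypothetical helper: maps the Release DWORD to a framework version.
    param([int]$Release)
    # 394254 and 393295 are the minimum Release values for 4.6.1 and 4.6
    # in the MSDN article; 379893 is the 4.5.2 value given in the post.
    if     ($Release -ge 394254) { '4.6.1 or later (not supported with Exchange 2013)' }
    elseif ($Release -ge 393295) { '4.6 (not the 4.5.2 target)' }
    elseif ($Release -eq 379893) { '4.5.2 (expected)' }
    elseif ($Release -gt 379893) { 'newer than 4.5.2, unrecognised value' }
    else                         { 'older than 4.5.2' }
}

# Registry key named in the post.
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction Stop).Release

# KB3102467 is the update the post uninstalls in step 3.
$kb = Get-HotFix -Id 'KB3102467' -ErrorAction SilentlyContinue

# Assumption: key and value name as documented in KB3133990.
$wu    = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU'
$block = (Get-ItemProperty -Path $wu -Name BlockNetFramework461 `
            -ErrorAction SilentlyContinue).BlockNetFramework461

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Release            = $release
    Framework          = Get-NetFxState -Release $release
    KB3102467Installed = [bool]$kb
    InstallBlocked     = ($block -eq 1)
} | Format-List

if ($release -ne 379893 -or $kb -or $block -ne 1) {
    Write-Warning 'Server is not in the state the recovery steps describe.'
}
```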

This may, of course, make that small subset of SysAdmins who don’t like to update their systems more than annually smile smugly and, with a really bad accent, say “Patches?! We don’t need no stinkin’ patches!” but if you are reading this blog, you know better! Patching is critical, but so too is testing, and this patch didn’t pass testing. Stay tuned though, as 4.6.2 will probably be out soon, and will probably not only work with, but be recommended for, Exchange. We’ll blog when that happens!
