Flexis July 2019 Patch Review And Recommendations

  • KB4507460 – 2019-07 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4509091 – 2019-07 Servicing Stack Update for Windows Server 2016 for x64-based Systems
  • KB4507448 – 2019-07 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4507449 – 2019-07 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

Impacted Products:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Azure DevOps
  • .NET Framework
  • Azure
  • SQL Server
  • NET
  • Visual Studio
  • Microsoft Exchange Server

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is only present in only the IE Cumulative package.

 

Known Issues:

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

Symptoms:

Restart stuck on “Stage 2 of 2” or “Stage 3 of 3”

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

Workaround:

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

 

Note In managed environments, such as by using Windows Server Update Services (WSUS), you can avoid this issue by deploying this update as a standalone update.

 

KB4507434 Applies to: Internet Explorer 11 on Windows Server 2012 R2, Internet Explorer 11 on Windows Server 2012, Internet Explorer 11 on Windows Server 2008 R2 SP1, Internet Explorer 11 on Windows 8.1 Update, Internet Explorer 11 on Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2008 SP2

https://support.microsoft.com/en-us/help/4507434/cumulative-security-update-for-internet-explorer

Symptoms:

This cumulative security update 4507434 for Internet Explorer 10 might be offered for installation through Windows Server Update Services (WSUS) or other update management solutions, even after you install KB4492872 (Internet Explorer 11 for Windows Server 2012 and Windows Embedded 8 Standard) and upgrade to Internet Explorer 11.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Workaround:

Although this cumulative security update for Internet Explorer 10 might be offered for installation, this issue will not affect the functionality of Internet Explorer 11. However, you should also install KB4507434 to apply the security fixes that are resolved this month for Internet Explorer 11.

Status: Microsoft is working on a resolution for this issue and will provide an update in an upcoming release.

 

KB4507435 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4507435/windows-10-update-kb4507435

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

We are working on a resolution and will provide an update in an upcoming release.

 

KB4507448 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4507448/windows-8-1-update-kb4507448

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Also we are presently investigating this issue with McAfee.

 

KB4507449 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4507449/windows-7-update-kb4507449

Symptoms:

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

We are presently investigating this issue with McAfee.

Also we are working on a resolution and will provide an update in an upcoming release.

 

KB4507450 Applies to: Windows 10 version 1703

https://support.microsoft.com/en-us/help/4507450/windows-10-update-kb4507450

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507453 Applies to: Windows 10 version 1903, Windows Server version 1903

https://support.microsoft.com/en-us/help/4507453/windows-10-update-kb4507453

Symptoms:

Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

 

The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

 

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings.

Set the value for the following group policy settings:

  1. Group Policy Path: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry
  2. Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full)

Or set the following registry value:

SubKey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Setting: AllowTelemetry

Type: REG_DWORD

Value: 1, 2 or 3

 

Note If the Remote Access Connection Manager service is not running after setting the Group Policy or registry key, you will need to manually start the service or restart the device.

 

We are working on a resolution and estimate a solution will be available in late July.

 

KB4507455 Applies to: Windows 10 version 1709

https://support.microsoft.com/en-us/help/4507455/windows-10-update-kb4507455

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507457 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4507457/windows-8-1-update-kb4507457

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507458 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4507458/windows-10-update-kb4507458

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507460 Applies to: Windows 10 version 1607, Windows Server 2016 

https://support.microsoft.com/en-us/help/4507460/windows-10-update-kb4507460

Symptoms:

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

 

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

 

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of this update on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Run mofcomp on the following mof files on the affected host:

  • Scvmmswitchportsettings.mof
  • VMMDHCPSvr.mof

Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue “allow-from https://example.com”

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507462 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4507462/windows-server-2012-update-kb4507462

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507464 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4507464/windows-server-2012-update-kb4507464

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507469 Applies to: Windows 10 version 1809, Windows Server version 1809, Windows Server 2019 all versions

https://support.microsoft.com/en-us/help/4507469/windows-10-update-kb4507469

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

 

Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Started under the Reset this PC recovery option.
  3. Select Keep my Files.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4509408 Applies to: Exchange Server 2019

https://support.microsoft.com/en-us/help/4509408/description-of-the-security-update-for-microsoft-exchange-server-2019

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “Normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

 

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, and type cmd.
  2. In the results, right-click Command Prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

 

This issue does not occur when you install the update through Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

KB4509409 Applies to: Exchange Server 2016, Exchange Server 2013

https://support.microsoft.com/en-us/help/4509409/description-of-the-security-update-for-microsoft-exchange-server-2013

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “Normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

 

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, and type cmd.
  2. In the results, right-click Command Prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

 

This issue does not occur when you install the update through Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

KB4509410 Applies to: Exchange Server 2010 Service Pack 3

https://support.microsoft.com/en-us/help/4509410/description-of-the-security-update-for-microsoft-exchange-server-2010

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “Normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

 

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, and type cmd.
  2. In the results, right-click Command Prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

 

This issue does not occur when you install the update through Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.