Monday, April 1, 2019

Attempting to upgrade Exchange Server 2016 from CU8 to CU12 fails at Step 2 of 18 Stopping Services with: "fms (1428)" because of the following error: Access is denied


You attempt to upgrade an Exchange Server 2016 environment at CU8 to CU12 but the process fails at Step 2 of 18: Stopping Services with the error:


The following error was generated when "$error.Clear();

& $RoleBinPath\ServiceControl.ps1 -Operation:DisableServices -Roles:($RoleRoles.Replace('Role','').Split(',')) -SetupScriptsDirectory:$RoleBinPath;

& $RoleBinPath\ServiceControl.ps1 -Operation:Stop -Roles:($RoleRoles.Replace('Role','').Split(',')) -IsDatacenter:([bool]$RoleIsDatacenter)

" was run: "Microsoft.PowerShell.Commands.ProcessCommandException: Cannot stop process "fms (1428)" because of the following error: Access is denied ---> System.ComponentModel.Win32Exception: Access is denied

at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)

at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)

at System.Diagnostics.Process.get_HasExited()

at Microsoft.PowerShell.Commands.StopProcessCommand.ProcessRecord()

--- End of inner exception stack trace ---".


This error is typically caused by the account used for running the install does not have Debug programs permission.  To verify this, launch the Local Computer Policy with GPEDIT.msc, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Debug program:

The environment this error was thrown had a group policy that defined accounts with permissions to Debug programs and therefore overwrote the default local computer Administrators group which any administrative account would have been a part of:

A workaround I typically do is simply put the Exchange server computer object in the sub OU of the OU it is currently in and block the group policy inheritance allowing me to temporarily move the Exchange server that is being patched into an OU that reverts back to the default settings as shown in the screenshot below:

Another alternative is to add the user into a group or directly into the GPO that defines the permissions for Debug programs but I prefer the previous workaround as the latter potentially affects many other computer objects. 

You may also notice that the installer may not work properly even after the chances where you’ll see the following Check for Updates page:

Then briefly the Downloading Updates page, which would quickly disappear:

If the installer exhibits this issue then simply use the command line to install the CU12 update:

Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

No comments: