Exchange 2013 CU12 failed to install error 1619

This has got to be the dumbest thing I've ever come across when dealing with Microsoft products.
When installing CU12 for Exchange 2013 last night, the setup failed and was presented with this error:

Configuring Microsoft Exchange Server

Language Files COMPLETED

Restoring Services COMPLETED

Language Configuration COMPLETED

Mailbox role: Transport service COMPLETED

Client Access role: Front End Transport service COMPLETED

Mailbox role: Client Access service COMPLETED

Mailbox role: Unified Messaging service COMPLETED

Mailbox role: Mailbox service FAILED

The following error was generated when "$error.Clear();

Install-MsiPackage `

-PackagePath ([System.IO.Path]::Combine($RoleLanguagePacksPath, "Setup\ServerRoles\UnifiedMessaging\MSSpeech

_SR_TELE.ca-ES.msi")) `

-PropertyValues ("ARPSYSTEMCOMPONENT=1 ALLUSERS=1") `

-LogFile ([System.IO.Path]::Combine($RoleSetupLoggingPath, "InstallSpeech-ca-ES.msilog"))

" was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: Couldn't open package 'C:\Program Files\Microsoft\Exchange Server\V15\bin\Setup\ServerRoles\UnifiedMessaging\MSSpeech_SR_TELE.ca-ES.msi'. This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package. Error code is 1619. ---> System.ComponentModel.Win32Exception: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package

--- End of inner exception stack trace ---

at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target,Boolean reThrow, String helpUrl)at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)at Microsoft.Exchange.Management.Deployment.InstallMsi.InternalBeginProcessing()at Microsoft.Exchange.Configuration.Tasks.Task.<BeginProcessing>b__5()at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the

<SystemDrive>:\ExchangeSetupLogs folder.

PS D:\Install\CU12>

I started the install with extracting the setup files to D:\Install\CU12, then ran the following command:

.\setup /mode:upgrade /iacceptexchangeserverlicenseterms

Looking in the exchangesetuplog file I saw that setup was looking for the missing file in this folder:

C:\Program Files\Microsoft\Exchange Server\V15\bin\Setup\ServerRoles\UnifiedMessaging\

Strange, because thats not where I extracted the setup files.

So copied the setup folder from the extracted folder:D:\Install\CU12 to C:\Program Files\Microsoft\Exchange Server\V15\bin\ to make sure the setup folder with install files where there, then started the install again from the D:\Install\CU12 folder and the everything went fine and without a glitch, I even think that it was a little bit faster. But maybe that's just wishful thinking because it was at 01:30 in the night....

According to this post from Peter de Tender I'm not the first to witness this, and sure as hell won't be the last.

Installing Cumulative Updates for Exchange 2013 in production environments in combination with TrendMicro ScanMail

Installing Cumulative Updates for Exchange 2013 in production environments in combination with TrendMicro ScanMail:

1. Put the server in maintenance mode with the script on D:\Scripts\Start-ExchangeServerMaintenanceMode v1.8.ps1

- In an elevated PowerShell console : Start-ExchangeServerMaintenanceMode.ps1 -Server Servername -TargetServerFQDN servername.domain.lan
(-Server is the server that will be put in maintenance mode, -TargetServerFQDN is the server where all connections, queues etc. will be move to)

2. Stop the TrendMicro Services in the following order:

- ScanMail for Microsoft Exchange System Watcher
- ScanMail for Microsoft Exchange Remote Configuration Server
- ScanMail for Microsoft Exchange Master Service

3. Change the Startup type for the Trendmicro Services to “Disabled”

4. Check the status for the Exchange components in the Exchange PowerShell console:
- Get-ServerComponentState –Identity Servername

5. Reboot server

6. Stop the TrendMicro Service in the Task Manager under the tab "services" in the following order:
- ScanMail_RemoteConfig
- ScanMail_SystemWatcher
- Scanmail_Master

7. In an elevated PowerShell console;
- Go to the folder where the extracted CU files are, in that folder type:
- .\setup /mode:upgrade /iacceptexchangeserverlicenseterms (Attention -  make sure .\ is in front of setup)

8. After successful installation of the CU reboot the server

9. Change the startup type for the TrendMicro services “Automatic” (Except ScanMail EUQ Monitor)

10. Reboot the server

11. Stop Maintenance mode with the script on D:\Scripts\Stop-ExchangeServerMaintenanceMode v1.8.ps1

- In an elevated PowerShell console : Stop-ExchangeServerMaintenanceMode.ps1 -Server Servername

12. Check the status for the Exchange components in the Exchange PowerShell console:
- Get-ServerComponentState –Identity Servername

13. Now the server is active and will be accepting connections and the database copies will be updated

Exchange 2013 Default IIS Settings

These are the default IIS settings for the Front End Website and the Exchange Back End Website, taken from a fresh installed Exchange 2013 CU12 server:

Default Web Site (Front End)

Virtual directory	Default IIS Authentication methods	SSL settings	Default authentication methods Exchange Admin Center (EAC)	AuthenticationMethods Exchange Management Shell (EMS)
Sites \ Default Web Site	As shown in Internet Information Services (IIS) Manager		Available through EAC	Internal	External
Autodiscover	• Anonymous authentication • Basic authentication • Windows authentication	• SSL required	• Integrated Windows authentication • Basic authentication	Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth	Basic, Ntlm, WindowsIntegrated, WSSecurity, OAuth
ECP (Exchange Control Panel)	• Anonymous authentication • Basic authentication	• SSL required	• Use-forms-based authentication	Basic, Fba	Fba
EWS (Exchange Web Services)	• Anonymous authentication • Basic authentication	• SSL required	• Integrated Windows authentication	Ntlm, WindowsIntegrated, WSSecurity, OAuth	Ntlm, WindowsIntegrated, WSSecurity, OAuth
Mapi	• Windows authentication	• SSL required	Not available in EAC	Ntlm, OAuth, Negotiate	Not configured
Microsoft-Server-Active-Sync	• Basic authentication	• SSL required	• Basic authentication • Ignore client certificate	Not set * All methods can be used.	Not set * All methods can be used.
OAB (Offline Address Book)	• Windows authentication		None available	WindowsIntegrated, OAuth	WindowsIntegrated, OAuth
OWA (Outlook Web App)	• Basic authentication	• SSL required	• Use-forms-based authentication • Domain\user name	Basic, Fba	Basic, Fba
OWA\Calendar	• Anonymous authentication	• Ignore client certificates	None available
OWA\Integrated	• Windows authentication	• SSL required • Ignore client certificates	None available
OWA\oma (Outlook Mobile Access)	• Basic authentication	• Ignore client certificates	None available
PowerShell	• Windows authentication	• Not Required	None set	{}	{}
* The InternalAuthenticationMethods/ExternalAuthenticationMethods  parameter specifies the authentication methods supported by the server that contains the virtual directory when access is requested from inside the network firewall. If this parameter isn’t set, all authentication methods can be used.

Aside from the above listed Virtual Directories, which you can find in the EAC, you also have the following directories to manage through IIS or EMS:

Virtual directory	Authentication method	SSL settings	Management method
Default Website	• Anonymous authentication	• SSL required	IIS Management Console* This virtual directory can’t be configured by the user*
aspnet_client	• Anonymous authentication	• SSL required	IIS management console
Rpc	• Basic authentication • Windows authentication	• SSL required	Exchange Management Shell (EMS)
* Indicates difference between multirole and Mailbox role server. You can’t configure this if the server only has the Mailbox role

Exchange Back End Website

Virtual directory	IIS Default Authentication methods	IIS SSL settings
Exchange Back End	• Anonymous authentication	• SSL required • Ignore client certificates
Autodiscover	• Anonymous authentication • Windows authentication	• SSL required • Ignore client certificates
ecp	• Anonymous authentication • Windows authentication	• SSL required • Ignore client certificates
EWS	• Anonymous authentication • Windows authentication	• SSL required • Ignore client certificates
Exchange		• SSL required • Ignore client certificates
Exchweb		• SSL required • Ignore client certificates
mapi	• Anonymous authentication	• SSL required • Ignore client certificates
Microsoft-Server-ActiveSync	• Basic authentication	• SSL required • Ignore client certificates
OAB	• Windows authentication	• SSL required • Ignore client certificates
owa	• Anonymous authentication • Windows authentication	• SSL required • Ignore client certificates
owa\Calender	• Anonymous authentication	• Ignore client certificates
PopImap	• Anonymous authentication	• SSL required • Ignore client certificates
PowerShell	• Windows authentication	• SSL required • Accept client certificates
PowerShell-Proxy		• SSL required • Ignore client certificates
Public		• SSL required • Ignore client certificates
PushNotifications	• Anonymous authentication • Windows authentication	• SSL required • Ignore client certificates
Quarantine	• Anonymous authentication	• SSL required • Ignore client certificates
ReportingWebService	• Anonymous authentication	• SSL required • Ignore client certificates
Reports	• Anonymous authentication	• SSL required • Ignore client certificates
Rpc	• Windows authentication	• Ignore client certificates
RpcProxy	• Anonymous authentication	• SSL required • Ignore client certificates
RpcWithCert	• Windows authentication	• Ignore client certificates
Sync		• SSL required • Ignore client certificates
Ucc	• Anonymous authentication	• SSL required • Ignore client certificates