After reviewing Microsoft’s post related to the security update to mitigate remote code execution vulnerability, it states that the update is applied using Windows automatic update when you have cumulative update 20 or 21. After seeing the vulnerability present even with an Exchange 2016 patches up-to-date on CU20, I decided to update Exchange 2016 from CU20 to CU21 and give it another round of security updates.
After the CU21 was installed, much to my surprise, the security patch still did not install, and there was no error. Ugh.
Get-ExchangeServer showed version 15.1 build 2308.8 which indicates that CU21 was installed successfully but the security patch level was one below what was needed to mitigate the ProxyShell exploit.
Next, I decided to manually install the patch and that failed as well, displaying an error showing that the update program could not write to a specific Exchange directory. No wonder the Windows update did not install the patch!
To fix the issue, I open an elevated command prompt and ran the program using root elevation as follows:
.\Exchange2016-KB5004779-x64-en.msp
With this the program executed successfully.