Exchange 2016 CU22 upgrade Broke ECP

Hi,

have you verified that the web site "Exchange Back End" and its certificate are operational in IIS?

Administration and ECP options are based on this site.

First step please follow steps in this articles. If the issue persists please let us know.
Blank-Page-Screen-In-OWA-EAC-Exchange-2013-2016-2019-Server
This-page-can't-be-displayed-Exchange-OWA-ECP

yes this is all confirmed and OWA works perfectly fine, its just ECP that gives
Service Unavailable

HTTP Error 503. The service is unavailable.

really any help would be appriciated i tried everything even recreating the ECP folder. all servers in the organization even 2 servers without the Updates have the ECP broken now

to explan a little more.
i can acess the ECP page for login its when i login that i get this HTTP Error 503. The service is unavailable. message

Did you reset IIS and check?

yes sir. i have multiple times.

Please try updating cas
C:\Program Files\Microsoft\Exchange Server\V15\Bin>.\UpdateCas.ps1

did that too sir.
no effect

I'm not sure if this sounds right. but how can ECP get broken even on servers that hasnt been patched? we have two 2019 servers in the organization they are not internet facing basically internal work only on a secured Vlan. even these two i cant reach the ECP on them. any idea how can something like that happen?

Is it only for the administrator that /ECP is broken ?

The admin access can be broken (on all servers) when the administrator has no mailbox and/or when "arbitration accounts" cannot be accessed.

Can you verify that you still have all arbitration mailboxes alive ?

get-mailbox -arbitration

Their databases are mounted?

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
SystemMailbox{1f05a927... SystemMailbox{1f0... exhdb01          Unlimited
SystemMailbox{bb558c35... SystemMailbox{bb5... exhdb01          Unlimited
SystemMailbox{e0dc1c29... SystemMailbox{e0d... exhdb01          Unlimited
Migration.8f3e7716-201... Migration.8f3e771... exhdb01          300 MB (314,572,800 bytes)
FederatedEmail.4c1f4d8... FederatedEmail.4c... exhdb01          1 MB (1,048,576 bytes)
SystemMailbox{D0E409A0... SystemMailbox{D0E... exhdb01          Unlimited
SystemMailbox{2CE34405... SystemMailbox{2CE... exhdb01          Unlimited

and actually ECP is broken for everybody, whenever u try to access ECP from whichever the account it just doesnt work

may be its worth mentioning  one of the exchange 2016 was compromised with a 0 day attack and i ended up running the microsoft mitigation scripts on all servers after which i installed CU22 and then the last security fix.
can that be a contributing reason? as nothing else has changed?

Seems to me cu update got corrupted. You might need to rebuild the server with recovery switch. Or open case with Microsoft.

Agree with Amit your next option to recover the server with Setup.exe /Mode:RecoverServer  switch.
disaster-recovery/recover-exchange-servers?view=exchserver-

so the update corrupted each and every server? its happening on all my servers.

the Exchange 2019 that arent patched at all these are internal test servers also cant access the ECP! how can this all be reconciled?

Did you try updating Windows along with Exchange Oct/Nov security update?
https://support.microsoft.com/help/5007409
Security-update-for-microsoft-exchange-server-2019-and-2016

i think this has somethign to do with it.

ECP Application Pool Mitigation

Applies To: CVE-2021-27065 & CVE-2021-26858
Description: This mitigation will disable the Exchange Control Panel (ECP) Virtual Directory. Microsoft Exchange Managed Availability services are also disabled to prevent mitigation regression.
Impact: The Exchange Control Panel will no longer be available. All Exchange Administration can be done via Remote PowerShell while the Exchange Control Panel is disabled. The advanced monitoring capabilities of Exchange are also disabled, due to disabling Microsoft Exchange Managed Availability services.

so yes i have installed these updates and everything is fully patched now. how do i renable it then?

will this command do anything usefull?
Set-ECPVirtualDirectory -Identity "srv\ecp (default web site)" -AdminEnabled $true

Set-ECPVirtualDirectory -Identity "srv\ecp (default web site)" -AdminEnabled $true tried that and didnt help.
the ECP is somehow disabled!

As your server were effected with zero day attack Chances of corruption are very high. All my clients who got impacted I installed new servers and moved mailboxes and decom all effected servers.

well this is becoming a more likely option to be honest, so just new servers and move mailboxes? however i have 2 unaffected servrers the 2019 ones they are untouched by any attack and they are suffering this issue too

I would advise you to open case with Microsoft, before you try anything.