Trending Issue: 503 response on SP2016 servers running on Windows Server 2012 R2 after installing April 2023 CU

In the last couple of days we got several reports from customers which experienced an issue after installing April 2023 CU for SharePoint Server 2016 on servers which are running Windows Server 2012 R2.

Background information
April 2023 CU includes the new AMSI security feature for SharePoint (see here for details). AMSI relies on functionality in the Windows operating system which is available in Windows Server 2016 and later. Earlier Windows versions lack the required functionality to enable AMSI which causes the relevant functionality released with April 2023 CU to fail if the operating system is older than Windows Server 2016.

A fix for this issue has been released with June 2023 CU for SharePoint Server 2016.

Mitigation
To mitigate the issue the affected module needs to be removed from the IIS configuration.
This can be done using the following steps:

Method A – Using the the IIS Management UI:

  1. Open Internet Information Services (IIS) Manager.
  2. Select the server node in the left-hand pane.
  3. In the center pane, double-click on “Modules” under the “IIS” section.
  4. In the right pane, select “Configure Native Modules…”
  5. Select ” SPRequestFilterModule” and click “Remove” button.
  6. Confirm the removal of the module by clicking “Yes” in the pop-up window.
  7. Restart IIS to apply the changes.

Method B – By editing the applicationHost.config file:

  1. Open the applicationhost.config file located in the %windir%\system32\inetsrv\config directory.
  2.  Locate the section of the file.
  3. Find the following entry in the section and remove that entry:
    <add name="SPRequestFilterModule" image="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\isapi\sprequestfilteringmodule.dll" />
  4. Save the changes to the applicationhost.config file
  5. Restart IIS to apply the changes.

Important: Windows Server 2012 R2 will only be supported till October 10th, 2023 – so rougly 6 months from now. Even if SharePoint Server 2016 is supported till July 14th, 2026 this support requires that SharePoint is installed on a supported Operating System. If your SharePoint Server 2016 farm is currentl installed on top of Windows Server 2012 R2, please plan to migrate your SharePoint farm to a newer Operating System – or even better upgrade SharePoint to a newer version – before October 10th, 2023.

Update April 18th, 2023: An official KB article for the issue has been made available this morning:
KB5026765 – HTTP Error 503 after installing April 2023 CU for SP2016 on Windows Server 2012 R2

20 Comments


  1. Will any of the two above mentioned fixes prevent successful CU patches going forward on Server 2012 R2?

    Reply

    1. Hi Ismar, no – but it might be that the mitigation would have to be applied again with the next CU.

      Reply

      1. Perfect, thanks. We chose to comment out that line instead of removing it, and it worked for us.

        Reply

  2. I believe there is some key information missing from Method B.

    Reply

    1. Fixed. I forgot to encode the Xml content inside the html – which made it invisible in the published blog post.

      Reply

  3. Hi, I know that SharePoint 2013 just got out of support but, this feature also affects this version? Does the workaround works for SharePoint 2013 + Windows 2012 R2? Does it affect Windows 2012 too?
    Thanks!

    Reply

    1. No. AMSI support is not included in SP2013 April CU.

      Reply

  4. Thank you publishing this Stefan, this would mean we cannot achieve zero downtime patching for SP2016 with this CU?

    Reply

    1. Hi Kavita,
      you should be able to achieve this. When running PSConfig on a machine the machine needs to be removed from loadbalancing. After finishing this step you need to remove the additional line from the applicationHost.config before adding the machine back into the loadbalancing.
      Cheers,
      Stefan

      Reply

  5. All the apppools in the IIS have stopped and unable to start it after installing the April cu on sp2016 farm ..does this also related to this issue?

    Reply

    1. Yes – this is this issue if the Operating System is Windows Server 2012 R2.

      Reply

  6. Hi Stefan,
    We have installed SharePoint 2016 on Windows Server 2016 Datacenter edition.
    Do we have this 503 issue on this windows version as well since we are planning to install May 2023 CU on our SharePoint Servers.

    Reply

    1. Hi Subhash, the issue only affects Windows Server 2012 R2.

      Reply

  7. We used the steps under Method A in our Sharepoint 2016 environment running on Windows 2012 R2. I am now able to launch the Central Administration console. Thanks for the article!

    Reply

  8. Hi Stefan, I am experiencing this same issue but on a Windows Server 2019 box running SharePoint 2019 after installing the May 2023 CU. Fortunately this box is just for developers to work in so no user impact. I patched the test environment earlier today without any issues (also Windows Server 2019 and SharePoint 2019). We are planning on patching production next week, but now I am concerned since this issue is only supposed to be affecting Windows Server 2012 R2.

    I removed the line from the applicationhost.config file, did an iisreset, and the problem was resolved. I then added the line back in, did an iisreset, and the problem presented again. So this isn’t just a Windows Server 2012 R2 issue…

    Feel free to contact me if you’d like me to gather more info.

    Reply

    1. Hi Derek,
      please open a ticket for this as this needs to have a different root cause.
      Cheers,
      Stefan

      Reply

  9. We encountered the error „Module „SPRequestFilterModule“ could not be found“ upon installing SharePoint 2019 on a new Server and after activating the „SharePoint Server Antimalware Scanning“ feature.
    The line „“ was completely missing in the applicationhost.config file in our newly installed servers.
    What we did:
    1. Installed SharePoint 2019 on a fresh new Windows Server 2022.
    2. Patched with March 2023 CU.
    3. Joined an existing SharePoint Farm
    After manually inserting the line mentioned above in the %windir%\system32\inetsrv\config\applicationhost.config file all worked as expected.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.