Today, Microsoft released a hotfix for Exchange Server 2016 and 2016 that will not only fix some issues but, importantly, also add a much-welcomed functionality change: Hybrid Modern Authentication support OWA and ECP. You can deploy the hotfix directly on the Cumulative Update, similar to Security Updates. There is no need to deploy the March 2024 Security Update first.

The Hotfix for each supported Exchange Server build is linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU14 HU2	Download	15.2.1258.34	KB5037224	KB5036402
Exchange 2019 CU13 HU6	Download	15.2.1544.11	KB5037224	KB5036402
Exchange 2016 CU23 HU13	Download	15.1.2507.39	KB5037224	KB5036386

HMA support for OWA/ECP

This hotfix adds support for OWA and ECP when used in Hybrid Modern Authentication (HMA). This removes the need to deploy Azure Web Application Proxy for OWA and ECP when you want to deploy HMA. If you already deployed an Azure WebApp Proxy configuration for this purpose, you can choose to remove it after deploying the hotfix and configuring HMA on OWA/ECP. More information on enabling OWA and ECP for HMA support is here.

Caution: if you do not synchronize the identities of (Exchange) administrators to Entra, they will be unable to authenticate against Entra Identity and thus unable to manage Exchange on-premises using ECP. In those cases, they have the option to use Exchange Management Shell or synchronize their identities. Since Entra will be performing the authentication, you can add additional controls, such as location conditions or MFA, for those accounts.

ECC Certificate Support

The hotfix adds support for ECC certificates to Exchange, except for scenarios where Active Directory Federation Services (AD FS) is utilized. More information here.

Fixed Issues

The hotfix addresses the following issues, some of which were introduced after deploying the March 2024 SU:

Issue	Exchange 2016	Exchange 2019
Download domains not working after installing the March 2024 SU	Yes	Yes
Search error in Outlook cached mode after installing March 2024 SU	Yes	Yes
OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SU	Yes	Yes
Edit permissions option in the ECP can’t be edited	Yes	Yes
Outlook doesn’t display unread message icon after installing Exchange Server March 2024 SU	Yes	Yes
My Templates add-in isn’t working after installing Microsoft Exchange Server March 2024 SU	Yes	Yes

Notes

• The hotfix is Exchange build level specific. You cannot apply the hotfix for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name, and I would suggest tagging the file name with the Exchange version and CU when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.

On a final note, as with any patch or update, it is recommended to apply this update in a test environment first, prior to implementing it in production.