Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.
The Exchange product group released the December 2025 Security Update for Exchange Server SE. Organizations that enrolled in the Extended Security Update program will also have access to December 2025 security updates for Exchange Server 2019 and Exchange Server 2016. These ESU updates will not be made available publicly.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.
These Security Updates are the SUs for Exchange Server 2016 and 2019 that will be publicly available. Any Extended Security Updates (ESU) that might be released between now and April 2026 for these products need to be acquired by contacting your Microsoft Account Teams.
Auth Certificate Export
Be advised that after deploying the October SU, as a security measure, Export-ExchangeCertificate can no longer be used to export of the Auth Certificate. For more information, see KB5069337.
Notes
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates and follow a more agile approach; the ratings indicate the level of urgency.
The Exchange product group released the September 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.
Hotfix updates do not contain security fixes, but address issues. They also might introduce or add support for functionality changes, such as dedicated Exchange hybrid app support.
A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, etc.). To make the required changes related to the Graph permissions model, you have some more time, as that will become required in October 2026. For more information, please visit this link.
Do note that Microsoft scheduled some planned disruptions.This is likely in an attempt to nudge those Exchange hybrid customers who have not yet implemented the new dedicated hybrid app. So, if you are running Exchange hybrid with mailboxes on-premises and in Exchange Online, have not deployed the April 2025 SU or later, or did not implement the dedicated Exchange hybrid app, here are some time windows to keep an eye on:
Symptoms: Users with mailboxes on-premises might not be able to see free/busy, MailTips or profile pictures from users with a mailbox in Exchange Online. Only EWS functionality is affected, thus things such as migration jobs and mail flow keep functioning.
For more information, keep an eye on the EHLO blog announcements.
The Exchange product group released the August 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016. The SU for SE comes barely a month after the RTM release of Exchange SE RTM.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
The November SUs for Exchange 2019 and Exchange 2016 introduced AMSI integration. AMSI was disabled by default after deploying this SU. Now, with the August 2025 SUs, AMSI body scanning will be enabled for all protocols. Consult the documentation on how to disable AMSI scanning should you encounter any issues.
Fixed Issues
Apart from security fixes and added features, these Security Updates also correct the following issues:
Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates and follow a more agile approach; the ratings indicate the level of urgency.
31Jul: Moved MVPs per country to bottom and expanded table.
Another year, another Microsoft MVP award cycle. Always a great moment to have a quick peek at the MVP population. Note that this year, this post took a while longer to get published. This is due to the date of awards being announced, as well as the vacation period, which caused delays in people confirming their renewal agreement.
The numbers below are taken from the public MVP portal on July 30th. Comparing them to July from recent years should give an idea of trends and what award categories (and thus products) have focus.
A few notes:
3.589 public MVP profiles were processed. The overall number went up compared to last year. However, compared to the MVPs of June, the overall number went down by 12%.
The award category Mixed Reality has been closed. Have a look at the Sankey diagram further down this article to see where these people went.
The number of countries represented went down when compared to last year.
The number of MVPs with more than one award category has increased by 13%.
The MVP award category with the most MVPs is still the Developer Technologies.
MVP Awardees per Category
The following chart and table display the awardees per award category from 2021 to 2025, plus change percentages compared to previous years.
Award Category
Jul2021
Jul2022
%
Jul2023
%
Jul2024
%
Jul2025
%
AI Platform
138
128
-7%
105
-18%
269
156%
386
43%
Business Applications
323
351
9%
442
26%
474
7%
483
2%
Cloud and Datacenter Management
219
164
-25%
136
-17%
111
-18%
106
-5%
Data Platform
392
364
-7%
335
-8%
307
-8%
329
7%
Developer Technologies
770
715
-7%
747
4%
761
2%
859
13%
Enterprise Mobility
133
149
12%
100
-33%
0
-100%
0
0%
Internet of Things
0
0
0%
43
0%
43
0%
39
-9%
M365
556
492
-12%
541
10%
643
19%
819
27%
M365 Development
69
59
-14%
70
19%
0
-100%
0
0%
Microsoft Azure
534
546
2%
526
-4%
527
0%
539
2%
Mixed Reality
0
0
0%
45
0%
35
-22%
0
-100%
Security
0
0
0%
171
0%
305
78%
349
14%
Windows and Devices
42
45
7%
61
36%
102
67%
133
30%
Windows Development
120
92
-23%
37
-60%
30
-19%
35
17%
Total Categories
3296
3105
-6%
3359
8%
3607
7%
4077
13%
Total MVPs
3223
3023
-6%
3175
5%
3187
0%
3589
13%
Note: The difference between total categories and total MVPs is caused by MVPs that are awarded in more than one category.
Where did they go?
The Sankey diagram below displays the number of awarded categories moving from last year to now. The move is based on the MVP, the categories they had, and the new categories they have currently been awarded in. New awardees are categorized as “New,” and those who are no longer present on the MVP portal (e.g., no longer MVP) are categorized as “Out.”
MVP Awardees per Country
The following chart and table display the awardees per country, plus change percentages compared to July last year. Countries that show a 0 no longer have any published MVPs. This used to be a condensed table, but I have expanded the table and added fun facts such as MVPs per population and area as well, using apicountries.com as a reference.
EighTwOne (821) 