Exchange 2016 & 2019 ESU


In a somewhat surprising move yesterday, Microsoft announced there will be an Extended Security Update program for Exchange Server 2016 and Exchange Server 2019. The ESU is to cater to organizations that indicate they need some more time to move away from Exchange 2016/2019. I will not comment on the fact that these organizations had a few years to get current on Exchange 2019, which would lead them to having a smooth upgrade path now to Exchange SE, or even move to Exchange Online.

Extended Security Update

You might already be familiar with ESU programs, which are common for Windows clients and Windows Server, among others. That said, Exchange also had its share of post-lifecycle (out-of-band) updates, such as the Hafnium security updates for Exchange 2013 and even Exchange 2010. These updates were developed and made available without any obligation, as some of them applied to products that were past their end-of-support date.

Now, the ESU program for Exchange 2016/2019 is an official extension to keep receiving published security updates for Exchange 2016/2019. To receive these, organizations can purchase a 6-month ESU for their Exchange servers. For this, they need to contact their Microsoft account manager starting August 1st, 2025. Do note that there is no guarantee that, within this period, security updates will get published, as this is entirely driven by circumstances and urgency, of course.

To make it clear: The ESU program is not an extension of support. You cannot contact support for any incident with Exchange 2016/2019 in the ESU period. That is, unless it relates to an SU that gets published during the ESU period. Thus, ESU is more for peace of mind when it comes to security, when you can live without expecting support.

The ESU period ends April 14th, 2026, 6 months after Exchange 2016 and Exchange 2019 go out of support. It is possible to get ESU after August 1st and during the 6-month ESU window. This flexibility may lead to organizations taking a gamble, waiting for an SU to appear, only to get ESU when the first SU arrives. Given that corporate purchasing processes might take some time and SUs usually come with some urgency to implement, this is not something I would recommend.

I would also not recommend seeing this ESU window as an opportunity to take it easy. The support date stands, which is what most organizations find most important. So, keep migrating, whether to Exchange SE directly or via Exchange 2019 CU15, or to Exchange Online.

Skype for Business

Skype for Business is in the same boat regarding lifecycle, and also has a similar ESU program. For more information, click here.

Exchange Server SE (RTM)


The day has finally arrived: The Exchange Team released Exchange Server Subscription Edition, or SE for short. The official announcement can be found here. Customers keeping Exchange on-premises or who are running Exchange hybrid deployments are recommended to use the remaining time this year to upgrade to SE before their current supported Exchange server, being Exchange 2016 or 2019, goes out of support in October.

Exchange Server SE has feature parity with Exchange Server 2019 CU15, meaning it contains no changes in features or security posture. The significant change Exchange SE introduces is in servicing and the (new) lifecycle period, also known as the Modern Lifecycle Policy. In essence, the product has no end-of-life date, provided customers keep it updated. Contrary to earlier Exchange versions, this means the product must be kept current, and the n-2 rule, which allowed organizations to trail one update, will no longer apply.

Exchange      Download   Build          KB          Supersedes
Exchange SE   Download   15.2.2562.17   KB5047155

Co-existence

In a nutshell, Exchange SE RTM can be installed in organizations running Exchange 2016 or Exchange 2019. Servers running Exchange 2019 CU14+ can be in-place upgraded to Exchange SE by installing SE over the current build, as if it were a Cumulative Update. It does not require any schema or Active Directory changes; it just changes the product name, license agreement (modern lifecycle policy), and build numbers. SE also incorporates the May 2025 hotfix. An additional benefit is that the in-place upgrade does not temporarily require twice the resources, unlike moving from Exchange 2016, which is basically a classic mailbox migration to new servers. More on the upgrade path can be found here.

Post-RTM

When support for Exchange 2016 and Exchange 2019 ends in October this year, Exchange Server SE will be the only Exchange on-premises product that is supported. While these old Exchange versions will not suddenly stop functioning, Exchange SE CU2 will block co-existence with Exchange 2016 and Exchange 2019. This means you only have from now until the arrival of Exchange SE CU2 to upgrade. Future Exchange SE CUs will introduce new features and may start requiring Exchange SE keys when hosting mailboxes.

Hotfix Updates Exchange 2016-2019 (May2025)


The Exchange product group released the May 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016.

Hotfix updates do not contain security fixes, but address issues. They also might introduce or add support for functionality changes, such as dedicated Exchange hybrid app support added in the April hotfixes.

Exchange             Download   Build          KB          Supersedes
Exchange 2019 CU15   Download   15.2.1748.26   KB5057651   KB5050672
Exchange 2019 CU14   Download   15.2.1544.27   KB5057652   KB5050673
Exchange 2016 CU23   Download   15.1.2507.57   KB5057653   KB5050674

Changes

Issues addressed in these hotfixes are:

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, among others). You have some more time to make the required changes related to the Graph permissions model, as those will only become required in October 2026. For more information, please visit this link.

Hotfix Updates Exchange 2016-2019 (Apr2025)


The Exchange product group released the April 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016. Hotfix updates do not contain security fixes. Instead, this hotfix introduces support for the updated Exchange Hybrid Application model.

Exchange             Download   Build          KB          Supersedes
Exchange 2019 CU15   Download   15.2.1748.24   KB5050672
Exchange 2019 CU14   Download   15.2.1544.25   KB5050673
Exchange 2016 CU23   Download   15.1.2507.55   KB5050674

Dedicated Exchange Hybrid Application

Instead of relying on the default Office 365 Exchange Online application in Entra ID, the new model leverages a dedicated application in Entra ID to support Exchange Hybrid. Creating a new dedicated, unique application ID per tenant, instead of relying on the well-known application identifier 00000002-0000-0ff1-ce00-000000000000, allows organizations to decide for themselves when to move from EWS to Graph permissions.

To implement the dedicated Exchange Hybrid Application and configure all related aspects, the product group published a script, ConfigureExchangeHybridApplication.ps1 (part of the hotfix or available here). This script can take care of parts or all of the configuration. An extensive article explaining the steps and script usage is published here, so there is no need to repeat that information.

In addition, as part of the move to Graph from Exchange Web Services, the new Exchange Hybrid application will eventually leverage Graph instead of Exchange Web Services. Since Exchange still lacks functionality in the Graph area, the new app still requires blanket EWS permission full_access_as_app. But consider this a first step in the transition process, and expect permissions to change to Graph API permissions in the future.

Moving away from the common application, which has been around for a while, may impact existing scripts and procedures with hard-coded references to its identifier. Anticipate this change by resolving the identifier dynamically instead of hard-coding it. To determine the identifier, look for an Entra application named ExchangeServerApp-<Organization Guid>, provided you used the ConfigureExchangeHybridApplication script to create it.
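As an added example of resolving the identifier dynamically (this is not code from the article or from the Exchange product group), the function below looks up the dedicated application by the display name convention described above and falls back to reporting the well-known application ID when no dedicated app exists yet. It assumes it runs in the Exchange Management Shell on an Exchange server and that the Microsoft.Graph.Applications module is installed and already connected via Connect-MgGraph with the Application.Read.All scope; the function name Get-ExchangeHybridApplication is my own.

```powershell
# Added example (not from the article or the Exchange product group): resolve the
# dedicated Exchange hybrid application dynamically instead of hard-coding the
# well-known Office 365 Exchange Online application ID.
# Assumptions: Exchange Management Shell on an Exchange server, Microsoft.Graph.Applications
# installed, and an existing session created via Connect-MgGraph -Scopes 'Application.Read.All'.

$LegacyExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'  # well-known first-party app

function Get-ExchangeHybridApplication {
    [CmdletBinding()]
    param()

    # ConfigureExchangeHybridApplication.ps1 names the app ExchangeServerApp-<Organization Guid>,
    # so derive the expected display name from the on-premises organization object.
    $orgGuid      = (Get-OrganizationConfig).Guid
    $expectedName = "ExchangeServerApp-$orgGuid"

    # Filter server-side on the exact display name so a large tenant does not
    # require paging through every application registration.
    $app = Get-MgApplication -Filter "displayName eq '$expectedName'" -ErrorAction Stop

    if ($app) {
        # Two registrations with the same name is a configuration problem, not something to guess about.
        if (@($app).Count -gt 1) {
            throw "Multiple applications named '$expectedName' found; investigate before using either."
        }
        return [pscustomobject]@{
            Model       = 'Dedicated'
            DisplayName = $app.DisplayName
            AppId       = $app.AppId      # use this instead of the well-known identifier
            ObjectId    = $app.Id
        }
    }

    # No dedicated app yet: report the legacy model so the caller can decide what to do.
    Write-Warning "No application named '$expectedName' found; hybrid still relies on the well-known app $LegacyExchangeOnlineAppId."
    return [pscustomobject]@{
        Model       = 'Legacy'
        DisplayName = 'Office 365 Exchange Online'
        AppId       = $LegacyExchangeOnlineAppId
        ObjectId    = $null
    }
}

# Usage: resolve once, then reference $hybridApp.AppId everywhere the script needs the identifier.
$hybridApp = Get-ExchangeHybridApplication
Write-Host ("Hybrid application model: {0}, AppId: {1}" -f $hybridApp.Model, $hybridApp.AppId)
```

Keeping the lookup in one place means a script written today keeps working after the dedicated app is created, and the warning surfaces environments that are still on the well-known application before the October 2025 deadline.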

Co-Existence

Organizations running Exchange Hybrid requiring rich co-existence must implement this April 2025 HU before October 2025 for continued functionality. This includes upcoming changes in Graph permissions (ETA October 2026). This may create an additional task when running Exchange Hybrid as part of a long-term hybrid deployment or when migrating to Exchange Online. Failure to do so may result in unpleasant surprises, such as broken Free/Busy sharing functionality.

Exchange SE

The change in the Exchange Hybrid Application model will propagate to Exchange SE. Exchange SE is the successor to Exchange 2019 and is expected to become available later this year, replacing the soon-to-be-out-of-support Exchange Server 2019 and Exchange Server 2016 versions.

Exchange 2019 CU15 (2025 H1)


The Exchange Team released Exchange Server 2019 Cumulative Update H1 2025, or CU15, almost one year after CU14. CU15 will also be the last CU for Exchange 2019, which will become end-of-life in October this year. Customers staying on-premises are recommended to use the remaining time this year to upgrade to this CU level to have a smooth transition to Exchange Server Subscription Edition (SE) later this year. The official announcement can be found here.

Features
Apart from fixes and updates, including those from the security update of November (e.g. AMSI changes), this Cumulative Update for Exchange 2019 introduces some feature changes:

  • Exchange 2019 CU15 and CU14 are now supported on Windows Server 2025. This includes environments running domain controllers on Windows Server 2025. This lets organizations consider Windows Server 2025 now, so they do not face a migration because of the underlying operating system when moving to Exchange SE. Note that Windows Server 2025 is not currently a supported Forest Functional Level.
  • As announced in the roadmap article, the CU15 setup contains an Exchange 2013 coexistence block, preventing it from being deployed in organizations running Exchange 2013. The consequence is that when you are still on Exchange 2013, you might need to migrate to CU14 first (it can be on WS2025). After that, you can upgrade those CU14 servers to CU15 after decommissioning Exchange 2013 servers.
  • Certificate Management has returned to the Exchange Admin Center.
  • Partial TLS 1.3 support on Windows Server 2022 and later. TLS 1.3 is supported for all protocols except SMTP; SMTP support is expected in a future update. Deploying CU15 on Windows Server 2022 or later will enable TLS 1.3 by default; disable it when needed per these instructions.
  • DocParser replaces Oracle Outside In Technology (OIT). This library extracts text from emails during transport for purposes of Data Loss Prevention and Exchange Transport Rules.
  • Feature Flighting is a server-side component allowing selected changes to be deployed and managed through deployment rings. This resembles how updates can be managed for other products, such as Microsoft Office or Windows. Note that CU15 just introduced the Feature Flighting engine with a PING feature for testing purposes. No features are being flighted until after Exchange SE, which aligns with the promise of Exchange 2019 CU15 running the same code as Exchange SE. Feature Flighting is optional and can be disabled when needed. When diagnostics data collection is enabled, additional data related to Feature Flighting will be included.
  • Exchange SE will support Exchange 2019 product keys. Previously, it was announced that CU15 would accept SE product keys. This dependency order was changed to ease the migration path. New keys are now only required as of Exchange SE CU1.


Download
Below is the link to the update. The columns Schema and AD indicate whether the CU contains changes to Schema (/PrepareSchema) and Active Directory (PrepareAD) compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

Version              Build          KB          Download   Schema   AD
Exchange 2019 CU15   15.2.1748.10   KB5042461   Download   N        Y

Fixes

  • 5047359 Clean up old Exchange OWA files automatically to free up disk space
  • 5047361 Inline images and text attachments are not visible in OWA
  • 5047402 Online Archiving bypasses the InternetWebProxy setting in Exchange 2019
  • 5047995 MFNs are not sent to remote domains
  • 5047997 Wrong server version displayed in POP and IMAP logoff strings
  • 5048017 RecoverServer operation fails in Exchange Server 2019
  • 5048019 “NullReferenceException” error and Managed Store stops responding
  • 5048020 Calendar print doesn’t work in OWA from Exchange 2019 CU14 onwards
  • 5048021 HTML message is corrupted if <&quote;> is included
  • 5048072 “Enabled Extended Protection” message when you run setup with prepare* command
  • 5047994 German umlauts in the Subject are replaced by a question mark
  • 5047358 Group Metrics generation doesn’t finish in multidomain environment

Notes

  • If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Remember to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This prevents installation failures due to the inability to validate script signatures.
  • To speed up the system update process without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM before installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing servers first, then non-internet-facing servers, followed by Edge Transports.
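The Download table above indicates whether a CU changes the schema or Active Directory, and the first note explains when /PrepareSchema and /PrepareAD are needed. To check what has actually been applied in your forest, the read-only script below (an added example, not from the article or the product group) reads the three version markers Exchange Setup maintains in Active Directory: rangeUpper on the ms-Exch-Schema-Version-Pt schema attribute, objectVersion on the Exchange organization container in the configuration partition, and objectVersion on the Microsoft Exchange System Objects container in the domain. Compare the numbers with the Exchange schema versions page referenced in the notes. It assumes a domain-joined machine with read access to these partitions; the function name Get-ExchangeADVersions is my own.

```powershell
# Added example (not from the article): read the Active Directory version markers Exchange
# Setup maintains, to see whether /PrepareSchema and /PrepareAD have already run for a CU.
# Read-only; compare the values with the Exchange schema versions page.
# Assumption: domain-joined machine with read access to the schema, configuration and domain partitions.

function Get-ExchangeADVersions {
    [CmdletBinding()]
    param()

    $rootDse   = [ADSI]'LDAP://RootDSE'
    $schemaNC  = $rootDse.schemaNamingContext.Value
    $configNC  = $rootDse.configurationNamingContext.Value
    $defaultNC = $rootDse.defaultNamingContext.Value

    # 1. Schema partition: rangeUpper on ms-Exch-Schema-Version-Pt (changed by /PrepareSchema)
    $schemaAttr = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    $rangeUpper = [int]$schemaAttr.rangeUpper.Value

    # 2. Configuration partition: objectVersion on the Exchange organization container (changed by /PrepareAD)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher.Filter     = '(objectClass=msExchOrganizationContainer)'
    [void]$searcher.PropertiesToLoad.Add('objectVersion')
    [void]$searcher.PropertiesToLoad.Add('name')
    $org = $searcher.FindOne()
    if (-not $org) { throw 'No Exchange organization container found in the configuration partition.' }

    # 3. Domain partition: objectVersion on Microsoft Exchange System Objects (changed by /PrepareDomain or /PrepareAD)
    $domainObj     = [ADSI]"LDAP://CN=Microsoft Exchange System Objects,$defaultNC"
    $domainVersion = [int]$domainObj.objectVersion.Value

    [pscustomobject]@{
        Organization        = [string]$org.Properties['name'][0]
        SchemaRangeUpper    = $rangeUpper
        ConfigObjectVersion = [int]$org.Properties['objectversion'][0]
        DomainObjectVersion = $domainVersion
    }
}

# Usage: capture the output before running Setup and again afterwards.
Get-ExchangeADVersions | Format-List
```

For the CU15 row above (Schema: N, AD: Y), you would expect SchemaRangeUpper to stay the same and ConfigObjectVersion to change after a successful /PrepareAD; if it does not, Setup either did not run the preparation step or lacked the permissions to do so.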

Caution
As for any updates, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.