Hotfix Updates Exchange 2016-SE (Sep2025)

Posted on September 8, 2025 by Michel de Rooij

The Exchange product group released the September 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

Hotfix updates do not contain security fixes, but address issues. They also might introduce or add support for functionality changes, such as dedicated Exchange hybrid app support.

Exchange	SU/HU	Download	Build	KB	Supersedes
Exchange SE	2	Download	15.2.2562.27	KB5066373
Exchange 2019 CU15	4	Download	15.2.1748.37	KB5066372	KB5057651
Exchange 2019 CU14	7	Download	15.2.1544.34	KB5066371	KB5057652
Exchange 2016 CU23	18	Download	15.1.2507.59	KB5066370	KB5057653

Changes

The issue addressed in these hotfixes is:

Online archiving fails for on-premises users in hybrid environment

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, etc.). To make the required changes related to the Graph permissions model, you have some more time, as that will become required in October 2026. For more information, please visit this link.

Do note that Microsoft scheduled some planned disruptions.This is likely in an attempt to nudge those Exchange hybrid customers who have not yet implemented the new dedicated hybrid app. So, if you are running Exchange hybrid with mailboxes on-premises and in Exchange Online, have not deployed the April 2025 SU or later, or did not implement the dedicated Exchange hybrid app, here are some time windows to keep an eye on:

Sep16-18 (7am-7am). Affected regions: WW, GCC, GCC-H, DoD, 21Vianet
Oct7-9 (7am-7am).

Symptoms: Users with mailboxes on-premises might not be able to see free/busy, MailTips or profile pictures from users with a mailbox in Exchange Online. Only EWS functionality is affected, thus things such as migration jobs and mail flow keep functioning.

For more information, keep an eye on the EHLO blog announcements.

Hotfix Updates Exchange 2016-2019 (May2025)

Posted on May 29, 2025 by Michel de Rooij

The Exchange product group released the May 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016.

Hotfix updates do not contain security fixes, but address issues. They also might introduce or add support for functionality changes, such as dedicated Exchange hybrid app support added in the April hotfixes.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU15	Download	15.2.1748.26	KB5057651	KB5050672
Exchange 2019 CU14	Download	15.2.1544.27	KB5057652	KB5050673
Exchange 2016 CU23	Download	15.1.2507.57	KB5057653	KB5050674

Changes

Issues addressed in these hotfixes are:

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, a.o.). To make the required changes related to the Graph permissions model you have some more time, as that will become required in October 2026. For more information, please visit this link.

Hotfix Updates Exchange 2016-2019 (Apr2025)

Posted on April 29, 2025 by Michel de Rooij

The Exchange product group released the April 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016. Hotfix updates do not contain security fixes. Instead, this hotfix introduces support for the updated Exchange Hybrid Application model.

Exchange	Download	Build	KB
Exchange 2019 CU15	Download	15.2.1748.24	KB5050672
Exchange 2019 CU14	Download	15.2.1544.25	KB5050673
Exchange 2016 CU23	Download	15.1.2507.55	KB5050674

Dedicated Exchange Hybrid Application

Instead of relying on the default Office 365 Exchange Online application in Entra ID, the new model leverages a dedicated application in Entra ID to support Exchange Hybrid. By creating a new dedicated, unique application ID per tenant, instead of relying on the well-known application identifier 00000002-0000-0ff1-ce00-000000000000, allows organizations to decide when to move from EWS to Graph permissions.

To implement the dedicated Exchange Hybrid Application and configure all related aspects, the product group published a script, ConfigureExchangeHybridApplication.ps1 (part of the hotfix or available here). This script can take care of parts or all of the configuration. An extensive article explaining the steps and script usage is published here, so there is no need to repeat that information.

In addition, as part of the move to Graph from Exchange Web Services, the new Exchange Hybrid application will eventually leverage Graph instead of Exchange Web Services. Since Exchange still lacks functionality in the Graph area, the new app still requires blanket EWS permission full_access_as_app. But consider this a first step in the transition process, and expect permissions to change to Graph API permissions in the future.

Moving away from the common application, which has been around for a while, may impact existing scripts and procedures with hard references to its identifier. You need to anticipate this change by making the reference independent and dynamic. To determine this identifier, check for an Entra application named ExchangeServerApp-<Organization Guid>, provided you used the ConfigureExchangeHybridApplication script to create it.

Co-Existence

Organizations running Exchange Hybrid requiring rich co-existence must implement this April 2025 HU before October 2025 for continued functionality. This includes upcoming changes in Graph permissions (ETA October 2026). This may create an additional task when running Exchange Hybrid as part of a long-term hybrid deployment or when migrating to Exchange Online. Failure to do so may result in unpleasant surprises, such as broken Free/Busy sharing functionality.

Exchange SE

The change in the Exchange Hybrid Application model will propagate to Exchange SE. Exchange SE is the successor to Exchange 2019 and is expected to become available later this year, replacing the soon-to-be-out-of-support Exchange Server 2019 and Exchange Server 2016 versions.

Exchange 2019 CU15 (2025 H1)

Posted on February 11, 2025 by Michel de Rooij

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2025, or CU15, almost one year after CU14. CU15 will also be the last CU for Exchange 2019, which will become end-of-life in October this year. Customers staying on-premises are recommended to use the remaining time this year to upgrade to this CU level to have a smooth transition to Exchange Server Subscription Edition (SE) later this year. The official announcement can be found here.

Features
Apart from fixes and updates, including those from the security update of November (e.g. AMSI changes), this Cumulative Update for Exchange 2019 introduces some feature changes:

Exchange 2019 CU15 and CU14 are now supported on Windows Server 2025. This includes environments running domain controllers running Windows Server 2025. This allows organizations to consider using Windows Server 2025, not having to look at migrations because of the underlying operating system when Exchange SE. Note that Windows Server 2025 is not currently a supported Forest Functional Level.
As announced in the roadmap article, the CU15 setup contains an Exchange 2013 coexistence block, preventing it from being deployed in organizations running Exchange 2013. The consequence is that when you are still on Exchange 2013, you might need to migrate to CU14 first (it can be on WS2025). After that, you can upgrade those CU14 servers to CU15 after decommissioning Exchange 2013 servers.
Certificate Management has returned to the Exchange Admin Center.
Partial TLS 1.3 support on Windows Server 2022 and later. TLS 1.3 is supported for all protocols except SMTP; SMTP support is expected in a future update. Deploying CU15 on Windows Server 2022 or later will enable TLS 1.3 by default; disable it when needed per these instructions.
DocParser replaces Oracle Outside In Technology (OIT). This library extracts text from emails during transport for purposes of Data Loss Prevention and Exchange Transport Rules.
Feature Flighting is a server-side component allowing selected changes to be deployed and managed through deployment rings. This resembles how updates can be managed for other products, such as Microsoft Office or Windows. Note that CU15 just introduced the Feature Flighting engine with a PING feature for testing purposes. No features are being flighted until after Exchange SE, which aligns with the promise of Exchange 2019 CU15 running the same code as Exchange SE. Feature Flighting is optional and can be disabled when needed. When diagnostics data collection is enabled, additional data related to Feature Flighting will be included.
Exchange SE will support Exchange 2019 product keys. Previously, it was announced that CU15 would accept SE product keys. This dependency order was changed to ease the migration path. New keys are now only required per Exchange SE CU1.

Download
Below is the link to the update. The columns Schema and AD indicate whether the CU contains changes to Schema (/PrepareSchema) and Active Directory (PrepareAD) compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information.

Version	Build	KB	Download	Schema	AD
Exchange 2019 CU15	15.2.1748.10	KB5042461	Download	N	Y

Fixes

5047359 Clean up old Exchange OWA files automatically to free up disk space
5047361 Inline images and text attachments are not visible in OWA
5047402 Online Archiving bypasses the InternetWebProxy setting in Exchange 2019
5047995 MFNs are not sent to remote domains
5047997 Wrong server version displayed in POP and IMAP logoff strings
5048017 RecoverServer operation fails in Exchange Server 2019
5048019 “NullReferenceException” error and Managed Store stops responding
5048020 Calendar print doesn’t work in OWA from Exchange 2019 CU14 onwards
5048021 HTML message is corrupted if <&quote;> is included
5048072 “Enabled Extended Protection” message when you run setup with prepare* command
5047994 German umlauts in the Subject are replaced by a question mark
5047358 Group Metrics generation doesn’t finish in multidomain environment

Notes

If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
When upgrading from an n-2 or earlier version of Exchange or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Remember to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to the inability to validate script signatures.
To speed up the system update process without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM before installing Cumulative Updates.
Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution
As for any updates, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange Updates – December 2019

Posted on December 17, 2019 by Michel de Rooij

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. One significant change with these updates is the requirement for .NET Framework 4.8, as announced earlier. Also, Exchange 2019 CU4 comes with an updated Exchange calculator. Links to the updates as well as a description of changes and fixes are described below.

Version	Build	KB	Download	UMLP	Schema
Exchange 2019 CU4	15.2.529.5	KB4522149	VLSC		N
Exchange 2016 CU15	15.1.1913.5	KB4522150	Download	UMLP	N

Exchange 2019 CU4 fixes:

4528696 Exchange PowerShell cmdlets take longer time to run in Exchange Server 2019
4528695 Event ID 4009 when using SubjectOrBodyMatchesPatterns on Edge server in Exchange Server 2019
4528694 Can’t open .ics file in Outlook on the web in Exchange Server 2019
4528692 “A parameter was specified that isn’t valid” error when creating transport rule in Exchange Server 2019
4523519 Set-SendConnector doesn’t work for Exchange Server in hybrid scenarios with Edge Server installed
4528688 Only one recipient shows when saving draft by using Exchange ActiveSync version 16.0 in Exchange Server 2019
4528693 Get-CalendarDiagnosticLog is proxied for queries within the same forest in Exchange Server 2019
4528687 NotificationClient logs aren’t purged and consume lots of disk in Exchange Server 2019
4528689 Outlook on the web shows MailTip when recipients equal the large audience size in Exchange Server 2019
4528690 Can’t move or delete folder in Outlook online mode if the destination has a folder with the same name in Exchange Server 2019
4532744 System.ArgumentNullException when you use Set-user to assign block legacy auth policy in Exchange Server 2019
4532747 Address list separation not working for a user without a mailbox in Exchange Server 2019
4523171 Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 12, 2019

Exchange 2016 CU15 fixes:

4515256 “The function cannot be performed…” error when you send a message that’s open for a long time in Exchange Server 2016
4528693 Get-CalendarDiagnosticLog is proxied for queries within the same forest in Exchange Server 2016
4523519 Set-SendConnector doesn’t work for Exchange Server in hybrid scenarios with Edge Server installed
4528690 Can’t move or delete folder in Outlook online mode if the destination has a folder with the same name in Exchange Server 2016
4528687 NotificationClient logs aren’t purged and consume lots of disk in Exchange Server 2016
4528689 Outlook on the web shows MailTip when recipients equal the large audience size in Exchange Server 2016
4528688 Only one recipient shows when saving draft by using Exchange ActiveSync version 16.0 in Exchange Server 2016
4528695 Event ID 4009 when using SubjectOrBodyMatchesPatterns on Edge server in Exchange Server 2016
4528694 Can’t open .ics file in Outlook on the web in Exchange Server 2016
4528692 “A parameter was specified that isn’t valid” error when creating transport rule in Exchange Server 2016
4515257 Hash mismatch is reported for Exchange DLLs in the bin directory of Exchange Server 2016
4528696 Exchange PowerShell cmdlets take longer time to run in Exchange Server 2016
4532747 Address list separation not working for a user without a mailbox in Exchange Server 2016
4523171 Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 12, 2019

Notes:

These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to delay installing at most one version (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.