Hotfix Updates Exchange 2016-2019 (May2025)

Posted on May 29, 2025 by Michel de Rooij

The Exchange product group released the May 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016.

Hotfix updates do not contain security fixes, but address issues. They also might introduce or add support for functionality changes, such as dedicated Exchange hybrid app support added in the April hotfixes.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU15	Download	15.2.1748.26	KB5057651	KB5050672
Exchange 2019 CU14	Download	15.2.1544.27	KB5057652	KB5050673
Exchange 2016 CU23	Download	15.1.2507.57	KB5057653	KB5050674

Changes

Issues addressed in these hotfixes are:

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, a.o.). To make the required changes related to the Graph permissions model you have some more time, as that will become required in October 2026. For more information, please visit this link.

Hotfix Updates Exchange 2016-2019 (Apr2025)

Posted on April 29, 2025 by Michel de Rooij

The Exchange product group released the April 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016. Hotfix updates do not contain security fixes. Instead, this hotfix introduces support for the updated Exchange Hybrid Application model.

Exchange	Download	Build	KB
Exchange 2019 CU15	Download	15.2.1748.24	KB5050672
Exchange 2019 CU14	Download	15.2.1544.25	KB5050673
Exchange 2016 CU23	Download	15.1.2507.55	KB5050674

Dedicated Exchange Hybrid Application

Instead of relying on the default Office 365 Exchange Online application in Entra ID, the new model leverages a dedicated application in Entra ID to support Exchange Hybrid. By creating a new dedicated, unique application ID per tenant, instead of relying on the well-known application identifier 00000002-0000-0ff1-ce00-000000000000, allows organizations to decide when to move from EWS to Graph permissions.

To implement the dedicated Exchange Hybrid Application and configure all related aspects, the product group published a script, ConfigureExchangeHybridApplication.ps1 (part of the hotfix or available here). This script can take care of parts or all of the configuration. An extensive article explaining the steps and script usage is published here, so there is no need to repeat that information.

In addition, as part of the move to Graph from Exchange Web Services, the new Exchange Hybrid application will eventually leverage Graph instead of Exchange Web Services. Since Exchange still lacks functionality in the Graph area, the new app still requires blanket EWS permission full_access_as_app. But consider this a first step in the transition process, and expect permissions to change to Graph API permissions in the future.

Moving away from the common application, which has been around for a while, may impact existing scripts and procedures with hard references to its identifier. You need to anticipate this change by making the reference independent and dynamic. To determine this identifier, check for an Entra application named ExchangeServerApp-<Organization Guid>, provided you used the ConfigureExchangeHybridApplication script to create it.

Co-Existence

Organizations running Exchange Hybrid requiring rich co-existence must implement this April 2025 HU before October 2025 for continued functionality. This includes upcoming changes in Graph permissions (ETA October 2026). This may create an additional task when running Exchange Hybrid as part of a long-term hybrid deployment or when migrating to Exchange Online. Failure to do so may result in unpleasant surprises, such as broken Free/Busy sharing functionality.

Exchange SE

The change in the Exchange Hybrid Application model will propagate to Exchange SE. Exchange SE is the successor to Exchange 2019 and is expected to become available later this year, replacing the soon-to-be-out-of-support Exchange Server 2019 and Exchange Server 2016 versions.

Security Updates Exchange 2016-2019 (Nov2024)

Posted on November 12, 2024 by Michel de Rooij

NOTICE (Nov27): The SUs have been re-released. The v2 adds additional control over the X-MS-Exchange-P2FromRegexMatch header, which is set for messages with a non-RFC5322 compliant P2 FROM header. Install these on your Exchange server, also if you already deployed the v1 SU to benefit from the additional control.

The Exchange product group released November 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability	Category	Severity	Rating
CVE-2024-49040	Spoofing	Important	CVSS:3.1 7.5 / 6.7

The v2 Security Updates for each supported Exchange Server build are linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU14	Download	15.2.1544.14	KB5044062 KB5049233	KB5036401
Exchange 2019 CU13	Download	15.2.1258.39	KB5044062 KB5049233	KB5036402
Exchange 2016 CU23	Download	15.1.2507.44	KB5044062 KB5049233	KB5036386

Added Features

Anti-Malware Scan Interface (AMSI) integration

The ability of products that use the Exchange Server AMSI integration to perform additional tasks on message bodies. The feature is disabled by default. You can enable it on a protocol base like Exchange Web Services or PowerShell. More information on this feature here.

Non-RFC5322 compliant header detection

Similar to the change in Exchange Online mentioned in MC886603, after installing this SU, messages with a non-compliant P2 FROM header (RFC5322) will be detected. Unlike Exchange Online, which will drop these messages, Exchange will add a header that can be used in transport rules as organizations see fit. To be compliant, organizations should ensure messages with multiple From addresses include a Sender header. More information here.

Elliptic Curve Cryptography (ECC) certificate support

ECC certificates can now be used on Edge Transport servers and bound to the POP and IMAP services. Note that unlike the previous implementation, which required enabling using New-SettingOverride, they are now configured through a registry key, i.e.

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics" -Name "EnableEccCertificateSupport" -Value 1 -Type String

More information here.

Microsoft Information Protection Client (MSIPC)

MSIPC will now ne enabled by default, replacing Microsoft Digital Rights Management (MSDRM) for information rights management.

Fixed Issues

Apart from security fixes and added features, these Security Updates also correct the following issues:

Issue Fixed	Exchange 2016	Exchange 2019
Journal report decryption doesn’t decrypt attachment in journal mailbox	Yes	Yes
Error after adding support for AES256-CBC–encrypted content in August 2023 SU	Yes	Yes
Exchange can’t decrypt IRM messages	Yes
Server with PowerShell_ISE doesn’t serialize when connecting to EMS	Yes	Yes
Email sent through Pickup folder displays admin version	Yes	Yes
CSR created by Exchange are signed with outdated Encryption algorithm	Yes	Yes
OWA displays incorrect time zone for Amman	Yes	Yes
Kazakhstan changes to single time zone in 2024	Yes	Yes
Moderated messages are marked as expired after they are approved or rejected		Yes
Exchange Transport Rules and Data Loss Prevention rules don’t work after installing November 2024 SU V1	Yes	Yes

Notes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU14-KBXXXXXX-x64-en.msp.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management, it is recommended that you apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings indicate the level of urgency.

Hotfix for Exchange 2016 and 2019 (Apr2024)

Posted on April 23, 2024 by Michel de Rooij

Today, Microsoft released a hotfix for Exchange Server 2016 and 2016 that will not only fix some issues but, importantly, also add a much-welcomed functionality change: Hybrid Modern Authentication support OWA and ECP. You can deploy the hotfix directly on the Cumulative Update, similar to Security Updates. There is no need to deploy the March 2024 Security Update first.

The Hotfix for each supported Exchange Server build is linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU14 HU2	Download	15.2.1258.34	KB5037224	KB5036402
Exchange 2019 CU13 HU6	Download	15.2.1544.11	KB5037224	KB5036402
Exchange 2016 CU23 HU13	Download	15.1.2507.39	KB5037224	KB5036386

HMA support for OWA/ECP

This hotfix adds support for OWA and ECP when used in Hybrid Modern Authentication (HMA). This removes the need to deploy Azure Web Application Proxy for OWA and ECP when you want to deploy HMA. If you already deployed an Azure WebApp Proxy configuration for this purpose, you can choose to remove it after deploying the hotfix and configuring HMA on OWA/ECP. More information on enabling OWA and ECP for HMA support is here.

Caution: if you do not synchronize the identities of (Exchange) administrators to Entra, they will be unable to authenticate against Entra Identity and thus unable to manage Exchange on-premises using ECP. In those cases, they have the option to use Exchange Management Shell or synchronize their identities. Since Entra will be performing the authentication, you can add additional controls, such as location conditions or MFA, for those accounts.

ECC Certificate Support

The hotfix adds support for ECC certificates to Exchange, except for scenarios where Active Directory Federation Services (AD FS) is utilized. More information here.

Fixed Issues

The hotfix addresses the following issues, some of which were introduced after deploying the March 2024 SU:

Issue	Exchange 2016	Exchange 2019
Download domains not working after installing the March 2024 SU	Yes	Yes
Search error in Outlook cached mode after installing March 2024 SU	Yes	Yes
OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SU	Yes	Yes
Edit permissions option in the ECP can’t be edited	Yes	Yes
Outlook doesn’t display unread message icon after installing Exchange Server March 2024 SU	Yes	Yes
My Templates add-in isn’t working after installing Microsoft Exchange Server March 2024 SU	Yes	Yes

Notes

The hotfix is Exchange build level specific. You cannot apply the hotfix for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name, and I would suggest tagging the file name with the Exchange version and CU when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.

On a final note, as with any patch or update, it is recommended to apply this update in a test environment first, prior to implementing it in production.

Security Updates Exchange 2016-2019 (Mar2024)

Posted on March 13, 2024 by Michel de Rooij

The Exchange product group released March 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability	Category	Severity	Rating
CVE-2024-26198	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU14	Download	15.2.1544.9	KB5036401	KB5032146
Exchange 2019 CU13	Download	15.2.1258.32	KB5036402	KB5032146
Exchange 2016 CU23	Download	15.1.2507.37	KB5036386	KB5032147

OutsideInModule

Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling these is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for usage in Exchange Transport Rules or Data Loss Prevention rules. More information is here.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue Fixed	Exchange 2016	Exchange 2019
EWS search request displays inaccurate results	Yes	Yes

Notes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.