Hotfix Updates Exchange 2016-2019 (May2025)


The Exchange product group released the May 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016.

Hotfix updates do not contain security fixes; they address non-security issues. They may also introduce, or add support for, functional changes, such as the dedicated Exchange hybrid app support added in the April hotfixes.

Exchange | Download | Build | KB | Supersedes
--- | --- | --- | --- | ---
Exchange 2019 CU15 | Download | 15.2.1748.26 | KB5057651 | KB5050672
Exchange 2019 CU14 | Download | 15.2.1544.27 | KB5057652 | KB5050673
Exchange 2016 CU23 | Download | 15.1.2507.57 | KB5057653 | KB5050674

Changes

Issues addressed in these hotfixes are:

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, among others). You have more time to make the required changes related to the Graph permissions model, as those only become required in October 2026. For more information, please visit this link.

Hotfix Updates Exchange 2016-2019 (Apr2025)


The Exchange product group released the April 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016. Hotfix updates do not contain security fixes. Instead, this hotfix introduces support for the updated Exchange Hybrid Application model.

Exchange | Download | Build | KB | Supersedes
--- | --- | --- | --- | ---
Exchange 2019 CU15 | Download | 15.2.1748.24 | KB5050672 |
Exchange 2019 CU14 | Download | 15.2.1544.25 | KB5050673 |
Exchange 2016 CU23 | Download | 15.1.2507.55 | KB5050674 |

Dedicated Exchange Hybrid Application

Instead of relying on the default Office 365 Exchange Online application in Entra ID, the new model uses a dedicated application in Entra ID to support Exchange Hybrid. Creating a new, unique application ID per tenant, instead of relying on the well-known application identifier 00000002-0000-0ff1-ce00-000000000000, lets organizations decide for themselves when to move from EWS to Graph permissions.

To implement the dedicated Exchange Hybrid Application and configure all related aspects, the product group published a script, ConfigureExchangeHybridApplication.ps1 (part of the hotfix or available here). This script can take care of parts or all of the configuration. An extensive article explaining the steps and script usage is published here, so there is no need to repeat that information.

In addition, as part of the move from Exchange Web Services to Graph, the new Exchange Hybrid application will eventually use Graph instead of Exchange Web Services. Since the Graph side still lacks functionality that Exchange hybrid needs, the new app still requires the blanket EWS permission full_access_as_app. Consider this a first step in the transition process, and expect the permissions to change to Graph API permissions in the future.

Moving away from the common application, which has been around for a long time, may impact existing scripts and procedures that contain hard-coded references to its identifier. Anticipate this change by making such references independent and dynamic. To determine the new identifier, look for an Entra application named ExchangeServerApp-<Organization Guid>, provided you used the ConfigureExchangeHybridApplication script to create it.
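The following is an added example, not part of the original post and not the product group's ConfigureExchangeHybridApplication.ps1, showing how a script can resolve the dedicated hybrid application at run time instead of hard-coding the well-known identifier. It assumes the app was created with the naming convention from the article (ExchangeServerApp-<Organization Guid>), that the organization GUID is the one reported by Get-OrganizationConfig in the on-premises Exchange Management Shell, and that the Microsoft.Graph.Applications module is available with an Application.Read.All connection; the function name Get-ExchangeHybridAppId is hypothetical.

```powershell
# Added example (not the product group's script): resolve the dedicated Exchange hybrid
# application ID dynamically instead of hard-coding 00000002-0000-0ff1-ce00-000000000000.
# Assumptions: run in the on-premises Exchange Management Shell (Get-OrganizationConfig)
# with the Microsoft.Graph.Applications module loaded (Get-MgApplication, Get-MgServicePrincipal).

function Get-ExchangeHybridAppId {
    [CmdletBinding()]
    param(
        # Assumption: the app is named ExchangeServerApp-<Organization GUID>, as created by
        # ConfigureExchangeHybridApplication.ps1.
        [string]$NamePrefix = 'ExchangeServerApp-',
        # Legacy well-known Office 365 Exchange Online application identifier (from the article).
        [string]$LegacyAppId = '00000002-0000-0ff1-ce00-000000000000',
        # Only fall back to the legacy identifier when explicitly allowed; after October 2025
        # the dedicated app is mandatory, so a silent fallback would hide a misconfiguration.
        [switch]$AllowLegacyFallback
    )

    # Assumption: the organization GUID used in the app name is the on-premises org object GUID.
    $orgGuid     = (Get-OrganizationConfig).Guid.ToString()
    $displayName = "$NamePrefix$orgGuid"

    $apps = @(Get-MgApplication -Filter "displayName eq '$displayName'" -ErrorAction SilentlyContinue)

    if ($apps.Count -eq 0) {
        if ($AllowLegacyFallback) {
            Write-Warning "No dedicated hybrid app '$displayName' found; using legacy app $LegacyAppId."
            return $LegacyAppId
        }
        throw "No dedicated hybrid app '$displayName' found in Entra ID. Run ConfigureExchangeHybridApplication.ps1 first."
    }
    if ($apps.Count -gt 1) {
        throw "Multiple applications named '$displayName' found; refusing to guess which one is the hybrid app."
    }
    return $apps[0].AppId
}

# Usage: establish the Graph session once, then let downstream steps use $hybridAppId
# instead of a hard-coded GUID.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
$hybridAppId = Get-ExchangeHybridAppId -AllowLegacyFallback

# Example downstream use: show the service principal backing the resolved application.
Get-MgServicePrincipal -Filter "appId eq '$hybridAppId'" | Select-Object DisplayName, AppId
```

The function throws rather than guesses when zero or several matching applications exist, so a script consuming it fails loudly before the October 2025 cut-over instead of silently continuing with the wrong identifier; drop the -AllowLegacyFallback switch once the dedicated app is in place everywhere.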

Co-Existence

Organizations running Exchange Hybrid that require rich co-existence must implement this April 2025 HU before October 2025 for continued functionality. This includes the upcoming changes in Graph permissions (ETA October 2026). This may add a task when running Exchange Hybrid as part of a long-term hybrid deployment or when migrating to Exchange Online. Failure to do so may result in unpleasant surprises, such as broken Free/Busy sharing.

Exchange SE

The change in the Exchange Hybrid Application model will propagate to Exchange SE. Exchange SE is the successor to Exchange 2019 and is expected to become available later this year, replacing the soon-to-be-out-of-support Exchange Server 2019 and Exchange Server 2016 versions.

Hotfix for Exchange 2016 and 2019 (Apr2024)


Today, Microsoft released a hotfix for Exchange Server 2016 and 2019 that not only fixes some issues but, importantly, also adds a much-welcomed functionality change: Hybrid Modern Authentication support for OWA and ECP. You can deploy the hotfix directly on the Cumulative Update, similar to Security Updates. There is no need to deploy the March 2024 Security Update first.

The Hotfix for each supported Exchange Server build is linked below:

Exchange | Download | Build | KB | Supersedes
--- | --- | --- | --- | ---
Exchange 2019 CU14 HU2 | Download | 15.2.1258.34 | KB5037224 | KB5036402
Exchange 2019 CU13 HU6 | Download | 15.2.1544.11 | KB5037224 | KB5036402
Exchange 2016 CU23 HU13 | Download | 15.1.2507.39 | KB5037224 | KB5036386

HMA support for OWA/ECP

This hotfix adds support for OWA and ECP when used with Hybrid Modern Authentication (HMA). This removes the need to deploy Azure Web Application Proxy for OWA and ECP when you want to deploy HMA. If you already deployed an Azure Web Application Proxy configuration for this purpose, you can choose to remove it after deploying the hotfix and configuring HMA on OWA/ECP. More information on enabling OWA and ECP for HMA support is here.

Caution: if you do not synchronize the identities of (Exchange) administrators to Entra, they will be unable to authenticate against Entra ID and thus unable to manage Exchange on-premises using ECP. In those cases, they can either use the Exchange Management Shell or have their identities synchronized. Since Entra will be performing the authentication, you can add additional controls, such as location conditions or MFA, for those accounts.

ECC Certificate Support

The hotfix adds support for ECC certificates to Exchange, except for scenarios where Active Directory Federation Services (AD FS) is utilized. More information here.

Fixed Issues

The hotfix addresses the following issues, some of which were introduced after deploying the March 2024 SU:

Issue | Exchange 2016 | Exchange 2019
--- | --- | ---
Download domains not working after installing the March 2024 SU | Yes | Yes
Search error in Outlook cached mode after installing March 2024 SU | Yes | Yes
OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SU | Yes | Yes
Edit permissions option in the ECP can’t be edited | Yes | Yes
Outlook doesn’t display unread message icon after installing Exchange Server March 2024 SU | Yes | Yes
My Templates add-in isn’t working after installing Microsoft Exchange Server March 2024 SU | Yes | Yes

Notes

  • The hotfix is Exchange build level specific. You cannot apply the hotfix for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the hotfix file will carry the same name for each build, and I would suggest tagging the file name with the Exchange version and CU when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.

On a final note, as with any patch or update, it is recommended to apply this update in a test environment first, prior to implementing it in production.

Security Updates Exchange 2013-2019 (Mar2023)


The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for a fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for possible exploitation (link), which is rather uncommon.

The vulnerability addressed in these Security Updates for Exchange Server is:

Vulnerability | Category | Severity | Rating
--- | --- | --- | ---
CVE-2022-21978 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange | Download | Build | KB | Supersedes
--- | --- | --- | --- | ---
Exchange 2019 CU12 | Download | 15.2.1118.26 | KB5024296 | KB5023038
Exchange 2019 CU11 | Download | 15.2.986.42 | KB5024296 | KB5023038
Exchange 2016 CU23 | Download | 15.1.2507.23 | KB5024296 | KB5023038
Exchange 2013 CU23 | Download | 15.0.1497.48 | KB5024296 | KB5023038

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April 2023. This means Exchange 2013 will stop receiving security updates. The recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue | Exchange 2013 | Exchange 2016 | Exchange 2019
--- | --- | --- | ---
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigning | Yes | Yes | Yes
EEMS stops responding after TLS endpoint certificate update | Yes | Yes | Yes
Get-App and GetAppManifests fail and return an exception | Yes | Yes | Yes
EWS does not respond and returns an exception | Yes | Yes | Yes
An exception is returned while opening a template in the Exchange Toolbox | Yes | Yes | Yes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Exchange servers running as part of a hybrid deployment are managed through PowerShell, and thus need to receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed them after removal of the last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend applying this in a test environment first, prior to implementing it in production. However, when it concerns security updates it is not recommended to wait for regular maintenance cycles; follow a more agile approach instead, and use the ratings as an indication of the urgency.

Security Updates Exchange 2013-2019 (Feb2023)


[20Feb] Added information regarding issues reported.

The Exchange product group released February updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

Vulnerability | Category | Severity | Rating
--- | --- | --- | ---
CVE-2023-21529 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7
CVE-2023-21706 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7
CVE-2023-21707 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7
CVE-2023-21710 | Remote Code Execution | Important | CVSS:3.1 7.2 / 6.3

The Security Updates for each supported Exchange Server build are linked below:

Exchange | Download | Build | KB | Supersedes
--- | --- | --- | --- | ---
Exchange 2019 CU12 | Download | 15.2.1118.25 | KB5023038 | KB5022193
Exchange 2019 CU11 | Download | 15.2.986.41 | KB5023038 | KB5022193
Exchange 2016 CU23 | Download | 15.1.2507.21 | KB5023038 | KB5022143
Exchange 2013 CU23 | Download | 15.0.1497.47 | KB5023038 | KB5022188

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April 2023. This means Exchange 2013 will stop receiving security updates. The recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue | Exchange 2013 | Exchange 2016 | Exchange 2019
--- | --- | --- | ---
Export-UMPrompt fails with InvalidResponseException | Yes | Yes | N/A
Edge Transport service returns an “EseNtOutOfSessions” exception | Yes | Yes | Yes
Exchange services in automatic startup mode do not start automatically | Yes | Yes | Yes
Data source returns incorrect checkpoint depth | Yes | Yes | Yes
Serialization fails while trying to access Mailbox Searches in ECP | Yes | Yes | Yes
Transport delivery service mishandles iCal events | Yes | Yes | Yes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Exchange servers running as part of a hybrid deployment are managed through PowerShell, and thus need to receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed them after removal of the last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend applying this in a test environment first, prior to implementing it in production. However, when it concerns security updates it is not recommended to wait for regular maintenance cycles; follow a more agile approach instead, and use the ratings as an indication of the urgency.

[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server-side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it is EWS having problems, applications depending on this protocol, such as Teams, may also stop working.

Meanwhile, Microsoft acknowledged an issue with the initial publication and published a workaround. If you experience issues and see event 4999 in your event log, with a message like:

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

follow the instructions in the following KB article link:

  1. On each Exchange server, create a registry value:
     New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name 'DisableBaseTypeCheckForDeserialization' -Value 1 -Type String
  2. Create a global override setting (this only needs to be done once, as it is stored in Active Directory):
     New-SettingOverride -Name 'Adding learning location ClientExtensionCollectionFormatter' -Component Data -Section DeserializationBinderSettings -Parameters @('LearningLocations=ClientExtensionCollectionFormatter') -Reason 'Deserialization failed'
  3. If you cannot wait until the override configuration kicks in (this may take up to an hour), refresh it manually:
     • Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
     • Restart IIS and the Windows Process Activation Service (WAS) on each server:
       Restart-Service -Name W3SVC, WAS -Force
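Because the workaround has a per-server part (the registry value) and an organization-wide part (the setting override), it is easy to end up with servers that still log the symptom because only one half was applied. The following is an added example, not part of the original post or the KB article, that checks a single server for the event 4999 symptom quoted above and reports whether both workaround settings are in place. It assumes it runs in the Exchange Management Shell on the server being checked; the registry path, value name and override name are the ones from the steps above, and the function name Test-EwsDeserializationWorkaround is hypothetical.

```powershell
# Added example (not from the KB article): verify the EWS deserialization workaround on
# one Exchange server. Assumes the Exchange Management Shell on that server, so that
# Get-SettingOverride is available alongside the standard Get-WinEvent/Get-ItemProperty.

function Test-EwsDeserializationWorkaround {
    [CmdletBinding()]
    param(
        # How far back to look for the symptom in the Application log.
        [int]$LookbackHours = 24,
        # Registry value created in step 1 of the workaround.
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics',
        [string]$RegistryName = 'DisableBaseTypeCheckForDeserialization',
        # Setting override created in step 2 of the workaround.
        [string]$OverrideName = 'Adding learning location ClientExtensionCollectionFormatter'
    )

    # 1. Symptom: event 4999 whose message mentions the blocked deserialization type, as in
    #    the event text quoted above (M.E.Diagnostics.BlockedDeserializeTypeException).
    $hits = @(
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Application'
            Id        = 4999
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BlockedDeserializeTypeException' }
    )

    # 2. Per-server registry value: the KB creates it as a String with value "1".
    $regItem  = Get-ItemProperty -Path $RegistryPath -Name $RegistryName -ErrorAction SilentlyContinue
    $regValue = if ($null -ne $regItem) { [string]$regItem.$RegistryName } else { $null }

    # 3. Organization-wide setting override, matched on the name used in the KB step.
    $override = @(Get-SettingOverride -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $OverrideName })

    [pscustomobject]@{
        Server                  = $env:COMPUTERNAME
        BlockedDeserializeHits  = $hits.Count
        LastHit                 = if ($hits.Count -gt 0) { $hits[0].TimeCreated } else { $null }
        RegistryValuePresent    = ($regValue -eq '1')
        SettingOverridePresent  = ($override.Count -gt 0)
        WorkaroundComplete      = ($regValue -eq '1') -and ($override.Count -gt 0)
    }
}

# Usage: run on each server and compare; a server with hits but WorkaroundComplete = $true
# may simply not have refreshed the override yet (see step 3 above).
Test-EwsDeserializationWorkaround | Format-List
```

Run the function on every Exchange server in the organization and review the RegistryValuePresent column in particular, since that part of the workaround is the one that has to be repeated per server; the override only needs to exist once.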

Be advised that event 4999 might still show up in your event log, and it has been reported that this workaround might not completely do away with the issues reported. Keep an eye on the original post and the EHLO blog for any future updates.