Released: March 2017 Quarterly Exchange Updates

With this month’s quarterly release we bid a fond farewell to Exchange Server 2007. Support for Exchange Server 2007 expires on 4/11/2017. Update Rollup 23 for Service Pack 3 will be the last update rollup released for the Exchange Server 2007 product. Today we are also releasing the latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013. These releases include fixes to customer reported issues and updated functionality. Exchange Server 2016 Cumulative Update 5 and Exchange Server 2013 Cumulative Update 16 are available on the Microsoft Download Center. Update Rollup 17 for Exchange Server 2010 Service Pack 3 is also now available.

Exchange Server 2013 and 2016 require .Net 4.6.2

As previously announced, Exchange Server 2013 and Exchange Server 2016 now require .Net 4.6.2 on all supported operating systems. Customers who are still running .Net 4.5.2 should deploy Cumulative Update 4 or Cumulative Update 15, upgrade the server to .Net 4.6.2 and then deploy either Cumulative Update 5 or Cumulative Update 16.

Arbitration Mailbox Migration

Recently there have been reports of problems with customers migrating mailboxes to Exchange Server 2016. We wanted to take this opportunity to remind everyone that when multiple versions of Exchange co-exist within the organization, we require that all Arbitration Mailboxes be moved to a database mounted on a server running the latest version of Exchange. For more information, please consult the Exchange Server Deployment Assistant on TechNet.

Update on S/MIME Control

One year ago, we released an updated S/MIME Control for OWA. We have received questions from customers requesting clarification on what this release included. As stated previously, the control itself did not change. This was a packaging change necessary to prevent IE from throwing a certificate warning during installation due to SHA-1 deprecation. The control is code signed with Authenticode using a SHA-1 algorithm, which ensures compatibility with code signing on Vista/Windows Server 2008 and Windows 7/Windows Server 2008 R2. The Authenticode file hash and the delivery package are signed with a SHA-2 certificate. Signing the package with a SHA-2 certificate prevents IE from throwing a certificate warning when the package is installed and provides the necessary protection for the entire package.

Latest time zone updates

All of the packages released today include support for time zone updates published by Microsoft through March 2017.

TLS 1.2 Exchange Support Update coming in Cumulative Update 6

We would like to raise awareness of changes planned for the next quarterly update release. We are working to provide updated guidance and capabilities related to Exchange Server’s use of TLS protocols. The June 2017 release will include improved support for TLS in general and TLS 1.2 specifically. These changes will apply to Exchange Server 2016 Cumulative Update 6 and Exchange Server 2013 Cumulative Update 17.

Late Breaking Issues not resolved in Cumulative Update 5

Cumulative Update 5 includes a couple of issues that could not be resolved prior to the product release. The unresolved items we are aware of include the following:

  • When attempting to enable Birthday Calendars in Outlook for the Web, an error occurs and Birthday Calendars are not enabled.
  • When failing over a public folder mailbox to a different server, public folder hierarchy replication may stop until the Microsoft Exchange Service Host is recycled on the new target server.

Fixes for both issues are planned for Cumulative Update 6.

Release Details

KB articles that describe the fixes in each release are available as follows:

Exchange Server 2016 Cumulative Update 5 does not include new updates to Active Directory Schema. If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current.

Exchange Server 2013 Cumulative Update 16 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 16. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for their production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.
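The following read-only pre-upgrade check is an added example, not part of the Exchange Team's post. It covers the .Net 4.6.2 requirement and the execution policy prerequisite described above. The function names are hypothetical, and the Release thresholds are the registry values Microsoft documents for each .NET Framework version.

```powershell
# Added example: read-only checks, nothing on the server is changed.
# Function names are hypothetical; Release values are the documented
# .NET Framework "Release" DWORD minimums for each version.
$NdpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Get-DotNetBand {
    param([int]$Release)
    if     ($Release -ge 460798) { 'newer than 4.6.2' }
    elseif ($Release -ge 394802) { '4.6.2' }
    elseif ($Release -ge 394254) { '4.6.1' }
    elseif ($Release -ge 393295) { '4.6' }
    elseif ($Release -ge 379893) { '4.5.2' }
    else                         { 'older than 4.5.2 or not installed' }
}

function Get-CuUpgradePlan {
    param(
        [Parameter(Mandatory)][ValidateSet('2013', '2016')][string]$Exchange,
        [Parameter(Mandatory)][int]$Release
    )
    # CU pairs named in the post: 2016 uses CU4 then CU5, 2013 uses CU15 then CU16.
    if ($Exchange -eq '2016') { $prior = 'CU4';  $target = 'CU5' }
    else                      { $prior = 'CU15'; $target = 'CU16' }

    switch (Get-DotNetBand -Release $Release) {
        '4.6.2' { @("Install $target") }
        '4.5.2' { @("Install $prior", 'Upgrade .NET Framework to 4.6.2', "Install $target") }
        default { @("The post body gives no path for .NET '$_'; confirm the sequence with Microsoft first") }
    }
}

function Test-ExecutionPolicyForSetup {
    # The post asks for Unrestricted. MachinePolicy and UserPolicy are set by
    # Group Policy and take precedence over anything set locally, so report
    # every scope rather than only the effective value.
    $scopes    = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy
    $gpoScopes = @($scopes | Where-Object {
        "$($_.Scope)" -in 'MachinePolicy', 'UserPolicy' -and
        "$($_.ExecutionPolicy)" -ne 'Undefined'
    })
    [pscustomobject]@{
        Effective        = $effective
        MeetsRequirement = ($effective -eq 'Unrestricted')
        SetByGroupPolicy = ($gpoScopes.Count -gt 0)
        Scopes           = $scopes
    }
}

# Run on the server that is about to be upgraded.
$release = [int](Get-ItemProperty -Path $NdpKey -ErrorAction SilentlyContinue).Release
"Detected .NET Framework: $(Get-DotNetBand -Release $release) (Release=$release)"
Get-CuUpgradePlan -Exchange '2016' -Release $release
Test-ExecutionPolicyForSetup | Format-List Effective, MeetsRequirement, SetByGroupPolicy
```

If SetByGroupPolicy is true, changing the policy locally with Set-ExecutionPolicy will not change the effective value, and the policy should be returned to its normal setting once the upgrade is complete.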

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU16, 2016 CU5) or the prior (e.g., 2013 CU15, 2016 CU4) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Team

Comments (51)
  1. SAT says:

    Just migrated 30,000 mailboxes from Exchange 2007 to Exchange 2013 in 8 weeks. Only 60,000 to go!

    #progress #getitdone #ExchangeYoda

    1. DSKyo says:

      Good luck migrating them to Exchange 2016 afterwards. lol

  2. Jonathan Galiacy says:

    Thank you !

    Does this release also correct the “Get-help” bug on Windows Server 2016 ? (See : )

    Also, on the TLS 1.2 support subject : does this mean we will be able (with CU6/CU17) to disable TLS1.0 on Exchange servers ?

    Thanks !

    1. Hi,

      the Problem with Get-Help (Exception calling “Open” with “0” argument(s): “The following error occurred while loading the extended type data file: Error in TypeData) still exists.
      Just tested it with an updated system a few minutes ago.


    2. We are still looking into the Get-Help issue with Windows Server 2016.

      On the matter of disabling TLS 1.0, our goal is for customers who want to remove TLS 1.0 from their environment to be able to do so. However, customers will need to evaluate their own requirements and determine if that is possible.

      1. Jonathan Galiacy says:

        Thanks for the answers.

        Good to hear that you’re actively working towards getting rid of TLS 1.0 on Exchange.

        I hope you’re able to pinpoint the Get-Help issue. While it is not critical (as loading the snapin from a regular powershell prompt will have a working Get-Help), it still puts the doubt on whether 2016 is really production ready for Exchange.

        1. Joshua Bines says:

          “Hear, hear!” a nearby member shouted.

  3. RS says:

    In the article from last year ( you state that “Users who have installed the control into their browser will need to re-install this onto devices where the previous version was installed.”

    Do you have to re-install the control or not?

  4. Thanks team! “Outlook for the Web” should be Outlook ON the web. But I assume that this mistake was added deliberately as a silent protest against frequent and unnecessary rebranding of familiar technologies. :)

    On a serious note, are there any plans to add support for Exchange 2010 with Server 2016 domain controllers? Some customers are in the process of upgrading their domain controllers first and have scheduled an Exchange upgrade for a later moment. From previous versions I know that more recent domain controllers are unlikely to cause issues with Exchange.

    1. We have no plans to add support for Windows Server 2016 Domain Controllers with Exchange Server 2010 at this time. We will continue to watch for customer demand for this scenario and re-evaluate as necessary.

      1. Karsten says:

        We are interested too in the scenario Ex2010 together with Win 2016 AD

      I wholeheartedly agree with Jetze on this. If a customer is not on a supported SP and UR with Exchange 2010, once a Windows 2016 DC is present, the customer has essentially painted themselves in a corner with no way to get out–no window, no door, no ladder.

      How should this be addressed going forward when the cart is placed before the horse?

  5. jag_inte_du says:

    In the article from last year (, you state that “Users who have installed the control into their browser will need to re-install this onto devices where the previous version was installed.”

    Do you have to re-install the control or not?

    1. Sorry for the confusion. When we originally wrote that comment, we were operating under a different assumption of how IE would handle the control. Those plans were since changed and re-installing the control should not be necessary at this time.

  6. Thank you for the concrete statement about the AD Schema update requirement. This really saves a lot of personal investigation time!

  7. StephenKCEE says:

    Am I right in understanding that, according to KB4012112, Cumulative Update 16 for Exchange Server 2013 fixes just one issue?
    KB4013606 Search fails on Exchange Server 2013
    I know there are also some Daylight Saving Time and Time Zone changes. But are there any other pressing reasons to schedule the CU16 install?

    1. KB4012112 correctly lists the issues resolved in the Cumulative Update. It does of course also include all fixes released in previous packages as well. In determining whether you should deploy this or not, please keep in mind we will only release security updates for the two most recent Cumulative Update releases.

      1. Purushothama says:

        Hi Brent,

        You said below statement:
        please keep in mind we will only release security updates for the two most recent Cumulative Update releases.

        Then Why you guys released :
        for Exchange server 2013 Service pack1 ?

        Exchange 2013 Sp1 is not under 2 major cumulative updates.
        Correct me if I’m wrong. You guys stopped releasing Service Packs for Exchange instead of that releasing only Cumulative updates? If yes, instead of releasing security patch for Exchange 2013 Sp1 why don’t you suggest to say that be in under 2 major cumulative updates and don’t stay in Sp1?

  8. Darth Adonis says:

    Hi Exchange Team,

    Quick question – We are currently on 2016 CU3 with .NET 4.6.1. What is your guidance for upgrading this scenario to CU5 with .NET 4.6.2?

    1. You will need to upgrade .Net before you will be able to install Cumulative Update 5. The delta between .Net 4.6.1 and 4.6.2 is sufficiently small and Cumulative Update 3 was also validated with .Net 4.6.2. You should upgrade your .Net to 4.6.2, then install Cumulative Update 5.

      1. Darth Adonis says:

        Thank you very much Brent

  9. robk says:

    Hello Exchange Team

    What about Microsoft Security Bulletin MS17-015 – Security Update for Microsoft Exchange Server 2013 and 2016 (4013242) that was just released on Mar 14?

    do those CU updates already include this fix or we have to manually install it?

    thank you

    1. MS17-015 is included in the CU’s released on 3/21. Our CU’s always include the most recent security updates available.

      1. robk says:

        thank you

  10. PatrickA says:

    Again, no fix for the Event Log warnings “Performance Counter”. Just happens in all of my Exchange 2016 customer setups. Available workarounds are not a solution at all.

  11. Cornelius Thiart says:

    I was hoping I would see a fix for our issue with Exchange 2016. External contacts who are members of a distribution list are getting emails rejected because of SPF fail. Exchange 2010 had added to the headers of such emails. Exchange 2016 does not and it’s causing a massive problem for us.

  12. David says:

    Is the logoff string change available again after this CU update?

    Current: /owa/logoff.owa
    The new string: /owa/auth/signout.aspx

    Since update CU4 it doesn’t work anymore and also not available in the (Local Drive)\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config.

    We use loadbalancers for recognizing logoff, but since CU4 it was broken.

    1. @ David – the change to use signout.aspx was reversed, so you should still be looking for /owa/logoff.owa – which is still there. If your LB isn’t spotting that, did something change at the LB? Check the traffic when logging out of OWA using something like Fiddler, you’ll see it’s still there.

  13. TylerT says:

    What is the process to upgrade if running Ex2016 CU2 or CU3 and dot net 4.6.1? Guidance was initially posted, but seems to have been pulled.

    1. I just replied to a customer running Cumulative Update 3 and .Net 4.6.1. Upgrading that server to .Net 4.6.2 then upgrading to Cumulative Update 5 shouldn’t be a problem as we did validate this scenario. Unfortunately, we did not validate Cumulative Update 2 with .Net 4.6.2. Our official stance would be you need to upgrade to Cumulative Update 3 or Cumulative Update 4, then upgrade to .Net 4.6.2.

  14. Shawn says:

    Is Exchange 2013 supported with 2016 DCs and 2016 Forest and Domain functional levels?

  15. Shawn Martin says:

    Is it supported to use Exchange 2013 with the latest CU with Server 2016 domain controllers and Server 2016 forest and domain functional levels? Thanks.

    1. We have not validated Windows Server 2016 Domain Controllers with Exchange Server 2013 at this time. We understand customers running Exchange Server 2010 and 2013 are interested in this scenario but have not completed validating this combination at this time.

  16. Kirk Frankovich says:


    After installing this update the Exchange Toolbox will no longer launch. Crashes with a

    Deserialization fails: System.IO.FileLoadException: Could not load file or assembly ‘Microsoft.Exchange.Data.Directory, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
    File name: ‘Microsoft.Exchange.Data.Directory, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35’
    at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
    at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
    at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)
    at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
    at System.Reflection.Assembly.Load(String assemblyString)
    at System.UnitySerializationHolder.GetRealObject(StreamingContext context)
    at System.Runtime.Serialization.ObjectManager.ResolveObjectReference(ObjectHolder holder)
    at System.Runtime.Serialization.ObjectManager.DoFixups()
    at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
    at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
    at Microsoft.Exchange.Data.SerializationTypeConverter.DeserializeObject(Object sourceValue, Type destinationType)

    WRN: Assembly binding logging is turned OFF.
    To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
    Note: There is some performance penalty associated with assembly bind failure logging.
    To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

  17. Cedric says:


    The CU 2 fixed the following OWA issue for Windows 2012R2

    We have the same issue but for Windows 2016, is it fixed in CU5 ?



  18. robk says:


    Cumulative Update for Windows Server 2016 for x64-based Systems (KB4016635)-Mar22-2017 already contains .Net 4.6.2 binaries, as trying to install standalone NDP462-KB3151800-x86-x64-AllOS-ENU.exe on Windows 2016 server that has KB4016635 installed displays the following message: .NET Framework 4.6.2 or later is already installed on this computer. Was Exchange 2016 validated to work with this latest Windows Server 2016 CU update?

    Thank you

    1. In our announcement, we acknowledged that Windows Server 2016 includes .Net 4.6.2 and that this was fully supported. Applying the latest Windows Cumulative Update does not change that statement at this time. We do validate Exchange Server 2016 on the latest Windows Cumulative Updates.

  19. DavidR1 says:

    Been waiting since Fall of last year for the issue to be fixed where Free/Busy doesn’t properly show for all users in an Exchange 2013 hybrid environment if OAUTH was enabled on-premises. We’ve had OAUTH disabled since then as many posts show that MS was claiming it would be fixed in next release (this was 2 releases ago).

  20. I applied Rollup 23 on Exchange 2007 SP3 on Friday.

    We are not experiencing Exchange VSS Writer issues:

    Event ID 9617: Exchange VSS Writer (instance ce51c5b6-5b95-4ef9-9490-12b1c6a05926:57) failed with error code 1295 when processing the backup completion event.

    Event ID 9702: Exchange VSS Writer (instance 15b1ad3a-f66d-4dcd-8d04-c646c730618d:58) failed with error code 1295 when processing the post-snapshot event.

  21. John Panicci says:

    Any reason why Exchange Server 2010 Service Pack 3 Update Rollup 17 (KB4011326), and RU 16 haven’t been published on WSUS?

  22. akash kumar says:

    Want to exchange the current version i.e Exchange 2013 CU10.
    I Have 8500 mailbox and 3 server(2physical and 1 virtual), 4 Mail server
    and i want to upgrade it with 45000 user capacity.
    please advise

  23. Jonathan Galiacy says:


    Another question, concerning this KB :

    What is the current status of support for CNG keys on SSL certificates ?

    Thank you.

  24. Jesper says:

    Hi, Feature request! and Office 365 has the ability to share calendars inside your organization. If you accept those invitations in OWA they will be accessible in your iPhone via ActiveSync. Is this feature coming to Exchange 2016 in the next CU?

  25. Mikael Jonsson says:

    Please be aware that there is an issue with Exchange 2016 CU5 and email address policies containing extended ASCII characters in the email address field (such as å, ä & ö). In our case it was used for replacing these characters in the Exchange recipients email address with an ASCII alternative.

    The upgrade terminates without any visible error messages or warning and the Exchange setup log just ends with information about the email address polices being validated. The termination happens in the final stage of the Mailbox role: mailbox service stage (in our case at ~95%).

    Temporarily removing or modifying the email address policies during the upgrade process, to not include those characters, resolved the issue for us.

    Remember to be careful while modifying email address policies in a production environment. It might be a good idea to export a list of all of the email addresses assigned to your mail-enabled objects prior to doing this. Also remember to export the settings for the email address policies, if you decide to remove them during the upgrade.

  26. john kenny says:

    Is there a way to choose a language pack? I’m installing CU5 for 2016 but it’s stalling on the language step. In the logs it’s saying it’s trying to install all packs. Is there a way to choose?

  27. Steven Ng says:

    When will Microsoft put “Update Rollup 16 For Exchange 2010 SP3 ” into the Microsoft Update Catalog:

    Microsoft has released Update Rollup 16 For Exchange 2010 SP3 (KB3184730) a while ago, I am wondering when Microsoft will put this patch into the Microsoft Update Catalog, it has been over 3 months since Microsoft released it, thanks.

  28. John says:

    Dear Team
    Exchange 2016 – Outlook Web interface no longer offers categories in Public folder calendars. Will this be corrected ?
    Also the organizer property is no longer available on appointments in a public folder calendars. Will this be corrected?

  29. Mike says:


  30. David Reade says:

    Our Exchange 2013 server has TLS 1.0 enabled and as a result we’re failing our PCI Compliance. I’ve read reports that even to this day disabling TLS 1.0 causes Exchange 2013 to fall over. Will the CU17 update fix this and allow us to safely disable TLS 1.0?
