Exchange 2016 CU3 Released

Exchange 2016 CU3 has been released to the Microsoft download centre!  Exchange 2016 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously.    CUs are a complete installation of Exchange 2016 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 has the same servicing methodology.

Update 4-11-2016 An advisory was added to the Windows Server 2016 Release Notes to advise postponing deployments of Exchange 2016 CU3 onto Windows Server 2016 at this time.    The content states:

If you attempt to run Microsoft Exchange 2016 CU3 on Windows Server 2016, you will experience errors in the IIS host process W3WP.exe. There is no workaround at this time. You should postpone deployment of Exchange 2016 CU3 on Windows Server 2016 until a supported fix is available.

Update 13-12-2016 Update KB 3206632 has been released by the Windows team to address the issue with Exchange 2016.  This is required on Windows Server 2016 machines with Exchange 2016.  For more details see the Exchange 2016 CU4 post.

Download Exchange 2016 CU3

This is build 15.01.0544.027 of Exchange 2016 and the update is helpfully named ExchangeServer2016-x64-CU3.iso which allows us to easily identify the update.  Details for the release are contained in KB 3152589.


Updates Of Particular Note

Exchange 2016 CU3 adds support for Windows Server 2016.

Exchange 2016 CU3 contains the security fix for MS16-108- Security update for Microsoft Exchange.

In addition the latest time zone updates are also included with CU3.

CU3 contains AD DS schema changes.  Plan accordingly.

Read from Passive is included in CU3.

To align with the Office 365 user experience, CU3 has an updated view of Contact information and Skype for Business presence information.

Using the setup wizard to upgrade an Exchange Server to a newer Cumulative Update causes an Exchange server to be marked offline in Exchange Active Monitoring during prerequisite analysis and prerequisite installation. If the setup wizard isn't advanced to continue the upgrade process, the server will remain in an offline state until the setup is allowed to proceed. Also, if any of the setup /Prepare* switches are used to update Active Directory on a functional Exchange Server, the server is marked offline in Exchange Active Monitoring.

Exchange 2016 on Windows Server 2016 must use .NET framework 4.6.2, however customers running Exchange 2016 on Windows 2012/2012 R2 must continue to use .NET framework 4.6.1 until support for a newer .NET framework has been announced.

Issues Resolved

KB 3154387 The DFS health set is listed as "Unhealthy" in an Exchange Server 2016 environment

KB 3175080 Cannot log on to OWA when FIPS is enabled in an Exchange Server 2016 environment

KB 3176377 Links to access Exchange items in SharePoint eDiscovery search result fail with an HTTP error 500 in Exchange Server

KB 3161916 Data loss may occur during public folder migration to Exchange 2013, Exchange 2016, or Exchange Online

KB 3176540 OWA error reporting responds with a HTTP error 500 in OwaSerializationException

KB 3190887 Upgrading Exchange Server causes the server to go offline unexpectedly

KB 3191075 You can't install Cumulative Update 2 for Exchange Server 2016 on a Russian version operating system


Some Items For Consideration

Exchange 2016 follows the same servicing paradigm for Exchange 2013 which was previously discussed on the blog.  The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2016 installation to this CU.  Cumulative Updates are well, cumulative.  What else can I say…

  • After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange 2016. If you uninstall this cumulative update package, Exchange 2016 is removed from the server.
  • Place the server into maintenance mode prior to installing, confirm the install then take the server out of maintenance mode
  • Restart the server after installing the CU
  • Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment.  This includes archive, backup, mobility and management services.
  • Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application.  FIM and 3rd party user provisioning solutions are examples of the latter.
  • Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed.  See KB981474.
  • Disable file system antivirus prior to installing.
  • Once server has been restarted, re-enable file system antivirus.
  • Note that customised configuration files are overwritten on installation.  Make sure you have any changes fully documented!
  • CU3 contains AD Schema updates for your organisation – please test and plan accordingly!

Please enjoy the update responsibly!

What do I mean by that?  Well, you need to ensure that you are fully informed about the caveats with the CU  and are aware of all of the changes that it will make within your environment.  Additionally you will need to test the CU your lab which is representative of your production environment.




Comments (11)
  1. RobK says:

    Hi Rhoderick

    i did deploy exchange 2016 CU3 on Windows 2016. So far everything is working well. When using exchange powershell commands like get-mailbox, is the switch -verbose suppose to do anything or has this switch been deprecated? it worked like a charm in previous versions of Exchange. it really is a helpful thing to be able more output on the screen when running certain commands to see what Exchange is doing at the time.


  2. Hi Rob,

    What was your previous version of Exchange? 2010 running on Windows Server 2008 R2?

    I recall a similar issue when Exchange 2013 was installed onto Windows Server 2012 R2.


    1. RobK says:

      I have exchange 2010 and exchange 2013 both running on windows 2008R2. As long as the OS is Windows 2008R2 the -verbose switch seems to work, once you switch the OS to anything higher ie 2012 or 2012R2 the switch stops working


      1. Thought that might have been the case. Its been the same for me when installed onto Windows Server 2012 R2


        1. RobK says:

          So now what? no more -verbose switch? I’m surprised that no one is talking about. Maybe you could use you influence and ask around if this is ever going to be fixed or simply why the switch is no longer functioning despite being able to select it when running powershell.

          Thank you for your imput

          1. I’ve followed up, though this may not be an Exchange issue since this is happening only on Windows Server 2012 R2


          2. RobK says:

            By all means please keep me posted. I really would like to know why this stopped working and if its the OS that’s causing the problem or Exchange, but like you said this maybe related to the newer OS
            thank you again

  3. RobK says:

    Hello again.
    looking at the ExchangeSetup.log i found this
    [10/20/2016 21:36:43.0445] [1] Executing:
    $keyPathRoot = “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols”;
    $keyPath = $keyPathRoot + “\SSL 2.0\Server”;
    if (!(Test-Path $keyPath))
    New-Item -path $keyPathRoot”\SSL 2.0″ -ItemType key -Name “Server” -Force;
    Set-ItemProperty -path $keyPath -name “Enabled” -value 0x0 -Type DWORD -Force;

    $keyPath = $keyPathRoot + “\SSL 3.0\Server”;
    if (!(Test-Path $keyPath))
    New-Item -path $keyPathRoot”\SSL 3.0″ -ItemType key -Name “Server” -Force;
    Set-ItemProperty -path $keyPath -name “Enabled” -value 0x0 -Type DWORD -Force;

    $keyPath = $keyPathRoot + “\TLS 1.0\Server”;
    if (!(Test-Path $keyPath))
    New-Item -path $keyPathRoot”\TLS 1.0″ -ItemType key -Name “Server” -Force;
    Set-ItemProperty -path $keyPath -name “Enabled” -value 0x1 -Type DWORD -Force;

    $keyPath = $keyPathRoot + “\TLS 1.1\Server”;
    if (!(Test-Path $keyPath))
    New-Item -path $keyPathRoot”\TLS 1.1″ -ItemType key -Name “Server” -Force;
    Set-ItemProperty -path $keyPath -name “Enabled” -value 0x1 -Type DWORD -Force;
    Set-ItemProperty -path $keyPath -name “DisabledByDefault” -value 0x0 -Type DWORD -Force;

    $keyPath = $keyPathRoot + “\TLS 1.2\Server”;
    if (!(Test-Path $keyPath))
    New-Item -path $keyPathRoot”\TLS 1.2″ -ItemType key -Name “Server” -Force;
    Set-ItemProperty -path $keyPath -name “Enabled” -value 0x1 -Type DWORD -Force;
    Set-ItemProperty -path $keyPath -name “DisabledByDefault” -value 0x0 -Type DWORD -Force;

    $keypath = “HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002”;
    if (!(Test-Path $keyPath)) { New-Item $keyPath -Force }

    looks like Microsoft is helping customers secure their server without mentioning it anywhere.

    1. Please take a look at this Patrick:

      Microsoft Exchange

      If you attempt to run Microsoft Exchange 2016 CU3 on Windows Server 2016, you will experience errors in the IIS host process W3WP.exe. There is no workaround at this time. You should postpone deployment of Exchange 2016 CU3 on Windows Server 2016 until a supported fix is available.


  4. Mircea Sandu says:

    Hello all,

    I had two Exchange 2016 servers in my infrastructure and I started to upgrade them to Exchange 2016 CU3.
    One of the servers has been updated successfully, but the second one ran into a problem at ‘Client Access Front End service’ stage.
    You can see the CMD output below.

    F:\>Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

    Welcome to Microsoft Exchange Server 2016 Cumulative Update 3 Unattended Setup

    Copying Files…
    File copy complete. Setup will now collect additional information needed for installation.

    Management tools
    Mailbox role: Transport service
    Mailbox role: Client Access service
    Mailbox role: Unified Messaging service
    Mailbox role: Mailbox service
    Mailbox role: Front End Transport service
    Mailbox role: Client Access Front End service

    Performing Microsoft Exchange Server Prerequisite Check

    Configuring Prerequisites COMPLETED
    Prerequisite Analysis COMPLETED

    Configuring Microsoft Exchange Server

    Language Files COMPLETED
    Restoring Services COMPLETED
    Language Configuration COMPLETED
    Exchange Management Tools COMPLETED
    Mailbox role: Transport service COMPLETED
    Mailbox role: Client Access service COMPLETED
    Mailbox role: Unified Messaging service COMPLETED
    Mailbox role: Mailbox service COMPLETED
    Mailbox role: Front End Transport service COMPLETED
    Mailbox role: Client Access Front End service FAILED

    The following error was generated when “$error.Clear();
    “$RoleInstallPath\Scripts\Update-AppPoolManagedFrameworkVersion.ps1″ -AppPoolName:”MSExchangeServicesAppPool”
    get-WebServicesVirtualDirectory -server $RoleFqdnOrName | set-WebServicesVirtualDirectory
    -windowsAuthentication:$true -WSSecurityAuthentication:$true -OAuthAuthentication:$true
    ” was run:
    “System.Runtime.InteropServices.COMException (0x800700B7): Filename: \\?\C:\Program Files\Microsoft\Exchange
    Line number: 8
    Error: Cannot add duplicate collection entry of type
    ‘add’ with unique key attribute ‘key’ set to ‘HttpProxy.ProtocolType’

    Microsoft.Web.Administration.Interop.IAppHostAdminManager.GetAdminSection(String bstrSectionName, String bstrPath)
    Microsoft.Web.Administration.Configuration.GetSectionInternal(ConfigurationSection section, String sectionPath, String
    configuration, String endpointName, Boolean enableEndpoint)
    task, EndpointProtocol protocol, Boolean enableWSSecurity, ExchangeVirtualDirectory adVirtualDirectory)
    Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean
    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessTaskStage(TaskStage taskStage,
    Action initFunc, Action mainFunc, Action completeFunc)
    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()

    at System.Management.Automation.CommandProcessor.ProcessRecord()”.

    The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the
    :\ExchangeSetupLogs folder.


    At this stage I cannot do anything with the server, and /owa is not working anymore. It seems that I have a corrupt installation.
    Do you have any ideas how can I solve the error and ran the installation task again?


Comments are closed.

Skip to main content