Exchange Server Edge Support on Windows Server 2016 Update

Published Mar 23 2017 01:31 PM

Update: for the most up-to-date requirements for running the Exchange 2016 Edge role on Windows Server 2016, see this article. Please note that there is currently a known issue where Edge setup does not run successfully on a server that is a member of a domain (KB3205799). The Windows Server 2016 machine on which the Edge role is being installed should have the Windows Server 2016 December 2017 quality update or later.

Today we are announcing an update to our support policy for Windows Server 2016 and Exchange Server 2016. At this time we do not recommend customers install the Exchange Edge role on Windows Server 2016. We also do not recommend customers enable antispam agents on the Exchange Mailbox role on Windows Server 2016 as outlined in Enable antispam functionality on Mailbox servers.

Why are we making this change?

In our post Deprecating support for SmartScreen in Outlook and Exchange, Microsoft announced we will no longer publish content filter updates for Exchange Server. We believe that Exchange customers will receive a better experience using Exchange Online Protection (EOP) for content filtering. We are also making this recommendation due to a conflict with the SmartScreen Filters shipped for Windows, Microsoft Edge and Internet Explorer browsers.

Customers running Exchange Server 2016 on Windows Server 2016 without KB4013429 installed will encounter an Exchange uninstall failure when decommissioning a server. The failure is caused by a collision between the content filters shipped by Exchange and Windows, which have conflicting configuration information in the Windows registry. This collision also impacts customers who install KB4013429 on a functional Exchange Server. After the KB is applied, the Exchange Transport Service will crash on startup if the content filter agent is enabled on the Exchange Server. The Edge role enables the filter by default and does not have a supported method to permanently remove the content filter agent.

The new behavior introduced by KB4013429, combined with our product direction to discontinue filter updates, is causing us to deprecate this functionality in Exchange Server 2016 more quickly if Windows Server 2016 is in use.

What about other operating systems supported by Exchange Server 2016?

Because SmartScreen Filter updates for Exchange Server are being discontinued, we encourage all customers to stop relying upon this capability on all supported operating systems. Installing the Exchange Edge role on supported operating systems other than Windows Server 2016 is not changed by today’s announcement. The Edge role will continue to be supported on non-Windows Server 2016 operating systems subject to the operating system lifecycle outlined at

Help! My services are already crashing or I want to proactively avoid this

If you used the Install-AntiSpamAgents.ps1 script to install content filtering on the Mailbox role:
  1. Find a suitable replacement for your email hygiene needs, such as EOP or another third-party solution
  2. Run Uninstall-AntiSpamAgents.ps1 from the \Scripts folder created by Setup during Exchange installation

If you are running the Edge role on Windows Server 2016:
  1. Delay deploying KB4013429 to your Edge role, or uninstall the update if required to restore service
  2. Deploy the Edge role on Windows Server 2012 or Windows Server 2012 R2 (Preferred)

Support services are available for customers who may need further assistance.

The Exchange Team
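The following pre-patch check is an added example, not part of the Exchange Team's post: it reports whether a server has the combination described above (Windows Server 2016, KB4013429 installed, content filter agent enabled). It assumes it is run in the Exchange Management Shell, that the agent is listed under the name "Content Filter Agent", and that the transport service is named MSExchangeTransport.

```powershell
# Added example: run in the Exchange Management Shell on the server to be patched.
param(
    # KB named in the article. Commenters on this page report the same crash after
    # later updates (KB4015438, KB4016635, KB4015217); pass those in if relevant.
    [string[]]$KbIds = @('KB4013429')
)

# Assumption: Windows Server 2016 is recognised by its product caption.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer2016 = $os.Caption -like '*Windows Server 2016*'

# Get-HotFix lists installed updates only, so a match means the KB is present now.
$installedKbs = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $KbIds -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID)

# The agent exists on Edge by default and on Mailbox servers only after
# Install-AntiSpamAgents.ps1 has been run; an absent agent counts as not enabled.
$agent = Get-TransportAgent -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Identity)" -eq 'Content Filter Agent' }
$agentEnabled = [bool]($agent | Where-Object { $_.Enabled })
$agentState = if (-not $agent) { 'NotInstalled' } elseif ($agentEnabled) { 'Enabled' } else { 'Disabled' }

$transport = Get-Service -Name MSExchangeTransport -ErrorAction SilentlyContinue
$transportState = if ($transport) { "$($transport.Status)" } else { 'NotFound' }

# Map the combination to the outcomes the article describes.
$finding = if (-not $isServer2016) {
    'Not Windows Server 2016: outside the scope of this announcement'
} elseif ($installedKbs.Count -gt 0 -and $agentEnabled) {
    'KB present and content filter agent enabled: transport crash on startup expected'
} elseif ($installedKbs.Count -gt 0) {
    'KB present, content filter agent not enabled'
} elseif ($agentEnabled) {
    'Agent enabled, KB absent: delay the KB; Exchange uninstall failure applies'
} else {
    'KB absent: Exchange uninstall failure applies when decommissioning'
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    OS                 = $os.Caption
    InstalledKbs       = $installedKbs -join ','
    ContentFilterAgent = $agentState
    TransportService   = $transportState
    Finding            = $finding
}
```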
Not applicable
Well, that explains it! I had this problem two days ago and wrote the article, "How to Uninstall Antispam Agents on Exchange Servers".
Not applicable
This is silly.

1) No one installed an edge server and used MS's built in protection. You do an edge server and use a 3rd party spam/antivirus

2) KB4013429 did blow up my edge server and this is the only post I've seen about it and this is over a week after KB4013429 was released. Come on man!

We are still running exchange 2016 edge on windows 2016. KB4013429 was installed before exchange and everything is working fine. EOP requires Enterprise CALs. Very few of my 600 users have Enterprise CALs and the cost would be stunning to add it.

This is clearly a bug and instead of trying to sell Office365 crap fix the problem.

[Rant](WE REALLY DO NOT WANT ANY OF IT! :) It costs more and this stuff isn't hard to run in house. Also, we've had no major outages in years and MS cloud stuff has had massive outages 2 times in the last few weeks!) [/Rant]

Not applicable
Yeah, this is most obviously a bug. Nasty behaviour from MS. It's pure laziness.

Come on! - when are you going to address this BUG?

Not applicable
I just lost a complete day on this! New installation and I was aware of this bug, but didn't worry too much as it was installed by our WSUS selection. Later I noticed that this KB was replaced by KB4015438 and that one is replaced by KB4016635. My Transport service is crashing until I uninstall the KB4016635! The bug is still there in that KB. What is even worse is that nothing is mentioned about it in the "Known issues section" of either of the KBs. I do strongly agree that Microsoft WAS a company that was trustworthy, but isn't any longer with too much focus on the cloud and total ignorance of customers and partners.
Not applicable
I like Exchange Server from 2000 versions. I use Exchange Server in all our customers' servers because they do not want external services. But beginning deprecating features with Exchange Server 2013, like EMC, and now with this, there is no reason to continue using Exchange Server. Never use Exchange Online Protection (EOP) because they do not want external services, also never pay for a subscription, only pay one time for a license.

Every day I have less trust in the cloud and even less trust in Microsoft.

I have plans to migrate in this year all Windows Server 2008 R2 with Exchange Server 2010 to Windows Server 2016 and Exchange Server 2016, but without filtering and antispam I cancel the update. Also seeing a lot of telemetry services, 2 Xbox Live services, OneDrive, Phone, Contacts, Maps, Mobile devices, Geolocation, Camera, Radios (Phone, Airplane mode) and Wallet services installed by default in Windows Server 2016 with no option to uninstall it, is the best reason to stick with Windows Server 2008 R2 and Exchange Server 2010.

Now searching for a good Linux server and a good email server program (not service).

Not applicable
Hello, so this article (Enable antispam functionality on Mailbox servers 2016) is now basically a lie? If I do it on Windows Server 2016, my Transport Service will crash?
Not applicable
If you are not using Windows Server 2016, this article still applies. We are recommending that you not do this on Windows Server 2016 due to a known incompatibility that could lead to a transport crash. The crash will not happen in all cases. The Exchange and Windows teams are working together to resolve the incompatibility. At this time there is not a complete resolution to the issue which can be provided.
Not applicable
Wow!! Thanks guys, that explains a lot. I thought I was being smart moving everything to 2016 everything because MS was deprecating previous versions of everything in favour of Azure. I guess "Hybrid" is a misnomer. I guess the search is on to deprecate MS Exchange. Too many Open Source alternatives without the aggravation of MAPI/RPC/ActiveSync blah, blah, blah.
Not applicable
Be good if you actually put this in the Known Issues part of the update KB: - No wonder my EX16 box crashed. Great work guys!

KB4016635 is much newer and has no mention of any fixes for this. Can we assume it's still not fixed in this KB?

Not applicable
It is time to look for alternatives.... unfortunately...
Not applicable

I am sad about this article, because I just installed my new Edge servers and now I have to get rid of them and re-think my security concept.

I like to use the EOP only in addition to my third party transport scanner.

EOP is a good product, but is not able to fulfil all our requirements of today's attacks.

1. We can not scan for malicious links in mails and check them against WEB reputation databases.

2. Quarantine time of 7 days? In Austria, we like to go on vacation for more than one week....

3. It is taking up to 3 hours before changes of EOP config are applied, i.e. block senders list

So, please tell me why I should use EOP anymore, if I could buy another solution which is fulfilling all these requirements?

regards Oliver

Not applicable
FYI, the problem patch for April is KB4015217
Not applicable
Patch KB4015217 didn't do any good for my EDGE Server and Transport service. I had to uninstall KB4013429 first and then my Windows Server 2016 went back to version 14393.0 - now after a few back and forth I updated manually to version 14393.693 - this worked by patching with KB3213986.

Exchange 2016 is CU5 by the way.

Now the system is unpatched since March...

Not applicable
Thanks for sharing :)
Not applicable
I had this problem after patching the Exchange Edge role running on Server 2016. Symptom was that no e-mail from external source were stopped due to a time out issue in the SMTP communication. I have spam agent running only for black list check of sending servers.

After removing KB4015217 everything is working again.

I do not like this behavior on a MS Security update. There should be a lot of warnings if you decide to decommission parts of a MS Product running on another MS Product.

Thanks all for the help finding the cause of this issue.


Not applicable
I meant: All e-mail from external source were stopped.
New Contributor

Stumbled on this post while planning a migration from 2010 to 2016. So with the update added above does this mean we can install Edge on Server 2016? It looks like you need December 2017 update or higher on Windows Server - which I have updated to Dec 2019. Thanks!

Version history
Last update:
‎Jul 01 2019 04:30 PM