Released: March 2017 Quarterly Exchange Updates

Published Mar 21 2017 10:00 AM 73.2K Views

With this month’s quarterly release we bid a fond farewell to Exchange Server 2007. Support for Exchange Server 2007 expires on 4/11/2017. Update Rollup 23 for Service Pack 3 will be the last update rollup released for the Exchange Server 2007 product. Today we are also releasing the latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013. These releases include fixes to customer reported issues and updated functionality. Exchange Server 2016 Cumulative Update 5 and Exchange Server 2013 Cumulative Update 16 are available on the Microsoft Download Center. Update Rollup 17 for Exchange Server 2010 Service Pack 3 is also now available.

Exchange Server 2013 and 2016 require .Net 4.6.2

As previously announced, Exchange Server 2013 and Exchange Server 2016 now require  .Net 4.6.2 on all supported operating systems.  Customers who are still running .Net 4.5.2 should deploy Cumulative Update 4 or Cumulative Update 15, upgrade the server to .Net 4.6.2 and then deploy either Cumulative Update 5 or Cumulative Update 16.

Arbitration Mailbox Migration

Recently there have been reports of problems with customers migrating mailboxes to Exchange Server 2016. We wanted to take this opportunity to remind everyone that when multiple versions of Exchange co-exist within the organization, we require that all Arbitration Mailboxes be moved to a database mounted on a server running the latest version of Exchange. For more information, please consult the Exchange Server Deployment Assistance on TechNet.

Update on S/MIME Control

One year ago, we released an updated S/MIME Control for OWA. We have received questions from customers requesting clarification on what this release included. As stated previously, the control itself did not change. This was a packaging change necessary to prevent IE from throwing a certificate warning during installation due to SHA-1 deprecation. The Authenticode algorithm used to code sign the control uses a SHA-1 algorithm. SHA-1 ensures compatibility with Vista/Windows Server 2008 and Windows 7/Windows Server 2008R2 code signing. The Authenticode file hash and delivery package are signed with a SHA-2 certificate. Signing the package with a SHA-2 certificate prevents IE from throwing a certificate warning when the package is installed and provides the necessary protection for the entire package.

Latest time zone updates

All of the packages released today include support for time zone updates published by Microsoft through March 2017.

TLS 1.2 Exchange Support Update coming in Cumulative Update 6

We would like to raise awareness of changes planned for the next quarterly update release. We are working to provide updated guidance and capabilities related to Exchange Server’s use of TLS protocols. The June 2017 release will include improved support for TLS in general and TLS 1.2 specifically. These changes will apply to Exchange Server 2016 Cumulative Update 6 and Exchange Server 2013 Cumulative Update 17.

Late Breaking Issues not resolved in Cumulative Update 5

Cumulative Update 5 includes a couple of issues that could not be resolved prior to the product release. The unresolved items we are aware of include the following:
  • When attempting to enable Birthday Calendars in Outlook for the Web, an error occurs and Birthday Calendars are not enabled.
  • When failing over a public folder mailbox to a different server, public folder hierarchy replication may stop until the Microsoft Exchange Service Host is recycled on the new target server.
Fixes for both issues are planned for Cumulative Update 6.

Release Details

KB articles that describe the fixes in each release are available as follows: Exchange Server 2016 Cumulative Update 5 does not include new updates to Active Directory Schema. If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current. Exchange Server 2013 Cumulative Update 16 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 16. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation. Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings. Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU16, 2016 CU5) or the prior (e.g., 2013 CU15, 2016 CU4) Cumulative Update release. For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post is published.

The Exchange Team
Not applicable
Just migrated 30,000 mailboxes from Exchange 2007 to Exchange 2013 in 8 weeks. Only 60,000 to go!

#progress #getitdone #ExchangeYoda

Not applicable
Good luck migrating them to Exchange 2016 afterwards. lol
Not applicable
Thank you !

Does this release also correct the "Get-help" bug on Windows Server 2016 ? (See : )

Also, on the TLS 1.2 support subject : does this mean we will be able (with CU6/CU17) to disable TLS1.0 on Exchange servers ?

Thanks !

Not applicable
We are still looking into the Get-Help issue with Windows Server 2016.

On the matter of disabling TLS 1.0, our goal is for customers who want to remove TLS 1.0 from their environment to be able to do so. However, customers will need to evaluate their own requirements and determine if that is possible.

Not applicable

the Problem with Get-Help (Exception calling "Open" with "0" argument(s): "The following error occurred while loading the extended type data file: Error in TypeData) still exists.

Just tested it with a updated system a few minutes ago.


Not applicable
Thanks for the answers.

Good to hear that you're actively working towards getting rid of TLS 1.0 on Exchange.

I hope you're able to pinpoint the Get-Help issue. While it is not critical (as loading the snapin from a regular powershell prompt will have a working Get-Help), it still puts the doubt on whether 2016 is really production ready for Exchange.

Not applicable
"Hear, hear!” a nearby member shouted.
Not applicable
In the article from last year ( you state that "Users who have installed the control into their browser will need to re-install this onto devices where the previous version was installed."

Do you have to re-install the control or not?

Not applicable
Thanks team! "Outlook for the Web" should be Outlook ON the web. But I assume that this mistake was added deliberately as a silent protest against frequent and unnecessary rebranding of familiar technologies. :)

On a serious note, are there any plans to add support for Exchange 2010 with Server 2016 domain controllers? Some customers are in the process of upgrading their domain controllers first and have scheduled an Exchange upgrade for a later moment. From previous versions I know that more recent domain controllers are unlikely to cause issues with Exchange.

Not applicable
I whole heartedly agree with Jetze on this. If a customer is not on a supported SP and UR with Exchange 2010, once a Windows 2016 DC is present, the customer has essentially painted themselves in a corner with no way to get out--no window, no door, no ladder.

How should this be addressed going forward when the cart is placed before the horse?

Not applicable
We have no plans to add support for Windows Server 2016 Domain Controllers with Exchange Server 2010 at this time. We will continue to watch for customer demand for this scenario and re-evaluate as necessary.
Not applicable
We are interested too in the scenario Ex2010 togethter with Win 2016 AD
Not applicable
In the article from last year (, you state that "Users who have installed the control into their browser will need to re-install this onto devices where the previous version was installed."

Do you have to re-install the control or not?

Not applicable
Sorry for the confusion. When we originally wrote that comment, we were operating under a different assumption of how IE would handle the control. Those plans were since changed and re-installing the control should not be necessary at this time.
Not applicable
Thank you for the concrete statement about the AD Schema update requirement. This really saves a lot of personal investigation time!
Not applicable
Am I right in understanding that, according the KB4012112, Cumulative Update 16 for Exchange Server 2013 fixes just one issue?

KB4013606 Search fails on Exchange Server 2013

I know there are also some Daylight Saving Time and Time Zone changes. But are there any other pressing reasons to schedule the CU16 install?

Not applicable
KB4012112 correctly lists the issues resolved in the Cumulative Update. It does of course also include all fixes released in previous packages as well. In determining whether you should deploy this or not, please keep in mind we will only release security updates for the two most recent Cumulative Update releases.
Not applicable
Hi Brent,

You said below statement:

please keep in mind we will only release security updates for the two most recent Cumulative Update releases.

Then Why you guys released :

for Exchange server 2013 Service pack1 ?

Exchange 2013 Sp1 is not under 2 major cumulative updates.

Correct me, If i'm wrong. You guys stopped releasing Service Packs for exchange instead of that releasing only Cumulative updates? If yes, Instead of releasing security patch for Exchange 2013 Sp1 why don't you suggest to say that be in under 2 major cumulative updates and don't stay in Sp1?

Not applicable
Hi Exchange Team,

Quick question - We are currently on 2016 CU3 with .NET 4.6.1. What is your guidance for upgrading this scenario to CU5 with .NET 4.6.2?

Not applicable
You will need to upgrade .Net before you will be able to install Cumulative Update 5. The delta between .Net 4.6.1 and 4.6.2 is sufficiently small and Cumulative Update 3 was also validated with .Net 4.6.2. You should upgrade your .Net to 4.6.2, then install Cumulative Update 5.
Not applicable
Thank you very much Brent
Not applicable
Hello Exchange Team

What about Microsoft Security Bulletin MS17-015 - Security Update for Microsoft Exchange Server 2013 and 2016 (4013242) that was just released on Mar 14?

do those CU updates already include this fix or we have to manually install it?

thank you

Not applicable
MS17-015 is included in the CU's released on 3/21. Our CU's always include the most recent security updates available.
Not applicable
thank you
Not applicable
Again, no fix for the Event Log warnings "Performance Counter". Just happens in all of my Exchange 2016 customer setups. Available workarounds are not a solution at all.
Not applicable
I was hoping I would see a fix for our issue with Exchange 2016. External contacts who are members of a distribution list are getting emails rejected because of SPF fail. Exchange 2010 had added to the headers of such emails. Exchange 2016 does not and it's causing a massive problem for us.
Not applicable
Is the logoff string change available again after this CU update?

Current: /owa/logoff.owa

The new string: /owa/auth/signout.aspx

Since update CU4 it doesnt work anymore and also not available in the (Local Drive)\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config.

We use loadbalancers for recognizing logoff, but since CU4 it was broken.

Not applicable
@ David - the change to use signout.aspx was reversed, so you should still be looking for /owa/logoff.owa - which is still there. If your LB isn't spotting that, did something change at the LB? Check the traffic when logging out of OWA using something like Fiddler, you'll see it's still there.
Not applicable
What is the process to upgrade if running Ex2016 CU2 or CU3 and dot net 4.6.1? Guidance was initially posted, but seems to have been pulled.
Not applicable
I just replied to a customer running Cumulative Update 3 and .Net 4.6.1. Upgrading that server to .Net 4.6.2 then upgrading to Cumulative Update 5 shouldn't be a problem as we did validate this scenario. Unfortunately, we did not validate Cumulative Update 2 with .Net 4.6.2. Our official stance would be you need to upgrade to Cumulative Update 3 or Cumulative Update 4, then upgrade to .Net 4.6.2.
Not applicable
Is Exchange 2013 supported with 2016 DCs and 2016 Forest and Domain functional levels?


Not applicable
Is it supported to use Exchange 2013 with the latest CU with Server 2016 domain controllers and Server 2016 forest and domain functional levels? Thanks.
Not applicable
We have not validated Windows Server 2016 Domain Controllers with Exchange Server 2013 at this time. We understand customers running Exchange Server 2010 and 2013 are interested in this scenario but have not completed validating this combination at this time.
Not applicable
If so, please correct this article:
Not applicable

After installing this update the Exchange Toolbox will no longer launch. Crashes with a

Deserialization fails: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Exchange.Data.Directory, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

File name: 'Microsoft.Exchange.Data.Directory, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35'

at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)

at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)

at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)

at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)

at System.Reflection.Assembly.Load(String assemblyString)

at System.UnitySerializationHolder.GetRealObject(StreamingContext context)

at System.Runtime.Serialization.ObjectManager.ResolveObjectReference(ObjectHolder holder)

at System.Runtime.Serialization.ObjectManager.DoFixups()

at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)

at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)

at Microsoft.Exchange.Data.SerializationTypeConverter.DeserializeObject(Object sourceValue, Type destinationType)

WRN: Assembly binding logging is turned OFF.

To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.

Note: There is some performance penalty associated with assembly bind failure logging.

To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

Not applicable

The CU 2 fixed the following OWA issue for Windows 2012R2

We have the same issue but for Windows 2016, is it fixed in CU5 ?



Not applicable

Cumulative Update for Windows Server 2016 for x64-based Systems (KB4016635)-Mar22-2017 already contains .Net 4.6.2 binaries, as trying to install standalone NDP462-KB3151800-x86-x64-AllOS-ENU.exe on Windows 2016 server that has KB4016635 installed displays the following message: .NET Framework 4.6.2 or later is already installed on this computer. Was Exchange 2016 validated to work with this latest Windows Server 2016 CU update?

Thank you

Not applicable
In our announcement,, we acknowledged that Windows Server 2016 includes .Net 4.6.2 and that this was fully supported. Applying the latest Windows Cumulative Update does not change that statement at this time. We do validate Exchange Server 2016 on the latest Windows Cumulative Updates.
Not applicable
Been waiting since Fall of last year for the issue to be fixed where Free/Busy doesn't properly show for all users in a Exchange 2013 hybrid environment if OAUTH was enabled on-premises. We've had OAUTH disabled since then as many posts show that MS was claiming it would be fixed in next release (this was 2 releases ago).
Not applicable
I applied Rollup 23 on Exchange 2007 SP3 on Friday.

We are not experiencing Exchange VSS Writer issues:

Event ID 9617: Exchange VSS Writer (instance ce51c5b6-5b95-4ef9-9490-12b1c6a05926:57) failed with error code 1295 when processing the backup completion event.

Event ID 9702: Exchange VSS Writer (instance 15b1ad3a-f66d-4dcd-8d04-c646c730618d:58) failed with error code 1295 when processing the post-snapshot event.

Not applicable
Any reason why Exchange Server 2010 Service Pack 3 Update Rollup 17 (KB4011326), and RU 16 haven't been published on WSUS?
Not applicable
Want to exchange the current version i.e Exchange 2013 CU10.

I Have 8500 mailbox and 3 server(2physical and 1 virtual), 4 Mail server

and i want to upgrade it with 45000 user capacity.

please advise

Not applicable

Another question, concerning this KB :

What is the current status of support for CNG keys on SSL certificates ?

Thank you.

Not applicable
Hi,Feature request! and Office 365 has the ability to share calendars inside your organization. If you accept those invitations in OWA they will be accessible in your iPhone via ActiveSync. Is this feature coming to Exchange 2016 in the next CU?

Not applicable
Please be aware that there is an issue with Exchange 2016 CU5 and email address policies containing extended ASCII characters in the email address field (such as å, ä & ö). In our case it was used for replacing these characters in the Exchange recipients email address with an ASCII alternative.

The upgrade terminates without any visible error messages or warning and the Exchange setup log just ends with information about the email address polices being validated. The termination happens in the final stage of the Mailbox role: mailbox service stage (in our case at ~95%).

Temporarilly removing or modifying the email address policies during the upgrade process, to not include those characters, resolved the issue for us.

Remember to be careful while modifying email address policies in a production environment. It might be a good idea to export a list of all of the email addresses assigned to your mail-enabled objects prior of doing this. Also remember to export the settings for the email address policies, if you decide to remove them during the upgrade.

Not applicable
is there a way to choose a language pack? Im installing Cu5 for 2016 but its stalling on the language step. in the logs its saying its trying to install all packs. Is there a way to choose?
Not applicable
When will Microsoft put "Update Rollup 16 For Exchange 2010 SP3 " into the Microsoft Update Catalog:

Microsoft has released Update Rollup 16 For Exchange 2010 SP3 (KB3184730) a while ago,, I am wondering when Microsoft will put this patch into the Microsoft Update Catalog, it has been over 3 months since Microsoft released it,, thanks.

Not applicable
Dear Team

Exchange 2016 - Outlook Web interface no longer offers categories in Public folder calendars. Wil this be corrected ?

Also the organizer property is no longer available on appointments in a public folder calendars. Will this be corrected?

Not applicable
Not applicable
Check this issue after installing CU5...:
Version history
Last update:
‎Jul 01 2019 04:30 PM
Updated by: