Released: September 2016 Quarterly Exchange Updates

Published Sep 20 2016 10:00 AM 52.7K Views

Today we are announcing the latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013. These releases include fixes to customer reported issues and updated functionality. Exchange Server 2016 Cumulative Update 3 and Exchange Server 2013 Cumulative Update 14 are available on the Microsoft Download Center.

Windows Server 2016 Support

Windows Server 2016 support is now available with Exchange Server 2016 Cumulative Update 3. Customers looking to deploy Windows Server 2016 in their Exchange environments require Exchange Server 2016 Cumulative Update 3 or later. Domain Controllers running Windows Server 2016 are supported provided Forest Functional Level is Windows Server 2008R2 or later (Edit 10/27/2016: Please see this blog post for more information related to Forest Functional Level). Exchange does not currently support any new functionality provided by the updated operating system except for improved restart support in the Windows Installer. Installing Exchange on Windows Server 2016 provides a seamless installation experience including prerequisites. Exchange Server 2013 will not be supported on Windows Server 2016. Windows Defender is on by default in Windows Server 2016. Attention to malware settings is particularly important with Exchange to avoid long processing times during installation and upgrade, as well as unexpected performance issues. The Exchange team recommends the Exchange installation and setup log folders be excluded from scanning in Windows Defender and other Anti-Virus software. Exchange noderunner processes should also be excluded from Windows Defender.

.Net 4.6.2 Support

.Net 4.6.2 is included with Windows Server 2016. Customers deploying Exchange on Windows Server 2016 must use .Net 4.6.2 and Cumulative Update 3 or later. We plan to add support for .Net 4.6.2 on Windows Server 2012 or Windows Server 2012R2 in our December releases of Exchange Server 2016 and 2013. .Net 4.6.2 will be required for Exchange Server 2016 and 2013 on all supported operating systems in March 2017. We advise customers to start evaluating requirements to move to .Net 4.6.2 now.

High Availability Improvements

One of the challenging areas in some on-premises environment is the amount of data replicated with each database copy. In Exchange Server 2016 Cumulative Update 3, network bandwidth requirements between the active copy and passive HA copies are reduced. The Exchange Server Role Requirements Calculator has been updated to reflect these improvements. The local search instance reads data from a database copy on the local server, also known as “Read from Passive”. As a result of this change, passive HA copy search instances no longer need to coordinate with their active counterparts in order to perform index updates. Lagged database copies still coordinate with their active counterparts to perform index updates. This change also reduces database failover times when compared to Exchange Server 2013.

Installing from a Mounted .ISO using Local Languages

.ISO’s mounted on localized versions of the operating system function correctly with Cumulative Update 3. Support for local language setup experience is limited to the 11 server languages supported by Exchange Server 2016.

Pre-Requisite Installation Behavior Updated

In previous releases of Exchange Server 2016 and 2013, servers were placed into server-wide off-line monitoring states during pre-requisite analysis and pre-requisite installation. This behavior is changed in the September cumulative update releases. Setup will now place a server in off-line monitoring mode when installation of new Exchange binaries begins. This change allows customers who are using the GUI upgrade experience to delay changing the monitoring state until after pre-requisite analysis confirms the server is ready for installation. The monitoring state will be configured when the user selects to proceed to the binary installation step. For customers using command line setup, placing the server into the off-line monitoring state is also delayed until pre-requisite analysis is completed and all pre-requisites are met. Once pre-requisites are confirmed, command line setup will change the monitoring status and proceed without a delay into the actual binary upgrade process.

Latest Time Zone and Security Updates

Exchange Server 2016 Cumulative Update 3 and Exchange Server 2013 Cumulative Update 14 include the security updates released in MS16-108. All of the September Exchange releases include support for Time Zone updates released through the month of August. Update Rollup 21 for Exchange Server 2007 and Update Rollup 15 for Exchange Server 2010, part of our September releases, were released as security bulletin MS16-108.

Refreshed People Experience in Outlook on the web

Exchange Server 2016 Cumulative Update 3 includes an updated view of Contact information and Skype for Business presence information. These changes mirror the current experience of Office365.

Countdown to Exchange Server 2007 End of Life (EOL)

We are now only seven months away from Exchange Server 2007 going out of support (Exchange Server 2007 T-1 year and counting). Customers still running Exchange Server 2007 should be implementing plans to move to Exchange Server 2013 or Office 365 to ensure uninterrupted access to support and product fixes.

Release Details

KB articles which contain greater depth on what each release includes are available as follows: Exchange Server 2016 Cumulative Update 3 does include updates to Active Directory Schema. These updates will apply automatically during setup if the permissions and AD requirements are met during installation. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin needs to execute SETUP /PrepareSchema before installing Cumulative Update 3 on the first Exchange server. The Exchange Administrator should also execute SETUP /PrepareAD to ensure RBAC roles are updated correctly. Exchange Server 2013 Cumulative Update 14 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 14. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation. Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings. Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU14, 2016 CU3) or the prior (e.g., 2013 CU13, 2016 CU2) Cumulative Update release. For the latest information on Exchange Server and product announcements please see What's New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post was published.

The Exchange Team
Not applicable
Great to see Read from Passive released. It should provide some very useful network savings.
Not applicable
Am I too soon or is the correct .exe?

Cumulative Update 14 for Exchange Server 2013 (KB3177670)




File Name:


Date Published:


File Size:

1.6 GB

KB Articles: KB3177670

Not applicable
What is the procedure to block installation of .NET 4.6.2 on Windows Server 2012 or Windows Server 2012 R2 until the December Exchange updates support .NET 4.6.2 ?
Not applicable
What is the procedure to block installation of .NET 4.6.2 on Windows Server 2012 or Windows Server 2012 R2 until the December Exchange rollups are available?
Not applicable
I'm no official channel, but unliked 461 - which could be blocked using a registry key - there seems to be no such thing for 462.
Not applicable
Congratulations! Happy to see RfP finally here.
Not applicable
The download link for Exchange 2013 CU 14 results in a "We are sorry, the page you requested cannot be found. " error page.
Not applicable
@Josh Davis, @John M - We experienced a publishing problem this morning with the Cumulative Update 13 package. The package contents were correct, but the name of the package was wrong. This was corrected and the download center should be functioning normally.
Not applicable
Gotcha! Thanks!
Not applicable
Hi DevTeam,

Support for Windows Server 2016 is great, good job. This also means that Exchange Server 2016 CU3 supports the Windows Management Framework 5.x -- Haven't tested yet but that probably means that issues with PS Remoting have been fixed ? Will WMF5 be supported with Windows Server 2012 R2 too ? That'd be a great to ensure that we can leverage killer DSC features that exist in WMF5 without (us, or customers) being forced to use Win2016. Thanks.

Not applicable
@Benoit - Sorry to disappoint, but we are not planning to add support for newer WMF packages on older OS'es. We only plan to support the WMF version which ships with the OS not as an add-on. We have confirmed that PS remoting works correctly between newer and older WMF versions that ship with the OS. We have not confirmed compatibility with any other updates for WMF on older OS'es.
Not applicable
For the records, Ex2016 CU3 still has PS Remoting issues with Win2016 TP5. So no luck here. I hope RTM will fix that.

Error is: New-PSSession : Cannot find path '' because it does not exist.

This problem exists since the very first times of WMF5 on Windows Server 2012 R2, and Win2016 preview builds. Now, let's hope that Win2016 RTM and WMF 5.1 (which should also be RTM'd too) will not have the same problem.

Not applicable
I wonder why?
Not applicable
Yes, this is disappointing in some extent. Many people would like to leverage new WMF5 features and not everyone can move to Win2016 in short time. People tend to take an observation round before deploying the latest Server OS + it takes time to integrate in an existing information system. Anyway, I played around WMF5 on Win2012 R2 with Ex2016 CU3 and still get the same PS Remoting issues as before. I'll try Win2016 TP5 for fun, but Win2016 RTM will be available soon enough... :p
Not applicable
@Benoit - Yes, we discovered problems with TP5 in our own testing. These were resolved in a post TP5 build. We do not support the TP5 build of Windows Server 2016 with Exchange Server 2016. You must wait for the GA release of Windows Server 2016
Not applicable
HI Brent, good to know. No worries, it was only for testing purposes (and develop my Dsc v5 factory :D).
Not applicable
Hello, it look like the Exchange 2016 CU3 ISO file is corrupted. I tried downloading it twice with always the same result when attempting to mount it with Windows Server 2012 R2: error mounting, image may be corrupt. Same thing when trying to mount the ISO in a Hyper-V VM. Looks like my Win10 can actually mount it but I wonder about completeness of the content. Also, using 7-Zip to unzip seems to work but also wonder about completeness of the content. Note: the CU3 ISO file is approx 700 MB smaller than the CU2's... suspicious... :)

More files and folders in extracted CU3 but smaller in overall size (a bit more than 700 MB too).

Not applicable
No, image is ok. I already updated one production server to CU3. Bug with blocked options of receive connectors (Hub transport\Frontend transport) in ECP - not fixed (as I remember, was promised to fix in CU3). New round photos in OWA looks uglier than old square...
Not applicable
@Benoit - Thanks for your report. We will investigate this. The .ISO was confirmed against 2012, 2012R2 and 2016 prior to shipping.
Not applicable

For the records, it happens that the .ISO file was flagged as a "Spare File". When this flag is set (it's a NTFS feature), this prevents files such as ISO, VHD(x) to be mounted. Also happens with removable medias.

That said, the ISO was flagged as Sparse because (I assume) my download manager provisioned a zero-based file when starting the download. It also happened with Chrome.

After removing the Sparse attribute (e.g. moving file to another location or using fsutil), the ISO could mount without any issue.

Not applicable
Thanks Brent. I may have hit a bad mirror or my download manager has issue. I'll try again later and without download manager this time. Anyway, I could deploy a 4-node DAG in my lab without any specific other issue.
Not applicable
I don't see any reference of the "Read from Passive Copy" being enabled in KB3152589. Is this enabled by default once the CU is installed? As a feature that has been in demand for years and finally released, I feel like this is a little glossed over. Is there going to be another topic to go over this in more detail?
Not applicable
This is on by default. There is no KB because this is a new feature not a customer reported issue. The feature has no configuration options so there's not really much more to say about it.
Not applicable
Hey Exchange-Team,

it looks to us that an old 2013 CU2 bug is back again.

Since we have installed the 2016 CU3 we have on all our test servers the following error:

Failed to create the log directory: D:\TransportRoles\Logs\Mailbox\SyncDelivery\Error because of the error ...

But we have no D: drive.

Did you really hard coded the log path in the source code? If yes, how can we fix it?

Not applicable
Same here too but only after installing one of the following:

November, 2016 Preview of Monthly Quality Rollup for Windows Server 2012 R2 (KB3197875)

November, 2016 Preview of Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1 on Windows 8.1 and Windows Server 2012 R2 for x64 (KB3196684)

November, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3197874)

November, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3197873)

October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392)

Security Update for Adobe Flash Player for Windows Server 2012 R2 (KB3202790)

Update for Windows Server 2012 R2 (KB3192321)

Windows Malicious Software Removal Tool for Windows 8, 8.1, 10 and Windows Server 2012, 2012 R2, 2016 x64 Edition - November 2016 (KB890830)

I'll try and figure out which...

Not applicable
We got the same error.

Is there a fix?

Not applicable
Hello Microsoft,

What is the procedure to block installation of .NET 4.6.2 on Windows Server 2012 or Windows Server 2012 R2 until the December Exchange rollups are available?

Not applicable
I don't see KB8135883 (MS16-108) listed in the fixes. I assume that means it did NOT make it into the CUs (Exchange2013 specifically for me).

Questions that I and others will be interested in:

1 If the KB was installed prior to CU14 does it REQUIRE removal before upgrading?

2 Does it need to be re-applied after upgrading to CU14?

3 Has it been tested against CU14?



Not applicable
@Tom: Exchange Server 2016 Cumulative Update 3 and Exchange Server 2013 Cumulative Update 14 include the security updates released in MS16-108.

This is written in the "Latest Time Zone and Security Updates" paragraph.

Not applicable
@Benoit Boudeville, Thanks!

I only see it posted on the blog page, not on the CU14 page.... Its only hinted at under Notes on the Cumulative Update 14 for Exchange Server 2013 page. (

Perhaps it would be a good idea to have it there as well - not everyone will see the blog post and read it



Not applicable
Hello Microsoft,

When I run setup /PrepareSchema from the 2016 CU3 media it completes successfully. However I note that the resultant Forest (rangeUpper) value is still "15325" i.e. the rangeUpper value for CU2.

Why is that ?

Not applicable
That being said, I did misread your question. After preparing Schema in my various environments they're all at version 15326. So, looks like you missed something...

schema version in Setup\ServerRoles\Common\Setup\Data\SchemaVersion.ldf

org version in [Microsoft.Exchange.Data.Directory.SystemConfiguration.Organization]::OrgConfigurationVersion

domain version in [Microsoft.Exchange.Data.Directory.SystemConfiguration.MesoContainer]::DomainPrepVersion

Not applicable
@sime3000 - this simply means that there were no update to org-based settings which would require a version upgrade. Org version is not dependent of the Schema version, neither both always change at every CU.
Not applicable
Benoit. You're a Microsoft employee ?
Not applicable
Not quite, but partially... :D

Now if you can't accept a community response, then fine, ignore it. But if you do then consider you might never get an answer from MSFT. Now take a look around, you'll find out that the Org's objectVersion isn't always updated.

If you still have doubts, check it out here:

Not applicable
Hello Benoit,

No one said anything about the objectVersion value. The value I questioned was the Forest (rangeUpper) value which was 15325 in Exchange 2016 CU2 and should be 15326 in Exchange 2016 CU3. Sounds like you're not that familiar with Microsoft Exchange. Rather than post a silly link to a google search, here some good information that you may want to review to help you understand the difference between the objectVersion and Forest (rangeUpper) values. .

If you need any further assistance with Exchange I'll be happy to help. I've been assured that Microsoft really does care but I also note that they usually can't be bothered responding to questions of substance in this forum (take a look at the comments below and other blog entries). It took them two years to respond to one of my questions here - isn't that rather sad ?

Not applicable
In a hybrid scenario with Exchange 2013, are you supposed to re-run the HCW after installing a cumulative update?Thanks.
Not applicable
@Josh - It is not required to re-rerun the Hybrid Configuration Wizard after installing a cumulative update. The Hybrid Configuration Wizard is refreshed frequently to resolve known issues and/or provide additional functionality. Customers are encouraged to use the latest version to ensure their connectivity to Office 365 works as expected.
Not applicable
Hello Team,

Currently testing Ex2016 on Windows Server 2016. Found an issue when uninstalling Exchange. Looks like at some point we get an Access Denied error when unregistering one or more DLLs. Uninstallation is done remotely using DSC and running with proper credentials. Issue doesn't occur when using Windows Server 2012 R2.

Also tried uninstalling from an interactive session, same issue. Of course, I have proper privileges on the server.

[09/28/2016 13:43:32.0145] [2] Active Directory session settings for 'Start-SetupProcess' are: View Entire Forest: 'True', Configuration Domain Controller: '', Preferred Global Catalog: '', Preferred Domain Controllers: '{ }'

[09/28/2016 13:43:32.0145] [2] User specified parameters: -Name:'C:\Windows\system32\regsvr32.exe' -Args:'/s /u "C:\Exchange\bin\ExSMIME.dll"' -Timeout:'120000'

[09/28/2016 13:43:32.0145] [2] Beginning processing start-SetupProcess

[09/28/2016 13:43:32.0146] [2] Starting: C:\Windows\system32\regsvr32.exe with arguments: /s /u "C:\Exchange\bin\ExSMIME.dll"

[09/28/2016 13:43:32.0492] [2] Process standard output:

[09/28/2016 13:43:32.0492] [2] Process standard error:

[09/28/2016 13:43:32.0492] [2] [ERROR] Process execution failed with exit code 5.

[09/28/2016 13:43:32.0493] [2] [ERROR] Process execution failed with exit code 5.

[09/28/2016 13:43:32.0494] [2] Ending processing start-SetupProcess

[09/28/2016 13:43:32.0495] [1] The following 1 error(s) occurred during task execution:

[09/28/2016 13:43:32.0495] [1] 0. ErrorRecord: Process execution failed with exit code 5.

[09/28/2016 13:43:32.0495] [1] 0. ErrorRecord: Microsoft.Exchange.Configuration.Tasks.TaskException: Process execution failed with exit code 5.

at Microsoft.Exchange.Management.Tasks.RunProcessBase.InternalProcessRecord()

at Microsoft.Exchange.Configuration.Tasks.Task.b__b()

at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)

[09/28/2016 13:43:32.0509] [1] [ERROR] The following error was generated when "$error.Clear();

$dllFile = join-path $RoleInstallPath "bin\ExSMIME.dll";

$regsvr = join-path (join-path $env:SystemRoot system32) regsvr32.exe;

start-SetupProcess -Name:"$regsvr" -Args:"/s /u `"$dllFile`"" -Timeout:120000;

" was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: Process execution failed with exit code 5.

at Microsoft.Exchange.Management.Tasks.RunProcessBase.InternalProcessRecord()

at Microsoft.Exchange.Configuration.Tasks.Task.b__b()

at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

[09/28/2016 13:43:32.0509] [1] [ERROR] Process execution failed with exit code 5.

Not applicable
A workaround with "bin\ExSMIME.dll" uninstall Exchange 2016 cu3 problem. Fortunately folder C:\Program Files\Microsoft\Exchange Server\V15\bin\contains exmime.dll file. That file does regsvr32.exe /u without any error. To solve this uninstall interruption: move original ExSMIME.dll in different location and rename copy exmime.dll as ExSMIME.dll. Than run again Setup.exe /mode:Uninstall /IAcceptExchangeServerLicense to finish uninstall Exchange.
Not applicable
I am experiencing the same issue, is there a fix for this?
Not applicable
To solve this uninstall interruption: move original exSmime.dll (Microsoft S/MIME Interface) in different location and rename copy exmime.dll (Microsoft Exchange Mime Interface) as exSmime.dll. Than run again Setup.exe /mode:Uninstall /IAcceptExchangeServerLicense to finish uninstall Exchange.
Not applicable
Any word on whether auto distribution of new mailboxes is working on this release? Cu2 had a bug where all mailboxes were placed in a single DB.
Not applicable
Does this include a fix for AutoProvisioning? Since we upgraded to CU2, Exchange 2016 has been assigning mailboxes to a single DB when no database is specified.

Not applicable
@Benoit - We are already aware of this issue. We are working on a fix.
Not applicable
hi Brent, any word on the fix for the ExSMIME.dll issue? Thanks
Not applicable
Thank Brent.

Is the DevTeam currently aware of a CPU congestion issue when using Windows Server 2016 ? I have three servers with the same symptoms: setup goes fine but at some point IIS worker processes start going grazy and consume all CPU. It's a lab/non-production environment where there is no user load. Restarting IIS (or the server) has no effect (problem starts again when the AppPools start). Strangely, all IIS worker processes seem to be impacted, so I would suspect an issue related to the .NET 4.6.2 framework or IIS itself. Using Win2016 RTM (Eval) and all available patches installed.

Technet ( doesn't ask for any mandatory hotfix for .NET 4.6.2, neither request that some framework "hack" should be implemented.

Any hint? Thanks.

Not applicable
@Benoit - We have not seen this behavior. You would need to reach out to support services and have them assist you in determining what is happening.
Not applicable
Right, it's just a development lab. However I am able to reproduce the problem every time I install new servers. Symptoms are always the same. Server runs fine, then with no apparent reason, IIS AppPools start crashing with a System.NullReference exception. Managed Availabilty probes create a loop: AppPools are restarted, then crash again when probes activity occur. Stopping and disabling the MSExchangeHM and MSExchangeHMRecovery stopped the crashes. Strangely, RemotePS was affected too. While ti was working fine initially, I suddenly could no longer use the RPS web service, however proxying (using the TargetServer Uri param) through another (unaffected) server worked fine. This leads to think that only the CAFE is affected. With MSExchangeHM disabled, and after a couple restarts, RemotePS was back. No idea why this is happening, Servers are running in Hyper-V 2012 R2 and are largely under-sized (again it's a dev lab). However I have others servers of the same size (and same host/disks/etc) on Win 2012 R2 and they run normally.


PS: I'm not asking for any kind of support here, only passing out some info... :)

Not applicable
I also wanted to ask could this possibly be caused by the health mailboxes being in the database that is part of the dag? i was thinking maybe i should create a local MB database that does not participate in the DAG and have all of the health/audit/sys mailboxes stay on the host. I thought perhaps the server couldnt bring itself back up because it didnt have access to those mailbox dbs at a time of failure..I looked online and it seems having those mailboxes as part of a DAG is generally ok though.
Version history
Last update:
‎Jul 01 2019 04:28 PM
Updated by: