Released: 2025 H1 Cumulative Update for Exchange Server

Today, we are announcing the availability of the 2025 H1 Cumulative Update (CU) for Exchange Server 2019 (aka CU15). This is the last CU we will release for Exchange Server 2019.

CU15 includes new features, fixes for customer reported issues, a security change, and incorporates all previously released Security Updates (SUs).

CU15 contains all the security changes included in the November 2024 SU v2 (re-released package), and also includes a fix for the known time zone issue in the November 2024 SU.

A full list of fixes is contained in the KB article for CU15, but we also want to highlight some important changes in CU15.

Exchange Server Feature Flighting

CU15 introduces the server-side components for a new capability for Mailbox servers called Feature Flighting that is coming in Exchange Server Subscription Edition (SE). Historically, before installing an Exchange update in production, organizations often deploy updates in a test environment to first validate the update before deploying it to their production environment. This is an important task, but it is also time-consuming, and it can slow down the deployment of important updates. Moreover, not all organizations have test environments.

Feature Flighting will provide an additional way for admins to test and roll out select new features across their Exchange Server SE organization. Feature Flighting is an optional cloud-based service for on-premises Exchange servers. It uses the Office Config Service (OCS)—the same endpoint used by the Emergency Mitigation Service and Microsoft Office clients—to check for updates from Microsoft, related to flighted features.

With Feature Flighting, admins can deploy updates immediately and control when a flighted feature is enabled in their environment. Feature Flighting also enables Microsoft to disable a flighted feature in case a significant issue is discovered after the update containing the flighted feature was released.

Feature Flighting won’t apply to all new features and changes in future updates. The Exchange Server engineering team will determine which features will be distributed via Feature Flighting, and a living, detailed list of flighted features will be maintained here.

Using Feature Flighting is optional, but it is enabled by default. You can configure it or disable it by following the steps outlined in the documentation.

Note: There are no features being flighted in CU15, and because of our promise of code equivalence there will be no features being flighted in Exchange Server SE RTM. Feature flighting will apply only to future updates and we will provide more information in the future updates when there are any features flighted.

Optional additional diagnostic data sent to Microsoft

Microsoft collects diagnostic data to keep Exchange Server secure and up to date, find and fix problems, and identify and mitigate threats. When enabled by an administrator, an Exchange 2019 server sends diagnostic data to the OCS.

Starting with the CU15, Exchange Server will collect and send additional diagnostic data to Microsoft, including additional information about flighted features. This additional data will only be collected and sent if diagnostic data is enabled on the server.

Support for Windows Server 2025

We are happy to announce that both CU14 and CU15 include support for running Exchange Server 2019 on Windows Server 2025 and in organizations that use Active Directory servers that run Windows Server 2025. This means you can install either CU14 or CU15 on brand new hardware with Windows Server 2025, and then upgrade in-place to Exchange Server Subscription Edition (SE) to get the maximum supported product lifecycle out of the server. We previously mentioned that this support would come to CU15, but we also validated CU14 for this scenario to ease your migrations to the latest version of Windows Server.

DocParser replaces Oracle Outside In Technology

Starting with CU15, Exchange Server uses DocParser as a replacement for the Oracle Outside In Technology previously used in Exchange Server. DocParser is a Microsoft library designed to parse various file formats. It performs text extraction when processing emails in transport for Data Loss Prevention and Exchange Transport Rules.

Partial TLS 1.3 support

Starting with CU15, Exchange 2019 supports TLS 1.3 on Windows Server 2022 and later for all protocols except SMTP. When CU15 is installed on Windows Server 2022 or later, TLS 1.3 is enabled by default (but note that CU15 does not disable any existing version of TLS).

TLS 1.3 support for SMTP will be added in a future update.

Improvements in Exchange Server AMSI integration

The improved Exchange Server AMSI integration (previously announced in the November 2024 SUs) is also included in CU15.

Certificate management UI is back in the EAC

Some critical certificate management tasks were removed from the EAC in an earlier CU. CU15 reintroduces certificate management in the EAC. See Certificate Procedures for more information.

Coexistence with Exchange Server 2013 is blocked

As previously announced, Exchange Server 2019 CU15 cannot be installed in an organization that has any servers running Exchange 2013. You must decommission and uninstall all Exchange 2013 servers from your organization before you can install CU15. Please note that removing Edge Transport servers requires additional steps as described here.

Reminder: Extended Protection enabled by default

As a reminder to our customers upgrading from older CUs, since Exchange 2019 CU14, Extended Protection is enabled by default after CU is installed. There are scenarios in which Extended Protection is not supported, such as using SSL Offloading. For more information as well as instructions on how to opt out of Extended Protection, please see this blog post. Incorrect Extended Protection configuration can lead to Outlook connectivity issues.

Features delayed to Exchange Server SE CU1

We previously announced that Exchange Server 2019 CU15 would add support for Exchange Server SE product keys. We are delaying this change until Exchange Server SE CU1 to make sure that in-place upgrades from Exchange 2019 to Exchange Server SE RTM are as smooth and simple as possible. Consequently, Exchange Server SE RTM will accept and honor Exchange 2019 product keys, and you won’t need to update your servers to use an Exchange Server SE product key until Exchange Server SE CU1. To further simplify in-place upgrades, we also delayed a few prerequisite and Setup dependency changes (such as moving to a new version of VC++ redistributable).

Supportability

Microsoft has well-established support criteria for Exchange Server based on the configuration of the server, as well as the product’s lifecycle status. For example, as we say at the bottom of every CU release announcement, “Customers in Exchange hybrid deployments and those using Exchange Online Archiving with an on-premises Exchange deployment are required to deploy the latest CU for product support.”

When an Exchange Server product is in Mainstream support, we have an N-1 policy which means you must run the latest CU, or the immediately previous CU, to be supported (e.g., to receive SUs and support from CSS). Exchange Server 2019 is in the Extended Support phase of its product lifecycle (and has been for more than a year). Once an Exchange Server product enters Extended Support, our policy has been to require the latest CU for support (N only). In fact, we enforce this policy for Exchange Server 2016, where all servers must run CU23 to receive support.

Because necessary security work required us to delay the release of CU15, and because we were able to validate CU14 with Windows Server 2025, we will continue to support both CU14 and CU15 until the end of life of Exchange Server 2019 on October 14, 2025. Note that the support policy regarding server configuration takes precedence, so hybrid configurations and customers with cloud archives for on-premises mailboxes must run CU15 to be supported.

With the release of CU15, CU13 is now out of support, and we encourage customers to update their servers as soon as possible.

Path to Exchange Server SE RTM

As we said in our previous Roadmap announcement, to enable rapid adoption, the RTM release of Exchange Server SE will be code equivalent to (e.g., the same exact code as) Exchange Server 2019 CU15, except for the following changes:

• The License agreement, an RTF file shown only in the GUI version of Setup, will be updated.
• The name will change from Microsoft Exchange Server 2019 to Microsoft Exchange Server Subscription Edition.
• The build number will be updated.

We also said that if any updates are released after CU15, then the RTM release of Exchange Server SE will be code equivalent to Exchange 2019 CU15 plus the latest update.

We have a few remaining customer-reported bugs in Exchange Server 2019 that we plan on fixing in the coming months. To deliver those fixes, we will be releasing a Hotfix Update (HU) for Exchange Server 2019 CU15 that will be optional (but recommended for both the fixes and to maintain code parity with the RTM release of Exchange Server SE, as these bug fixes will be in the RTM release). The HU will also be available for Exchange Server 2019 CU14 and Exchange Server 2016 CU23.

Upgrade Paths

The recommended and supported upgrade paths are described below. Please also see our previous Upgrading your organization from current versions to Exchange Server SE blog post.

Upgrading from Exchange Server 2016 CU23

We recommend Exchange Server 2016 customers upgrade to Exchange Server 2019 now and perform an in-place upgrade to Exchange Server SE RTM when available. Performing a legacy upgrade from Exchange Server 2016 CU23 to Exchange Server SE RTM is also supported.

Figure 1 - Recommended and supported upgrade paths for Exchange Server 2016

Upgrading from Exchange Server 2019 CU14/CU15

We recommend performing an in-place upgrade to Exchange Server SE RTM when available; however, legacy upgrades from Exchange Server 2019 to Exchange Server SE are also supported.

Figure 2 - Recommended and supported upgrade paths for Exchange Server 2019

Release Details

The KB article that describes the fixes in this release and product downloads is:

• Exchange Server 2019 Cumulative Update 15 (KB5042461), VLSC, Download

Please ensure that your Exchange server is rebooted before installation of Exchange 2019 CU15, to ensure that all of the Windows Server updates are fully installed before you begin installation of CU15.

After installing a CU, always check for and install any available SUs. The Exchange Server Health Checker will also tell you if any additional steps are needed.

Known issues with this release

Some of our customers who have Hybrid Modern Authentication (HMA) enabled have seen a situation where after installation of CU15, their OWA/ECP login may not work with a HTTP 401 error.

If you are impacted by this, you can use the following workaround:

Use the following commands to disable OAuth:

Get-EcpVirtualDirectory -Server server1 | Set-EcpVirtualDirectory -OAuthAuthentication $false
Get-OwaVirtualDirectory -Server server1 | Set-OwaVirtualDirectory -OAuthAuthentication $false
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

Then re-enable OAuth:

Get-EcpVirtualDirectory -Server server1 | Set-EcpVirtualDirectory -OAuthAuthentication $true
Get-OwaVirtualDirectory -Server server1 | Set-OwaVirtualDirectory -OAuthAuthentication $true
Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

Please note that not all customers using HMA will run into this problem.

Additional information

Microsoft recommends that all customers test the deployment of an update in a lab environment to determine the proper installation process for their production environment.

You can find information on preparing Active Directory here. All Exchange-made schema changes are tracked here.

For installation best practices, see Upgrade Exchange to the latest Cumulative Update. See also the Exchange Update Wizard for detailed installation steps.

If you plan to install the update in unattended mode from PowerShell or a command prompt, make sure you specify either the full path to Setup.exe, or use a “.” in front of the command when running Setup directly from the folder containing the CU. If you do not do either of these, Setup may indicate that it completed successfully when it did not. Read more here.

Customers in Exchange hybrid deployments and those using Exchange Online Archiving with an on-premises Exchange deployment are required to deploy the latest CU for product support.

For the latest information on Exchange Server announcements please see What's New in Exchange Server and the Exchange Server Release Notes.

Documentation may not be fully available at the time this post is published.

The Exchange Server team