Microsoft’s Exchange team published a short but important Hotfix Update (HU) rollup for September 2025 that is aimed at fixing a non‑security issue in earlier updates and, crucially, preserves support for the dedicated Exchange hybrid application workflow introduced earlier in 2025 — the update is available for Exchange Server Subscription Edition (SE) RTM, Exchange Server 2019 (CU14 and CU15) and Exchange Server 2016 (CU23).
Background / Overview
Microsoft’s September 2025 Hotfix Updates are not a security release; they are routine HUs addressing functionality and compatibility problems introduced by prior updates. The release notes make that explicit while also reminding administrators that the HUs include support for creating the dedicated Exchange hybrid app, originally announced in April 2025 and further explained in Microsoft’s hybrid guidance.

That dedicated‑app transition is part of a larger program to harden hybrid Exchange architectures and to prepare on‑premises Exchange servers to move away from the older shared service principal model. Microsoft’s published guidance and documentation show this is a multi‑stage migration — create the tenant‑owned dedicated hybrid app (April 2025 HU or later), then later shift hybrid traffic to Microsoft Graph permissions (planned before October 2026) — and note a phased enforcement schedule that will include temporary EWS blocks in late 2025, followed by a permanent cutoff after October 31, 2025 for use of the shared service principal in EWS hybrid flows. (techcommunity.microsoft.com, learn.microsoft.com)
What Microsoft released in September 2025
- HUs are available for:
  - Exchange Server Subscription Edition (SE) — RTM.
  - Exchange Server 2019 — CU14 and CU15.
  - Exchange Server 2016 — CU23.
- The September HUs do not contain new Exchange Server security updates; they include at least one non‑security fix and the changes necessary to continue supporting creation of the dedicated Exchange hybrid app.
- HUs remain optional, but Microsoft advises installing them if you need the fixes or the features they enable; all HU/SU content is cumulative (a newer HU/SU includes fixes from older updates).
Why this HU matters now: the security and operational context
The bigger picture: CVE‑2025‑53786 and the move to dedicated hybrid apps
In mid‑2025 a high‑severity hybrid Exchange flaw — tracked as CVE‑2025‑53786 — surfaced in Microsoft’s advisory and received urgent attention from federal agencies and security vendors. That vulnerability arises from the historical model where on‑premises Exchange and Exchange Online relied on a shared service principal for hybrid features. If an attacker gains admin access to an on‑premises Exchange server, they could abuse that shared identity to escalate privileges into the connected Exchange Online tenant with limited detectability. Microsoft’s technical guidance and multiple vendor and government advisories lay out the risk and the mitigation steps. (cisa.gov, bleepingcomputer.com)

Microsoft’s mitigation strategy has three interlocking elements:
- Patch on‑premises Exchange with the April 2025 HU (or later cumulative releases).
- Deploy a dedicated Exchange hybrid application in Entra ID (tenant‑owned) and configure on‑prem servers to use it instead of the shared principal.
- Clean up / rotate any certificates or credentials that may remain on the shared service principal to remove lingering attack surface. (learn.microsoft.com, support.microsoft.com)
Temporary enforcement windows and the October 31, 2025 cutoff
Microsoft signaled short, scheduled temporary EWS blocks of the shared service principal across August–October 2025 (the August window was later cancelled and the schedule was adjusted). These temporary blocks are intended to encourage rapid adoption of the dedicated hybrid app and will culminate in a permanent block after October 31, 2025; after that date, the legacy shared principal path will no longer function for rich coexistence flows (Free/Busy, MailTips, profile photos) from on‑prem to cloud. Microsoft’s blog and documentation list the updated enforcement windows (September 16 and October 7 in the revised schedule) and the final enforcement date. (techcommunity.microsoft.com)

Independent reporting and security trackers confirmed the urgency: scans in August 2025 showed tens of thousands of exposed Exchange servers were not yet patched, increasing the practical risk for organizations that delay remediation. (bleepingcomputer.com, helpnetsecurity.com)
What administrators should do — a prioritized, practical checklist
This is an operational imperative for any organization that runs hybrid Exchange and relies on rich coexistence (free/busy/MailTips/profile photos). The following plan is prioritized for risk reduction and minimal service disruption.

- Inventory and assess
  - Run the Exchange Health Checker script to list Exchange builds and identify servers that are behind on CUs or HUs (the Health Checker is Microsoft’s supported inventory tool and will flag build numbers and required actions). (microsoft.github.io, techcommunity.microsoft.com)
  - Confirm which hybrid features your organization uses and which servers participate in those flows.
- Patch to supported builds
  - Install the latest CU that’s appropriate for your environment and then apply the latest available HU/SU for that CU (remember updates are cumulative — you can apply the newest update and skip intermediate ones).
  - Microsoft’s minimum builds for dedicated hybrid app support (published in Learn/Docs) correspond to the April 2025 HU and later builds; verify your build numbers against Microsoft’s list before proceeding. (learn.microsoft.com, support.microsoft.com)
- Create the dedicated hybrid app
  - Use the ConfigureExchangeHybridApplication.ps1 script or the updated Hybrid Configuration Wizard (HCW) to create and configure the tenant‑owned dedicated hybrid app. HCW was updated to simplify the flow, but the script is the recommended direct path in many scenarios. (techcommunity.microsoft.com, learn.microsoft.com)
- Clean up legacy certificates / rotate keys
  - After you confirm the dedicated app is working and all on‑prem servers are updated, run the Service Principal Clean‑Up Mode (or use the script’s cleanup path) to remove certificates from the shared service principal. Do not remove keyCredentials from the shared principal until every server is updated and validated — doing so prematurely can cause service interruption. (learn.microsoft.com)
- Re‑run tools and validate
  - Re-run the Exchange Health Checker to ensure no additional manual steps are flagged.
  - Test Free/Busy, MailTips and profile photo flows in both pilot and production rings during a maintenance window.
- Monitor and prepare for enforcement windows
  - Treat the temporary enforcement windows (September 16 and October 7) and the permanent cutoff after October 31 as hard deadlines for hybrid configurations that require rich coexistence. Plan for short disruptions during the temporary blocks if you are still on the legacy shared principal. (techcommunity.microsoft.com)
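The inventory and patch steps above hinge on knowing each server's real patch level, and the usual `Get-ExchangeServer` output is misleading here: `AdminDisplayVersion` reports only the CU, not the HU/SU applied on top of it, so it cannot show whether the April or September HU is present. The following PowerShell, an added example rather than Microsoft's or the Health Checker's code, reads the product version of `ExSetup.exe` on every server (the same signal the Health Checker uses) and compares it with a baseline table you supply. Assumptions: it runs in the Exchange Management Shell with PowerShell remoting to each server, `ExSetup.exe` sits at `$env:ExchangeInstallPath\bin` (the standard install layout), and the `$MinimumBuilds` table is a placeholder you populate from Microsoft's published list of builds that support the dedicated hybrid app; this example ships it empty on purpose.

```powershell
# Added example (not Microsoft's code): per-server HU inventory for the rollout.
# Reads the ExSetup.exe product version because AdminDisplayVersion does not
# change when an HU/SU is installed, so it cannot prove the HU is present.
# Assumes Exchange Management Shell, PowerShell remoting to every server, and
# ExSetup.exe under $env:ExchangeInstallPath\bin (standard install layout).

function Get-ExchangeHuInventory {
    [CmdletBinding()]
    param(
        # Keys: "Major.Minor.Build" of a CU (first three parts of the ExSetup
        # product version). Values: lowest four-part version for that CU that
        # carries the April 2025 HU or later. PLACEHOLDER: populate from
        # Microsoft's published minimum-build list; an empty table makes every
        # server report NO-BASELINE, which is still a usable inventory.
        [hashtable] $MinimumBuilds = @{}
    )

    # Get-ExchangeServer only returns domain-joined servers; Edge Transport
    # servers are not in AD and must be inventoried separately.
    foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
        $result = [pscustomobject]@{
            Server         = $srv.Name
            Role           = $srv.ServerRole
            AdminDisplay   = $srv.AdminDisplayVersion.ToString()   # CU only
            ExSetupVersion = $null                                  # CU + HU/SU
            Baseline       = $null
            Status         = 'UNREACHABLE'
        }
        try {
            $ver = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.ProductVersion
            }
            $v = [version]$ver
            $result.ExSetupVersion = $v.ToString()
            $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
            if ($MinimumBuilds.ContainsKey($cuKey)) {
                $min = [version]$MinimumBuilds[$cuKey]
                $result.Baseline = $min.ToString()
                $result.Status = if ($v -ge $min) { 'OK' } else { 'NEEDS-HU' }
            } else {
                # CU not in the table: either an unsupported CU or the table is incomplete.
                $result.Status = 'NO-BASELINE'
            }
        } catch {
            $result.Status = 'UNREACHABLE: ' + $_.Exception.Message
        }
        $result
    }
}

# Usage: servers marked NEEDS-HU or NO-BASELINE go into the patch plan first.
$report = Get-ExchangeHuInventory -MinimumBuilds @{}   # PLACEHOLDER table, see above
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\ExchangeHuInventory.csv -NoTypeInformation
```

Keep the CSV with the change record: re-running the function after the rollout gives a before/after pair that shows every server crossed the baseline, and the `AdminDisplay` column next to `ExSetupVersion` makes it obvious to reviewers why the CU-level version alone was not enough evidence.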
How to install the September HU (practical notes)
- Inventory first: run the Health Checker to identify which servers require updates and which CU/HU applies. The Health Checker web page and GitHub repo include run instructions and examples. (microsoft.github.io, techcommunity.microsoft.com)
- Use the Exchange Update Wizard if you need a guided path from your current CU to your target CU/HU; the Update Wizard helps generate the correct steps for in‑place upgrades and required pre/post actions. Microsoft lists this tool in its update guidance.
- If setup fails or you see post‑install problems, Microsoft’s Troubleshooting article “Fix failed Exchange Server updates” is the canonical reference — it covers common post‑update issues and explicitly recommends SetupAssist.ps1 for certain rollback and repair scenarios. Keep the troubleshooting KB handy during maintenance. (learn.microsoft.com)
- Windows Update / Microsoft Update: the HU is available via Windows / Microsoft Update and will follow your organization’s Windows Update deployment policy if that is the mechanism used in your environment. HUs can also be uninstalled if necessary.
Known issues and operational caveats
- Edge Transport restart issue: some HUs (including earlier April releases) documented a known issue where the EdgeTransport.exe service can stop responding and restart after certain SUs/HUs; review Microsoft’s known issues and workarounds before wide rollout. (support.microsoft.com)
- HCW behavior and certificate re‑uploads: the Hybrid Configuration Wizard, when re‑run with certain options checked, can re‑upload the auth certificate to the shared service principal even if your environment is configured to use the dedicated app. If you cleaned up the shared principal’s keyCredentials, re‑running HCW may cause the certificate to be re‑uploaded and require another cleanup pass. Microsoft documents this behavior and the appropriate sequence. Plan to run HCW and cleanup operations carefully and document each step. (learn.microsoft.com)
- Don’t remove shared principal credentials too soon: Microsoft warns repeatedly not to remove keyCredentials from the shared principal until every on‑prem server has been updated and validated to use the dedicated app. Premature cleanup will cause service disruptions. (learn.microsoft.com)
- Test before mass rollout: because HUs modify hybrid authentication configuration, validate the change in a pilot group and maintain frequent backups and snapshots for server rollback scenarios.
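Both the cleanup step in the checklist and the two caveats above (do not remove keyCredentials early; HCW can silently put the certificate back) come down to one question: which on‑prem auth certificates are registered on the shared service principal right now? The PowerShell below, an added example and not Microsoft's script or cleanup mode, answers it by reading the on‑prem OAuth certificate thumbprints from `Get-AuthConfig` and matching them against the key credentials on the shared principal via Microsoft Graph. Run it before cleanup to see what is still there, and again after cleanup or after any HCW run to detect a re‑upload. Assumptions: Exchange Management Shell for `Get-AuthConfig`, the Microsoft Graph PowerShell SDK with `Application.Read.All` consent, the shared principal is looked up by the display name `Office 365 Exchange Online` (assumed to be how it appears in your tenant), and the match relies on Graph storing a certificate credential's SHA‑1 thumbprint in `customKeyIdentifier` (assumed).

```powershell
# Added example (not Microsoft's code): cross-check on-prem OAuth certificates
# against the key credentials still registered on the shared service principal.
# Assumes Exchange Management Shell (Get-AuthConfig) plus the Microsoft Graph
# PowerShell SDK; the shared principal is found by display name (assumed), and
# customKeyIdentifier is assumed to hold the certificate's SHA-1 thumbprint.

function Test-SharedPrincipalAuthCertificate {
    [CmdletBinding()]
    param(
        [string] $SharedPrincipalDisplayName = 'Office 365 Exchange Online'  # assumed display name
    )

    # 1. Which certificates does on-prem currently use for OAuth (current, previous, next)?
    $authConfig = Get-AuthConfig
    $onPremThumbprints = @($authConfig.CurrentCertificateThumbprint,
                           $authConfig.PreviousCertificateThumbprint,
                           $authConfig.NextCertificateThumbprint) |
        Where-Object { $_ } | ForEach-Object { $_.ToUpperInvariant() }

    # 2. Which key credentials are still registered on the shared principal?
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$SharedPrincipalDisplayName'"
    if (-not $sp) { throw "Service principal '$SharedPrincipalDisplayName' not found in this tenant" }

    $findings = foreach ($kc in @($sp.KeyCredentials)) {
        # customKeyIdentifier is a byte array; render it as the familiar hex thumbprint.
        $thumb = if ($kc.CustomKeyIdentifier) {
            ($kc.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
        } else { '' }
        [pscustomobject]@{
            KeyId         = $kc.KeyId
            DisplayName   = $kc.DisplayName
            Type          = $kc.Type
            Usage         = $kc.Usage
            Expires       = $kc.EndDateTime
            Thumbprint    = $thumb
            MatchesOnPrem = ($onPremThumbprints -contains $thumb)
        }
    }

    [pscustomobject]@{
        OnPremThumbprints    = $onPremThumbprints
        SharedPrincipalKeys  = @($findings)
        # Desired end state after cleanup: this list is empty. Anything in it
        # after cleanup means the certificate was re-uploaded (typically by HCW).
        LingeringOnPremCerts = @($findings | Where-Object MatchesOnPrem)
    }
}

$check = Test-SharedPrincipalAuthCertificate
$check.SharedPrincipalKeys | Format-Table KeyId, DisplayName, Expires, Thumbprint, MatchesOnPrem -AutoSize
if ($check.LingeringOnPremCerts.Count -gt 0) {
    Write-Warning ('{0} on-prem auth certificate(s) are still registered on the shared service principal' -f $check.LingeringOnPremCerts.Count)
}
```

Two reading notes: a non-empty `LingeringOnPremCerts` before cleanup is expected and is exactly why you must not start cleanup until every server is on the dedicated app; keys that do not match any on‑prem thumbprint are worth explaining too, since an unrecognized credential on this principal is the kind of artifact the hybrid hardening is meant to remove, and the `Expires` column tells you which ones would have lived on after the October 31 cutoff.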
Frequently asked operational questions — clarified and verified
- The timing is strange — is this urgent?
  - Hotfix Updates (HUs) are not tied to Patch Tuesday; they are released as needed. In this case Microsoft released the April HU earlier in 2025 and has continued to surface targeted HUs to address functional problems and to ensure the infrastructure required for the dedicated hybrid app is available. The September HU was issued to address specific issues and to ensure parity for SE RTM and certain CU builds; while not a security update in itself, its presence supports the security posture the company is enforcing via the April HU and the enforcement timeline.
- If we installed the last Security Update, do we also need the HU?
  - HUs are optional, but they may include fixes or capabilities you need — for example, support for the dedicated hybrid app. Because updates are cumulative, installing a newer HU/SU will also include prior fixes. If your hybrid security posture requires the dedicated app or you’re affected by the specific non‑security issue the HU corrects, install it.
- Do I need to install the older SU before the newer HU?
  - No — Exchange updates are cumulative. A current HU/SU contains changes included in prior updates, so you can apply the most recent available update. Microsoft’s documentation repeats this behavior frequently.
- Will Windows Update automatically deploy the HU?
  - The HU is published through Windows / Microsoft Update; whether it is installed automatically depends on your organization’s Windows Update deployment policy. Test it in your deployment rings first.
- Can HUs be uninstalled?
  - Yes — Hotfix Updates and Security Updates can be uninstalled if required, but treat rollbacks carefully and test the rollback path before using it in production.
Critical analysis — strengths, risks and recommended mitigations
Strengths
- Microsoft moved quickly to provide an architectural mitigation for a high‑impact hybrid trust problem by shipping the dedicated Exchange hybrid app workflow and updating tools (HCW and a dedicated PowerShell script). This is the right direction technically: tenant‑owned service principals reduce the blast radius of on‑premises compromise and enable tenant‑level auditing and credential rotation. The vendor guidance and support materials are detailed and prescriptive. (learn.microsoft.com, techcommunity.microsoft.com)
- The cumulative update model simplifies recovery: because HUs and SUs are cumulative, once the current update is applied you inherit prior fixes and mitigations, reducing sequencing complexity during remediation.
Risks and operational challenges
- Timing and scale: the enforcement windows and the final cutoff are aggressive for organizations with large, distributed Exchange footprints. Temporary EWS blocks will intentionally create brief disruptions to prompt action, and organizations that delay risk production impact during the September/October windows and permanent loss of the legacy path after October 31, 2025. (techcommunity.microsoft.com)
- Visibility and detection gaps: the very exploit scenario underlying CVE‑2025‑53786 is stealthy — activity originating from compromised on‑prem servers may not generate obvious cloud audit logs. This makes detection difficult and increases the importance of proactive patching, credential rotation, and configuration hardening. External scans in August 2025 found many unpatched servers, creating an environment attractive to opportunistic attackers. (bleepingcomputer.com)
- Operational complexity: HCW behavior (re‑uploading auth certs) and the need to coordinate certificate cleanup across all tenant servers creates sequences that must be followed precisely. Removing keyCredentials prematurely can cause outages; rollback scenarios are non‑trivial. Follow Microsoft’s exact sequencing and verify each step in a pilot before broad rollout. (learn.microsoft.com)
Practical mitigations and priorities
- Treat the April HU and subsequent HUs as required for hybrid security posture if your environment uses free/busy, MailTips or profile photo sharing across the hybrid boundary. Prioritize a pilot, then staged rollouts across production rings.
- Use the Exchange Health Checker as your first action and include the SetupAssist.ps1 tool in your troubleshooting playbook for any deployment problems. (microsoft.github.io, learn.microsoft.com)
- Maintain a tight rollout schedule: pilot → core services → bulk production; keep a freeze day around Microsoft’s temporary enforcement windows.
- Consider isolating or taking vulnerable, internet‑facing EOL Exchange servers offline as recommended by CISA if you cannot patch them quickly. (cisa.gov)
Implementation checklist (concise)
- [ ] Run Exchange Health Checker on all Exchange servers and collect reports. (microsoft.github.io)
- [ ] Confirm which servers require HU/SU and whether they host hybrid flows.
- [ ] Apply latest CU/HU for the server build (test in pilot).
- [ ] Create dedicated Exchange hybrid app via script or updated HCW (test). (learn.microsoft.com)
- [ ] Validate hybrid features (free/busy, MailTips, photos) in both directions.
- [ ] Run Service Principal Clean‑Up Mode and rotate credentials only after all servers are confirmed migrated. (learn.microsoft.com)
- [ ] Re-run Health Checker and monitor logs for anomalies. (microsoft.github.io)
Final takeaways and recommended next steps
Microsoft’s September 2025 Hotfix Updates are small in content but large in context: they are the maintenance pieces that keep Exchange Server builds aligned with the dedicated hybrid app migration — a migration that Microsoft and federal cybersecurity bodies have established as the practical mitigation for the dangerous hybrid trust model exposed in CVE‑2025‑53786. Administrators who run hybrid Exchange environments must treat this as an operational priority: inventory, patch, configure the dedicated Exchange hybrid app, and only then clean up legacy credentials.

Key actions for every admin team this week:
- Run the Exchange Health Checker and summarize results. (microsoft.github.io)
- Put a short remediation plan in place that delivers a pilot update and dedicated‑app configuration before the next temporary enforcement window.
- Document the sequence you will follow for certificate cleanup and HCW runs, and rehearse rollback steps using test systems. (learn.microsoft.com)
Conclusion
The September 2025 Hotfix Updates for Exchange Server are small‑footprint releases with an outsized operational impact because they preserve the path to the dedicated Exchange hybrid app and ensure administratively controlled hybrid identity is available across supported builds. Given the severity of CVE‑2025‑53786 and CISA’s guidance, organizations running hybrid Exchange must inventory, patch, and migrate to the dedicated hybrid app now — plan carefully, pilot broadly, and avoid the risk of being caught by the temporary enforcement windows or the permanent cutoff after October 31, 2025. (cisa.gov)
Source: Microsoft Exchange Team Blog, “Released: September 2025 Exchange Server Hotfix Updates”, Microsoft Community Hub