Exchange Server 2016 CU23 – October 2025 Security Update (KB5066369) Gotcha

Date of incident: November 16, 2025
Affected build: 15.01.2507.61 (October 14, 2025 SU)

What happened

I ran the routine security update Exchange2016-KB5066369-x64-en.exe on our last remaining Exchange 2016 server (CU23). The patch applied cleanly, took ~30 minutes, reported no errors, and requested a reboot.

After the reboot:

Root cause

The update process (or possibly cleanup of old certificates I did shortly before) removed the binding of the self-signed Microsoft Exchange certificate from the Exchange Back End site on port 444. Without a valid certificate bound to the backend HTTPS site, all Client Access Frontend-to-Backend communication fails → total outage.

TL;DR: The October 2025 SU for Exchange 2016 can unbind the self-signed certificate from the Exchange Back End site (port 444). This instantly kills OWA, ECP, EMS, and mail flow.

Quick fix (5 minutes once you know)

  1. Open IIS Manager on the Exchange server
  2. Go to Sites → Exchange Back End → Bindings
  3. Edit the https binding on port 444
  4. Select the current (or newly created) self-signed certificate named Microsoft Exchange
  5. OK → Close
  6. Run iisreset /noforce

Everything comes back immediately – no reboot required.
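
The same check and rebind can be scripted, which also makes a useful post-patch health check. The PowerShell below is an added example, not part of the original post or any Microsoft tooling; it assumes an elevated session on the Exchange server, the WebAdministration module, and a certificate with the friendly name Microsoft Exchange as in step 4. The $Repair variable is a hypothetical switch for this sketch: leave it $false to only report.

```powershell
# Added example: verify (and optionally restore) the certificate on the
# "Exchange Back End" https binding, port 444.
Import-Module WebAdministration

$siteName = 'Exchange Back End'   # site name as given in the post
$port     = 444
$Repair   = $false                # hypothetical switch: $true = rebind and reset IIS

$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
if (-not $binding) { throw "No https binding on port $port for site '$siteName'." }

# certificateHash is empty when nothing is bound to the binding
$boundHash = $binding.certificateHash
$boundCert = if ($boundHash) {
    Get-ChildItem "Cert:\LocalMachine\My\$boundHash" -ErrorAction SilentlyContinue
}

# Healthy means: cert exists in the store, has a private key, is not expired
$healthy = $boundCert -and $boundCert.HasPrivateKey -and ($boundCert.NotAfter -gt (Get-Date))

if ($healthy) {
    Write-Output "OK: $($boundCert.Thumbprint) bound, expires $($boundCert.NotAfter)"
}
elseif (-not $Repair) {
    Write-Warning "Port $port binding has no usable certificate (bound hash: '$boundHash')."
}
else {
    # Pick the longest-lived valid self-signed Exchange certificate
    $candidate = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.FriendlyName -eq 'Microsoft Exchange' -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $candidate) {
        throw "No valid 'Microsoft Exchange' certificate in LocalMachine\My."
    }

    # Clear a stale or dangling binding first, then bind the candidate
    if ($boundHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($candidate.Thumbprint, 'My')
    Write-Output "Bound $($candidate.Thumbprint) to ${siteName}:$port"

    iisreset /noforce
}
```

Running it in report-only mode before and after installing an update shows whether the binding changed during patching.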

Prevention for the future

Final note

Exchange 2016 reached end-of-support on October 14, 2025. This was the very last security update Microsoft will ever release for it. It took me many frustrating hours and multiple dead ends (including 3+ hours with another AI) until Grok pointed me straight to the backend certificate within minutes.

Hope this saves the next admin a massive headache.