If your organisation is still running Exchange Server 2016 or 2019, Microsoft has announced one final extension of security coverage. On April 15, 2026, Microsoft officially announced the Period 2 Extended Security Update (ESU) program for Exchange Server 2016 and 2019, extending critical security coverage through October 2026.
Reading our article? Try our product:
What Is the ESU Program?
Exchange Server 2016 and 2019 officially reached end-of-support in October 2025, meaning Microsoft stopped providing regular security patches, bug fixes, and technical support for those versions. To help organizations that hadn’t yet completed their migrations to Exchange Subscription Edition (SE), Microsoft launched an optional, paid Period 1 ESU program, running from October 2025 through April 2026 — delivering only Critical and Important security updates to enrolled customers.
Now, with Period 1 winding down, Microsoft has announced Period 2 to give those organizations up to six more months to wrap up their migrations.
What’s New in Period 2?
Period 2 runs from May 1, 2026 through October 31, 2026 — a final six-month window.
- Not an automatic renewal — Even if your organisation was enrolled in Period 1, you must re-purchase the ESU contract separately for Period 2 coverage.
- Purchases from April 15, 2026 onwards are automatically considered Period 2 and will be valid from May–October 2026.
- Covered versions include Exchange Server 2016 CU23 and Exchange Server 2019 CU14/CU15.
- Updates are privately delivered — Security updates will NOT be available via the public Download Center or Windows Update; only enrolled customers receive them.
- No fixed release schedule — Microsoft will only release updates as needed, based on the severity of security risks identified by the Microsoft Security Response Center (MSRC).
- This is the final extension. Microsoft has explicitly stated: “There will be no further extensions of this program after that.”
Who Should Enroll?
This program is targeted at a very specific audience. If your organisation meets the following criteria, Period 2 may be a valid short-term safety net:
- You are still running Exchange 2016 CU23 or Exchange 2019 CU14/CU15 in production.
- Your migration to Exchange SE is actively underway but cannot be completed before May 2026.
- You need continued coverage for Critical and Important security vulnerabilities during that transition window.
If you haven’t started migration at all, the ESU program is not a long-term solution. Make upgrading to Exchange Server Subscription Edition (SE) a priority.
What the ESU Does Not Cover
It’s equally important to understand the limitations:
- No regular technical support — You cannot raise standard support cases unless they relate directly to an ESU security update.
- No feature updates or bug fixes — Only Critical and Important security patches are included.
- No guarantee of monthly patches — Updates are only released when a qualifying security event occurs.
The Time to Migrate is Now
This is the absolute final runway for legacy Exchange deployments. With Period 2 ending in October 2026 and no further ESU extensions planned, organizations still on Exchange 2016 or 2019 need to be actively planning and executing their migration to Exchange Server Subscription Edition (SE).
Running an unsupported email server after October 2026 without security patches is not just a technical risk, it’s a compliance and business continuity risk. Legacy Exchange servers are high-value targets for attackers, and the absence of patches makes them increasingly vulnerable over time.
Key Dates at a Glance
| Milestone | Date |
|---|---|
| Exchange 2016 & 2019 End of Support | October 14, 2025 |
| Period 1 ESU Start | October 2025 |
| Period 1 ESU End | April 2026 |
| Period 2 ESU Start | May 1, 2026 |
| Period 2 ESU End | October 31, 2026 |
| No further ESU extensions after | October 2026 |
Bottom Line
The Period 2 ESU program is a valuable, if costly, safety net for organizations genuinely mid-migration. If you qualify, enroll promptly especially since any ESU purchase from April 15, 2026 is automatically treated as Period 2. But don’t treat it as a reason to slow your migration efforts. October 2026 is a hard stop, and Microsoft has made it unambiguously clear that the era of Exchange 2016 and 2019 is truly coming to an end.
Fortify Your Server with Messageware Security
Data breaches have increased by 72%, servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Server Threat Guard (STG) for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.
Don’t leave your critical infrastructure vulnerable, be proactive and stay ahead of evolving threats.