Microsoft has confirmed that there are no Exchange Server security updates scheduled for release in April 2026. This applies to all currently supported versions of Exchange Server, including those enrolled in the Extended Security Update (ESU) program.

Microsoft’s ESU program — and Exchange security updates in general — operate on an as-needed basis, meaning patches are only released when a qualifying Critical or Important vulnerability is identified and confirmed by the Microsoft Security Response Center (MSRC). If no such vulnerabilities have been identified or require immediate remediation, no update is released.


What You Should Do

The lack of an April update does not mean your Exchange environment requires less attention. Recommended actions for administrators include:

  • Maintain your current patch level — Ensure your Exchange servers are running on the latest previously released cumulative or security update.
  • Monitor Microsoft’s Exchange blog — Updates are announced promptly when available; subscribe to stay informed.
  • Continue migration planning — If you are on Exchange 2016 or 2019, use this window productively to advance your migration to Exchange Server Subscription Edition (SE).
  • Review your security posture — No new patch does not mean no new threats; ensure your perimeter and internal controls remain strong.

ESU Program Reminder

For organisations enrolled in the Period 2 ESU program (May–October 2026), this month’s non-release is a reminder that ESU updates are not guaranteed on a monthly cadence. Microsoft will only push updates when a valid security event warrants it. Plan your compliance and audit cycles accordingly.

Fortify Your Server with Messageware Security

Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Server Threat Guard (STG) for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.

Don’t leave your critical infrastructure vulnerable. Be proactive and stay ahead of evolving threats.