Microsoft has confirmed that no security patches will be released for any version of Exchange Server in January 2026, including Exchange Server Subscription Edition (SE) and the Extended Security Update (ESU) versions of Exchange 2016 and 2019.
Understanding the Extended Security Update Program
Organizations running Exchange 2016 and 2019 after their October 14, 2025 end-of-support date can purchase a six-month Extended Security Update (ESU) program that runs through April 14, 2026. Microsoft has stated this ESU period will not be extended beyond April 2026, making this a firm deadline for organizations still running legacy Exchange versions.
The ESU program provides only critical and important security patches during this transition period—no general support or feature updates are included. Microsoft is making explicit monthly announcements during the ESU period, even when no updates are released, to maintain transparency with customers who have purchased ESU coverage.
Migration to Exchange SE Required
With Exchange 2016 and 2019 reaching end-of-support in October 2025, Exchange Server Subscription Edition became the only supported on-premises Exchange version. Exchange SE operates under Microsoft’s Modern Lifecycle Policy, providing continuous support with no fixed end date as long as organizations maintain current configurations. The platform receives two cumulative updates annually, with security and hotfix updates released as needed.
Organizations that delay migration past April 2026 will face significant security risks, as servers will no longer receive protection against newly discovered vulnerabilities. Microsoft strongly encourages immediate planning for migration to either Exchange SE or Exchange Online to avoid exposure to threats.
Fortify Your Server with Messageware Security
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.
Don’t leave your critical infrastructure vulnerable. Be proactive and stay ahead of evolving threats.