Exchange Server 2016 & 2019 End of Life:
every deadline Microsoft gave you has passed
Exchange Server 2016 and Exchange Server 2019 both reached the end of Microsoft extended support on October 14, 2025, under Microsoft's Fixed Lifecycle Policy. That alone would make this old news by now — except Microsoft then did something it doesn't always do: it opened a paid Extended Security Update (ESU) bridge, then extended that bridge a second time when customers said they weren't ready. Both periods of that bridge are now closed. As of today, there is no official Microsoft patching path left for Exchange Server 2016 or 2019, at any price, through any channel.
What Ended, and When
Per Microsoft's published lifecycle pages, both versions hit their fixed end-of-support dates on the same day:
| Version | Mainstream support ended | Extended support ended |
|---|---|---|
| Exchange Server 2016 | Oct 13, 2020 | Oct 14, 2025 |
| Exchange Server 2019 | Jan 9, 2024 | Oct 14, 2025 |
Both dates come directly from Microsoft's official lifecycle documentation. Since October 14, 2025, Microsoft has not shipped free security updates for either version outside the paid ESU program described below, will not open a general support case for an unenrolled instance, and every subsequent Patch Tuesday has added disclosed vulnerabilities that go permanently unpatched on any Exchange 2016 or 2019 server not covered by ESU.
The ESU Bridge: Period 1 and Period 2
Unlike most Microsoft server products, Exchange 2016 and 2019 got a formal paid Extended Security Update program — but it was narrower and shorter than the multi-year ESU bridges Microsoft has offered for products like SQL Server. It shipped in two consecutive, time-boxed windows:
Microsoft's own framing of Period 2 was unusually blunt: the company said its preference was that customers "finalize their migrations instead," and that it would "be happy to not sell Period 2 Exchange ESU to anyone." That is not the language of a vendor planning a Period 3. Skype for Business Server 2015/2019 got the same two-period treatment on the same timeline, for what it's worth — this pattern wasn't Exchange-specific.
Still Running Exchange 2016 or 2019?
If you're reading this and still have an on-prem Exchange 2016 or 2019 mailbox server in production, the honest framing is simple: every deadline Microsoft published for this product — mainstream support, extended support, ESU Period 1, and ESU Period 2 — has a date attached, and by October 15, 2026 all four of those dates are in the past. There is no fifth deadline coming. The instance is either covered by an active ESU Period 2 subscription today, or it has been receiving zero vendor security patches since whichever of those dates it fell out of coverage on.
This is a different situation from most EOL software, where "still running it" mostly means accumulating quiet risk. With Exchange specifically, "still running it, unpatched" means running one of the most consistently and severely attacked pieces of enterprise software in existence, described in the next section, with no vendor patch coming for whatever gets disclosed next.
Why On-Prem Exchange Stays a Top Attack Target
On-premises Exchange has an unusually bad security track record relative to most enterprise software, for structural reasons: it's internet-facing by design (Outlook Web Access, Autodiscover, ActiveSync), it sits at the center of an organization's identity and communications, and a single remote-code-execution flaw in it has historically been enough to compromise an entire mail environment. That track record isn't hypothetical — it shows up directly in CISA's Known Exploited Vulnerabilities (KEV) catalog, the U.S. government's list of CVEs with confirmed active exploitation.
As one concrete, verifiable example: CVE-2023-21529, a Microsoft Exchange Server deserialization vulnerability allowing authenticated remote code execution, was added to the CISA KEV catalog on April 13, 2026 — years after the CVE was originally published — specifically because it was observed being actively exploited in the wild at that later date. That pattern, old Exchange CVEs getting re-weaponized long after disclosure, is exactly the risk that ESU coverage exists to close, and exactly the risk that has no fix once ESU coverage ends.
Exchange Server Subscription Edition — the On-Prem Successor
For organizations that need to keep Exchange on-premises rather than move to the cloud, Microsoft does have a current, supported answer: Exchange Server Subscription Edition (SE), generally available since July 1, 2025. It replaces the old fixed-lifecycle versioning model (2016, 2019, and so on) with a rolling, subscription-based servicing model — there is no discrete "Exchange SE 2028 EOL date" to plan around the way there was with 2016 and 2019.
Exchange Server 2019 instances running the latest cumulative update can perform an in-place upgrade directly to Exchange SE, which is the path Microsoft has been steering Exchange 2016/2019 customers toward throughout the ESU announcements above. Exchange 2016 does not support a direct in-place upgrade to SE — Microsoft's own lifecycle notes advise moving to the latest Exchange 2019 CU first, as a stepping stone, before the SE upgrade.
Migration Paths
- Migrate to Microsoft 365 / Exchange Online Removes the on-prem lifecycle problem permanently — no more version end-of-support dates to track for mail. The most common destination for organizations exiting Exchange 2016/2019, and the path Microsoft has actively promoted throughout this EOL cycle.
- In-place upgrade to Exchange Server SE For organizations that must keep mail on-premises. Direct from Exchange 2019 on the latest CU; via an intermediate Exchange 2019 CU step for Exchange 2016.
- Hybrid deployment Exchange SE also serves as the supported on-prem component for hybrid configurations with Exchange Online, for organizations not ready for a full cloud move.
Your Action Checklist
- Inventory every on-prem Exchange 2016/2019 serverConfirm exact version, cumulative update level, and internet exposure (OWA, Autodiscover, ActiveSync endpoints) for each.
- Check ESU Period 2 enrollment status nowIf you have an active Enterprise Agreement and are enrolled, confirm the October 14, 2026 end date is on your calendar with a hard deadline attached. If you're not enrolled, Microsoft is not patching that server today.
- Do not wait for a Period 3Microsoft has stated in writing there will be no further extensions after Period 2. Plan as if that is final, because Microsoft says it is.
- Choose a destination: Exchange Online or Exchange SEDecide per environment whether the target is Microsoft 365, an in-place Exchange SE upgrade, or hybrid — and start the technical assessment now rather than after the next incident.
- Apply compensating controls to anything still exposedRestrict OWA/Autodiscover exposure, tighten monitoring, and segment unpatched instances while migration is in progress.
- Log the finding in your risk registerAn EOL, unpatched mail server is a standard finding under SOC 2, PCI DSS, ISO 27001, and HIPAA assessments — document the migration plan and dates before an auditor documents the gap.
- Check for a SharePoint connectionSharePoint Server 2016 and 2019 hit the same July 14, 2026 end-of-support date with no ESU option at all — if your environment runs both, treat them as parallel, equally urgent migrations.
Frequently Asked Questions
When did Exchange Server 2016 and 2019 reach end of life?
Both reached the end of extended support on October 14, 2025. Exchange 2016 mainstream support ended October 13, 2020; Exchange 2019 mainstream support ended January 9, 2024.
Is there still a way to get security updates for Exchange 2016 or 2019?
Microsoft ran a paid Extended Security Update program in two periods: Period 1 (October 14, 2025 – April 14, 2026) and Period 2 (May 2026 – October 14, 2026), available only with an active Enterprise Agreement. Microsoft stated there would be no further extensions after Period 2 — once it closes, there is no official patching path left.
What is Exchange Server Subscription Edition?
Exchange Server SE is Microsoft's on-premises successor to Exchange 2019, generally available since July 1, 2025, using a rolling subscription servicing model rather than a fixed multi-year lifecycle. Exchange 2019 on the latest CU can upgrade in place; Exchange 2016 needs an intermediate step through Exchange 2019 first.
Why is unpatched on-prem Exchange considered high risk?
It's internet-facing, sits at the center of organizational identity and communications, and has a long history of severe, actively exploited flaws. CISA added CVE-2023-21529, a Microsoft Exchange Server RCE flaw, to its Known Exploited Vulnerabilities catalog on April 13, 2026 — evidence that old Exchange bugs keep getting weaponized long after disclosure.
What should I do if I'm still running Exchange 2016 or 2019?
Inventory every instance, confirm current ESU Period 2 coverage if applicable, and start migrating now toward Microsoft 365/Exchange Online or an in-place Exchange SE upgrade. There is no remaining official runway to wait out.
Check your full stack for EOL exposure
Exchange is one line in a busy Microsoft lifecycle calendar. Run your full stack through the EOL checker and see your Risk Scores.
Scan your stack Check a version How Risk Scores work