EOL Watch — Exchange Server Deep Dive

Exchange Server 2016 & 2019 End of Life:
every deadline Microsoft gave you has passed

Published July 13, 2026 · endoflife.ai · 9 min read · Email / Microsoft Stack
1
Days since extended support ended — October 14, 2025 Exchange Server 2016 and Exchange Server 2019 reached the end of Microsoft extended support on October 14, 2025. Microsoft then ran a paid Extended Security Update bridge in two back-to-back periods, and has stated in writing there will be no further extensions after the second one closes October 14, 2026. If you're on 2016 or 2019 today, you are past every official deadline Microsoft has given for this product.

Exchange Server 2016 and Exchange Server 2019 both reached the end of Microsoft extended support on October 14, 2025, under Microsoft's Fixed Lifecycle Policy. That alone would make this old news by now — except Microsoft then did something it doesn't always do: it opened a paid Extended Security Update (ESU) bridge, then extended that bridge a second time when customers said they weren't ready. Both periods of that bridge are now closed. As of today, there is no official Microsoft patching path left for Exchange Server 2016 or 2019, at any price, through any channel.

What Ended, and When

Per Microsoft's published lifecycle pages, both versions hit their fixed end-of-support dates on the same day:

Version Mainstream support ended Extended support ended
Exchange Server 2016 Oct 13, 2020 Oct 14, 2025
Exchange Server 2019 Jan 9, 2024 Oct 14, 2025

Both dates come directly from Microsoft's official lifecycle documentation. Since October 14, 2025, Microsoft has not shipped free security updates for either version outside the paid ESU program described below, will not open a general support case for an unenrolled instance, and every subsequent Patch Tuesday has added disclosed vulnerabilities that go permanently unpatched on any Exchange 2016 or 2019 server not covered by ESU.

Still running Exchange 2016 or 2019?
Extended-support vendors and migration specialists can help close the gap once Microsoft's own patching path is closed. We match you with the right provider for your stack — free, no obligation.
Get Exchange Server Support Options →

The ESU Bridge: Period 1 and Period 2

Unlike most Microsoft server products, Exchange 2016 and 2019 got a formal paid Extended Security Update program — but it was narrower and shorter than the multi-year ESU bridges Microsoft has offered for products like SQL Server. It shipped in two consecutive, time-boxed windows:

Period 1
Oct 14, 2025 – Apr 14, 2026
Announced in mid-2025, enrollment opened August 1, 2025. Six months of paid Critical/Important security updates for customers with an active Microsoft Enterprise Agreement, on Exchange 2016 CU23 or Exchange 2019 CU14/CU15.
Period 2
May 2026 – Oct 14, 2026
Announced April 15, 2026 after customers reported unfinished migrations. Required a fresh ESU purchase even for Period 1 subscribers — enrollment did not carry over automatically.
After Period 2
No further extensions
Microsoft stated explicitly in the Period 2 announcement that this is final. As of October 15, 2026, there is no ESU purchase option of any kind for Exchange 2016 or 2019.

Microsoft's own framing of Period 2 was unusually blunt: the company said its preference was that customers "finalize their migrations instead," and that it would "be happy to not sell Period 2 Exchange ESU to anyone." That is not the language of a vendor planning a Period 3. Skype for Business Server 2015/2019 got the same two-period treatment on the same timeline, for what it's worth — this pattern wasn't Exchange-specific.

The math, if you're reading this in or after July 2026 Extended support ended October 14, 2025. ESU Period 1 closed April 14, 2026. ESU Period 2 runs only through October 14, 2026, and only for Enterprise Agreement customers who separately purchased it. If none of those windows currently cover your instance, it has been unpatched by Microsoft for months — or will be again the moment Period 2 closes.

Still Running Exchange 2016 or 2019?

If you're reading this and still have an on-prem Exchange 2016 or 2019 mailbox server in production, the honest framing is simple: every deadline Microsoft published for this product — mainstream support, extended support, ESU Period 1, and ESU Period 2 — has a date attached, and by October 15, 2026 all four of those dates are in the past. There is no fifth deadline coming. The instance is either covered by an active ESU Period 2 subscription today, or it has been receiving zero vendor security patches since whichever of those dates it fell out of coverage on.

This is a different situation from most EOL software, where "still running it" mostly means accumulating quiet risk. With Exchange specifically, "still running it, unpatched" means running one of the most consistently and severely attacked pieces of enterprise software in existence, described in the next section, with no vendor patch coming for whatever gets disclosed next.

Why On-Prem Exchange Stays a Top Attack Target

On-premises Exchange has an unusually bad security track record relative to most enterprise software, for structural reasons: it's internet-facing by design (Outlook Web Access, Autodiscover, ActiveSync), it sits at the center of an organization's identity and communications, and a single remote-code-execution flaw in it has historically been enough to compromise an entire mail environment. That track record isn't hypothetical — it shows up directly in CISA's Known Exploited Vulnerabilities (KEV) catalog, the U.S. government's list of CVEs with confirmed active exploitation.

As one concrete, verifiable example: CVE-2023-21529, a Microsoft Exchange Server deserialization vulnerability allowing authenticated remote code execution, was added to the CISA KEV catalog on April 13, 2026 — years after the CVE was originally published — specifically because it was observed being actively exploited in the wild at that later date. That pattern, old Exchange CVEs getting re-weaponized long after disclosure, is exactly the risk that ESU coverage exists to close, and exactly the risk that has no fix once ESU coverage ends.

Unpatched does not mean untargeted Attackers scan for exposed Exchange servers continuously; they don't need you to be a high-value target specifically. An unpatched, internet-facing Exchange server is treated by opportunistic scanners the same way any other unpatched, internet-facing service is: as an open door.

Exchange Server Subscription Edition — the On-Prem Successor

For organizations that need to keep Exchange on-premises rather than move to the cloud, Microsoft does have a current, supported answer: Exchange Server Subscription Edition (SE), generally available since July 1, 2025. It replaces the old fixed-lifecycle versioning model (2016, 2019, and so on) with a rolling, subscription-based servicing model — there is no discrete "Exchange SE 2028 EOL date" to plan around the way there was with 2016 and 2019.

Exchange Server 2019 instances running the latest cumulative update can perform an in-place upgrade directly to Exchange SE, which is the path Microsoft has been steering Exchange 2016/2019 customers toward throughout the ESU announcements above. Exchange 2016 does not support a direct in-place upgrade to SE — Microsoft's own lifecycle notes advise moving to the latest Exchange 2019 CU first, as a stepping stone, before the SE upgrade.

Migration Paths

Exchange 2016 / 2019Support ended Oct 14, 2025
Exchange Server SECurrent on-prem, rolling support
Exchange 2016 / 2019Support ended Oct 14, 2025
Microsoft 365 / Exchange OnlineManaged, always-patched

Your Action Checklist

Frequently Asked Questions

When did Exchange Server 2016 and 2019 reach end of life?

Both reached the end of extended support on October 14, 2025. Exchange 2016 mainstream support ended October 13, 2020; Exchange 2019 mainstream support ended January 9, 2024.

Is there still a way to get security updates for Exchange 2016 or 2019?

Microsoft ran a paid Extended Security Update program in two periods: Period 1 (October 14, 2025 – April 14, 2026) and Period 2 (May 2026 – October 14, 2026), available only with an active Enterprise Agreement. Microsoft stated there would be no further extensions after Period 2 — once it closes, there is no official patching path left.

What is Exchange Server Subscription Edition?

Exchange Server SE is Microsoft's on-premises successor to Exchange 2019, generally available since July 1, 2025, using a rolling subscription servicing model rather than a fixed multi-year lifecycle. Exchange 2019 on the latest CU can upgrade in place; Exchange 2016 needs an intermediate step through Exchange 2019 first.

Why is unpatched on-prem Exchange considered high risk?

It's internet-facing, sits at the center of organizational identity and communications, and has a long history of severe, actively exploited flaws. CISA added CVE-2023-21529, a Microsoft Exchange Server RCE flaw, to its Known Exploited Vulnerabilities catalog on April 13, 2026 — evidence that old Exchange bugs keep getting weaponized long after disclosure.

What should I do if I'm still running Exchange 2016 or 2019?

Inventory every instance, confirm current ESU Period 2 coverage if applicable, and start migrating now toward Microsoft 365/Exchange Online or an in-place Exchange SE upgrade. There is no remaining official runway to wait out.

Check your full stack for EOL exposure

Exchange is one line in a busy Microsoft lifecycle calendar. Run your full stack through the EOL checker and see your Risk Scores.

Scan your stack Check a version How Risk Scores work

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.