End of Support for Exchange 2016/2019: Migrate to Online or SE Now

On October 14, 2025, support for Exchange Server 2016 and Exchange Server 2019 ends — one month from now — and organizations that delay face escalating operational risk, loss of security updates, and an increasingly narrow set of safe upgrade paths. Microsoft’s Exchange engineering team has issued a final T‑1 month notice urging immediate action: migrate to Exchange Online or move to the newly available Exchange Server Subscription Edition (SE), apply April 2025 hotfix updates, and prepare for hybrid enforcement windows that will begin this month.

Background​

Exchange Server 2016 and Exchange Server 2019 were built for an era when on‑premises messaging dominated enterprise architectures. Over the last decade Microsoft has shifted to cloud‑first operations and a hybrid security posture that reduces shared multi‑tenant trust. That shift is now reflected in lifecycle decisions: both Exchange 2016 and Exchange 2019 are scheduled to reach end of support on October 14, 2025. After that date Microsoft will no longer provide technical support, bug fixes, security updates, or time zone updates for those product versions — a hard cut that affects production safety and compliance. (learn.microsoft.com)
This countdown is not new: Microsoft has been issuing staged reminders since T‑12 months and continues to push migration guidance and tooling to help administrators decide between cloud migration and on‑premises modernization. The Exchange engineering team’s messaging in the latest T‑1 month notice repeats those same recommendations and layers in urgent security‑hardening steps related to hybrid deployments. (techcommunity.microsoft.com)

---

What ends (and what continues to run)​

The technical facts — clear and absolute​

• End of support date: October 14, 2025 (all lifecycle and support channels end as specified). (learn.microsoft.com)
• After that date Microsoft will not provide:
• Technical support for product issues;
• Bug fixes impacting stability or usability;
• Security fixes for new vulnerabilities;
• Time zone updates.

Customer installations will still run after October 14, but running unsupported server software is inherently risky — security and compliance teams must treat that state as a temporary, strictly managed exception only.

Short-term stopgaps Microsoft has offered​

Microsoft announced a one‑time, six‑month Extended Security Update (ESU) program for Exchange Server 2016/2019 that runs from October 14, 2025 through April 14, 2026. The ESU provides only Critical and Important security updates (if any are released) and is a paid, private program delivered to enrolled customers; it is explicitly not an extension of mainstream support. Enrollment via your Microsoft account team began on August 1, 2025. This is a bridge — not a migration plan. (techcommunity.microsoft.com)

---

The timeline admins must internalize​

• Today — immediate: inventory every Exchange server and hybrid integration point; confirm builds and apply April 2025 hotfixes where required. (techcommunity.microsoft.com)
• Short term — September & early October 2025: Microsoft will implement temporary EWS enforcement windows designed to force adoption of a tenant‑scoped dedicated hybrid app. Planned temporary blocks include September 16, 2025 (two days) and October 7, 2025 (three days). Microsoft plans a permanent block of the legacy shared service principal for EWS after October 31, 2025. These measures affect only certain hybrid "rich coexistence" features (Free/Busy lookups, MailTips, profile photos) and only in the direction where on‑premises servers query Exchange Online mailboxes — but the operational impact can be significant. (techcommunity.microsoft.com)
• October 14, 2025: End of support for Exchange 2016 and 2019. (learn.microsoft.com)
• October 14, 2025 → April 14, 2026: ESU window (paid, private delivery, security updates only). (techcommunity.microsoft.com)

Administrators must plan for two tightly coupled migration problems: (1) staying secure and supported through October 14 and (2) ensuring hybrid functionality keeps working during and after the EWS enforcement windows. Both require immediate action.

---

Why this matters now: technical and security drivers​

The enforcement activity and the push to a tenant‑scoped dedicated Exchange hybrid app are driven by security findings and practical risk management. A high‑severity improper authentication vulnerability (CVE details referenced by Microsoft) demonstrated how an attacker with control of an on‑premises Exchange admin could pivot into the connected Exchange Online tenant when hybrid configurations used a shared, multi‑tenant service principal. Moving to a tenant‑specific dedicated app significantly reduces that attack surface and places control squarely inside the customer’s Entra ID. (techcommunity.microsoft.com)
Practical consequences:

• If you don’t create the dedicated Exchange hybrid app and update on‑prem servers to builds that support it, you risk temporary disruptions during the enforcement windows and permanent loss of rich coexistence features after October 31, 2025. (techcommunity.microsoft.com)
• If your on‑prem servers remain unpatched, they may remain vulnerable to known attack patterns; public reports in August 2025 estimated many thousands of unpatched Exchange servers remained exposed. That reinforces the urgency to install April 2025 hotfix updates and configure the dedicated hybrid app. (techradar.com)

---

Validation: what to check in your environment (practical checklist)​

• Inventory and Discovery
• Run Exchange Health Checker and catalog every Exchange server, including any legacy or internet‑facing systems. Identify hybrid links and where Free/Busy, MailTips, or profile photos are used cross‑boundary.
• Verify builds and patch level
• Ensure the servers that participate in hybrid functionality are on the minimum April 2025 HU builds:
• Exchange Server 2016 CU23 — build 15.1.2507.55 or higher.
• Exchange Server 2019 CU14 — build 15.2.1544.25 or higher.
• Exchange Server 2019 CU15 — build 15.2.1748.24 or higher.
• Exchange Server SE RTM — build 15.2.2562.17 or higher. (techcommunity.microsoft.com)
• Create the dedicated Exchange hybrid app
• Run Microsoft’s ConfigureExchangeHybridApplication.ps1 (or re‑run the updated Hybrid Configuration Wizard) to create a tenant‑scoped dedicated Exchange hybrid application in Entra ID. After creation, run the Service Principal Clean‑Up Mode to remove legacy keyCredentials from the shared service principal. (techcommunity.microsoft.com)
• Validate hybrid behavior
• Test Free/Busy lookups, MailTips, and profile picture sharing across on‑prem → cloud directions before and after the next scheduled temporary block windows.
• Consider ESU enrollment only if migration cannot be completed by October 14, 2025
• Contact your Microsoft account team (ESU enrollment began Aug 1, 2025). Understand ESU limits: private delivery, paid per‑server, security updates only, and no guarantee that Microsoft will release updates during the ESU period. (techcommunity.microsoft.com)

---

Migration options: cloud, SE, and hybrid — what to choose​

Option A — Migrate to Exchange Online / Microsoft 365 (recommended for most)​

Microsoft’s guidance consistently favors migrating mailboxes to Exchange Online as the best path to reduce operational overhead and gain new features (including cloud-only generative AI and advanced compliance/security services). Migration eliminates the need to manage server lifecycles and removes the EoS risk entirely. Microsoft offers FastTrack assistance for eligible customers, which can provide engineering support for planning and migrating mailboxes. This is the simplest long‑term route for many organizations. (techcommunity.microsoft.com)
Benefits:

• Continuous security and feature updates;
• Reduced on‑premises patching and identity complexity;
• Access to cloud‑native security, compliance, and advanced AI features.

Tradeoffs:

• Cloud migrations can require licensing changes, network and identity adjustments, and change management for users. They can also surface legacy integrations that need redesign.

Option B — Upgrade to Exchange Server Subscription Edition (SE)​

For organizations that must remain on‑premises, Microsoft released Exchange Server Subscription Edition (SE) to modernize on‑prem deployments under a Modern Lifecycle Policy. SE reached general availability in July 2025 and is installable as a CU on Exchange Server 2019 CU14/CU15 or joined into existing Exchange organizations. Microsoft recommends:

• In‑place upgrade from Exchange 2019 to Exchange SE when possible (low risk).
• Side‑by‑side (legacy) upgrade for Exchange 2016 customers; then perform in‑place upgrade to SE when available. (support.microsoft.com)

Benefits:

• Evergreen servicing model with no fixed end date as long as you stay current;
• Keeps messaging entirely on‑premises for regulatory or operational reasons.

Tradeoffs:

• SE adoption still requires lifecycle management and patching discipline;
• Some organizations may require hardware or OS refresh to meet new prerequisites.

Option C — Temporary ESU (not a migration substitute)​

Microsoft’s six‑month ESU is a stopgap for customers who cannot complete migration before October 14, 2025. It is paid, private, and provides only Critical and Important security updates if Microsoft deems them necessary. ESU is explicitly not an extension of support and will not permit open support cases outside of issues tied directly to provided security updates. Use ESU only as a controlled bridge while executing an immediate migration plan. (techcommunity.microsoft.com)

---

Hybrid specifics: what breaks and how to avoid disruption​

The enforcement action targets Exchange Web Services (EWS) access that uses Microsoft’s shared first‑party Exchange Online service principal. Microsoft’s published scope is intentionally narrow: temporary blocks will disrupt only three rich coexistence features when the legacy shared principal is used and on‑prem servers attempt to query cloud mailboxes:

• Free/Busy calendar availability lookups (on‑prem → cloud);
• MailTips for cloud mailboxes shown to on‑prem users;
• Profile photo sharing across the boundary. (techcommunity.microsoft.com)

Everything else — mail flow, SMTP relay, mailbox moves, and recipient management — is not part of the temporary enforcement windows. However, the loss of Free/Busy and MailTips can materially impair end‑user productivity, meeting scheduling, and other collaboration workflows. The fix is straightforward but must be implemented before the temporary windows or the permanent cutoff: install the April 2025 HU (or newer CU that includes its changes) and create the dedicated hybrid app in Entra ID. (techcommunity.microsoft.com)

---

Minimum builds and hotfix guidance (technical specifics)​

• April 2025 Hotfix Updates were released for Exchange Server 2016 CU23 and Exchange Server 2019 CU14/CU15 and include the dedicated Exchange hybrid app capability. Ensure those updates are applied on servers participating in hybrid functionality. (techcommunity.microsoft.com)
• Minimum supported builds for dedicated hybrid app support:
• Exchange Server 2016 CU23 — 15.1.2507.55 or higher;
• Exchange Server 2019 CU14 — 15.2.1544.25 or higher;
• Exchange Server 2019 CU15 — 15.2.1748.24 or higher;
• Exchange Server SE RTM — 15.2.2562.17 or higher.

If you run any Exchange servers below these builds and you rely on hybrid rich coexistence, apply the hotfix/CU immediately. After installing the builds, follow the guidance to create the dedicated Exchange hybrid application and to run service principal cleanup. (techcommunity.microsoft.com)

---

Migration planning: a pragmatic timeline and resource allocation​

• Immediate (0–7 days)
• Run discovery and inventory across on‑prem Exchange and hybrid tenants.
• Identify servers that service hybrid queries and confirm patch levels.
• Apply April 2025 HUs where required; document completion and test.
• Near term (7–30 days)
• Create the dedicated Exchange hybrid app in Entra ID and enable it across tenants.
• Re‑run hybrid configuration validation and perform user‑facing tests for Free/Busy, MailTips, and profile photos.
• Begin migration wave planning (mailboxes, distribution lists, archives) if moving to Exchange Online.
• Migration window (30–90 days)
• Execute mailbox migration batches, decommission on‑premises workloads as they move.
• For on‑prem customers choosing SE, plan hardware and OS compliance, and schedule in‑place or side‑by‑side upgrades as recommended.
• Contingency
• If migration cannot complete by October 14, enroll in ESU (contact Microsoft account team on or after Aug 1, 2025) to buy the six‑month bridge while continuing migration work. (techcommunity.microsoft.com)

---

Risks, tradeoffs, and what can go wrong​

• Security exposure: running unsupported Exchange ignores forthcoming zero‑day vulnerabilities and leaves organizations open to compromise. Even if you buy ESU, updates are only delivered privately and only if Microsoft determines an SU is necessary. That is not the same protection level as mainstream support. (techcommunity.microsoft.com)
• Operational disruption: if you fail to implement the dedicated hybrid app and Microsoft executes scheduled temporary EWS blocks, users will experience failed Free/Busy lookups and missing MailTips during the enforcement windows and permanently after October 31, 2025. Those interruptions can cascade into scheduling failures and user confusion. (techcommunity.microsoft.com)
• Compliance and audit: unsupported servers may violate internal or external regulatory requirements. Check compliance implications before deciding to extend operations on unsupported software.
• Migration complexity: cloud migrations surface dependencies (third‑party integrations, on‑prem authentication flows, journaling/archiving systems) that may need redesign. Budget time for those remediation projects.

---

Notable strengths in Microsoft’s approach — and remaining gaps​

Microsoft’s plan exhibits several strengths:

• Clear timelines and public reminders provide predictable decision points for enterprises. (techcommunity.microsoft.com)
• The introduction of Exchange Server SE offers an evergreen, lifecycle‑friendly on‑premises option for organizations that cannot migrate to the cloud. (support.microsoft.com)
• The dedicated hybrid app model addresses a concrete security weakness in shared multi‑tenant trust and reduces risk of lateral cloud compromise. (techcommunity.microsoft.com)
• The ESU program offers a narrow, deliberate safety valve for organizations that need a short extension to finish migrations. (techcommunity.microsoft.com)

However, gaps and risks remain:

• Adoption friction: many organizations remain unprepared to create a dedicated hybrid app and to apply hotfixes across all servers. Microsoft’s temporary blocks are a blunt instrument to force compliance.
• Operational complexity: hybrid deployments have many moving parts; organizations with limited staff or complex third‑party integrations may find migration timelines unrealistic without outside help.
• ESU limits: ESU does not equal support, and Microsoft does not guarantee updates, making ESU a poor long‑term substitute for migration. (techcommunity.microsoft.com)

---

Actionable recommendations — what to do right now​

• Inventory and patch: run the Exchange Health Checker, document hybrid usage, and install the April 2025 HUs or a later CU that contains them. Prioritize internet‑facing and hybrid servers. (techcommunity.microsoft.com)
• Create the dedicated hybrid app now: run ConfigureExchangeHybridApplication.ps1 (or the updated HCW) and perform Service Principal Clean‑Up Mode. Validate with test users. (techcommunity.microsoft.com)
• Start migration waves: if you intend to move to Exchange Online, accelerate mailbox migration planning and engage FastTrack if you qualify. If you choose SE, plan the in‑place or side‑by‑side upgrade path now.
• Budget for ESU only as contingency: contact your Microsoft account team if migration cannot be completed by October 14, 2025; do not rely on ESU to replace a migration plan. (techcommunity.microsoft.com)
• Communicate with stakeholders: inform business owners and compliance teams about the end‑of‑support timeline, potential short service interruptions during enforcement windows, and the plan to mitigate risk.

---

Conclusion​

October 14, 2025 is a hard deadline for Exchange Server 2016 and Exchange Server 2019. The clock is now counting down to a period when unsupported servers will lose official protection and hybrid behavior will be actively enforced to a tenant‑scoped model. Microsoft has provided both an on‑premises modernization path (Exchange Server SE) and a cloud migration path (Exchange Online), plus a short, paid ESU window for organizations that cannot finish migration on time. The immediate priorities for any Exchange administrator are clear: inventory, patch, create the dedicated Exchange hybrid app, and accelerate migrations or SE upgrades. Failure to act risks security exposure, user disruption, and compliance headaches. (techcommunity.microsoft.com)
The next four weeks will separate organizations that are operationally prepared from those that will face avoidable disruption. Start now.

---

Source: Microsoft Exchange Team Blog T-1 month: Exchange Server 2016 and Exchange Server 2019 End of Support | Microsoft Community Hub