Exchange Server 2016/2019 End of Support: Migrate to SE or Online Now

Microsoft has stopped issuing support, security fixes, bug patches and time‑zone updates for Exchange Server 2016 and Exchange Server 2019 as of October 14, 2025, and organizations that continue to run these on‑premises versions now face a materially higher security, compliance, and operational risk profile.

Background

Microsoft’s Exchange engineering team set a clear lifecycle endpoint many months in advance and repeated that messaging at T‑12, T‑9, T‑6 and T‑1 month intervals so administrators could plan migrations or upgrades. These announcements explain what “end of support” means in concrete terms: after October 14, 2025 Microsoft will no longer provide technical support, bug fixes, security fixes, or time zone updates for Exchange Server 2016 and Exchange Server 2019.
Microsoft’s broader strategy for the last decade has been cloud‑first: encourage or enable customers to move mailboxes and services to Exchange Online (Microsoft 365), while offering a modernized on‑premises pathway for customers that must remain offline or on their own hardware. The product released to support that on‑premises modernization is Exchange Server Subscription Edition (SE), which reached general availability earlier in 2025.

What exactly ends today — the practical definition

  • No more security updates for newly discovered vulnerabilities in Exchange Server 2016 or 2019.
  • No more bug fixes or cumulative quality updates that could affect stability or functionality.
  • No further time‑zone or daylight‑saving updates that keep calendars and scheduled meetings correct.
  • No official technical support from Microsoft through standard support channels.
Customer servers will continue to run after the cutoff, but they will be running in an unsupported state — a condition that auditors and security teams increasingly treat as unacceptable without compensating controls.

Why this matters now: the threat and compliance dimensions

Mail servers are one of the most valuable targets for attackers. Unsupported Exchange installations present a large blast radius because they often hold long‑lived credentials, routing rules, journaled copies of communications, and native hooks into identity and collaboration workflows.
  • From a security perspective, an unpatched Exchange server can be leveraged for:
      • Credential harvesting and phishing amplification.
      • Lateral movement into other systems (especially in hybrid environments).
      • Ransomware and data exfiltration that exploits unpatched vulnerabilities.
  • From a compliance perspective, regulatory frameworks and auditors frequently flag unsupported software as a control gap; remediation or documented compensations are typically required.
  • From an operational perspective, missing time‑zone updates can break scheduling across geographically dispersed teams and create user disruption.
The Exchange team’s guidance explicitly frames the EoS date as a hard risk inflection point, not merely a soft advisory.

Your supported options now: Exchange Online, Exchange Server SE, or the limited ESU bridge

Microsoft recommends two principal supported migration paths for organizations running Exchange Server 2016 or 2019:
  • Migrate to Exchange Online (Microsoft 365) — the cloud‑first recommendation that eliminates most on‑premises maintenance overhead and provides continuous feature and security updates. Microsoft also offers FastTrack assistance for qualifying tenants to help plan and execute mailbox migrations.
  • Upgrade to Exchange Server Subscription Edition (SE) — a version‑less, evergreen on‑premises product that reached general availability on July 1, 2025. Exchange SE continues to be serviced under Microsoft’s Modern Lifecycle Policy and is intended for organizations that must remain on‑premises or that want a supported on‑prem path. For many Exchange Server 2019 customers an in‑place upgrade to SE is supported; Exchange 2016 customers are typically recommended to perform a side‑by‑side (legacy) upgrade to move to SE.
Short‑term lifeline — a one‑time, limited Extended Security Update (ESU) program:
  • Microsoft announced a one‑time, six‑month ESU program for Exchange Server 2016/2019 to cover critical and important security updates through April 14, 2026, for enrolled customers. This is explicitly a bridge, not a long‑term support model, and distribution is private to enrolled organizations. Enrollment mechanics and eligibility were communicated in advance. Treat ESU as contingency time to finish migration work, not as an alternative strategy.

Exchange Server SE: what it is, and practical upgrade guidance

Exchange Server SE changes how on‑premises Exchange is licensed and serviced: it is governed by the Modern Lifecycle Policy (no fixed support cutoff as long as your configuration remains current and you install updates). SE was made generally available on July 1, 2025, and Microsoft published recommended upgrade paths:
  • If you are running Exchange Server 2019, Microsoft recommends an in‑place upgrade to Exchange SE.
  • If you are on Exchange Server 2016, Microsoft recommends a legacy (side‑by‑side) upgrade to Exchange SE.
  • If you still have Exchange Server 2013 or earlier present in the environment, you must remove those first before installing Exchange 2019 CU15 or upgrading to Exchange SE.
Key considerations for SE:
  • SE requires active Software Assurance (SA) or eligible cloud subscription licensing for users and devices that access the server.
  • SE’s evergreen servicing means administrative discipline is still required: staying current with cumulative updates and hotfixes remains vital.
  • Hardware, OS, and integration compatibility must be validated prior to in‑place upgrades; older third‑party add‑ins may require updates or replacement.

Hybrid customers: the dedicated Exchange hybrid app and urgent hotfix requirements

One of the most operationally consequential items for hybrid customers is Microsoft’s enforcement of the dedicated Exchange hybrid app model. This change addresses a specific security weakness where the legacy shared service principal could allow an attacker with on‑premises admin access to escalate into Exchange Online.
Practical technical requirements and steps:
  • Install the April 2025 hotfix updates (released April 18, 2025) on Exchange Server 2016 CU23 and Exchange Server 2019 CU14/CU15 to enable the dedicated hybrid app functionality.
  • Supported minimum builds for the dedicated hybrid app are:
      • Exchange Server 2016 CU23 with April 2025 HU — build 15.1.2507.55 or higher.
      • Exchange Server 2019 CU14 with April 2025 HU — build 15.2.1544.25 or higher.
      • Exchange Server 2019 CU15 with April 2025 HU — build 15.2.1748.24 or higher.
      • Exchange SE RTM — build 15.2.2562.17 or higher.
  • Use the updated Hybrid Configuration Wizard (HCW) or the ConfigureExchangeHybridApplication.ps1 guidance to create a tenant‑specific service principal (the dedicated hybrid app) in Entra ID (Azure AD), remove custom certificates from the shared “Office 365 Exchange Online” application, and enable Service Principal Clean‑Up Mode.
Microsoft scheduled temporary EWS enforcement windows to force adoption of the tenant‑scoped dedicated hybrid app, and failing to configure the dedicated app can cause interruptions to rich coexistence features (Free/Busy lookups, MailTips, profile photos) during enforcement windows and permanently after further cutoff dates. Administrators must prioritize these hotfixes and configuration changes immediately if a hybrid topology is in use.
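One way to verify the minimum builds listed above, as an added example that is not from Microsoft or the original post. A single comparison against the lowest listed build would pass a 15.2 server that lacks the hotfix, so the check compares the revision inside each servicing line. The function name Test-HybridAppBuild, the server names and the inventory values are constructed for illustration, and reading the build from ExSetup.exe is an assumption about how the inventory is collected.

```powershell
# Added example. The minimum builds are the ones listed on this page.
# Key = servicing line (Major.Minor.Build); Rev = minimum revision within that line.
$HybridAppMinimums = @{
    '15.1.2507' = @{ Name = 'Exchange 2016 CU23'; Rev = 55 }
    '15.2.1544' = @{ Name = 'Exchange 2019 CU14'; Rev = 25 }
    '15.2.1748' = @{ Name = 'Exchange 2019 CU15'; Rev = 24 }
    '15.2.2562' = @{ Name = 'Exchange SE RTM';    Rev = 17 }
}
$SeRtmBuild = 2562

function Test-HybridAppBuild {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $FileVersion
    )
    # File versions are often zero-padded (15.02.1544.025); [version] normalizes them.
    $v   = [version]$FileVersion
    $key = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
    $min = $HybridAppMinimums[$key]

    if ($min) {
        # Compare only inside the same servicing line: a plain "-ge 15.1.2507.55"
        # would wrongly pass a 15.2.1544 build that is below revision 25.
        $ok     = $v.Revision -ge $min.Rev
        $detail = '{0}, minimum revision {1}' -f $min.Name, $min.Rev
    }
    elseif ($v.Major -eq 15 -and $v.Minor -eq 2 -and $v.Build -gt $SeRtmBuild) {
        $ok     = $true
        $detail = 'newer than Exchange SE RTM'
    }
    else {
        # Any other line is not on the supported list for the dedicated hybrid app.
        $ok     = $false
        $detail = 'not a listed servicing line; update the CU first or verify manually'
    }
    [pscustomobject]@{ Server = $Server; Build = $v.ToString(); MeetsMinimum = $ok; Detail = $detail }
}

# Constructed inventory (hypothetical names and builds). Assumption: on a real
# server the value is read with (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
$inventory = @(
    @{ Server = 'EX16-01';  FileVersion = '15.01.2507.055' }
    @{ Server = 'EX19-01';  FileVersion = '15.02.1544.004' }
    @{ Server = 'EX19-02';  FileVersion = '15.02.1748.024' }
    @{ Server = 'EX19-OLD'; FileVersion = '15.02.1258.012' }
    @{ Server = 'EXSE-01';  FileVersion = '15.02.2562.017' }
)
$inventory |
    ForEach-Object { Test-HybridAppBuild -Server $_.Server -FileVersion $_.FileVersion } |
    Format-Table -AutoSize
```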

A pragmatic migration checklist — prioritized, actionable steps

The following checklist condenses the essential work to get from unsupported risk to a supported state, grouped by priority.
  • Immediate inventory and risk triage
      • Identify every Exchange server (including legacy and internet‑facing), hybrid connectors, and integration points.
      • Prioritize internet‑facing and hybrid servers for immediate remediation.
  • Apply mandatory hotfixes and verify builds
      • Install the April 2025 hotfix updates (KB5050672/73/74 as applicable) and confirm builds meet the minimums required for the dedicated hybrid app.
  • Configure the dedicated Exchange hybrid app
      • Run the updated HCW or ConfigureExchangeHybridApplication.ps1, create the tenant‑scoped service principal in Entra ID, and perform Service Principal Clean‑Up Mode as documented.
  • Choose final destination and start migration work
      • If moving to Exchange Online: plan mailbox coexistence and migration waves, engage FastTrack if you qualify (customers with 150+ eligible licenses can request guided assistance), and test mail flow and compliance features in pilot tenants.
      • If upgrading on‑premises to Exchange SE: validate hardware/OS compatibility, choose in‑place (recommended for 2019) or side‑by‑side (recommended for 2016) upgrade paths, and schedule change windows to update and test.
  • Contingency: enroll in ESU only if migration cannot complete
      • ESU is a short, paid bridge (through April 14, 2026) and not a replacement for migration. Contact your Microsoft account team to enroll.
  • Strengthen compensating controls during transition
      • Increase monitoring and logging (SIEM rules), enforce MFA and conditional access, segment legacy systems, and restrict administrative access. These do not replace patches but reduce immediate exposure.

Realistic timelines and resourcing

  • Small deployments with straightforward mailbox counts and few integrations can often complete a migration to Exchange Online or an on‑prem SE upgrade in weeks with focused effort and vendor assistance.
  • Medium and large enterprises frequently require months to inventory, remediate custom integrations (journal, SMTP relays, archive connectors), pilot migrations and complete cutover.
  • If resource constraints exist, engage partners or FastTrack early and consider ESU enrollment as a measured contingency — not an indefinite plan.

Benefits and trade‑offs of each path

  • Moving to Exchange Online:
      • Benefits: continuous security and feature updates, simplified management, advanced cloud security tooling, and access to cloud‑only features (including new generative AI services).
      • Trade‑offs: ongoing subscription costs, network and identity integration work (Azure AD), and potential data residency or compliance considerations.
  • Upgrading to Exchange Server SE:
      • Benefits: supported on‑premises mailbox hosting under a modern servicing policy, continuity of on‑premises control.
      • Trade‑offs: you retain on‑premises operational overhead (patching, backups, HA), and licensing requires SA or qualifying cloud subscriptions.
  • Using ESU:
      • Benefits: temporary breathing room to finish migrations.
      • Trade‑offs: paid, limited, delivered privately, and reliant on Microsoft’s discretion to issue updates; not a substitute for full migration.

Risks and uncertainties to flag

  • Microsoft’s ESU program is time‑limited and does not guarantee that monthly updates will be released; ESU is issued only for Critical or Important security fixes at Microsoft’s discretion. Relying on ESU delays inevitable migration work and can create cost and compliance traps.
  • Hybrid enforcement activity (temporary EWS blocks and a permanent shift to the dedicated hybrid app model) can result in intermittent functional disruptions for organizations that do not implement the dedicated hybrid app and required hotfixes. These enforcement actions were communicated in advance and have concrete enforcement windows that administrators must heed.
  • Some third‑party add‑ons, journaling appliances, archiving devices, or on‑prem connector appliances may not be compatible with modern Exchange builds or Exchange Online without vendor updates or replacement. Include third‑party vendors early in the migration planning process.
  • Any claim that a particular vendor or partner can “fully automate” a migration without manual testing of mail flow, journaling, compliance rules, or large PST imports should be treated skeptically; practical migration projects typically require human validation and staged testing.

What enterprise leaders and security teams should do this week

  • Treat October 14, 2025 as a governance hard line in your risk register and escalate to leadership if you do not have a documented migration or upgrade plan.
  • Confirm whether any production mailboxes remain on Exchange 2016/2019 and tag their owners for remediation priority.
  • Validate hybrid servers are patched to the April 2025 HU minimums and that the dedicated Exchange hybrid app configuration is in place for tenant‑scoped operations.
  • If migration resources are constrained, secure ESU enrollment as a documented contingency and plan immediate migration wave scheduling.
  • Communicate to business owners about potential short service interruptions during enforcement windows and the steps your team is taking to reduce disruption.

Final assessment — opportunity and obligation

The end of support for Exchange Server 2016 and Exchange Server 2019 is a predictable moment in Microsoft’s lifecycle calendar, but its simultaneous alignment with other October 14, 2025 cutoffs (Windows 10, Office 2016/2019) compresses risk into a short, operationally heavy period. That pressure creates both a challenge and an opportunity.
  • Challenge: Many organizations that deferred earlier migrations will now face concentrated migration, testing, and change‑management work under tight deadlines and potential compliance scrutiny.
  • Opportunity: Moving to Exchange Online or upgrading to Exchange Server SE modernizes messaging infrastructure, reduces long‑term operational risk, and positions organizations to take advantage of cloud‑native security services and new capabilities.
Decisions must be pragmatic: prioritize patching and hybrid security now, choose the migration path that aligns with regulatory and operational constraints, and treat ESU as the last‑resort bridge rather than a destination. Microsoft’s published guidance and tooling describe the technical steps and minimum builds you must achieve to remain supported or to perform a supported upgrade; administrators should follow those prescriptive steps immediately.
The calendar has moved from warning to action — the technical and security consequences of inaction are now real and immediate.

Source: Microsoft Exchange Team Blog, "Support for Exchange Server 2016 and Exchange Server 2019 ends today" (Microsoft Community Hub)