Microsoft published the February 2026 Security Updates for Exchange Server and again urged administrators to apply them immediately — the rollup covers Exchange Server Subscription Edition (SE) RTM and, under Microsoft’s paid Extended Security Update (ESU) program, specific builds of Exchange Server 2019 and 2016 — while confirming Exchange Online tenants are already protected from the issues addressed.
Background / Overview
The February 2026 Security Updates (SUs) land against a backdrop of sustained hardening and mitigation work that began in 2025 after Microsoft and government agencies identified an elevated risk to hybrid Exchange deployments. The core threat is a hybrid-trust escalation scenario: if an attacker gains administrative control of an on‑prem Exchange server, flawed trust between on‑prem Exchange and Exchange Online can enable token misuse or token issuance that escalates that on‑prem foothold into tenant‑wide cloud compromise. CISA and other security agencies treated this class of issues as urgent and directed organizations to adopt Microsoft’s hybrid hardening workflow. Microsoft’s February SUs were issued for:
- Exchange Server Subscription Edition (SE) RTM (Microsoft’s up‑to‑date on‑prem lifecycle option).
- Exchange Server 2019 — CU14 and CU15, but these updates are available only to organizations enrolled in Microsoft’s ESU program.
- Exchange Server 2016 — CU23, likewise available only under ESU enrollment.
What changed in February 2026 — the concrete bullets
The February 2026 SUs are cumulative rollups that combine functional fixes with security hardenings; the most important items administrators should know right away are:
- Updates are available for Exchange SE RTM and (under ESU) Exchange 2019 CU14/CU15 and Exchange 2016 CU23.
- Microsoft continues to require ESU enrollment to receive 2016/2019 SUs, and ESU for those versions is a limited program that ends in mid‑April 2026. Organizations not in ESU are being urged to migrate to Exchange SE or to Exchange Online.
- Exchange Online customers are already protected for the vulnerabilities fixed by these on‑prem SUs, but on‑prem management and hybrid servers must still be patched to avoid compatibility and hybrid trust problems.
- The SUs address multiple CVEs and internal hardenings — for example, several recent rollups explicitly reference elevation‑of‑privilege and spoofing CVEs that appeared in the MSRC listings. Administrators should review the Security Update Guide for CVE specifics for their builds.
Why this matters now — technical and operational context
For many organizations the problem is not just a standard kernel or parsing bug: hybrid Exchange scenarios involve two control planes (on‑prem and cloud) stitched together by service principals, certificates, and token flows. An on‑prem compromise that is carefully used to manipulate hybrid tokens can bypass cloud‑centric detection. That is why the hardening plan Microsoft has pursued is both patch‑level and architectural: apply updates, deploy a tenant‑scoped Dedicated Exchange Hybrid App, and perform a coordinated service principal clean‑up and credential rotation. CISA’s emergency directive and advisories underscore the severity of the potential impact and outline the same sequence recommended by Microsoft.
Operationally, this means organizations must coordinate patching, hybrid configuration changes, and credential rotation — doing the latter prematurely, or on only part of an estate, risks breaking Free/Busy, MailTips, and other hybrid “rich coexistence” features.
Detailed technical highlights administrators must verify
1) Which builds are covered (short checklist)
- Exchange SE: RTM — February SU available.
- Exchange 2019: CU14 and CU15 — SUs available under ESU.
- Exchange 2016: CU23 — SU available under ESU.
2) ESU rules and deadlines
- Exchange 2016 and 2019 are out of mainstream support; only organizations that purchased and enrolled in Microsoft’s ESU program are eligible to receive the SUs for those versions. ESU is a short-term bridge and not a long-term strategy.
3) Export of the Exchange Auth Certificate is blocked by design
- Recent SUs have disabled Export‑ExchangeCertificate for the Exchange “Auth Certificate” private key to reduce credential exfiltration risk. Microsoft now recommends using the MonitorExchangeAuthCertificate and Export‑PfxCertificate workflows for legitimate certificate rotation needs. This change has broken some automation that previously relied on Export‑ExchangeCertificate; review and update scripts accordingly.
4) SUs are cumulative — install the latest matching SU
- Microsoft’s servicing model for SUs is cumulative; install the latest SU that matches your installed CU and SKU. You do not need to apply every interim SU or HU sequentially.
Practical, prioritized operational runbook (recommended)
Apply this runbook to minimize risk and to avoid common functional breakage when applying the February SU.
- Inventory and triage (Day 0)
  - Run the Exchange Health Checker across every Exchange server and record exact CU/HU/SU build numbers and hybrid participation. Include management workstations that run Exchange Management Tools.
  - Identify internet‑facing endpoints (OWA/ECP/EWS) and servers that participate in hybrid features (Free/Busy, MailTips, profile photos).
- Pilot patch ring (Day 0–7)
  - Create a small pilot that reflects production: a mailbox server participating in hybrid lookups, an Edge/connector server, and a management workstation.
  - Apply the target CU (if required) and then the latest SU for that CU. Reboot and verify build numbers.
- Deploy the dedicated hybrid app (Day 3–21)
  - Use ConfigureExchangeHybridApplication.ps1 or the updated Hybrid Configuration Wizard (HCW) to create a tenant‑scoped dedicated Exchange Hybrid App in Entra ID (Azure AD).
  - Validate Free/Busy, MailTips, and other hybrid features in a pilot slice before proceeding to service principal cleanup. Microsoft’s HCW updates and the ConfigureExchangeHybridApplication script are the supported path.
- Service principal cleanup and credential rotation (after validation)
  - After all on‑prem servers are updated and the dedicated app is validated across the estate, run the Service Principal Clean‑Up Mode to remove legacy keyCredentials from the shared Microsoft service principal and rotate credentials for the tenant‑scoped app. Document the action and maintain roll‑back records.
- Update management tools and workstations
  - Update any servers or workstations running the Exchange Management Tools to the same SU/CU to preserve management compatibility. Do not leave mismatched management clients in place; they can cause operational issues.
- Post‑upgrade validation and monitoring
  - Re-run the Health Checker, validate hybrid flows, and test mail flow, OWA/ECP, and connectors. Use MonitorExchangeAuthCertificate to inspect Auth Certificate behavior. Harden log collection and centralize Exchange IIS and PowerShell logs in your SIEM for cross‑domain hunts.
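A triage script for the Day 0 inventory step and for the build checklist and cumulative‑SU rule above, written here as an added example; it is not code from Microsoft’s post or from the HealthChecker script. It assumes the Exchange Management Shell and Invoke-Command access to every server; the CU build prefixes in the table are from memory and must be confirmed against Microsoft’s published Exchange build‑number table, and the Get-HybridConfiguration property names are likewise assumed.

```powershell
# Added example (not from the Exchange Team Blog post). Run in the Exchange Management Shell.
# ASSUMPTION: the CU build prefixes below are recalled, not taken from the post; verify each against
# Microsoft's Exchange Server build-number table before trusting the Covered column.
$CoveredCu = @{
    '15.2.2562' = 'Exchange SE RTM'
    '15.2.1748' = 'Exchange 2019 CU15 (SU requires ESU enrollment)'
    '15.2.1544' = 'Exchange 2019 CU14 (SU requires ESU enrollment)'
    '15.1.2507' = 'Exchange 2016 CU23 (SU requires ESU enrollment)'
}

function Get-ExchangePatchTriage {
    # Hybrid participation: servers named in the hybrid configuration object are patched first.
    # ASSUMPTION: property names of the Get-HybridConfiguration object; check them on your build.
    $hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
    $hybridServers = @()
    if ($hybrid) {
        $hybridServers = @(@($hybrid.SendingTransportServers) + @($hybrid.ReceivingTransportServers) +
                           @($hybrid.EdgeTransportServers)) | ForEach-Object { "$_" }
    }
    foreach ($srv in Get-ExchangeServer) {
        # AdminDisplayVersion identifies the CU only; an SU bumps the file version of ExSetup.exe,
        # so read that on the box to record the real SU level (HealthChecker does the same).
        $v = $srv.AdminDisplayVersion
        $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
        try {
            $exSetup = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
            }
        } catch { $exSetup = "unreachable: $($_.Exception.Message)" }
        $role     = "$($srv.ServerRole)"
        $isHybrid = $hybridServers -contains $srv.Name
        $covered  = $CoveredCu[$cuKey]
        [pscustomobject]@{
            Server       = $srv.Name
            Role         = $role
            CU           = $cuKey
            ExSetupBuild = $exSetup
            Covered      = if ($covered) { $covered } else { 'NOT covered by Feb 2026 SU: update CU, enroll in ESU, or migrate' }
            Hybrid       = $isHybrid
            # Patch order per the post: hybrid-participating and Edge/connector servers first
            Priority     = if ($isHybrid -or $role -like '*Edge*') { 1 } else { 2 }
        }
    }
}

Get-ExchangePatchTriage | Sort-Object Priority, Server | Format-Table -AutoSize
```

Management workstations running only the Exchange Management Tools are not returned by Get-ExchangeServer, so add them to the inventory by hand.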
Compatibility caveats and gotchas
- DAGs and multi‑node deployments: patch mailbox servers one node at a time, let database replication converge, and follow standard DAG best practices to avoid failover surprises.
- Edge Transport and transport agents: some HUs/SUs have caused EdgeTransport.exe restarts for certain configurations; test Edge nodes early in the pilot.
- HCW re‑runs: re‑running the Hybrid Configuration Wizard with certain options can re‑upload certificates to the shared principal and re‑introduce legacy keyCredentials. Plan HCW re‑runs and cleanup actions carefully.
- Export‑ExchangeCertificate: scripts that previously exported the Exchange Auth Certificate private key will fail; update automation and backup processes to use supported methods.
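A post‑upgrade check for the Auth Certificate and the on‑prem‑to‑cloud OAuth path that the runbook’s validation step and the caveats above call for; it is an added example, not Microsoft’s MonitorExchangeAuthCertificate script. It assumes the Exchange Management Shell, a pilot mailbox substituted for the placeholder, and the standard worldwide Exchange Online EWS URL.

```powershell
# Added example (not from the Exchange Team Blog post or the MonitorExchangeAuthCertificate script).
# Run in the Exchange Management Shell after the SU is installed and after any HCW re-run.
$PilotMailbox = 'pilot.user@contoso.example'                      # PLACEHOLDER: a real on-prem pilot mailbox
$CloudEwsUri  = 'https://outlook.office365.com/ews/exchange.asmx'  # ASSUMPTION: worldwide cloud endpoint

function Test-HybridAuthPosture {
    # The on-prem/cloud OAuth trust is anchored on the certificate referenced by Get-AuthConfig; every
    # non-Edge server must hold that exact certificate, or token issuance fails on the servers that lack it.
    $auth     = Get-AuthConfig
    $expected = $auth.CurrentCertificateThumbprint
    $servers  = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -notlike '*Edge*' }

    $perServer = foreach ($srv in $servers) {
        $cert = Get-ExchangeCertificate -Server $srv.Name -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $expected }
        [pscustomobject]@{
            Server        = $srv.Name
            AuthCertFound = [bool]$cert
            NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
            # 30-day lead time is an operational choice for this example, not a Microsoft threshold
            RenewSoon     = if ($cert) { $cert.NotAfter -lt (Get-Date).AddDays(30) } else { $null }
        }
    }
    $perServer | Format-Table -AutoSize

    if ($auth.NextCertificateThumbprint) {
        # A staged "next" certificate means a rotation is pending; per the FAQ, re-run the HCW once the
        # Auth Certificate changes so the new public key reaches the tenant-scoped hybrid app.
        Write-Warning ("Next Auth Certificate {0} becomes effective {1}; schedule an HCW re-run after that date." -f
            $auth.NextCertificateThumbprint, $auth.NextCertificateEffectiveDate)
    }

    # End-to-end check: an OAuth-authenticated EWS call from on-prem to Exchange Online. A failure here after
    # patching usually points to a certificate mismatch above or a pending HCW re-run, not to the SU itself.
    Test-OAuthConnectivity -Service EWS -TargetUri $CloudEwsUri -Mailbox $PilotMailbox
}

Test-HybridAuthPosture
```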
Detection, hunting, and incident response priorities
If you suspect compromise, treat the event as high‑impact due to the potential cloud escalation vector:
- Preserve volatile evidence (memory, Exchange process dumps, IIS and PowerShell logs) and isolate the host.
- Hunt for anomalous EWS requests, unexpected token issuance originating from on‑prem systems, and unusual service principal activity in Entra ID.
- Correlate on‑prem IIS/w3wp logs, Exchange audit logs, and Entra ID logs in a centralized SIEM to detect stealthy hybrid abuse patterns.
- If compromise is confirmed: isolate, rotate service and admin credentials (both on‑prem and in Entra ID), and engage forensic partners; do not clean up shared principals until you have validated remediation steps and are certain all on‑prem servers have been updated. (Source: CISA, “Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments”, cisa.gov.)
CVE and technical detail summary (what SUs address)
Strategic considerations: ESU, migration, and long‑term posture
- ESU is temporary: Exchange 2016 and 2019 public support ended; ESU provides a strictly time‑limited paid window for security fixes and is not a long‑term strategy. Organizations should plan migration to Exchange SE or Exchange Online as the durable path forward. The ESU window for these versions is explicitly time‑boxed and has firm deadlines that were communicated during Microsoft’s lifecycle announcements.
- Migrate sooner, not later: Staying on EOL products even with ESU is a compliance and operational risk. For regulated industries with long change windows (healthcare, government), treat ESU as a runway to complete migration rather than a replacement for a migration plan.
- Modern lifecycle option: Exchange Server Subscription Edition (SE) is Microsoft’s on‑prem lifecycle path; it receives ongoing SUs and aligns better with Microsoft’s hybrid/security guidance. If you must remain on‑prem for regulatory or technical reasons, migrate to SE and adopt a stay‑current update cadence.
Quick FAQ (concise operational answers)
- Do I need to install the February SU if my last SU was several months old?
- No — SUs are cumulative. Install the latest SU that matches your installed CU/SKU; you do not need every intermediate SU.
- My organization is hybrid with Exchange Online — what must we do?
- Exchange Online is already protected, but you must install the SU on your on‑prem Exchange servers and any systems running Exchange Management Tools. Re‑run the HCW if you change the Auth Certificate after installing the SU.
- We’re not in the ESU program and we run Exchange 2016/2019 — where do we get the updates?
- Only organizations enrolled in ESU may receive SUs for Exchange 2016/2019. If you’re not enrolled, migrate to Exchange SE or Exchange Online to continue receiving security fixes. Microsoft made this explicit in the KB guidance.
Critical analysis — strengths, risks, and the hard tradeoffs
Strengths
- Microsoft’s approach is comprehensive: patches plus architectural changes (tenant‑scoped dedicated hybrid app) materially reduce the shared‑principal attack surface. The combination of updates, tooling (HCW, ConfigureExchangeHybridApplication.ps1), and guidance from national CERTs creates a prescriptive path for remediation.
- Cumulative SUs simplify operational patching: installing the latest SU gives you all prior hardenings for the CU/SKU, lowering the sequencing burden for emergency rollouts.
Risks and tradeoffs
- Sequencing and scale: the mitigations require coordination. Credential rotation and service principal cleanup done in the wrong sequence or without full patch coverage can break hybrid features and cause business impact. Large distributed estates are at highest risk.
- Automation breakage: hardenings such as blocking Export‑ExchangeCertificate will break scripts and backup routines that previously relied on exporting private keys. Review and update automation before large‑scale rollout.
- ESU dependency: organizations that delay migration and depend on ESU face increasing risk and a fixed deadline; ESU is finite and not a substitute for a migration plan.
- Microsoft and government agencies stated there were no known widespread active exploitations for the specific February SUs at publication time. That claim is time‑sensitive and can change; treat claims about “no active exploitation” as transient and verify with telemetry before deprioritizing remediation.
Checklist: immediate actions (top‑of‑page, for SOC / IT ops)
- [ ] Inventory all Exchange servers and management workstations; capture CU/HU/SU build numbers.
- [ ] Prioritize internet‑facing and hybrid‑participating servers.
- [ ] Deploy the February 2026 SU to a tested pilot ring for the applicable CU/SKU.
- [ ] Update management workstations running Exchange Management Tools.
- [ ] Create and validate the Dedicated Exchange Hybrid App using HCW/ConfigureExchangeHybridApplication.ps1; do not clean the shared principal until validation is complete.
- [ ] Rotate credentials only after the estate is validated and fully patched; preserve logs and have an incident‑response checklist ready in case anomalies are detected.
Patching alone is necessary but not sufficient: this month’s SU is part of a wider, architecture‑level remediation that requires coordinated patching, hybrid reconfiguration, credential rotation, automation updates, and focused detection. Treat February 2026’s exchange SUs as an immediate operational priority, sequence changes carefully, validate in pilot rings, and accelerate migrations off unsupported builds — the technical risk for hybrid estates depends more on how these updates and cleanup actions are executed than on the single act of installing the SU.
Source: Microsoft Exchange Team Blog Released: February 2026 Exchange Server Security Updates | Microsoft Community Hub