No Exchange Server Security Updates for January 2026 — What on‑premise Exchange admins need to know and do now
On January 13, 2026 Microsoft’s Exchange Team published a short but important bulletin: there are no security releases for any version of Exchange Server in January 2026. The post also reiterated that, because some customers purchased the Exchange 2016/2019 Extended Security Update (ESU) and because the ESU period runs through April 2026, the team will post an explicit update each month even when nothing is being released. This article unpacks what that announcement means, explains the current support/ESU timeline and the risks of remaining on end‑of‑support (EoS) servers, and — most importantly — gives a practical, prioritized checklist you can act on this week and into Q1 2026.Contents
- Quick summary for decision makers
- Timeline and status (exact dates you need)
- What “no security releases this month” actually means (operational impact)
- Risk assessment: EoS Exchange and mitigations you should enforce now
- Action checklist (Immediate, Next 30 days, Migration window)
- ESU: what it is, how it works, and limits you must accept
- Upgrade / migration recommendations (Exchange SE and cloud options)
- Short conclusion and prioritized next steps
Quick summary for decision makers
- Microsoft has confirmed there are no Exchange Server security releases for January 2026 (applies to Exchange SE and to customers on the Exchange 2016/2019 ESU program).
- Exchange Server 2016 / 2019 reached end of support in October 2025; Microsoft offered a one‑time, paid 6‑month ESU option that runs through April 14, 2026. This ESU is limited (security updates only, only if needed) and will not be extended.
- Microsoft continues to advise customers to move to Exchange Server Subscription Edition (Exchange SE) or to cloud alternatives — upgrades are the supported path.
Timeline and status — exact dates to note
- October 14, 2025 — Exchange Server 2016 and Exchange Server 2019 reached end of support. (EoS already in the past.
- August 1, 2025 — Microsoft began offering a paid 6‑month Extended Security Update (ESU) program for Exchange 2016/2019 (customers must arrange with their Microsoft account team).
- April 14, 2026 — ESU program validity ends (no extensions). If you purchased ESU, it covers Critical and Important security updates only during this six‑month window and only when Microsoft issues them.
- January 13, 2026 — Microsoft posted that there are no Exchange Server security updates for January 2026. The Exchange Team will continue to announce each month until ESU ends even if there are no releases.
What “no security releases this month” actually means
A plain reading is simple: Microsoft did not identify any new Critical or Important security issues in Exchange Server that require an update distribution for January 2026, so no SU (security update) package will be released for any on‑prem Exchange channel this month — whether Exchange SE or ESU customers. Microsoft has said it will explicitly confirm (each Patch Tuesday) whether an update was supplied to ESU participants; in months where no security issues meet their threshold, there will be no update. Operational consequences:- If you expected a monthly update cadence and planned to install a Patch Tuesday exchange SU, there is nothing to install this month. (Continue routine non‑security maintenance if required.
- “No update” is not “no risk”; it just means Microsoft did not ship a new fix for Exchange this Patch Tuesday. Threat actors can still probe or exploit known vulnerabilities, and previously released vulnerabilities remain relevant especially for EoS software. See the risk and mitigation section below.
Risk assessment — why you must treat EoS/ESU systems as high priority
Why be concerned even when no new patches are released?- EoS software receives diminishing attention and fewer protections compared with in‑support products. Critical support (helpdesk, troubleshooting) may be restricted; ESU only covers security updates published under the limited ESU program and does not restore full support.
- Attackers continue to weaponize Exchange vulnerabilities because on‑prem Exchange servers are high‑value targets (access to mailboxes, forwarding rules, privileged accounts). Recent government advisories and industry reports reiterate that legacy Exchange deployments are attractive targets — the U.S. CISA/National Security Agency guidance highlights restricting admin access, enforcing MFA, and other compensations for on‑prem Exchange risk reduction.
- ESU customers may not receive updates every Patch Tuesday — Microsoft will only publish ESU updates if a Critical/Important issue is discovered and fixed. ESU is a short bridge; plan to complete migration before ESU expiry.
Action checklist (prioritized)
Below is a practical plan: "What to do today", "This month", and "Through April 2026".A. Immediate (today / within 48 hours)
- Confirm whether you run any Exchange 2016/2019 servers (and whether they are EoS), or Exchange SE. Record build and CU levels. (For each server, capture: OS, Exchange build (CU), internet exposure, management interfaces, last backup timestamp and location.
- If you need a quick command to confirm Exchange version (run on an Exchange Management Shell):
- Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
(Document results in your change/CMDB system. - Verify whether you have ESU enrollment for any servers. ESU is not automatic — it must be purchased and coordinated with your Microsoft account team. If you don’t have ESU, you cannot receive ESU‑only patches.
- Lock down access to Exchange administrative endpoints:
- Restrict RPC/WinRM/PowerShell/OWA/ActiveSync/EWS to known management IPs and VPN networks; do not expose management interfaces to the public Internet.
- Ensure management and admin accounts use MFA and only the minimum number of admin accounts exist. (CISA recommends restricting administrative access and enforcing MFA.
- Verify offline backups and test restore procedures. Ensure you can recover mailboxes and full server images to a known good restore point.
- Apply non‑Exchange (host/OS) patches and firmware updates — OS-level vulnerabilities are commonly exploited to pivot to Exchange. Keep Windows Server fully patched where possible.
- Harden perimeter and detection:
- Ensure logging/collection for Exchange audit logs, mailbox audit logging, and IIS logs are flowing to your SIEM. Increase retention for recent logs.
- Confirm endpoint detection and response (EDR) is monitoring Exchange servers.
- Tune IDS/IPS and EDR to watch for common Exchange exploit indicators (unauthorized OWA logins, webshell patterns, abnormal Post/PUT to OWA/EWS, mailbox forwarding rules changes).
- Review mail flow rules and connectors for misconfigurations or persistent forwarding rules that may indicate compromise.
- Scan internal hosts (credential hygiene) — ensure domain admin credentials and Exchange service account credentials are rotated if suspicious activity is found. Implement just‑in‑time admin where possible.
- Finalize migration plan and schedule to Exchange SE (on‑prem) or to Exchange Online where appropriate. Microsoft recommends upgrading organizations to Exchange SE; it is the supported path for on‑premise customers.
- If you purchased ESU: verify your process for receiving ESU updates and confirm patching procedures for ESU packages (Microsoft will only confirm availability to ESU participants on Patch Tuesday). Budget and resourcing should assume the ESU window ends April 14, 2026.
- Conduct a threat hunt: look for IOCs from 2024–2025 Exchange exploitation campaigns (webshells, abnormal scheduled tasks, service account misuse) and remediate any persistence found.
- Complete migration/upgrade prior to April 14, 2026. Do not plan to run EoS servers past ESU expiry — there will be no more security updates after that date.
- If migration isn’t possible before April 14, plan compensating controls: aggressive network isolation, jump‑box admin model, enhanced monitoring, and rapid incident response playbooks.
ESU explained (what it covers and its limits)
If you’re still evaluating ESU: here’s the concise, precise explanation you must share with procurement and legal teams.- What ESU is: a one‑time, paid, six‑month Extended Security Update program for Exchange Server 2016 and 2019 meant only as a migration bridge; it is not an extension of lifecycle support. Enrollment began August 1, 2025 and updates are provided to enrolled customers only.
- What ESU is NOT: it does not restore full Microsoft product support, it does not guarantee monthly updates, and it will not be extended beyond April 14, 2026. Microsoft explicitly warned that it may not release any updates during the ESU window if none are required.
- How updates are delivered: Microsoft confirms on Patch Tuesday whether an update was issued and will provide ESU customers access to that ESU update package if one was produced. If no ESU update is produced, no patch is available for that month.
- Practical implication: ESU is strictly a last‑resort stopgap — treat it as such in budgeting and migration planning.
Upgrading to Exchange Server SE (on‑prem) — why it matters
Microsoft’s guidance for customers running Exchange on‑prem says the supported migration path is to Exchange Server Subscription Edition (Exchange SE). Exchange SE uses a modern lifecycle model and will continue to receive updates under that lifecycle; Microsoft encourages organizations to upgrade rather than rely on ESU. If you have not already started upgrading from 2016/2019 to SE, plan to do so as a priority. Practical notes:- Exchange SE is designed to be compatible with roles and architecture from Exchange Server 2019; planning often centers on testing in a lab, checking third‑party integrations (archive, backups, antivirus), and validating in‑place upgrade paths or co‑existence strategies as appropriate.
- If you run third‑party mail gateways or archival tools, confirm vendor compatibility with Exchange SE before upgrading.
Consider cloud migration (Exchange Online) as a high‑priority option
For many organizations, migrating mailboxes and mail flow to Exchange Online reduces attack surface and eliminates the on‑prem patching burden. Cloud services receive continuous security updates and are often the best long‑term option for organizations that can accept a SaaS model. If cloud migration is in your roadmap, accelerate planning and pilot migrations (mailbox moves, identity integration with Azure AD, hybrid coexistence testing).(You’ll need separate planning for identity (Azure AD Connect, hybrid MFA), network (mail routing and MX), and compliance (retention, eDiscovery) during any move.
What to tell leadership (one‑page executive summary)
Bullet points you can present to managers or CISOs:- Microsoft: “No Exchange Server security updates for January 2026.” (Published Jan 13, 2026.
- Exchange 2016/2019 are EoS (Oct 14, 2025) — Microsoft provided a limited 6‑month ESU through April 14, 2026 (paid; limited scope). ESU is not a long‑term solution.
- Risk posture: EoS Exchange servers are a higher‑risk asset. Until migration/upgrade is complete, apply strict network isolation, enforce MFA for admin accounts, harden and monitor Exchange servers, and validate backups and recovery.
- Immediate ask: confirm your inventory and ESU status within 48 hours; present a concrete migration timeline for each remaining Exchange server (ideally completed before April 14, 2026).
Example operational playbook (concise)
- Inventory and evidence (Day 0): list servers, CUs, ESU purchase status, exposures. (Documented.
- Lockdown (Day 0–2): block public IPs to admin endpoints, enforce MFA, restrict L3 access, disable unused services.
- Backups & test restores (Day 1–7): full VM/image backup and mailbox restore tests.
- Detection & hunt (Day 2–14): run hunts, increase log retention, monitor for IOCs.
- Plan & schedule migration (Day 7–45): allocate resources, create test and production migration windows, get vendor sign‑off, pilot test a small user group.
- Migrate, validate, decommission (Day 45–90+): monitor post‑migration for mail flow and AAD sign‑in anomalies. Remove decommissioned Exchange servers from the network and domain once validated.
Where to find Microsoft’s official notices (for your team)
Microsoft is publishing Exchange Team blog posts with monthly updates about Exchange security releases — the Exchange Team will continue making an explicit announcement even for months with no releases until the ESU program ends. The January 13, 2026 “no updates” bulletin is the latest example. For ESU details and enrollment, reference Microsoft’s ESU announcement and the Exchange team blog series that explain the program and limitations; procurement and account teams must coordinate with Microsoft to purchase ESU.Final notes and prioritized next steps (do these this week)
- Inventory and confirm ESU status for any Exchange 2016/2019 server (48 hours).
- If any Exchange servers are internet‑exposed for management, immediately isolate or firewall them to management networks only. (Do not leave admin ports exposed.
- Validate backups and run at least one full-mailbox restore test (7 days).
- Prepare a migration schedule with target dates per server/application owner; aim for completion before April 14, 2026 (ESU expiry).
- Keep monitoring Microsoft’s Exchange Team blog each Patch Tuesday for update/no‑update notices (the team will continue monthly confirmations while ESU runs).
If you want, I can:
- Produce a one‑page slide (PDF) for leadership summarizing the dates, risks, and the migration ask.
- Generate a prioritized checklist file (CSV or ticket template) you can import to your ITSM system to track each Exchange server, ESU status, migration owner, and target date.
- Walk through a short PowerShell snippet to enumerate Exchange build levels and export the inventory.
Source: Microsoft Exchange Team Blog No Exchange Server Security Updates for January 2026 | Microsoft Community Hub
