Period 2 ESU for Exchange 2016/2019: New Contract for May–Oct 2026

Microsoft is preparing a second round of paid breathing room for organizations still running Exchange Server 2016 and Exchange Server 2019, but the message behind the new Period 2 ESU program is unmistakable: the company wants customers off these older builds as quickly as possible. The updated arrangement covers May through October 2026, requires a fresh purchase even for customers who already bought the first ESU window, and is framed as a final, non-renewable bridge to Exchange Server Subscription Edition. It is less a sign of wavering than a controlled taper — one more explicit concession to migration reality before Microsoft shuts the door.

Overview​

The chronology matters here because it shows how carefully Microsoft has staged the transition. Exchange Server 2016 and 2019 reached end of support on October 14, 2025, after years of warning customers that the old cadence was ending and that Exchange Server Subscription Edition (SE) would take over as the evergreen on-premises option. Microsoft first offered a six-month ESU window beginning in August 2025 and lasting through April 14, 2026, explicitly saying the period would not be extended. Now, on April 15, 2026, the company has reversed that specific promise only in the narrowest possible way: a separate Period 2 contract, running from May to October 2026, with no further extension afterward. (techcommunity.microsoft.com)
That distinction between extension and new contract is more than legal housekeeping. Microsoft is signaling that it does not want customers to see ESU as a support lifecycle replacement. The company has repeatedly said Exchange 2016 and 2019 are out of support, that support cases generally remain closed except for problems directly tied to an ESU update, and that security fixes are only available if Microsoft actually decides a Critical or Important issue warrants release. The first ESU period already established that pattern; the second period simply formalizes it for the customers who still need time. (techcommunity.microsoft.com)
The broader context is Exchange SE itself. Microsoft released Exchange Server Subscription Edition on July 1, 2025, and positioned it under the Modern Lifecycle Policy, which means there is no fixed end date so long as customers stay current. That is the product Microsoft wants enterprises to move to, whether they remain on-premises, run hybrid, or are still connecting to Microsoft 365 in some fashion. SE is not a side project or a dead-end version; it is the new platform around which the on-premises Exchange roadmap is now built. (support.microsoft.com)
The result is an unusual support story. Microsoft has an old product line that is officially dead, a new product line that is intended to be evergreen, and a temporary ESU bridge that now comes in two paid phases. That combination is likely to frustrate some administrators, but it also reflects a hard truth in enterprise messaging: migrations are rarely completed on schedule, even when the vendor has been warning for years. The new program is Microsoft’s way of monetizing that delay while still applying pressure to finish the move. That is the story in one sentence.

What Changed in Period 2​

The most important change is that Period 2 is not automatically continuous with Period 1. Microsoft says customers who want coverage from May 2026 through October 2026 must re-purchase ESU, even if they were already enrolled in the earlier window. That means organizations cannot simply sit on the existing arrangement and expect it to carry forward. If they want the new six months, they need a new contract and a fresh purchasing action through their Microsoft account team.

A separate contract, not a silent rollover​

That separation matters for procurement, budgeting, and compliance. It makes the second phase easier for Microsoft to track, easier to price, and easier to end without ambiguity. It also prevents customers from assuming they have already “bought time” once and are therefore entitled to an automatic continuation. In enterprise software terms, Microsoft is turning delay into a series of discrete commercial decisions rather than a single open-ended grace period.
The second major change is timing. Any ESU purchase made starting April 15, 2026 is automatically treated as Period 2, and updates released under that arrangement will apply only from May through October 2026. Microsoft says the old access instructions will not work for ESU updates released after April 2026, which suggests a separate distribution path and fresh participant instructions. That is the sort of operational detail that can trip up admins if they assume the process is identical to Period 1.
Microsoft also repeats an important limitation: it is not committing to release monthly security updates during Period 2. Exchange Server does not receive SUs every Patch Tuesday unless Microsoft believes there are Critical or Important security product changes to address. In other words, customers are buying the possibility of updates, not a guaranteed monthly stream. That makes ESU a security insurance policy rather than a service promise. That nuance is easy to miss, but it is the core of the offer. (techcommunity.microsoft.com)

What remains the same​

The supported server baselines remain unchanged. Microsoft says Period 2 will cover Exchange Server 2016 CU23 and Exchange Server 2019 CU14/CU15. That tracks with the company’s prior guidance, and it tells us exactly which environments are still eligible without requiring a broader servicing rethink. It is a tightly bounded bridge, not a rehabilitation of every legacy deployment ever created.
The update delivery model also stays private. Microsoft says updates released under Period 2 will be provided only to enrolled ESU customers, not through the public Download Center or Windows Update. There are no special licenses or keys in the Microsoft 365 admin center or Volume Licensing workflows; instead, the account team supplies the information needed to obtain the updates. That controlled distribution keeps the program narrowly scoped and reinforces its role as a premium stopgap. (techcommunity.microsoft.com)

Why Microsoft Is Doing This​

On the surface, Microsoft’s decision looks like a concession to customer reality. Some organizations simply did not finish their migrations by April 2026, whether because of technical debt, change control, budget timing, third-party dependencies, or the sheer complexity of hybrid Exchange estates. But the company’s wording is almost comically blunt about its own preference: it says, in effect, that it would rather not sell Period 2 to anyone and that customers should migrate instead. That is rare candor for a vendor announcement, and it tells us the ESU is being offered because the alternative would be leaving a subset of customers completely unprotected.

Commercial pragmatism over ideology​

The commercial logic is straightforward. Microsoft gets to avoid a cliff-edge moment where an unfinished migration becomes an immediate security liability for too many enterprises at once. At the same time, it preserves the strategic pressure to move to Exchange SE, which is the platform the company wants customers standardizing on for the future. It is a classic example of pragmatic enforcement: help the laggards, but do not normalize the delay. (support.microsoft.com)
There is also a risk-management angle. Exchange remains a high-value target because it sits at the center of enterprise identity, email, calendaring, and often authentication workflows. Microsoft has spent years hardening the platform and warning administrators that staying on unsupported releases is dangerous. By offering a second ESU phase, the company can reduce the chance that a large population of customers will remain exposed on unpatched systems while still on-premises. That is not altruism; it is containment. (learn.microsoft.com)
The ESU approach also acknowledges a reality Microsoft cannot fully wish away: many customers still need on-premises Exchange, even if only as a management or coexistence layer in hybrid environments. Microsoft’s own end-of-support roadmap continues to advise migration to Exchange SE or Microsoft 365, but it also recognizes scenarios in which organizations keep at least one Exchange server to manage recipients when Microsoft Entra Connect and on-premises AD remain the source of authority. That means the end state is not always “all cloud, all the time,” and the transition path has to accommodate hybrid operations. (learn.microsoft.com)

Who Period 2 Is For​

Microsoft says the program is intended for customers with a Microsoft Enterprise Agreement who still cannot complete the move to Exchange SE by the end of April 2026. That qualification is important because it narrows the audience to organizations large enough to have formal enterprise procurement and likely enough internal complexity to justify the delay. This is not a consumer-facing safety net and not a blanket offer for anyone still running Exchange 2019 in a corner.

Enterprise, not SMB, reality​

That emphasis on enterprise agreements suggests Microsoft views the remaining problem as one of scale and governance, not lack of awareness. These are customers with change freezes, compliance review cycles, mail-flow interdependencies, and often multiple business units pulling in different directions. They are the organizations that did hear the warnings, but could not always act fast enough to align infrastructure, security, and operational sign-off. (techcommunity.microsoft.com)
The program also targets specific supported versions. Microsoft repeatedly references Exchange 2016 CU23 and Exchange 2019 CU14/CU15, which means eligibility is tied to a known, maintained baseline. That detail matters because it limits support sprawl and keeps the ESU program from becoming a general-purpose patching service for arbitrary old builds. It is a boundary, and Microsoft is making sure the boundary is visible. (techcommunity.microsoft.com)
For organizations that are already running Exchange SE, the practical impact is different. They are not the target audience, although they may still care because the ESU program’s existence is a reminder that Microsoft is still cleaning up the transition from the legacy generation to the subscription-era platform. In a sense, Period 2 is a signal to the whole market that the cutover is not complete until the last legacy deployments are gone. That signal is as important as the updates themselves. (support.microsoft.com)

What Period 2 Means for Security Operations​

The security posture of a Period 2 customer is still fundamentally weaker than that of a fully supported Exchange SE deployment. Microsoft is explicit that the ESU does not restore support lifecycle status, does not open the door to regular support cases, and does not imply there will be monthly fixes. If a Critical or Important issue emerges, Microsoft may release a private SU to ESU customers; if not, there is nothing to deploy. That is better than silence, but it is not the same as being on a fully serviced platform. (techcommunity.microsoft.com)

Patch Tuesday without certainty​

The strange thing about ESU is that it creates an expectation of monthly rhythm while still preserving Microsoft’s discretion. The company says it will confirm with participants each Patch Tuesday whether a security update was provided, even if the answer is no. That means operations teams must watch the channel every month, document the status, and remain ready to apply a release if one exists. In other words, Patch Tuesday becomes a check-in process rather than a guaranteed patch cycle. (techcommunity.microsoft.com)
There is also a messaging risk in the way the program interacts with Microsoft’s broader security posture. In October 2025, the company said the last publicly available Exchange 2016 and 2019 SUs had been released, and that only ESU customers would receive future updates. Then in 2026, it continued posting monthly notices even when no updates were issued. This pattern is useful for transparency, but it may also encourage some organizations to treat ESU as a comfortable waiting room rather than a ticking clock. (techcommunity.microsoft.com)
One important operational nuance is that customers blocked or throttled when sending to Exchange Online should not assume ESU is their fix. Microsoft says those problems generally indicate servers that are roughly a year out of date, and that installing the October 2025 public updates is sufficient to resolve the immediate throttling issue. That means some organizations can fix operational friction without waiting for ESU, though they still remain out of support and should migrate.

How This Compares to the Original ESU Window​

The first ESU phase was already framed as temporary and limited. Microsoft announced it in July 2025, said it would begin on August 1, 2025, and stated that it would last only six months, ending in April 2026. It also made clear from the outset that customers should not rely on the program and should instead upgrade to Exchange SE. In that sense, Period 2 does not represent a philosophical shift; it is a continuation of the same migration strategy under fresh dates. (techcommunity.microsoft.com)

Same model, new invoice​

The mechanics are largely unchanged. Access is still controlled through Microsoft account teams, and the updates remain private rather than public. The company still says no support cases are available for ordinary end-of-support issues, and the ESU still covers only Critical and Important security changes that Microsoft decides are necessary. The only real difference is that the bridge now has a second segment attached to it. (techcommunity.microsoft.com)
That extra segment tells us something about migration behavior. If Microsoft had seen enough customers complete the move by April 2026, it would not need a second ESU contract. The new period suggests that some enterprises underestimated the complexity of moving from Exchange 2016/2019 to SE, or that procurement and change windows simply did not align in time. Delayed migrations are rarely caused by a single problem; they are usually a stack of small ones. (techcommunity.microsoft.com)
It is also worth noting that Microsoft has already hinted that Exchange SE will tighten coexistence rules. The company said that with Exchange SE CU2, installation will block if any build of Exchange 2016 or 2019 is present in the organization. That creates a hard line for hybrid environments and further strengthens the case that ESU is a temporary escape hatch, not part of the intended steady state. (techcommunity.microsoft.com)

Enterprise Migration Reality Check​

From a migration-planning perspective, Period 2 should not be read as permission to stall. It is more accurately a deadline extension with a fee attached. Enterprises that use the extra six months wisely can complete mailbox moves, retire legacy dependencies, test coexistence constraints, and reduce the chances of a last-minute disruption. Enterprises that use it passively may find themselves in October 2026 facing the same problem again, only without another Microsoft-sanctioned bridge.

What smart teams will do with the extra time​

The best-case scenario is straightforward. Teams will use the new period to finish the inventory of every remaining Exchange dependency, decide whether the end state is cloud, hybrid, or SE on-premises, and eliminate any tooling that still assumes legacy builds will remain patchable indefinitely. That is boring work, but it is the work that prevents emergencies. In infrastructure, boring is usually good. (learn.microsoft.com)
A more disciplined team will also validate backup, restore, certificate, and management tooling against SE now rather than later. Microsoft has already made some security-related changes in the Exchange update stream, including restrictions around exporting the Auth Certificate private key starting with the October 2025 SU. Those kinds of changes are reminders that legacy habits may no longer survive a modern servicing cadence. (techcommunity.microsoft.com)
The weakest response would be to treat Period 2 as a comfort blanket. That would be a mistake because the program is explicitly finite, explicitly non-renewable, and explicitly limited to the last supported baseline set Microsoft is willing to cover. The end of October 2026 is not just a date; it is a hard stop. After that, there is no announced third window.

The Competitive and Market Implications​

The competitive impact of this announcement is subtle but real. Microsoft is reinforcing a broader market message that on-premises messaging is still viable, but only if customers accept the subscription model and the modern lifecycle framework. Exchange SE is the anchor product, ESU is the bridge, and everything else is legacy. That framing protects Microsoft from the accusation that it is forcing an abrupt cloud-only future, while still steering customers toward a controlled end state. (support.microsoft.com)

Hybrid stays relevant, but legacy does not​

For cloud rivals, this is both a challenge and an opportunity. Exchange Online remains the destination Microsoft most consistently recommends for full mailbox migration, but some enterprises are not ready to abandon on-premises infrastructure. By keeping a supported on-premises path alive through SE, Microsoft reduces the appeal of third-party mail systems that promise continuity without the same migration pressure. At the same time, the company continues to make clear that old Exchange versions are not a safe harbor. (learn.microsoft.com)
The market also learns something from the existence of ESU itself. Microsoft only creates paid security bridges when it believes the installed base is large enough and valuable enough to justify the process. That implies Exchange 2016 and 2019 remain widely deployed in serious enterprise environments, especially where mail flow, compliance, and directory integration make replacement difficult. The extra ESU period is therefore not just a product decision; it is a map of customer inertia. (techcommunity.microsoft.com)
One could argue that the recurring ESU pattern normalizes delayed modernization, but Microsoft tries to counter that by repeatedly tying the offer to critical and important security coverage only, not to broad operational support. That distinction preserves the incentive to move forward while acknowledging that some customers need a little more runway. It is a compromise, not a capitulation. (techcommunity.microsoft.com)

Strengths and Opportunities​

The strongest aspect of Period 2 is that it lowers the odds of a sudden security gap for organizations that are genuinely close to finishing migration but need a little more time. It also gives administrators a more predictable window to plan cutovers, freeze management changes, and close out the last legacy dependencies without panic. Microsoft’s insistence on a hard stop in October 2026 keeps the program from turning into a permanent escape hatch, which is probably the right balance.

• It buys time for unfinished but active migrations.
• It preserves Critical and Important security coverage during the bridge period.
• It reduces pressure on teams managing complex hybrid estates.
• It keeps Exchange SE as the clearly preferred end state.
• It gives procurement and operations a defined, finite planning window.
• It may help avoid risky “do nothing” behavior in late-stage projects.
• It encourages disciplined cleanup before the final deadline. (techcommunity.microsoft.com)

Risks and Concerns​

The biggest risk is that customers may misread the second ESU as a signal that they can keep postponing migration. That would be a dangerous inference because Microsoft has not changed the underlying status of Exchange 2016 or 2019: they remain out of support, and support cases are still constrained. There is also a risk that administrators will assume monthly security fixes are guaranteed when Microsoft has very clearly said they are not. (techcommunity.microsoft.com)

• The program could encourage further delay instead of action.
• Customers may assume updates are monthly and automatic.
• The separate contract may complicate procurement and budgeting.
• Some organizations could mis-handle update access after April 2026.
• Security teams may overestimate the value of ESU compared with SE.
• Hybrid environments may remain exposed to configuration drift.
• The hard end date could create a new crunch in late 2026. (techcommunity.microsoft.com)

There is also a communications issue. Microsoft has now published a steady stream of “no updates this month” posts for Exchange Server, which is helpful for transparency but may create confusion about what exactly customers are paying for. If no SU is released, the value proposition is largely one of optionality and reassurance, not a visible monthly deliverable. That is a valid model, but it is not always easy to explain to executives who expect a patch in exchange for a fee. That gap between expectation and reality is where support frustration usually starts. (techcommunity.microsoft.com)

Looking Ahead​

The next few months will show whether Period 2 is primarily a last-mile safety net or the beginning of a prolonged cleanup phase. If Microsoft continues to publish monthly notices, customers will be able to see whether actual Exchange security updates are being produced, but the broader strategic direction will not change: the company wants the installed base on Exchange SE or off legacy Exchange entirely. The program’s finite duration is the clearest clue of all.

Signals to watch​

• Whether Microsoft releases any Period 2 security updates at all.
• How many enterprises publicly discuss late migration pressure.
• Whether support and throttling policies evolve for stale Exchange builds.
• Whether Exchange SE coexistence rules become even stricter.
• How quickly account teams move Period 2 purchases through enterprise channels.
• Whether Microsoft adds more guidance for hybrid administrators before October 2026. (techcommunity.microsoft.com)

For now, the message is simple even if the program mechanics are not. Microsoft is willing to sell another six months of security coverage, but only because it believes a small cohort needs it and because the alternative would be leaving those systems exposed. The company has also made it plain that this is the last bridge, not the start of a new road. The real destination remains Exchange SE, Microsoft 365, or decommissioning the old servers altogether. (techcommunity.microsoft.com)
Microsoft’s Period 2 ESU announcement is therefore best understood as a final act of transitional realism. It acknowledges the messy pace of enterprise migration while preserving the strategic pressure to modernize, and it does so with unusually direct language about what it is — and what it is not. For Exchange administrators, the safe reading is not “we got more time,” but “we got a little more time, and we should use every day of it to finish the move.”

---

Source: Microsoft Exchange Team Blog Announcing Period 2 Exchange 2016/2019 Extended Security Update (ESU) program | Microsoft Community Hub