As of October 14, 2025, Microsoft has officially ended all support for Exchange Server 2016 and Exchange Server 2019. This means both products will no longer receive security updates, bug fixes, or technical support, leaving unpatched systems vulnerable to exploitation.
The company urges administrators to migrate to Exchange Online or adopt the new Exchange Server Subscription Edition (SE) to ensure business continuity and compliance.
Unsupported Exchange Servers Are Easy Targets
Without ongoing security patches, Exchange 2016 and 2019 servers have become high-value targets for threat actors. Historically, attackers exploited Exchange zero-days such as ProxyLogon, ProxyShell, and ProxyNotShell to deploy web shells, exfiltrate emails, and steal credentials.
Now, unpatched on-premises servers will remain permanently vulnerable. Microsoft warns that continuing to operate unsupported versions exposes organizations to compliance violations under GDPR, HIPAA, and PCI-DSS frameworks.
Organizations relying on on-premises Exchange now have two main migration options:
1. Migrate to Exchange Online (Microsoft 365)
Microsoft recommends this route for most enterprises, offering continuous updates, built-in spam filtering, and strong authentication. Exchange Online integrates natively with Microsoft Entra ID (Azure AD) for secure cloud management and minimal infrastructure overhead.
2. Move to Exchange Server Subscription Edition (SE)
For organizations with regulatory or operational constraints preventing cloud migration, Exchange Server SE provides an on-premises alternative. This edition delivers quarterly cumulative updates and aligns with Microsoft’s new subscription-based lifecycle model, ensuring long-term patching without full version upgrades.
Compliance and Lifecycle Details
According to Microsoft’s Product Lifecycle Policy, once a product reaches end of support, the company:
-
Ceases all technical assistance.
-
Stops delivering security and non-security updates.
-
Ends free and paid support contracts.
Microsoft notes that Exchange 2016’s mainstream support ended in 2020, and Exchange 2019 reached mainstream end in 2024, making today the final support sunset for both platforms. Administrators still operating these servers must upgrade immediately to maintain compliance and operational security.
The Last Stand for On-Prem Email
Security experts view this transition as the official end of traditional Exchange Server dominance.
Analysts from Rapid7 and Sophos report that attackers continue scanning the internet for legacy Exchange endpoints, even after previous patch cycles.
Cloud-based Exchange has become Microsoft’s strategic focus, with enhanced threat protection, multi-factor authentication, and spam mitigation frameworks. Organizations choosing to remain on-premises face higher costs, operational overhead, and constant exposure without guaranteed patching.
To protect enterprise environments, Microsoft and independent researchers recommend:
-
Migrating to Exchange Online or Server SE immediately.
-
Backing up all mailbox databases before migration.
-
Removing public exposure to ECP and OWA interfaces.
-
Disabling remote PowerShell for all non-admin users.
-
Applying endpoint and email gateway monitoring to detect suspicious activity.
Failure to act increases the likelihood of compromise via known Exchange exploit kits still circulating on dark web markets.
The end of support for Exchange 2016 and 2019 marks a pivotal moment for enterprise IT.
While the transition may be complex, continuing to operate unsupported versions is an unacceptable security risk. Microsoft’s clear message: migrate now or face inevitable compromise.
Modern Exchange platforms provide stronger encryption, proactive threat mitigation, and compliance-ready controls that legacy systems can no longer deliver.
2 thoughts on “Microsoft Announces End of Support for Exchange Servers”