Microsoft Introduces Exchange 2016/2019 Extended Security Program
Six Months of an Extended Security Update Program from October 2025 to April 2026

Those who aren’t dedicated followers of the EHLO blog might have missed two interesting posts this week. The first covers delicensing resiliency for Exchange Online and the news that Microsoft is reducing the threshold for this feature to 5,000 tenant mailboxes. I think the feature should be available to all Exchange Online tenants, but let’s leave that debate aside.
Coping with the consequences of a mailbox becoming delicensed isn’t such an issue for Exchange on-premises organizations. They have their own challenge, notably the need to upgrade to Exchange Server Subscription Edition (SE) before Exchange 2016 and Exchange 2019 exit support on October 14, 2025.
Updating a Server to Exchange Server SE is Boringly Easy
The second EHLO post of the week offers a lifeline to organizations that don’t believe they can deploy Exchange Server SE by the October 2025 deadline. Performing an in-place server upgrade to Exchange Server SE is the easiest Exchange upgrade an on-premises administrator is ever likely to know. It’s been described as “boring” because literally nothing happens apart from version numbers being updated and a few other minor tweaks. The fact that Exchange 2019 and SE share the same documentation for system requirements testifies to the closeness of the two products.
Microsoft designed the upgrade to the first iteration of Exchange Server SE to be boring in order to remove a barrier: the belief among administrators that an Exchange upgrade is a major event with many potential problems lurking under the surface, waiting to make a server inoperative. Read the documentation, follow the steps laid down, and your update will proceed smoothly.
Factors Stopping Upgrades Happening
Although the server upgrade is easy, other factors usually come into play that can slow deployment. Now is peak vacation period, so people might not be available. The organization might decide to introduce new hardware or roll out Windows Server 2025. This might be especially so when the organization runs Exchange 2016 on an older version of Windows Server (see the operating systems matrix). In any case, lots of preliminary steps might need to be resolved before anyone sits down to update a server.
To help organizations that are struggling to get their ducks in a row before deploying Exchange Server SE, Microsoft is introducing a six-month Extended Security Update program. The idea is simple: after August 1, 2025, customers can contact their Microsoft account team to request a subscription to a new product SKU that entitles them to receive security updates for Exchange 2016 and Exchange 2019 for six months. The price of the SKU is per-server, and it’s assumed that the Microsoft account team knows how many servers a customer operates so that they can calculate an initial price before any discounts are negotiated. If you don’t have a Microsoft account team, call the local Microsoft office and get them involved.
There are several important points to consider before proceeding to enrol in the Extended Security Program:
- The agreement only lasts six months and Microsoft doesn’t plan to extend it past April 14, 2026.
- During the agreement, Microsoft will deliver security updates for problems that the Microsoft Security Response Center deems to be critical or important. In other words, a security issue must meet a threshold before Microsoft will create a security update for Exchange 2016/2019.
- Security updates issued through the program will be released privately to program participants. You won’t be able to download the updates from the Microsoft download center.
- There’s no guarantee that any security problems will emerge between October 15, 2025, and April 14, 2026. In other words, this is insurance in case a problem happens, and no refunds are coming if the security landscape remains calm throughout the six-month program lifetime.
- Microsoft says that, on Patch Tuesdays during the covered period, they will inform program participants if a security update is available.
- The Extended Security Update Program does not affect the end-of-lifetime support dates for Exchange 2016 and Exchange 2019. Those dates remain as they are. This program only covers security issues.
Not a Revenue Generating Opportunity
Cynics will say that this is yet another example of Microsoft adjusting deadlines, this time to create an opportunity for a little extra revenue by charging customers for six months of security insurance. Pragmatists will recognize just how slow Exchange Server updates have been since Exchange 2000 appeared. Given the engineering costs involved, I doubt Microsoft will make much, if anything, from the Extended Security Update program. This is no more and no less than a lifeline for those who need that extra time.