A Final Reprieve: Microsoft Announces Paid Extended Security Updates for Exchange and Skype Servers

Microsoft has officially announced a paid Extended Security Update (ESU) program for Exchange Server 2016 and 2019, offering a six-month window of continued security patches beyond the products’ end-of-support date. The move is a direct response to customer feedback, providing a crucial, albeit temporary, lifeline for organizations that are in the process of migrating but need more time to complete their transition away from the legacy on-premises platforms.¹

The end-of-support date for both Exchange Server 2016 and 2019 is October 14, 2025. After this date, these products will no longer receive security patches, non-security updates, or technical assistance, leaving them vulnerable to potential exploits. Recognizing that complex migrations to the new Exchange Server Subscription Edition (SE) may not be complete, Microsoft has introduced this ESU as a solution for businesses that are mid-flight in their upgrade projects.¹

Understanding the Terms of the ESU

In a detailed announcement, the Exchange Team clarified the specifics of the program, which is also available for Skype for Business Server 2015 and 2019.¹ It is critical for organizations to understand that this is not a simple extension of support, but a limited, last-resort measure with strict conditions.

First, the ESU program is explicitly not an extension of the standard support lifecycle.¹ The servers officially go out of support on October 14, 2025, and customers will not be able to open support cases for them unless an issue is directly caused by a security update released during the ESU period.¹ The program’s sole purpose is to provide security updates rated as “Critical” or “Important” by the Microsoft Security Response Center (MSRC).¹

Second, there is no guarantee that any security updates will be released during the ESU period.¹ Microsoft states it is “not committing to actually releasing any SUs,” as patches are only created when necessary to address discovered vulnerabilities.¹ The updates will not be delivered through standard channels like Windows Update or the public Download Center. Instead, they will be provided privately to customers enrolled in the ESU program.¹

Finally, the ESU is a one-time offer with a firm deadline. It provides coverage for exactly six months, ending on April 14, 2026. Microsoft’s communication on this point is unambiguous: “This period will not be extended past April 2026 (you do not need to ask).”¹ This sends a clear message that organizations must use this time to finalize their migrations.

Who Qualifies and How to Proceed

The ESU program is intended for a specific subset of customers. To be eligible, organizations must already be running Exchange 2016 Cumulative Update (CU) 23 or Exchange 2019 CU14/CU15.¹ The program is designed for those who have started their migration to Exchange Server SE but cannot meet the October deadline.¹

Starting August 1, 2025, eligible customers can contact their Microsoft account team to get information about per-server costs and to purchase the ESU.¹ At present, the program appears to be available primarily through direct engagement with Microsoft, with no clear path yet for customers who purchase licenses through resellers or the Cloud Solution Provider (CSP) program.

The Unmistakable Message: Migrate Now

Throughout its announcement, Microsoft’s core recommendation remains unchanged: organizations should prioritize completing their migration to Exchange Server SE rather than relying on the ESU.¹ The company urges customers using Exchange 2019 to perform the quick in-place upgrade to Exchange Server SE to benefit from its modern lifecycle policy.¹

For many organizations, especially those still on Exchange 2016, the path involves a multi-step migration to Exchange 2019 before they can upgrade to the new Subscription Edition. This ESU provides the necessary breathing room to complete these complex projects without exposing critical infrastructure to unpatched vulnerabilities.

While this last-minute reprieve is a welcome concession for many businesses, the message from Microsoft is resolute. The future of its server products is either in the cloud with Microsoft 365 or on the latest subscription-based on-premises versions. This six-month ESU is not a change in strategy, but a final, paid grace period before the door closes permanently on these legacy products.

Sources

1. The Exchange Team, Microsoft Tech Community (July 15, 2025) https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-exchange-2016-2019-extended-security-update-program/ba-p/4189333