Skip to content
← All posts
· 4 min read·Emre Yurtbay

Exchange Server 2016 and 2019 are end of life – migrate safely now

No security updates since October 2025. What businesses running their own Exchange server should do – the paths to Exchange Online and Exchange Server SE.

Exchange ServerMicrosoft 365Cloud MigrationIT SecuritySMB

Many businesses in the Ruhr region have run their email on an in-house Exchange server for years – in the basement or a data centre. It quietly did its job, and that is exactly the problem now. Because Exchange Server 2016 and 2019 reached end of support on 14 October 2025. Since then there are no more security updates, no bug fixes and no technical support through the regular channels.

Note: This article explains the technical situation and does not replace individual legal or security advice. As of: June 2026.

Why "but it still runs" is dangerous here

A mail server without security updates is an open flank. Exchange servers have repeatedly been the target of large-scale attacks – and a central mail server is a rewarding target: whoever compromises it can read along, send in your name and often gains a foothold across the entire domain.

There is also a compliance angle: anyone processing personal data must take appropriate technical measures under GDPR. A provably unpatched, end-of-life system is hard to defend as "appropriate" if something goes wrong. So "it still runs" is not a viable strategy – it is a deferred risk.

The ESU bridge – short, expensive, not a permanent state

For Exchange 2016/2019 Microsoft offers a paid Extended Security Update (ESU) programme. It is important to understand: this is an emergency bridge, not a second life. The ESU deliver only security updates rated Critical and Important – no support, no new features.

And the bridge is time-limited: after Period 1 (until 14 April 2026), Period 2 runs from May 2026 to the end of October 2026. After that it is definitively over. So buying ESU now only buys time until autumn – useful for planning a clean migration, but not for postponing it further.

Where to migrate? Two sound paths

For the vast majority of businesses there are two destinations to choose from:

1. Exchange Online (Microsoft 365)

The standard route for small and medium businesses. Microsoft runs the mail server and handles updates, high availability, spam and virus protection. You pay per mailbox and month and are rid of operating your own server. For most businesses without an in-house IT team this is the most pragmatic and secure path – including an EU data option and a data processing agreement.

2. Exchange Server SE (Subscription Edition)

If you want to stay on-premises for good reasons – data sovereignty, specific industry requirements or integration with legacy systems – you use Exchange Server SE. SE has been available since 1 July 2025 and is the only on-premises edition of Exchange that is still supported. Technically, the first SE release is largely equivalent to a fully up-to-date Exchange 2019; the licensing model, however, has moved to an ongoing subscription.

There are two paths to SE:

  • In-place upgrade: directly from Exchange Server 2019 (CU14 or CU15) – comparatively lightweight.
  • Legacy upgrade (transition): required if you are coming from Exchange Server 2016. Here SE is set up on new servers and the mailboxes are migrated. Microsoft explicitly recommends going straight to SE – rather than installing new 2019 servers first.

A realistic roadmap

Whatever the destination, the sequence is similar:

  1. Take inventory: which Exchange version, which cumulative update, how many mailboxes, which dependencies (scanners, ERP, line-of-business software that sends via SMTP)?
  2. Pick a target: Exchange Online or Exchange Server SE – based on data protection, budget, available know-how and operational responsibility.
  3. Plan ESU only as a buffer: if you cannot finish by autumn, use ESU Period 2 as a secured transition window – with a firm end date in view.
  4. Migrate and decommission cleanly: move mailboxes, switch over SMTP applications, adjust DNS/Autodiscover, check SPF, DKIM and DMARC, and only switch off the old server after a controlled decommissioning.
  5. Document: what was migrated and secured, and when? You need this for audits, insurers and your own traceability.

What this means for businesses in Recklinghausen

If you still have an Exchange 2016 or 2019 in the house, now is the right moment – not the last one. Until the end of October 2026, ESU offers a secured transition window, but a planned migration is always calmer and cheaper than a forced one. Smaller businesses in particular often gain more security and less maintenance effort from the move than they expect.

Are you still running your own Exchange server and unsure which path fits you? In a free initial consultation we look at your setup together and sketch out a realistic roadmap – level-headed and without sales pressure.

Discuss your project