Exchange Server 2016 & 2019 End of Support: Complete Migration & Upgrade Playbook for IT Teams

On October 14, 2025, Microsoft permanently ends extended support for both Exchange Server 2016 and Exchange Server 2019. Unlike the Windows Server lifecycle, there are no Extended Security Updates (ESUs) available for Exchange. Once the date passes, your on-premises mail infrastructure stops receiving security patches, compliance updates, and hotfixes — period.

If you administer Exchange for a 200-seat law firm or a 5,000-mailbox enterprise, the risk calculus is identical: unpatched Exchange servers are the #1 target for threat actors scanning for known CVEs in on-premises email infrastructure. The Hafnium attack chain in 2021 exploited four zero-days in Exchange Server and compromised an estimated 250,000 servers worldwide within a week. Running an unsupported version after October 2025 invites that same exposure — permanently.

This guide walks through every option available to your team, the real costs involved, and a concrete timeline to get this done before the deadline.

What "End of Support" Actually Means for Exchange 2016/2019

IT teams sometimes conflate "end of support" with "end of life." They're different. Your Exchange 2016 or 2019 server won't stop functioning on October 15th. Mail will still flow. OWA will still load. But here's what you lose:

• No security patches. Zero-day vulnerabilities discovered after October 14 will never be patched. Your server stays permanently exposed.
• No cumulative updates. Microsoft already shipped the final CU for Exchange 2019 (CU15) and Exchange 2016 (CU23). There will be no further CUs.
• No support tickets. Microsoft Premier/Unified Support will decline cases for unsupported Exchange versions. You're on your own.
• No compliance coverage. Auditors reviewing HIPAA, SOC 2, PCI-DSS, or GDPR controls will flag an unsupported mail server as a critical finding. If your organization handles protected health information, this directly impacts your HIPAA compliance posture.
• No coexistence with Exchange SE. Microsoft has confirmed that Exchange Server 2013 and earlier cannot coexist with Exchange SE. If you're still running 2016, you must upgrade to 2019 CU15 first before deploying SE in the same org.

Exchange Server End-of-Life Timeline: Key Dates

Version	Mainstream Support Ended	Extended Support Ends	Final Update	ESUs Available?
Exchange Server 2013	Apr 11, 2018	Apr 11, 2023	CU23	No
Exchange Server 2016	Oct 13, 2020	Oct 14, 2025	CU23 + SU	No
Exchange Server 2019	Jan 9, 2024	Oct 14, 2025	CU15 + SU	No
Exchange Server SE	July 2025 (GA)	Modern Lifecycle	Rolling CUs	N/A — Continuously updated

The critical detail: Exchange 2016 and 2019 share the same end-of-support date. If you upgraded from 2016 to 2019 thinking you'd bought yourself more time — you didn't. Both are done on October 14, 2025.

Path 1: Upgrade to Exchange Server Subscription Edition (SE)

Exchange Server SE is Microsoft's next on-premises Exchange release, expected to reach general availability in July 2025. It follows a Modern Lifecycle Policy — meaning continuous updates rather than a fixed end-of-support date. For organizations that need to keep mailboxes on-premises (regulatory requirements, data sovereignty, latency-sensitive workloads), this is the supported path forward.

Exchange SE Upgrade Requirements

Before you can deploy Exchange SE, your environment must meet these prerequisites:

• Current Exchange version: You must be running Exchange Server 2019 CU15 (or later SU) before upgrading to SE. If you're on Exchange 2016, you need to upgrade to Exchange 2019 first, then apply CU15, then move to SE.
• Windows Server version: Exchange SE requires Windows Server 2022 or Windows Server 2025. If your Exchange 2016 server runs on Windows Server 2016, you'll need new hardware or a fresh OS install.
• Active Directory: Forest functional level must be Windows Server 2016 or higher. Schema updates are required. Run AD health checks before touching Exchange — replication issues, lingering objects, or tombstone problems will break the upgrade.
• TLS 1.2/1.3: Exchange SE requires TLS 1.2 minimum. If you haven't disabled TLS 1.0/1.1 yet, now is the time.
• Licensing: Exchange SE requires a subscription license. Organizations with active Software Assurance on Exchange 2019 licenses can transition. Otherwise, you'll need new Server + CAL subscriptions.

Realistic Upgrade Timeline (Exchange 2016 to SE)

Here's what the upgrade path actually looks like for a mid-size org (500-2,000 mailboxes) still on Exchange 2016:

1. Weeks 1-2: Inventory current environment. Document Exchange version, CU level, OS version, certificate expiry dates, third-party connectors (spam filters, archiving, DLP).
2. Weeks 3-4: Deploy new Exchange 2019 server on Windows Server 2022. Install CU15. Configure as additional server in the existing org.
3. Weeks 5-6: Migrate mailboxes from Exchange 2016 to 2019. Use Exchange Management Shell (PowerShell) for batch moves. Test mail flow, Outlook connectivity, ActiveSync, OWA.
4. Weeks 7-8: Decommission Exchange 2016 servers. Update DNS (MX, Autodiscover, virtual directories). Remove 2016 from the org.
5. Week 9+ (post-July 2025): Upgrade Exchange 2019 CU15 to Exchange SE via in-place upgrade.

That's a minimum 9-week runway if everything goes according to plan. Factor in change control boards, testing windows, and vendor coordination, and you're looking at 3-4 months. Starting in Q2 2025 is already late.

If your team doesn't have deep Exchange administration experience, consider bringing in dedicated Exchange Server support to handle the upgrade. A misconfigured coexistence deployment can break mail flow for the entire organization.

Path 2: Migrate to Microsoft 365 (Exchange Online)

For many organizations, the end of Exchange 2016/2019 support is the forcing function to move email to the cloud. Microsoft 365 eliminates the patching, hardware, and certificate management overhead entirely. Microsoft handles infrastructure, and you get continuous feature updates.

Migration Methods: Which One Fits Your Org?

The right migration approach depends on your mailbox count, current Exchange version, and coexistence requirements:

Cutover Migration

Best for orgs with fewer than 150 mailboxes on Exchange 2016 or 2019. All mailboxes move in a single batch over a weekend. No hybrid infrastructure required. Typically completes in 24-48 hours. Read our detailed walkthrough: Cutover Migration from Exchange to Microsoft 365.

Staged Migration

Works for larger environments where you need to move mailboxes in batches over several weeks. Users are migrated in groups (by department, location, or priority). Requires directory synchronization. See our staged migration guide for Exchange Online for the full process.

Hybrid Migration

The enterprise-grade approach. Establishes a permanent (or temporary) coexistence between on-premises Exchange and Exchange Online. Enables features like cross-premises calendar sharing, unified GAL, and seamless mailbox moves. If you're running Exchange 2019 CU15 with 1,000+ mailboxes, this is typically the right call. We cover the setup in our minimal hybrid migration guide.

IMAP/PST Migration

Last resort for environments running Exchange 2010 or earlier (or non-Exchange mail systems). Slower, limited metadata preservation. Only use this if other methods aren't viable.

Microsoft 365 Plan Selection for Exchange Migrations

Choosing the right Microsoft 365 plan matters — you're not just buying an email service, you're selecting a productivity and security platform. Here's the breakdown for Exchange migration scenarios:

• Microsoft 365 Business Standard: Exchange Online, Teams, SharePoint, OneDrive, desktop Office apps. Ideal for SMBs under 300 users. No advanced compliance or eDiscovery.
• Microsoft 365 Business Premium: Everything in Standard plus Intune device management, Azure AD P1, Defender for Office 365 Plan 1. Best fit for organizations that need conditional access and mobile device management.
• Microsoft 365 E3: Enterprise-grade. Unlimited archive mailboxes, litigation hold, DLP policies, Azure Information Protection P1. Required for orgs with 300+ users or regulatory compliance needs.
• Microsoft 365 E5: E3 plus advanced threat protection, Cloud App Security, Audio Conferencing, Power BI Pro. For organizations that need the full security and compliance stack.

Not sure which plan fits? Use our Microsoft 365 plan comparison page to see feature-by-feature differences and current pricing.

Migration Timeline: Exchange On-Premises to Microsoft 365

For a hybrid migration of 1,000 mailboxes from Exchange 2019:

1. Week 1: Pre-migration assessment. Audit mailbox sizes, distribution groups, public folders, mail-enabled applications, Exchange Online service limits. Identify shared mailboxes and resource rooms.
2. Week 2: Configure hybrid. Run Hybrid Configuration Wizard, set up Azure AD Connect for directory sync, configure mail flow connectors, validate Autodiscover.
3. Weeks 3-6: Batch mailbox migrations. Prioritize IT staff and pilot users first. Move 200-300 mailboxes per batch. Monitor Exchange Online mail traffic reports to verify delivery.
4. Week 7: Migrate remaining objects — public folders, shared mailboxes, mail contacts. Update MX records to point to Exchange Online Protection. Decommission hybrid server (optional — some orgs keep it for recipient management).
5. Week 8: Post-migration validation. Test Outlook profiles, mobile device reconnection, calendar sharing, Teams integration. Update DNS TTLs.

Need hands-on help? Our Exchange to Microsoft 365 migration service handles the entire process — from pre-migration audit to post-cutover validation.

Path 3: Hybrid Deployment (Keep Some Mailboxes On-Premises)

Some organizations can't move everything to the cloud. Regulatory constraints, latency requirements for on-premises applications, or specific mailbox configurations may require keeping a subset of mailboxes on Exchange SE while moving the rest to Exchange Online.

A hybrid deployment gives you:

• Unified Global Address List (GAL) across on-premises and cloud mailboxes
• Cross-premises free/busy calendar sharing
• Seamless mailbox moves between on-premises and cloud (users don't need to reconfigure Outlook)
• Centralized compliance and eDiscovery across both environments

The trade-off: hybrid adds infrastructure complexity. You need Azure AD Connect, certificate management for hybrid endpoints, and ongoing maintenance of the on-premises Exchange SE server. For organizations with dedicated IT teams or managed IT support, this complexity is manageable. For lean IT departments, the operational overhead may not be worth it.

Security Implications of Running Unsupported Exchange

This isn't theoretical risk. Exchange Server is one of the most-targeted services on the internet. Here's the recent attack history:

• ProxyLogon (CVE-2021-26855): Remote code execution via SSRF. Attackers could read emails, deploy webshells, and move laterally — all without authentication. 250,000+ servers compromised globally.
• ProxyShell (CVE-2021-34473, 34523, 31207): Chained vulnerabilities allowing pre-auth RCE. Used by ransomware groups including LockFile and Conti.
• ProxyNotShell (CVE-2022-41040, 41082): SSRF + RCE chain targeting Exchange 2013, 2016, 2019. Exploited in the wild before patches were available.
• CVE-2024-21410: NTLM relay attack on Exchange allowing privilege escalation. Patched in February 2024 CU.

Every one of these vulnerabilities was patched via cumulative or security updates. After October 2025, equivalent vulnerabilities discovered in Exchange 2016/2019 will never be patched. Your Exchange server becomes a permanent attack surface. This is why security compliance frameworks require supported software — it's not a checkbox exercise, it's a direct risk exposure.

Cost Comparison: Exchange SE vs. Microsoft 365

The total cost of ownership (TCO) analysis is more nuanced than comparing license prices. Here's a realistic breakdown for a 500-user organization over 3 years:

Cost Factor	Exchange SE (On-Prem)	Microsoft 365 E3
Server hardware (2 servers, HA)	$15,000-25,000	$0
Windows Server licenses (2)	$2,000-4,000	$0
Exchange SE licenses + CALs	$12,000-18,000/yr	Included
Microsoft 365 subscription	$0 (unless hybrid)	$18/user/mo ($108,000/yr)
Backup infrastructure	$5,000-10,000/yr	$2,000-5,000/yr (3rd party)
IT admin time (patching, monitoring)	20-40 hrs/month	5-10 hrs/month
SSL certificates	$200-500/yr	$0
Estimated 3-Year TCO	$95,000 - $145,000	$330,000 - $345,000

On raw cost, Exchange SE appears cheaper. But factor in the operational burden: patching CUs quarterly, managing database availability groups, monitoring disk space for transaction logs, handling certificate renewals, and maintaining server infrastructure. If your IT team is already stretched thin, those 20-40 hours per month have a real opportunity cost.

For organizations considering outsourced IT management through an MSP, Microsoft 365 reduces the on-premises footprint your MSP needs to manage — which can lower managed services costs.

Exchange Online vs. Exchange Server SE: Feature Comparison

Beyond cost, there are functional differences that matter for specific workloads:

Capability	Exchange SE	Exchange Online (M365)
Mailbox size limit	Limited by disk	50 GB (100 GB with archive)
Data residency control	Full (your hardware)	Microsoft datacenters (geo selection available)
Public folders	Full support	Supported (with limits)
Transport rules complexity	Unlimited	Service limits apply
Third-party integrations	Direct server access	API/connector-based
Teams/SharePoint integration	Limited (requires hybrid)	Native, deep integration
Copilot AI features	Not available	Available with Copilot license

The trend is clear: Microsoft is investing heavily in Exchange Online while Exchange SE gets maintenance-level updates. If your organization's roadmap includes Teams, SharePoint Online, or Copilot, migrating to Microsoft 365 aligns with where Microsoft is heading.

Pre-Migration Checklist: What to Do Right Now

Regardless of which path you choose, start with these actions this week:

1. Audit your current Exchange version and CU level. Run Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion in Exchange Management Shell. Know exactly where you stand.
2. Document mailbox inventory. Run Get-Mailbox -ResultSize Unlimited | Select DisplayName, PrimarySmtpAddress, TotalItemSize. Identify oversized mailboxes, inactive accounts, and shared mailboxes that need special handling.
3. Check Active Directory health. Run dcdiag /v and repadmin /replsummary. Fix any replication errors before touching Exchange.
4. Inventory third-party dependencies. Spam filters (Barracuda, Mimecast, SpamBull), archiving solutions, CRM integrations that connect via EWS or SMTP relay, multi-function printers that scan-to-email.
5. Review SSL certificates. Check expiry dates on your Exchange certificates. If they expire before migration, renew them now — a certificate expiry during migration will break Outlook connectivity. See our Exchange certificate authentication guide for details.
6. Assess your Windows Server version. Exchange SE requires Server 2022 or 2025. If you're on Server 2012 R2 or 2016, budget for Windows Server upgrades as part of this project.
7. Calculate licensing costs. Whether it's Exchange SE subscription licensing or Microsoft 365 per-user pricing, build the business case now. Finance teams need lead time for budget approval.

Common Migration Pitfalls to Avoid

After handling hundreds of Exchange migrations, these are the issues we see most frequently:

• Not testing Autodiscover before cutover. Broken Autodiscover = broken Outlook profiles for every user. Test from outside your network before flipping DNS.
• Forgetting mail-enabled applications. LOB apps, scanners, and monitoring systems that send email via Exchange relay. These break silently when you decommission the on-premises server and nobody notices until a customer complaint comes in.
• Public folder migration gaps. Public folders with custom permissions, calendar folders, and mail-enabled public folders each require different migration steps. Don't assume a batch migration handles everything.
• Skipping the pilot group. Always migrate IT staff and a small pilot group first. Validate Outlook, OWA, ActiveSync, and Teams calendar integration before moving production users.
• Ignoring DNS TTL values. Lower MX record TTLs to 300 seconds at least 48 hours before the cutover. Default TTLs of 3600+ seconds mean some mail servers will keep sending to your old Exchange server for hours after you flip DNS.
• Not planning for deleted items retention. Exchange Online has different default retention policies than on-premises. Configure retention policies before migration to avoid user confusion.

What About Exchange 2010 and 2013?

If you're still running Exchange Server 2010 or 2013, your situation is more urgent — extended support for both versions has already ended (2010 in October 2020, 2013 in April 2023). You're already running unsupported infrastructure.

The upgrade path from Exchange 2010/2013 to SE is longer because you can't skip versions in coexistence. You'd need to go 2010 → 2016 → 2019 CU15 → SE, which is impractical. For these environments, a direct migration to Microsoft 365 using cutover or staged migration is the most efficient path. We've documented Exchange 2010 end-of-life migration options and a real-world case study of a 2010-to-M365 healthcare migration.

Exchange Server SE: What We Know So Far

Microsoft has shared limited but important details about Exchange SE. Here's what's confirmed:

• In-place upgrade from Exchange 2019 CU15. No side-by-side migration required. The upgrade process is similar to applying a CU.
• Subscription licensing model. No more perpetual Server + CAL licensing. Exchange SE requires an active subscription.
• Modern Lifecycle Policy. No fixed end-of-support date. Microsoft will provide updates as long as you maintain an active subscription and stay current on CUs.
• Windows Server 2022 and 2025 support. Confirmed compatibility with both OS versions.
• REST API support. Exchange SE will include the new REST-based Admin API alongside the existing PowerShell cmdlets.
• TLS 1.3 support. Built-in support for TLS 1.3, which Exchange 2016/2019 don't support natively.

For a complete deep-dive, read our Exchange Server SE guide series covering architecture, licensing, and migration planning.

How Medha Cloud Can Help

We've been managing Exchange Server environments since Exchange 2003. Our Exchange Server support team handles everything from CU deployments to full hybrid configurations. Here's what we bring to this specific transition:

• Exchange health assessment: We audit your current Exchange environment — version, CU level, database health, Active Directory dependencies, certificate status — and deliver a documented report with specific recommendations.
• Upgrade execution: Whether you're going Exchange 2016 → 2019 → SE or directly to Microsoft 365, we handle the technical execution. DAG configuration, mailbox moves, DNS cutover, post-migration validation.
• Hybrid deployment: For organizations that need both on-premises and cloud mailboxes, we configure and maintain the hybrid infrastructure — Azure AD Connect, hybrid mail flow, certificate management.
• Zero-downtime migration: Our Microsoft 365 migration services use background mailbox moves that don't interrupt user access. Users keep working in Outlook during the migration.
• Post-migration support: We don't disappear after cutover. Our managed IT services provide ongoing monitoring, administration, and support for your Exchange Online or Exchange SE environment.

Next Steps

October 2025 is not far away. If you haven't started planning, start this week. Here's the decision tree:

• Need to stay on-premises? Ensure you're on Exchange 2019 CU15, budget for Exchange SE licensing, and plan the upgrade for Q3 2025. Talk to our Exchange team to scope the project.
• Ready to move to the cloud? Run a migration assessment to determine the right migration method and Microsoft 365 plan. We can typically complete a 500-mailbox migration in 4-6 weeks.
• Not sure which path is right? Schedule a consultation. We'll analyze your environment, compliance requirements, and budget constraints, then recommend the approach that makes sense for your organization.

Whichever path you choose, the worst option is doing nothing. Unsupported Exchange servers are a ticking clock — every day past October 14, 2025, your risk surface grows and your compliance posture weakens.