No New Exchange Server Security Updates in March 2026
Organizations waiting eagerly for Patch Tuesday were in for a surprise. In the latest announcement, it was made clear that there will be no Exchange Server security updates for Exchange 2016, 2019, or even the new SE version this March.
This is not unprecedented, as security patches are only announced when a new exploit is found. However, this time, the lack of any new changes spells a critical warning.
Moreover, not even a month remains for the Extended Security Update (ESU) program to expire, and combined with the lack of security updates for Exchange Server 2016 or 2019, organizations need to make decisions ASAP.
Don’t worry, you are not alone. I have helped countless businesses navigate this particular phase and have prepared the full guide on what to make of the announcement. One thing is for sure: staying on legacy hardware that is already deprecated is increasingly risky.
Go through my guide and use this patch-free month to plan out an exit. Let us first break down what the announcement means.
Hide
Microsoft Exchange Team Announces No New Exchange Server Security Updates for March 2026
Not every organization was able to shift to the new version before the Exchange Server 2016 and 2019 EOL, so for them, Microsoft introduced a paid ESU program, which extended the lifetime by 6 months.
Earlier, if Microsoft did not find any major security flaws in Exchange Server, the Exchange Blog Team would just be silent. This lack of communication was frustrating for admins. However, recently things have changed; even if there isn’t an explicit patch, there is still an announcement regarding it.
That’s exactly what went down this time. The announcement was a small post where the team informed that there are no security patches; instead, ESU users would get their final patch in April 2026.
In the announcement, there was a push towards adopting the new Exchange Server SE Version.
However, no patches does not mean that admins should not do anything. This is a golden opportunity to plan for an exit from unpatched legacy systems into a long-lasting and secure environment.
Actionable Steps for Admins during a Patch-Free Month
Since you won’t get any patches this month, it is the perfect time to perform secondary administrative activities that you might have been delaying:
Audit your Inventory: An Exchange Server environment is a dynamic place that changes minute by minute, with new emails entering new user accounts, being made of offboarded user data being archived, and a lot more. As an admin, you must stay on top of all these changes because you will have to keep a record when a migration takes place. One basic activity that admins may forget is to check the Exchange Server build number, so make sure that you don’t.
Verify ESU Status: If your organization has made the decision to delay the transfer by opting in for the Extended Security Updates program, make sure you have patched up to the last update and keep your system up to date.
Finalize Backup Integrity: Ensure your server backups are immutable and isolated. If a zero-day vulnerability is discovered immediately after the April deadline and you haven’t migrated, your only viable defense will be a clean, uncompromised restore to a newly built, supported environment.
Use a Tool to Migrate: Deploy the SysTools Exchange to Office 365 Migrator and move all of your data at once. Get the free demo today.
You can adjust which user data migrates, which user data migrates before others, and apply date filters as well. The entire process is handled via a GUI console, maximizing user ease and minimizing complexity.
Conclusion
So one thing is for sure: there will be no new Exchange Server security updates this March. That is why my advice to admins is to use this time to quit the legacy systems and shift to either the subscription edition or, even better, move to the cloud. Either of those routes would be better than operating unsecured on-premises systems that become riskier with each passing day.
For those in the ESU program, one final patch will happen in April, but my suggestion is not to wait until then and plan a transfer. The utility I described in the text can help you shift the user data with ease, so use it when you decide to quit the on-prem service.
Frequently Asked Questions
Q: Is there any new security update for on-prem Exchange Server in March 2026?
Although Microsoft did make an announcement, in it they explicitly mentioned that there will be no security releases for Exchange Server SE, 2019 or 2016 for the month of March 2026.
Q: When will the patch for ESU holders be released?
In the same announcement, the Exchange Blog team mentioned that the final patch for ESU program subscribers will be released next month, in April 2026.
Q: Does the new SE version of Exchange On-Prem get monthly patches?
Yes, it is the latest iteration of the on-prem variant and will get regular patches. Although this time it was also skipped over.
Q: Will my current systems still work if patches stop?
Yes, they will work; the patches have nothing to do with the functionality of the system. However, if there is a previously unknown vulnerability that is exploited by a nefarious entity, then it could be disastrous for your infrastructure. Which is the exact situation that the patch prevents.