Microsoft's Exchange team published a short blog post on January 13, 2026 confirming that no security updates will ship for any on-premises Exchange Server version this Patch Tuesday. The announcement covers both the current Exchange Server Subscription Edition (Exchange SE) and customers enrolled in the paid Extended Security Update (ESU) program for Exchange Server 2016 and 2019. While the news means one fewer maintenance task this month, it also puts a sharper focus on what happens when the ESU clock runs out on April 14, 2026.
The Bulletin in Plain Terms
The message from Microsoft was straightforward: after evaluating vulnerabilities reported in the preceding weeks, the engineering team determined that none met the bar for a security update release in January. That means no cumulative update, no security hotfix, and no out-of-band patch for any Exchange channel this month. The company said it will continue to publish a monthly notice—even on months with zero releases—so customers know exactly where they stand. This new transparency is part of the ESU program's commitment to keep enrolled organizations informed through the end of support.
For IT teams that have built monthly patching into their operational rhythm, January's silence may feel like a breather. But it's not a signal to take the foot off the gas. Exchange servers, especially those past end of support, remain high-value targets and the absence of a new fix does nothing to reduce the risk from previously disclosed vulnerabilities or unknown zero-days.
What This Means for Different Organizations
If You're Running Exchange 2016 or 2019 with ESU
The six-month ESU bridge was designed exactly for moments like this: when no critical updates appear, you don't have to scramble. But you also can't afford complacency. ESU coverage is a stopgap, not a substitute for a migration plan. It provides security updates only when Microsoft releases them, and it does not restore full product support. The April 14 expiration is a hard stop—there will be no extension, and after that date, no further patches of any kind will ship.
If You're Running Exchange 2016 or 2019 Without ESU
These servers have been out of support since October 14, 2025. They haven't received any security updates since then (unless you purchased ESU). January's no-update announcement doesn't change the immediate risk profile, but it should reinforce the urgency. Every month that passes without a patch is another month threat actors can develop or deploy exploits against known weaknesses. If you haven't already purchased ESU, you can no longer do so—the enrollment window closed when the program began. Your only safe path forward is an accelerated migration.
If You're Running Exchange Server Subscription Edition
Exchange SE remains fully supported and will receive updates as normal. This month simply didn't require one. The in-support lifecycle means your servers are automatically eligible for all future security and quality updates. Still, the broader landscape of Exchange threats means you should keep rigorous patch management and monitoring practices in place.
How We Got Here: A Timeline of Deadlines
Exchange Server 2016 and 2019 officially reached end of support on October 14, 2025. To give organizations more breathing room, Microsoft offered a one-time, paid Extended Security Update program starting August 1, 2025. That program runs for exactly six months, ending April 14, 2026. The terms were clear from the start: ESU covers Critical and Important security updates only, it does not guarantee a monthly patch, and it will not be extended.
The January 13 bulletin is the third such monthly confirmation since ESU began in October 2025 (the program technically started in August, but the first post-support Patch Tuesday was November 2025). Each month, Microsoft has either released an ESU-only update or confirmed that none were needed. This transparency is helpful for planning, but it also underscores the temporary nature of the safety net.
Key dates at a glance:
| Date | Milestone |
|---|---|
| October 14, 2025 | Exchange 2016/2019 end of support |
| August 1, 2025 | ESU enrollment opens |
| April 14, 2026 | ESU program expires; no further updates |
| January 13, 2026 | January 2026 Patch Tuesday: no security updates |
Exchange servers have been a favorite target for ransomware gangs and nation-state actors for years. Even as recently as late 2025, CISA and the NSA renewed warnings about on-premises Exchange deployments, urging organizations to enforce multi-factor authentication, restrict administrative interfaces, and move to cloud or modern on-prem versions. The January quiet period doesn't mean the threat has diminished—it only means Microsoft didn't ship a fix this month.
Immediate Actions: Your 48-Hour Checklist
1. Confirm Your Exchange Inventory
You can't secure what you don't know about. Run the following in Exchange Management Shell on every suspected server and document the results:
Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
Record each server's operating system, cumulative update level, internet exposure (are admin endpoints reachable from outside?), and backup status.
2. Verify ESU Enrollment
ESU is not automatic. Check with your Microsoft account team or licensing portal to confirm which servers are covered. If you purchased ESU and the enrollment wasn't completed properly, you won't receive the updates—and with only three months left, you can't afford to lose that protection.
3. Lock Down Administrative Access
Immediately restrict access to all Exchange management interfaces (Exchange Admin Center, PowerShell, WinRM, RPC) to known management IP ranges or a dedicated jump host. Do not expose OWA, ECP, or ActiveSync admin paths to the public internet. CISA's long-standing guidance still applies: enforce MFA on every administrative account, minimize the number of privileged users, and consider just-in-time access for the most sensitive roles.
4. Validate Backups
Test a full mailbox restore from your most recent backup. Confirm that you can recover both database-level and item-level data. If your backup chain has gaps, fix them now—a compromised Exchange server without a reliable backup is a catastrophe in waiting.
Short-Term Strengthening (7–30 Days)
- Apply OS and firmware patches. Attackers often pivot from the underlying Windows Server OS to Exchange; keeping the host fully updated closes that vector.
- Enhance logging and detection. Ensure that Exchange audit logs, IIS logs, and mailbox audit data are streaming to your SIEM and retained for at least 90 days. Verify that your endpoint detection and response (EDR) solution is actively monitoring all Exchange servers.
- Hunt for indicators of compromise. Look for unauthorized OWA logins from unusual locations, webshells in Outlook Web App directories, suspicious scheduled tasks, or new mailbox forwarding rules. Check for misconfigured mail flow rules that might forward sensitive data externally.
- Rotate credentials. If any sign of compromise emerges, immediately reset passwords for service accounts, domain admin accounts, and any account with mailbox delegation rights.
The Clock Is Ticking: Migration Planning (30–90 Days)
If you haven't finalized your migration roadmap, January is the month to get it done. Your destination should be either Exchange Server Subscription Edition (on-premises) or Exchange Online (cloud). Both paths are supported by Microsoft; the choice depends on your organization's compliance, performance, and operational requirements.
On-Premises: Exchange Server Subscription Edition
Exchange SE uses a modern subscription-based lifecycle and is the natural successor to Exchange 2019. It supports in-place upgrades from 2019 in many scenarios, but you'll need to validate compatibility with third-party tools like archiving, backup, and antivirus solutions. Set up a lab environment, test co-existence with your current servers, and pilot a small user group before moving production mailboxes.
Cloud: Exchange Online
For many teams, moving to Exchange Online eliminates the patching burden and reduces the attack surface. A hybrid migration allows you to move mailboxes in waves while keeping on-premises mail flow intact. You'll need Azure AD Connect for identity synchronization, hybrid MFA configuration, and careful planning for mail routing (MX records) and compliance (retention, eDiscovery). If cloud migration was already on your roadmap, accelerate the schedule; Microsoft FastTrack and partner programs can help.
Final Stretch: What to Do Before April 14
- Set a hard deadline. Assign each server a target decommissioning date, with at least a two-week buffer before the ESU expiration. Share that schedule with leadership and application owners.
- Rehearse the cutover. Run at least one full dress rehearsal of the migration—move test mailboxes, validate mail flow, and monitor for any authentication hiccups.
- Plan compensating controls if you'll miss the deadline. If a legacy application forces you to keep a 2016 server alive past April 14, implement aggressive network isolation (air-gap style), use a dedicated jump box for all admin actions, and deploy extra monitoring to alert on any anomalous behavior. Understand that beyond April 14, any vulnerability discovered in that server will remain unpatched forever.
The Outlook
Microsoft's monthly cadence of transparency will continue through April. The next Patch Tuesday is February 10, 2026, and the Exchange Team will again post whether any updates are available. As the ESU window narrows, the probability of a last-minute security release increases—but there's no guarantee. The safest strategy remains the same: move off unsupported Exchange servers before April 14.
The January silence is a reminder, not a reprieve. Use the quiet month to put your house in order.