Microsoft today released the February 2026 Security Updates for Exchange Server, a cumulative rollup that covers Exchange Server Subscription Edition (SE) RTM and, under the paid Extended Security Update (ESU) program, specific builds of Exchange Server 2019 and 2016. Exchange Online tenants already have the same protections, the company confirmed, but on-premises servers and any machines running Exchange Management Tools must be patched immediately.

What changed and who needs the patches

The February 2026 update is a traditional Security Update (SU) delivered as a cumulative package. It applies to:

  • Exchange Server Subscription Edition – to date, the only on-premises lifecycle option that remains in mainstream support.
  • Exchange Server 2019 CU14 and CU15 – available exclusively to organizations enrolled in the ESU program.
  • Exchange Server 2016 CU23 – likewise available only under ESU enrollment.

No separate hotfix is needed; installing the latest SU for your CU and SKU brings in every earlier hardening for that branch. The update addresses multiple elevation-of-privilege and spoofing CVEs, though Microsoft has not disclosed active exploitation of the specific vulnerabilities patched this month.

The most operationally visible change administrators will encounter is a design block on the Export-ExchangeCertificate cmdlet for the Exchange Auth Certificate. This was introduced in earlier SU cycles and remains in effect: you can no longer export that particular certificate’s private key in plain text. Legitimate rotation workflows now rely on MonitorExchangeAuthCertificate and Export-PfxCertificate instead. Any script or backup tool that still calls the old method will break.

What this means for your organisation

The practical impact depends on which version you run and whether your Exchange estate is hybrid-joined with Exchange Online.

For pure on-premises Exchange SE shops

Your primary task is to apply the February SU to every server and management workstation. Because SUs are cumulative, you can install this package even if you skipped several months—there is no need to install every interim update. The patch cycle remains the same: test in a pilot ring, deploy to production, validate functionality.

For organisations on Exchange 2016 or 2019 with an active ESU

Applying the SU is equally critical, but the clock is much louder. Microsoft’s ESU program for Exchange 2016 and 2019 will expire in mid-April 2026—roughly two months from now. After that, no more security patches will be issued for those builds, even if you purchased ESU rights. If you haven’t already started a migration to Exchange SE or Exchange Online, you must treat these updates as the final runway. Patch now, and use the eight to ten remaining weeks to complete a move to a supported platform.

For hybrid Exchange Online customers

Exchange Online is already safeguarded against the vulnerabilities fixed in the February SU. However, your on-premises Exchange servers still need the update. Leaving a hybrid management node unpatched is dangerous: the core threat model since 2025 relies on an attacker who seizes administrative control of an on-prem Exchange box and then abuses the hybrid trust to escalate into the cloud tenant. Once inside Entra ID (formerly Azure AD), an adversary can mint tokens, move laterally, and compromise mailboxes without ever touching an Exchange Online endpoint. The February SU, combined with earlier architectural changes, hardens several of the hybrid trust choke points.

The hardening isn’t a simple patch-and-forget exercise. Over the past year, Microsoft has layered on multiple mitigations that require coordinated configuration steps. If you haven’t completed all of them—dedicated Exchange Hybrid App deployment, service principal cleanup, hybrid credential rotation—the February SU alone won’t close every risk. Sequence matters.

How we arrived at this point

The backstory began in August 2025, when CISA issued Emergency Directive 25-02 in response to CVE-2025-53786, a high-severity elevation-of-privilege vulnerability in hybrid Exchange deployments. The flaw allowed an attacker with administrative control of an on-premises server to exploit a misconfiguration in hybrid trust and gain tenant-wide cloud compromise. CISA’s advisory, combined with Microsoft’s own guidance, set off a chain of architectural corrections that are still unfolding.

Subsequent Security Updates—including the monthly rollups from late 2025 through early 2026—have steadily locked down hybrid surfaces. The most notable changes include:

  • Dedicated Exchange Hybrid App: A tenant-scoped service principal that replaces the old shared principal, drastically reducing lateral movement if an on-prem server is stolen.
  • Service Principal Clean-Up: Removal of legacy keyCredentials from the shared Microsoft service principal once every on-prem server is updated.
  • Auth Certificate export block: Preventing casual dumping of the Exchange Auth private key.
  • Hardened monitoring: Tools like the Exchange Health Checker and MonitorExchangeAuthCertificate give administrators visibility into certificate and configuration health.

Each month’s SU brings additional CVEs and internal hardenings that stack on top of these changes. The February 2026 update is the latest installment—and likely one of the last that will be offered to Exchange 2016 and 2019 under ESU.

What to do now: a pragmatic to-do list

Rather than a rigid step-by-step script, focus on a risk-ordered sequence that keeps the lights on while you tighten security.

1. Inventory everything
Run the Microsoft Exchange Health Checker across your entire environment and capture the exact CU, SU, and build number of every server. Include workstations that have the Exchange Management Tools installed. Identify which servers are internet-facing and which participate in hybrid features (Free/Busy, MailTips, photo sync).

2. Patch a pilot ring
Choose one mailbox server that handles hybrid lookups, one Edge Transport or hybrid connector host, and one administrative workstation. Apply the latest supported CU if you’re behind, then install the February SU. Verify build numbers and test mail flow, OWA, ECP, and any third-party integrations.

3. Validate the Dedicated Exchange Hybrid App
If you haven’t created this tenant-scoped service principal yet, do it now. Use the ConfigureExchangeHybridApplication.ps1 script or the updated Hybrid Configuration Wizard (HCW). Ensure Free/Busy and MailTips still work for the pilot users before you touch the old shared principal. The app must be functional across every server in your environment before you proceed.

4. Rotate and clean
Once all on-prem Exchange servers are on the February SU and the dedicated app is validated, you can safely run Service Principal Clean-Up Mode. This removes obsolete keyCredentials from the shared Microsoft principal, cutting off a well-known persistence path. Immediately after, rotate the credentials of your new dedicated hybrid app. Document everything; a rollback may involve re-exporting certificates with the updated procedures.

5. Update management tools and workstations
Any system that runs the Exchange Management Tools must be brought to the same patch level as your servers. Mismatched management clients can cause cmdlet failures and obscure operational issues.

6. Re-validate hybrid flows
After the full estate is patched and cleaned, run the Health Checker again. Test cross-premises mail flow, mailbox moves, and hybrid public folder access. Use MonitorExchangeAuthCertificate to check the Auth Certificate’s health and alert on anomalies.

7. Plan your migration from ESU
If you’re on Exchange 2016 or 2019, you have only a few weeks before ESU support vanishes. This is non-negotiable: no patches will arrive after mid-April. Start your migration to Exchange SE or Exchange Online now, not after the deadline. Even a temporary detour into a co-existence phase is safer than hanging on to an unsupported version.

One wrinkle: the auth certificate export block

If your backup routine or automation relied on exporting the Exchange Auth Certificate’s private key with Export-ExchangeCertificate, it’s now dead. Replace those calls with Export-PfxCertificate and update your documentation. This is not a bug—it’s an intentional hardening that Microsoft will not reverse.

Watching for compromise

If you suspect an incident, treat it as urgent. The hybrid escalation chain can move from an on-prem box to a full cloud compromise quickly. Preserve memory dumps, IIS logs, PowerShell transcripts, and Exchange audit logs before taking any disruptive action. Then hunt for:
- Anomalous EWS request patterns originating from on-prem servers.
- Unusual token issuance activity involving the Exchange service principals in Entra ID.
- Unexpected use of the microsoft.online.com suffix in authentication flows.

If you confirm compromise, isolate the host, rotate every service and admin credential (both on-prem and in Entra ID), and engage forensic support. Do not run the service principal clean-up tool until you are certain every server is patched and the adversary’s foothold is eliminated.

Outlook: what’s next

Microsoft has signaled that Exchange Server SE will remain the sole on-premises focus, and future SUs will likely introduce additional hardening around certificate handling and hybrid trust. The mid-April ESU cut-off will sharply divide organisations: those that moved to a supported platform will continue to receive patches; those that didn’t will be operating unsupported software in an increasingly dangerous threat landscape. Expect CISA and other agencies to renew pressure on legacy Exchange operators this spring. If you manage an Exchange environment, the February patch should be the trigger—not just to update, but to finish your migration planning. The runway is shorter than many organisations realize.