What security teams need to know about the coming demise of old Microsoft servers – Source: www.csoonline.com

Source: www.csoonline.com – Author: sbradley

How-To

13 Feb 2025, 6 mins

Cloud Security, Data and Information Security, Windows Security

While the planned phase-out of Microsoft Exchange 2016 and Exchange 2019 is many months away, evaluate your organization’s needs now to avoid hassles down the road.

October 2025 is going to be a big month for saying goodbye to several aging Microsoft technologies. Not only is it the end of support for Windows 10, but it’s also the end of support for Exchange 2016 and Exchange 2019.

While there will be options going forward, the demise of these products comes with security concerns and, quite frankly, costs to consider. Microsoft has stated that, unlike with Windows 10, it will not release any extended support updates for either Exchange 2016 or 2019.

Those who wish to stay with an on-premises solution can consider Microsoft’s offering called Exchange Server Subscription Edition, or Exchange Server SE for short. The first release of this platform will be around the same time as the demise of Exchange 2016 and 2019.

Microsoft has stated that the migration pain will be minimal as the SE version will use the same code as Exchange Server 2019 CU15 with a few cosmetic differences. For example, the license agreement will be updated to reflect the name change and the build and version number will be updated.

Multiple versions of Exchange will not be allowed

Users will be able to perform an in-place upgrade on top of their existing infrastructure as well as a more legacy-style migration, a lengthier process by which a new server infrastructure is created and mailboxes are moved to the new server. During this process there is some disruption, as the mailboxes can be temporarily paused or impacted by the migration process, but it typically can be planned around and minimized.

The Subscription Edition is exactly what it sounds like: users will be required to have subscription licenses or licenses with active software assurance for users and servers, with the addition of support for Server 2025. Exchange Server 2019 CU15 adds support for Transport Layer Security (TLS) 1.3 and reintroduces certificate management in the Exchange admin center.

Multiple versions of Exchange will not be allowed to coexist — they must all be brought up to date with the Exchange SE version. In addition, Exchange 2013 is no longer serviced. If you are on these older versions, there will be no in-place upgrade option, so users will have to do a double hop from these older platforms to Exchange 2019 to get on a version that will then support the in-place “patch” to the supported SE version.

Managing an on-premises Exchange server is getting more difficult

Users will have to decide between now and October whether to continue with on-premises mail servers or consider alternatives. The expertise to patch and maintain an on-premises Exchange server is getting tougher all the time. We’ve seen Microsoft introduce bugs into their software causing Exchange administrators to decide whether to patch and live with a side effect, deal with deploying a workaround, or go unprotected.

Bugs in on-premises Exchange servers that are similar to those seen in cloud deployments have only recently received attention. In addition, it’s unclear how well the integration will fit with other cloud-ready or cloud-first technologies such as Microsoft Teams.

Those who currently employ on-premises Exchange servers should review whether they are all on the supported versions of Exchange 2016 CU23 or Exchange 2019.

Get on the easiest path to transition to Exchange SE

The least disruptive path to transition to Exchange SE will be from Exchange 2019 CU15. Users should plan to keep supported versions of Exchange, as the concept behind subscription versions is that only those releases will be supported by the vendor. Those who have fallen behind on patching and maintenance will need to review whether they have the resources going forward to maintain support.

Microsoft already has limits in place to block and protect its Exchange Online servers from interacting with and receiving email from older unsupported platforms. It’s anticipated that this technology will be expanded to ensure that only supported platforms are able to communicate on the internet.

Users need to consider whether they have the resources, expertise, and body of knowledge to continue supporting an on-premises server. Many more organizations are moving to Microsoft 365 as this places the burden of patching, installing, and day-to-day maintenance on Microsoft.

While the CIS Benchmarks will still help guide secure deployment of an on-premises server, they don’t reflect the fact that the number of companies and businesses that use on-premises Microsoft mail servers is shrinking. It’s worth considering whether an organization has the community resources within and the necessary vendor support to stay with an on-premises mail server.

That isn’t to say that if you migrate to a cloud mail server in the form of Microsoft 365 your security issues will immediately cease to exist. Rather, you go from focusing on maintenance and deployment to protecting and securing authentication to your cloud assets. More vendors and consultants are moving towards supporting and knowing the Microsoft 365 platform better than an on-premises solution.

Get ready for the big switch to Exchange SE well before it happens

While the change may be months away, now is the time for users to review their needs and perform a technical and cultural analysis to determine what is best for their organizations.

Some may be in a situation where they can easily move to Entra and full cloud deployment. Others may be mandated to stay with on-premises solutions — if so, the only option may be to plan migration to SE. If you are mandated to keep your data domiciled in your data centers, an on-premises solution is still viable.

However, if your organization is a bit more flexible in its mail server needs, you may want to take this time to reevaluate the solutions that you standardize on. While they do not have quite the same market share as Microsoft Exchange and Microsoft 365, there are other vendors that support mail solutions.

It is often in times like these that we are forced to stop and evaluate our needs and determine if a more drastic migration might be in the long-term interest of our organization.

I would strongly recommend reviewing the benchmark documents for Microsoft 365 for the best practices that will ensure you have a secure deployment should you decide to make the migration to that platform. The Hafnium attacks back in 2021 encouraged many organizations to give up their on-premises infrastructure — the SE mandate may weed out even more.

Original Post url: https://www.csoonline.com/article/3823124/what-security-teams-need-to-know-about-the-coming-demise-of-old-microsoft-servers.html

Category & Tags: Cloud Security, Data and Information Security, Security Practices, Windows Security