Microsoft Releases New ESU Updates for Exchange Server 2016 and 2019
Microsoft has released July 2026 security updates for Exchange Server Subscription Edition, Exchange Server 2016, and Exchange Server 2019.
The updates include a permanent fix for the Critical CVE-2026-42897 vulnerability. Exchange Server 2016 and 2019 organizations need Period 2 Extended Security Updates coverage to receive the protected releases.
Exchange Server Extended Security Updates Enter Period 2
Microsoft introduced a second Extended Security Updates period for Exchange Server 2016 and Exchange Server 2019 after standard support ended.
Period 2 coverage is available only to commercial customers who purchase the additional support. Microsoft previously said it would release updates during this period only when relevant security vulnerabilities required fixes.
The Exchange Server 2016 and 2019 updates are not publicly available. Microsoft distributes them privately to eligible commercial customers with valid Period 2 ESU agreements.
Exchange Server Subscription Edition customers can receive the applicable update through the standard supported distribution channels.
July 2026 Updates Fix CVE-2026-42897
The July 2026 Exchange Server updates contain a permanent fix for CVE-2026-42897, which Microsoft classifies as Critical.
Microsoft previously published temporary mitigations for the vulnerability because a complete security update was not available at the time.
Administrators who install the July updates should roll back those temporary mitigations. Organizations that cannot install the updates must continue using the previous mitigations and remain affected by their known limitations.
The updates are cumulative, meaning they also include fixes and improvements released in earlier Exchange Server updates.
Microsoft Recommends Updating On-Premises Servers
Microsoft recommends installing the July 2026 updates on all supported on-premises Exchange Server deployments.
The recommendation also applies to Exchange servers used as part of hybrid Microsoft 365 environments. Exchange Online customers do not need to install the updates because Microsoft manages the cloud service directly.
Administrators should test the update in a controlled environment before deploying it across production systems. This can help identify compatibility, configuration, or operational problems before they affect users.
Known Issues Affect the Latest Updates
Microsoft has acknowledged at least one known issue with the July 2026 Exchange Server security updates.
Organizations should review the documented issue and evaluate its potential impact before starting a large deployment. Administrators should also confirm that recovery procedures and recent backups are available.
Exchange Server 2016 and 2019 customers without Period 2 ESU coverage cannot obtain the new protected updates through a public download page or standard update channel.
In other news, Microsoft released Windows 10 KB5099539 and Windows 11 KB5101650 and KB5099414 as part of July 2026 Patch Tuesday. The broader release addressed more than 570 security flaws across Microsoft products.
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
User forum
0 messages