The problem
Microsoft stops supporting SharePoint Server 2016 on July 14, 2026 28days. Your server keeps running the next day. It just never gets another security patch, and Microsoft won’t open a support ticket on it.
If you’re an Ontario SMB still on SP2016 on-prem and you haven’t started planning, the clock is tight. You’ve got under two months. Decide in the next couple of weeks and most teams can still pull off a clean migration. Leave it past early June and that gets a lot harder.
Source: Microsoft Learn lifecycle
The date is fixed and public. There's no extended-support option to buy for SP2016.
The 5-minute version
If you read nothing else, do this:
- Run the inventory (PowerShell snippet below), sites, owners, sizes.
- Flag your customizations, SPD 2013 workflows, InfoPath forms, full-trust solutions. These cause the delays.
- Pick a destination, SharePoint Online for the large majority of SMBs; Subscription Edition only if you genuinely can’t use cloud.
- Book the work now, an honest timeline from today decommissions you in late summer. A short unsupported gap beats an indefinite one.
The rest of this post explains why.
What end of support changes
“End of support” has a specific meaning in Microsoft’s lifecycle policy. Three things change:
- No security updates. Any CVE found after July 14 stays unpatched. The on-prem Exchange attacks in 2021 and 2023 both hit unsupported or late-patched servers. SharePoint’s attack surface is similar, and often internet-facing.
- No support cases. You can open a ticket. Microsoft will decline to investigate and close it with a lifecycle link.
- No compliance cover. Cyber insurance, SOC 2, any framework that requires “supported software” will flag an unpatched SP2016 server as a finding.
Your four options
There are four real answers. Most teams want Option 1.
01 Option 1: Migrate to SharePoint Online (Microsoft 365)
The default for the large majority of SMBs. You drop the server, stop patching, and get a modern UI, Teams integration, and Copilot readiness. You pay per user per month instead of per CAL plus per server.
Best fit: under 500 users, under 1 TB of content, no heavy customizations.
Reality check: a clean migration is 3–6 weeks. A messy one (full-trust solutions, SharePoint Designer workflows, or InfoPath forms) is 3–6 months.
02 Option 2: Migrate to SharePoint Server Subscription Edition
Microsoft's current on-prem version, which still receives security updates.
Best fit: regulated tenants that genuinely cannot put data in the cloud, specific federal workloads, some healthcare. For most Ontario SMBs this is over-engineering: you're still running Windows Server, SQL, and a monthly patch cadence. One maintenance burden traded for another.
03 Option 3: Migrate to a non-Microsoft platform
Google Workspace, Nextcloud, Box. Rare, but legitimate if the org has already decided to exit the Microsoft stack. Treat it as a 6–12 month project, not a quick swap.
04 Option 4: Do nothing
Don't. The economics are bad, the compliance exposure is worse, and SharePoint servers tend to expose internet-facing extranet sites, a real attack surface to leave unpatched.
For the detailed trade-off between staying on-prem and moving up, see SharePoint on-premises vs SharePoint Online.
The timeline
Working backwards from July 14, 2026:
| Phase | Weeks out | What happens |
|---|---|---|
| Inventory + decision | Now → 4 weeks | Catalogue sites, storage, customizations, users. Pick the destination. |
| Pilot | 4 → 8 weeks | Move 1–2 low-risk sites. Validate permissions, external sharing, search. |
| Production migration | 8 → 14 weeks | Move in waves, most SMBs do 3–5 waves of 5–15 sites. |
| Cutover + decommission | 14 → 18 weeks | Read-only old farm, DNS redirects, training, decommission. |
Start now and a realistic timeline decommissions you in late summer. A short stretch unsupported, then done. Wait until June and the window genuinely closes.
What breaks first
If you stall, here’s the order you’ll feel it:
- Cyber insurance renewal, within 6 months. The 2025–2026 renewal cycle is when “supported Microsoft software” questions grew teeth.
- Compliance audit findings, within 12 months. SOC 2 Type II, ISO 27001, any PHIPA-touching review.
- First unpatched CVE, within 12–24 months. SharePoint Server sees several CVEs a year, regularly including remote code execution. 2024 and 2025 each had multiple RCEs, the worst being the actively exploited “ToolShell” chain.
- Browser compatibility drift, within 18–24 months. SP2016’s older auth and JavaScript stack starts breaking in newer Edge and Chrome.
The migration is rarely the hard part. The hard part is the customization rebuild that nobody wants to do and everybody discovers they have to.
Start this week
Two things you can do in under an hour. First, open PowerShell on the SP2016 server:
Get-SPSite -Limit All |
Select-Object Url, Owner, ContentDatabase,
@{n='SizeMB';e={[math]::Round($_.Usage.Storage/1MB,0)}} |
Export-Csv C:\sp-inventory.csv -NoTypeInformationThat gives you site collections, owners, and sizes. It’s the starting point for every migration decision.
Sample inventory output
Sample data. The CSV is what every later call about waves, sizing, and risk gets built on.
Second, flag your customization risk. Check for SharePoint Designer 2013 workflows, InfoPath forms, and full-trust solutions. Those three cause most of the schedule slippage in SMB migrations. Address them before cutover, not during.
Bottom line
The sooner you start, the more options you have. Run the inventory this week, flag the customizations, and pick a destination. Everything else is scheduling.