Skip to content
feed: live
>_ 0dayNews
microsoft
Analysis

Microsoft to retire OWA Light in Exchange Server

Microsoft is disabling OWA Light in an August 2026 Exchange Server update, ending a legacy client shipped when IE6 was current. Admins can disable it today.

kilobaud Dave "Kilobaud" Ferris · Published · 2 min read

Microsoft’s Exchange Team announced on Wednesday that OWA Light — the lightweight compatibility client that has shipped with Exchange Server since the OWA name still meant “Outlook Web Access” — will be disabled in an Exchange Server update planned for August 2026. The feature was deprecated on August 19, 2024; the retirement update turns that deprecation into a removal. Microsoft’s three stated reasons, quoted from the blog post, are reducing legacy surface area, simplifying engineering work, and continuing to improve the modern experience. BleepingComputer’s writeup has the operator-facing walkthrough.

OWA Light existed because at some point in the mid-2000s, “the web” still meant Internet Explorer 6 on a machine that could not run script fast enough to justify the full-fidelity webmail client. The lightweight version was a compatibility shim for that world, and it kept being there long after that world stopped. Microsoft’s own phrasing in the announcement acknowledges as much: “OWA Light was an important compatibility experience when the web needed it. Today, the full Outlook on the web experience is the right place for us to focus.”

Analysis: which of the three reasons Microsoft listed first

Analysis, not incident reporting. The announcement does not call out a specific CVE, a specific breach, or a specific piece of active exploitation tied to OWA Light. That is not the same as saying the code was safe — it is the same as saying that a specific-incident story is not what Microsoft chose to frame this decision around. What follows is an analytical read of Microsoft’s own ordering, not a claim about undisclosed vulnerabilities.

The three reasons appear in the blog post in this order:

  1. Reducing legacy surface area.
  2. Simplifying engineering work.
  3. Continuing to improve the modern experience.

Placing “reducing legacy surface area” first, on a security-relevant deprecation, is a category of framing that vendors typically reserve for cleanup-motivated retirements rather than feature-motivated ones. The Exchange on-prem product has spent the last five years in a slow, expensive cleanup of accumulated attack surface after ProxyLogon and ProxyShell reset the risk calculus on the platform. A client that shipped by default in every install, that most admins never think about, and that most users have never opened, is the version of that cleanup that generates the least support-ticket noise. Reading the ordering as a signal about which reason mattered most to the team making the call is analytical inference, not fact from Microsoft; the company has not said so.

What admins can do now, without waiting for August 2026

Microsoft published two PowerShell commands that disable OWA Light immediately, without waiting for the retirement update to arrive:

Set-OwaMailboxPolicy -OwaLightEnabled $false
Set-OwaVirtualDirectory -LogonPageLightSelectionEnabled $false

The first turns off the light client for a mailbox policy. The second removes the “use the lightweight version” option from the OWA sign-in page. Together they approximate the state the August 2026 update will make permanent, minus whatever engineering cleanup ships with it.

For shops still running Exchange on-prem, the operational question is whether anyone in the organization can name which mailbox policies have OwaLightEnabled set to $true right now, and why. If nobody can, that is itself the argument for turning it off ahead of the update rather than after.

Sources

Found this useful? Share it.