Exchange Emergency Mitigation Service – Findings

You are hopefully familiar with the new Exchange Emergency Mitigation Service (EEMS) for Exchange Server 2016 and 2019. It is a new service that lets Microsoft apply automated emergency configuration to your Exchange servers if a security risk has been identified. Such an emergency mitigation is a technical workaround until a proper security patch is available.

The service responsible for fetching the current list of published mitigations is MSExchangeMitigation.

Exchange organisations that follow the official guidance for deploying Exchange Server won’t see any specific issues with EEMS. It simply works.

But Exchange Server runs in many different infrastructures, and in some of them you might end up with a non-working EEMS.


EventID 1008 – MSExchangeMitigation service does not start

You see the following event log error:

Exception encountered while fetching mitigations : System.AggregateException: One or more errors occurred. 
---> System.Net.Http.HttpRequestException: An error occurred while sending the request. 
---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. 
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

In addition, you see the following in the diagnostic logs of the Exchange Server:

S:LogLevel=Information;S:Message=Started MSExchangeMitigation
S_LogLevel=Information;S:Message=Fetching mitigations from;S:Message=Using Proxy http://[IPADDRESS]/ To Fetch Configurations
S_LogLevel=Information;S:Message=No diagnostic data sent. DataCollectionEnabled is false
S_LogLevel=Warning;S:Message=TLS certificate or its chain validation failed
S_LogLevel=Error;S:Message=Exception encountered while fetching mitigations :   One or more errors occurred.;S:Source=Microsoft.Exchange.Mitigation.Service.Mitigations.MitigationEngine

File location: V15\Logging\MitigationService

But which validation procedure is failing? The answer is simple: the certificate revocation check for the certificate chain failed. EEMS could not connect to the CRL endpoints of each certificate in the certificate chain. CRL endpoints are accessible by HTTP and not HTTPS for performance reasons, and outbound HTTP is often blocked for Exchange servers.

The Exchange Server must be able to validate the certificate chain successfully and establish a TLS connection to Indeed, you can disable the CRL check for the server. But this is something I do not recommend. An X509 certificate signs the XML file containing the mitigation configuration, and your servers should be able to validate and check the CRL.


Ensure your Exchange servers can communicate with the Internet to validate the certificate chain.
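
One way to see which certificate in the chain fails the revocation check and whether its CRL endpoints answer over HTTP from the server. This is an added example, not part of the original post; $HostName is a placeholder for the host of the mitigation endpoint, and the script assumes a direct outbound connection on port 443.

```powershell
# Added example, not from the original post.
# $HostName is a placeholder: pass the host name of the mitigation endpoint.
param(
    [Parameter(Mandatory)][string]$HostName,
    [int]$Port = 443
)

# Read the server's leaf certificate. The callback accepts any certificate
# because this connection is used only to inspect it; no data is sent.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally { $tcp.Dispose() }

# Rebuild the chain locally with online revocation checking switched on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$valid = $chain.Build($leaf)

foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }

    # CRL Distribution Points extension (OID 2.5.29.31). Windows renders the
    # entries as "URL=..." text; only HTTP(S) URLs are tested here.
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) {
        $urls = @([regex]::Matches($cdp.Format($true), 'URL=(http[^\s,]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }
    if ($urls.Count -eq 0) { $urls = @('(no HTTP CRL endpoint)') }

    foreach ($u in $urls) {
        $fetch = 'n/a'
        if ($u -like 'http*') {
            try   { $fetch = "HTTP $((Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15).StatusCode)" }
            catch { $fetch = "FAILED: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ Subject = $cert.Subject; ChainStatus = $status; CrlUrl = $u; Fetch = $fetch }
    }
}
"Chain valid with online revocation check: $valid"
```

Run it in Windows PowerShell on the Exchange server itself. The proxy settings your session uses may differ from those of the service account, so a successful fetch here does not rule out a proxy problem for the service.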


Enjoy Exchange Server.
