Blog Post

Exchange Team Blog
2 MIN READ

How to pause throttling and blocking of out-of-date on-premises Exchange Servers

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Dec 12, 2023
Background In the blog post published March 2023, Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online, we explained that for security reasons, messages se...
Updated Jun 05, 2024
Version 8.0
exchange online
on premises
security
transport
troubleshooting
KevinShaughnessy's avatar
KevinShaughnessy
Icon for Microsoft rankMicrosoft
Apr 22, 2024

Test-RRR We recently updated the FAQ on the following blog post to help clarify Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online - Microsoft Community Hub 

We upgraded our servers to an up-to-date version; why doesn’t the reporting reflect that?
The reporting currently doesn’t show servers that comply with the current update version recommendations. In the EAC, once a persistently vulnerable server is brought up to date, the server will no longer appear in the report. In PowerShell, the Get-OnPremServerReportInfo output only includes all of the past detected persistently vulnerable versions for the server(s). It will not include records for the server versions that are currently not considered persistently vulnerable.

Your case is a bit more nuanced: Initially we only included the latest build as compliant, but based on customer feedback the Exchange server team decided to include some older builds as well. So by the time you upgraded the one server which had initially been identified as non-compliant to the latest build, the other server was now also considered compliant. So now both servers (one on the latest build, and one on an earlier build) are compliant and thus aren't showing up in the report. Sorry for the confusion - moving forward whenever a new build is published our compliant build list will typically include one or more previous builds in addition to the latest build, so you'll be considered compliant insofar as throttling/blocking is concerned for longer. To best protect against threats, though, we still suggest installing the latest build, especially an SU, when it becomes available. 

GIsmail >>since we cannot confirm Exchange online is aware of our current build version we may have to create one in the end.

If you're not seeing any servers in the report then your/their servers aren't subject to throttling/blocking. I hear you though RE positive feedback that the server(s) EXO detects *are* up-to-date so you're not left wondering if the empty report really means all is OK. In my April 15th comment above I mention we're looking into redesigning the report to show ALL connecting servers and rely on the Status field to indicate the server's compliance / non-compliance to help make it more clear/authoritative. If you'd like feel free to DM me the tenantID and I can confirm against internal telemetry.