Forum Discussion
OWA inline CID images still not displayed – EEMS mitigation side effect persists?
- Jun 24, 2026
[SOLVED] – Solution found, sharing for the community
After further investigation and help from the community, we were able to resolve the issue. Here is the complete solution for anyone facing the same problem:
Root cause confirmed: The EEMS mitigation M2.1.0 remained active even after installing the June 2026 SU (KB5094139). The URL Rewrite rule (script-src-attr 'none') was still present in the OWA web.config and continued to block inline CID image rendering.
Solution (after installing KB5094139):
Step 1: Block M2.1.0 from being re-applied by EEMS:
Set-ExchangeServer -Identity <YourServerName> -MitigationsBlocked @("M2.1.0")
Step 2: Create a backup of the web.config, then remove the M2.1 rule manually:
Copy-Item "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config" `
"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config.bak_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
PowerShell:
$webConfigPath = "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config"
[xml]$webConfig = Get-Content $webConfigPath -Encoding UTF8
# Find the rewrite node
$rewriteNode = $webConfig.configuration.'system.webServer'.rewrite
# Remove all M2.1 rules from outboundRules
$outboundRules = $rewriteNode.outboundRules
$rulesToRemove = $outboundRules.rule | Where-Object { $_.name -like "*M2.1*" }
foreach ($rule in $rulesToRemove) {
    $outboundRules.RemoveChild($rule) | Out-Null
    Write-Host "Regel entfernt: $($rule.name)" -ForegroundColor Green
}
# Remove all M2.1 preConditions (<preCondition> children of <preConditions>)
$preConditionsToRemove = $outboundRules.preConditions.preCondition | Where-Object { $_.name -like "*M2.1*" }
foreach ($pre in $preConditionsToRemove) {
    # Remove from the actual parent (<preConditions>), not from <outboundRules>
    $pre.ParentNode.RemoveChild($pre) | Out-Null
    Write-Host "PreCondition entfernt: $($pre.name)" -ForegroundColor Green
}
# Write the modified file back
$webConfig.Save($webConfigPath)
Write-Host "web.config gespeichert." -ForegroundColor Cyan
Step 3: Verify the rule is gone:
Select-String -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config" `
-Pattern "M2.1|rewrite" -CaseSensitive:$false
Expected: No M2.1 rule entry remaining ✅
Step 4: An IIS reset is not strictly required, but can be done to be safe:
iisreset /noforce
Result: Inline CID images are displayed correctly in OWA again. ✅
Important notes:
- Only do this after installing KB5094139 – the SU fixes CVE-2026-42897 at the code level
- Microsoft explicitly allows removing M2.1 after the SU is installed (see techcommunity.microsoft.com)
- The remaining <preCondition> entry in web.config is harmless without its associated rule
- To revert: Set-ExchangeServer -MitigationsBlocked @() + restart MSExchangeMitigation service
Hope this helps other admins! 🙌
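An added example, not part of the original posts or of Microsoft's guidance: a read-only check that parses web.config as XML and lists any M2.1 outbound rule or preCondition still present, marking a preCondition as orphaned when no remaining rule references it. The function name `Get-M21Residue` and the sample XML are constructed for illustration; the preCondition name is the one quoted later in this thread.

```powershell
# Added example: read-only audit, nothing is written to disk.
function Get-M21Residue {
    param([Parameter(Mandatory)][xml]$WebConfig)

    $base  = '/configuration/system.webServer/rewrite/outboundRules'
    $rules = @($WebConfig.SelectNodes("$base/rule"))
    $pres  = @($WebConfig.SelectNodes("$base/preConditions/preCondition"))

    # Literal substring match: unlike the regex "M2.1", "." is not a wildcard here.
    foreach ($r in $rules | Where-Object { $_.GetAttribute('name').Contains('M2.1') }) {
        [pscustomobject]@{ Kind = 'rule'; Name = $r.GetAttribute('name'); Orphaned = $false }
    }
    foreach ($p in $pres | Where-Object { $_.GetAttribute('name').Contains('M2.1') }) {
        $n = $p.GetAttribute('name')
        # A preCondition is orphaned when no remaining rule references it.
        $used = $rules | Where-Object { $_.GetAttribute('preCondition') -eq $n }
        [pscustomobject]@{ Kind = 'preCondition'; Name = $n; Orphaned = -not $used }
    }
}

# Constructed sample (not a real server's web.config): the M2.1 rule has been
# removed, but its preCondition was left behind next to an unrelated rule.
$sample = @'
<configuration><system.webServer><rewrite><outboundRules>
  <rule name="Unrelated outbound rule" preCondition="IsHtml">
    <match serverVariable="RESPONSE_X_Example" pattern=".*" />
    <action type="Rewrite" value="1" />
  </rule>
  <preConditions>
    <preCondition name="IsHtml">
      <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
    </preCondition>
    <preCondition name="EEMS M2.1 OWA SPA HTML shell - precondition">
      <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
    </preCondition>
  </preConditions>
</outboundRules></rewrite></system.webServer></configuration>
'@

Get-M21Residue -WebConfig $sample | Format-Table -AutoSize
```

On a server, pass `(Get-Content "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config" -Raw)` instead of `$sample`, and compare with `Get-ExchangeServer | Format-List Name,MitigationsApplied,MitigationsBlocked` to confirm the block from Step 1 is in place.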
BjoernS Installing the SU does not remove the mitigation. In fact, Microsoft recommends leaving the mitigation in place after installing the SU for increased protection. They understand that some customers might prefer to have the broken functionality restored, and if that's your case, you can remove the mitigation from the server manually and then block it from being re-applied. See Released: June 2026 Exchange Server Security Updates | Microsoft Community Hub for steps to do this. Hope this helps.
- Jun 27, 2026
Simple and easy way to remove the mitigation after installing the latest Security Update (SU):
M2
Run the following commands to back up the affected web.config file and remove the M2 URL Rewrite outbound rule and its precondition:
Copy-Item -Path "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config" -Destination "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config.$((Get-Date).ToString('yyyyMMdd-HHmmss')).bak"
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules" -Name "." -AtElement @{name="EEMS M2.1 OWA CSP - outbound"}
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules/preConditions" -Name "." -AtElement @{name="EEMS M2.1 OWA SPA HTML shell - precondition"}
https://learn.microsoft.com/en-gb/Exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service#rollback-procedures-for-released-mitigations
- Jun 30, 2026
Not so simple, Zohaib_Yousuf. Removing the mitigation is not enough. You also need to block it, as I mentioned in my reply, or it will be re-added at the next interval. Also, I would just remove the rewrite rule using IIS Manager. It is so much easier than using PS.