When you install the September 2021 CU (or later) on Exchange Server 2016 or Exchange Server 2019, the EM service will be installed automatically on servers with the Mailbox role.
Microsoft Exchange Emergency Mitigation (EM) provides the fastest and easiest way to temporarily mitigate threats to internet-connected on-premises Exchange servers before your IT security team installs the applicable security updates. Remember that an official patch is the only persistent fix; EM mitigations are a stopgap.
As Microsoft says: “The use of the EM service is optional. If you do not want Microsoft to automatically apply mitigations to your Exchange servers, you can disable the feature.”
EM runs as a Windows service that integrates with the cloud-based Office Config Service (OCS). The service checks the OCS hourly for any vulnerabilities that require mitigation on the server.
The EM service can apply the following types of mitigations:
- IIS URL Rewrite rule mitigation: This mitigation is a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server.
- Exchange service mitigation: This mitigation disables a vulnerable service on an Exchange server.
- App Pool mitigation: This mitigation disables a vulnerable app pool on an Exchange server.
Before the EM service can work, the Windows Server hosting Exchange must meet some prerequisites. These include:
- Connectivity to URL officeclient.microsoft.com/* over TCP/443
- IIS URL Rewrite Module.
- Universal C Runtime in Windows (KB2999226).
Disabling automatic application of mitigations through the EM service:
To disable automatic mitigation for your entire organization, run the following command:
Set-OrganizationConfig -MitigationsEnabled $false
To disable automatic mitigation on a specific server, replace <ServerName> with the name of the server, and then run the following command:
Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $false
Viewing Applied Mitigations
Once mitigations are applied to a server, you can view the applied mitigations by replacing <ServerName> with the name of the server, and then running the following command:
Get-ExchangeServer -Identity <ServerName> | Format-List Name,MitigationsApplied
To block a specific mitigation, pass its Mitigation ID in the MitigationsBlocked parameter:
Set-ExchangeServer -Identity <ServerName> -MitigationsBlocked @("M1")
This command blocks the M1 mitigation, which ensures that the EM service will not reapply it in the next hourly cycle.
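The following audit script ties the commands above together: it reports the organization-wide and per-server EM state (enabled flag, applied and blocked mitigation IDs) and then checks the three prerequisites listed earlier on the local server. It is an added example, not code from the original post or from Microsoft; it assumes it is run from the Exchange Management Shell, that the EM Windows service is named MSExchangeMitigation, and that the IIS URL Rewrite module registers the global module name RewriteModule.

```powershell
# Added audit example (not from the original post or Microsoft). Run from the Exchange
# Management Shell on Exchange 2016/2019 with the September 2021 CU or later.
# Assumptions: EM service name is MSExchangeMitigation; URL Rewrite registers as "RewriteModule".

# 1. Organization-wide switch (what Set-OrganizationConfig -MitigationsEnabled $false flips).
$org = Get-OrganizationConfig
"Org-level MitigationsEnabled : $($org.MitigationsEnabled)"

# 2. Per-server state for every Mailbox-role server: enabled flag, applied IDs, blocked IDs.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }
foreach ($s in $servers) {
    $applied = if ($s.MitigationsApplied) { $s.MitigationsApplied -join ', ' } else { '(none)' }
    $blocked = if ($s.MitigationsBlocked) { $s.MitigationsBlocked -join ', ' } else { '(none)' }
    "{0,-20} Enabled={1,-5} Applied={2} Blocked={3}" -f $s.Name, $s.MitigationsEnabled, $applied, $blocked
}

# 3. Prerequisites on the local server.
#    a) EM service installed and running (service name is an assumption, see above)
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
"EM service status            : " + $(if ($svc) { $svc.Status } else { 'NOT INSTALLED' })

#    b) IIS URL Rewrite module registered as a global module
Import-Module WebAdministration -ErrorAction SilentlyContinue
$rewrite = Get-WebGlobalModule -Name 'RewriteModule' -ErrorAction SilentlyContinue
"URL Rewrite module           : " + $(if ($rewrite) { 'present' } else { 'MISSING' })

#    c) Universal C Runtime (KB2999226); presence of ucrtbase.dll is used as an approximate check
$ucrt = Test-Path (Join-Path $env:SystemRoot 'System32\ucrtbase.dll')
"Universal C Runtime          : " + $(if ($ucrt) { 'present' } else { 'MISSING' })

#    d) Outbound TCP/443 to the Office Config Service endpoint the EM service polls hourly
$net = Test-NetConnection -ComputerName 'officeclient.microsoft.com' -Port 443 -WarningAction SilentlyContinue
"OCS reachable on TCP/443     : $($net.TcpTestSucceeded)"
```

A server that shows Enabled=True but whose service is stopped or cannot reach the OCS will silently never receive mitigations, so the prerequisite section is the part worth scheduling.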
SHMUEL H.