I was doing some checks the other day and noticed that lots of messages were sitting in the queues as "Active" but were not being sent. This was a little peculiar, so I thought it was a good idea to dig a little bit deeper. The messages that were not being sent had an email status code, which was very clear:
4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for n mins/hr.
5.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online blocked for n mins/hr.
For security reasons, messages sent from out-of-date on-premises Exchange servers over an inbound connector of type OnPremises would soon be subject to throttling and blocking. If your out-of-date on-premises connecting servers are getting throttled or blocked.
Check violation report for throttling
If you want a report of which Exchange servers are affected, you can run this command in PowerShell with a session connected to Exchange Online:
Get-OnPremServerReportInfo
This will report all the servers that are not patched to the correct level and give the recommended versions. Here you can see I have one Exchange 2016 server that is not on the right version or patch level.
ServerFQDN : Exch1.bear.local
Build : 15.1.2507.16
ExchangeServer : ExchangeServer2016
FirstDetectedDate : 28/03/2024 00:15:08
RecommendedBuildVersions : 15.1.2507.39,15.1.2507.37,15.1.2507.36,15.1.2507.35,15.1.2507.34,15.1.2507.32,15.1.2507.31,15.01.2507.039,15.01.2507.037,15.01.2507.036,15.01.2507.035,15.01.2507.034,15.01.2507.032,15.01.2507.031
ThrottleEnabledDate : 27/04/2024 00:15:08
BlockingEnabledDate : 27/05/2024 00:15:08
NextStageThrottleRate : 20
NextStageBlockRate : 0
NextStageStartDate : 23/05/2024 00:15:08
If you prefer the graphical report you can use the link here. For a demo, this is an example showing a patched server and an unpatched server.
Check your Exemptions
If you are not up to date on your patching, you need to check the status of the "throttle". This can be done with this command:
Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer
That will return the current status of your EXO "non patched" throttling as below:
TenantId : <tenant-id>
BlockingScenario : UnpatchedOnPremServer
StartTime : 09/05/2024 13:08:38
EndTime : 19/05/2024 13:08:38
Details :
Add a Tenant Exemption
If you are being throttled then you can ask for an extension with the command below. The extension applies to future messages, and the currently blocked messages will clear themselves on the next transport sending cycle. This command extends the "throttle" for 10 days:
New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays 10
Rules about extensions
These are the rules about applying in PowerShell for an extension:
Check the version of Exchange - wait, what?
Get-ExchangeServer | fl Name, Edition, AdminDisplayVersion
Edition : Enterprise
AdminDisplayVersion : Version 15.1 (Build 2507.6)
Edition : Enterprise
AdminDisplayVersion : Version 15.1 (Build 2507.6)
Edition : Enterprise
AdminDisplayVersion : Version 15.1 (Build 2507.6)
Edition : Enterprise
AdminDisplayVersion : Version 15.1 (Build 2507.6)
That is a good place to start, but there is a problem with that approach. The version number proves it is Exchange 2016 and the build number proves it is CU23, so if you reference this website for all the Exchange version information:
https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
That will tell you that the build version should be updated when the update is indeed installed. However, we see the build version of 15.1.2507.6 from earlier (red box), and that version is not correct as we are on a later one (green box). Does this mean that this command is saying Exchange has not been patched since April 2022?
This will then return the correct data, based on the installed version of Exchange. I called this Version.ps1, so I ran this:
./Version.ps1
To get the correct report:
15.01.2507.039 15.01.2507.039 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
15.01.2507.016 15.01.2507.016 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
15.01.2507.035 15.01.2507.035 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
15.01.2507.039 15.01.2507.039 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
This then tells me that we have 1 x non-compliant server and one server that is compliant but is not patched to the level of the other servers. At the time of this post we are looking for v15.01.2507.39, so we need to get the Exchange 2016 April 24 HU update, which for this post is this link:
https://support.microsoft.com/en-gb/topic/hotfix-update-for-exchange-server-2019-and-2016-april-23-2024-kb5037224-35eddea8-4828-4e38-b462-db89ea1100c9
Which will in turn take you to this link:
https://www.microsoft.com/download/details.aspx?familyID=db6d864f-8ac9-44f0-bb05-45e1ef6fced4
Now you can get your Exchange server compliant and prevent delayed or blocked messages. Once updated, when you run "Version.ps1" it should look like this:
15.01.2507.039 15.01.2507.039 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
15.01.2507.039 15.01.2507.039 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
15.01.2507.039 15.01.2507.039 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
15.01.2507.039 15.01.2507.039 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup
Excellent, all patched for the moment. However, this is a lesson about keeping on top of not just Windows updates, but all Microsoft updates.
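The check done by eye above, comparing each server's ExSetup build against the RecommendedBuildVersions list, can be scripted. This is an added example, not the author's Version.ps1: the function names and the sample server names are made up for illustration, and the live collection assumes the on-premises Exchange Management Shell with PowerShell remoting to each server.

```powershell
# Added example (not the author's Version.ps1).
# Recommended builds: copied from the RecommendedBuildVersions field shown earlier on this page.
$Recommended = '15.1.2507.39,15.1.2507.37,15.1.2507.36,15.1.2507.35,15.1.2507.34,15.1.2507.32,15.1.2507.31,15.01.2507.039,15.01.2507.037,15.01.2507.036,15.01.2507.035,15.01.2507.034,15.01.2507.032,15.01.2507.031' -split ','

function Test-ExchangeBuild {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$InstalledBuild,
        [Parameter(Mandatory)][string[]]$RecommendedBuilds
    )
    # [version] parses each field as an integer, so 15.01.2507.039 equals 15.1.2507.39.
    $installed = [version]$InstalledBuild
    $allowed   = @($RecommendedBuilds | ForEach-Object { [version]($_.Trim()) } | Sort-Object -Unique)
    [pscustomobject]@{
        Server       = $Server
        Installed    = $installed
        Compliant    = $allowed -contains $installed   # build is on the recommended list
        NewestListed = $installed -eq $allowed[-1]     # build equals the highest listed one
    }
}

function Get-InstalledExchangeBuild {   # hypothetical helper name
    # Reads the ExSetup.exe product version on each server instead of relying on
    # AdminDisplayVersion, which in this post still showed the CU build.
    Get-ExchangeServer | Sort-Object Name | ForEach-Object {
        $name  = $_.Name
        $build = Invoke-Command -ComputerName $name -ScriptBlock {
            (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
        }
        [pscustomobject]@{ Server = $name; Build = $build }
    }
}

# Offline sample: server names are constructed, builds are the four values
# from the first Version.ps1 output on this page.
$sample = @(
    [pscustomobject]@{ Server = 'EXCH-A'; Build = '15.01.2507.039' }
    [pscustomobject]@{ Server = 'EXCH-B'; Build = '15.01.2507.016' }
    [pscustomobject]@{ Server = 'EXCH-C'; Build = '15.01.2507.035' }
    [pscustomobject]@{ Server = 'EXCH-D'; Build = '15.01.2507.039' }
)

# To check live servers, replace $sample with (Get-InstalledExchangeBuild).
$sample | ForEach-Object {
    Test-ExchangeBuild -Server $_.Server -InstalledBuild $_.Build -RecommendedBuilds $Recommended
} | Format-Table -AutoSize
```

The Compliant column separates the server that will be throttled from the rest, and NewestListed picks out the server that is compliant but behind its peers.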