Persistently vulnerable Exchange Servers: prepare for email throttling & blocking

Transport-based enforcement system blocks emails from persistently vulnerable Exchange servers

Microsoft has started to throttle and eventually block email sent to Exchange Online from unsupported or unpatched on-premises Exchange Server versions. The transport-based enforcement system in Exchange Online first reports mail coming from vulnerable Exchange Servers, then introduces delivery delays that grow over time, and finally blocks the mail flow altogether, to push admins into patching or upgrading their on-prem environments.

See if this feature affects you and what you can do to keep your mail flow running.

Who is affected by the Exchange throttling policy?

Throttling and blocking of mail flow is now enabled for all “persistently vulnerable Exchange Servers”, which in practice means nearly every version of Exchange Server other than Exchange Server Subscription Edition (SE).

If your organization is still running Exchange 2016 or 2019 and can’t move to Exchange SE just yet, you can keep your mail flow running for now by installing the last publicly available updates, released in October 2025; you do not need to enroll in the Exchange Extended Security Update (ESU) Period 2 program for this. The October 2025 updates will eventually be classified as vulnerable too, so the switch to Exchange SE is inevitable.

How to check if my tenant is affected?

The Exchange admin center (EAC) has a report dedicated to this scenario. Go to Exchange admin center > Reports > Mail flow > Connecting on-premises Exchange servers.

You can also connect to your Exchange Online organization using Connect-ExchangeOnline and then run Get-OnPremServerReportInfo.

If you get the following message, there’s nothing you need to do at the moment.

[Screenshot: output of the PowerShell cmdlet Get-OnPremServerReportInfo]

Email throttling & blocking timeline

There are two timelines that apply to Exchange Server’s mail flow throttling and blocking:

  • The transport enforcement system’s stages. They gradually increase throttling and blocking if your server has been classified as persistently vulnerable.
  • Feature rollout. Since email throttling and blocking can potentially affect (and harm) multiple organizations, Microsoft started with the oldest on-premises environments that supported hybrid and gradually added newer (less vulnerable) servers. As I mentioned before, we’re at the point where the transport enforcement system has been rolled out for all Exchange Server versions other than Exchange SE.

Transport enforcement system stages

There are 8 stages in total. Stage 1 begins as soon as the system detects a non-compliant server. If the vulnerability is not resolved, the system will progress to the next stage after a specified period of time.

The first stage lasts 30 days and each subsequent stage lasts 10 days, so a server reaches the final stage (full blocking) 90 days after it was first detected.

  1. For the first 30 days, the non-compliant server(s) appear in the new mail flow report. There is no throttling or blocking yet; this is a warning phase that gives you time to upgrade or patch the server.
  2. Mail flow throttling begins. For 5 minutes every hour, Exchange Online rejects messages from the server with a transient SMTP 450 response. The sending server queues and retries them, so email is delayed rather than lost.
  3. Throttling increases to 10 minutes per hour.
  4. Throttling increases to 20 minutes per hour.
  5. Throttling caps at 30 minutes per hour, and email blocking begins. From this point on, for 5 minutes every hour, Exchange Online rejects messages with a permanent SMTP 550 response. Those messages are not retried and never reach the final recipients; the senders have to send them again.
  6. The blocking period increases to 10 minutes per hour.
  7. The blocking period increases to 20 minutes per hour.
  8. The final stage, reached after 90 days of non-compliance: all email from the vulnerable server(s) is blocked.
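The stage table above is easier to act on as a date calculation: given the day a server first showed up in the report, which stage is it in today, how many minutes per hour are currently rejected, and when does the next stage (and full blocking) begin? The function below is an added example and not code from the original article; the stage lengths and minutes-per-hour figures are the ones listed above, while the function and property names are my own.

```powershell
# Added example, not code from the original article: project which transport
# enforcement stage a server is in from the date it first appeared in the
# "Connecting on-premises Exchange servers" report. The stage lengths and the
# minutes-per-hour figures are the ones the article lists; the function and
# property names are my own.
function Get-EnforcementStage {
    param(
        # Date the server first showed up as non-compliant in the mail flow report
        [Parameter(Mandatory)][datetime]$FirstReported,
        # Date to evaluate (defaults to today)
        [datetime]$AsOf = (Get-Date)
    )

    # Per stage: minutes per hour of transient SMTP 450 rejects (Throttle),
    # minutes per hour of permanent SMTP 550 rejects (Block), and stage length.
    # Stage 8 blocks everything, so Throttle is irrelevant and Days is open-ended.
    $schedule = @(
        @{ Stage = 1; Throttle = 0;  Block = 0;  Days = 30 },
        @{ Stage = 2; Throttle = 5;  Block = 0;  Days = 10 },
        @{ Stage = 3; Throttle = 10; Block = 0;  Days = 10 },
        @{ Stage = 4; Throttle = 20; Block = 0;  Days = 10 },
        @{ Stage = 5; Throttle = 30; Block = 5;  Days = 10 },
        @{ Stage = 6; Throttle = 30; Block = 10; Days = 10 },
        @{ Stage = 7; Throttle = 30; Block = 20; Days = 10 },
        @{ Stage = 8; Throttle = 0;  Block = 60; Days = $null }
    )

    $elapsed = [int][math]::Floor(($AsOf.Date - $FirstReported.Date).TotalDays)
    if ($elapsed -lt 0) { throw "AsOf ($AsOf) is earlier than FirstReported ($FirstReported)." }

    $stageStart = 0   # day offset at which the stage being examined begins
    foreach ($s in $schedule) {
        $isLast = $null -eq $s.Days
        if ($isLast -or $elapsed -lt ($stageStart + $s.Days)) {
            $next = if ($isLast) { $null } else { $FirstReported.Date.AddDays($stageStart + $s.Days) }
            return [pscustomobject]@{
                Stage            = $s.Stage
                ThrottleMinPerHr = $s.Throttle
                BlockMinPerHr    = $s.Block
                DaysNonCompliant = $elapsed
                NextStageStarts  = $next
                FullBlockStarts  = $FirstReported.Date.AddDays(90)
            }
        }
        $stageStart += $s.Days
    }
}

# Usage: a server first reported on 21 March 2024, evaluated on 15 May 2024
Get-EnforcementStage -FirstReported ([datetime]'2024-03-21') -AsOf ([datetime]'2024-05-15')
```

Feed it the date from the EAC report and you get the day on which 550 rejects start (stage 5) and the day full blocking starts, which is the deadline your patch or migration plan has to beat, or the date by which you need to request an enforcement pause.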

Rollout stages

The transport enforcement system has been introduced gradually. The start date marks the first instance when a specific Exchange distribution (version) was scanned for vulnerabilities, allowing Stage 1 enforcement to begin.

Here’s how the rollout was staged:

  1. August 9, 2023 – Exchange 2007
  2. September 23, 2023 – Exchange 2010
  3. December 22, 2023 – Exchange 2013
  4. March 21, 2024 – Exchange 2016 and 2019

Ways to stay compliant

To prevent mail flow throttling and blocking in your on-prem environment, your best option is to migrate to Exchange Server Subscription Edition (SE). You can do it hassle-free by using CodeTwo Exchange Migration – a highly secure server application allowing you to migrate from Exchange 2013, 2016, or 2019 with no double hops, scripting, or manual PST exports.

As mentioned above, installing the October 2025 updates on Exchange 2016 and 2019 postpones enforcement of throttling and blocking for those versions.

Additionally, as a short-term measure, you can request an enforcement pause directly from the EAC mail flow report. Enforcement can be paused for up to 90 days per calendar year; the option becomes available once the system has moved your servers beyond the first (report-only) stage, and it temporarily stops both throttling and blocking. The 90-day allowance resets on the first day of the year.

How to pause throttling and blocking by transport enforcement system

There are two ways to pause throttling and blocking for the affected Exchange servers. Using either of them, you can make sure that all your email reaches Exchange Online even while your connected on-premises servers are behind on updates.

In the Exchange admin center

Go to Exchange admin center > Reports > Mail flow > Connecting on-premises Exchange servers > Enforcement Pause. You will see this option only if you have servers that were identified by the transport enforcement system as persistently vulnerable.

Using PowerShell

  1. First, connect to your Exchange Online organization using Connect-ExchangeOnline.
  2. Then, use the cmdlet below to check whether there is an active enforcement pause:
    Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer
    Side note: The documentation on this cmdlet is limited at the moment. There are two additional blocking scenarios you can check with it; to get results for them, set the -BlockingScenario parameter to TenantRelayMessageRate or TenantOnPremRate.
  3. Next, run the following cmdlet to create a pause (effective immediately) or to extend a pause that is already in place, with a value of up to 90 days:
    New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays <1-90>
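The following script ties the check from “How to check if my tenant is affected?” and the three pause steps above into one function that can be dry-run before it changes anything. It is an added example, not code from the original article: the cmdlets and the -BlockingScenario and -NumberOfDays parameters are the ones the article names, while the function name, the -Days validation and the ShouldProcess/-WhatIf wrapper are my own, and Get-ConnectionInformation assumes the ExchangeOnlineManagement 3.x module.

```powershell
# Added example, not code from the original article: show what Exchange Online
# reports about your on-premises servers, show any active enforcement pause, and
# request (or extend) a pause only after an explicit confirmation.
# Requires the ExchangeOnlineManagement module (3.x, for Get-ConnectionInformation).
function Request-UnpatchedServerPause {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Pause length; Microsoft allows at most 90 pause days per calendar year
        [ValidateRange(1, 90)][int]$Days = 30
    )

    Import-Module ExchangeOnlineManagement -ErrorAction Stop
    if (-not (Get-ConnectionInformation)) {
        Connect-ExchangeOnline -ShowBanner:$false
    }

    # 1. Which connected on-prem servers does the enforcement system see?
    Write-Verbose 'On-premises server report:'
    Get-OnPremServerReportInfo | Format-List | Out-String | Write-Verbose

    # 2. Is a pause already active for the unpatched-server scenario?
    Write-Verbose 'Current exemption state:'
    Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer | Format-List | Out-String | Write-Verbose

    # 3. Request or extend the pause. There is no cmdlet to cancel it afterwards,
    #    so request only the days you actually need.
    $action = "Pause transport enforcement (UnpatchedOnPremServer) for $Days days; this cannot be undone"
    if ($PSCmdlet.ShouldProcess('Exchange Online tenant', $action)) {
        New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays $Days
    }

    # Return the state after the change so the caller can verify it
    Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer
}

# Dry run first (prints what would happen, changes nothing), then the real request
Request-UnpatchedServerPause -Days 30 -Verbose -WhatIf
Request-UnpatchedServerPause -Days 30 -Verbose
```

Because ConfirmImpact is High, the real run prompts before calling New-TenantExemptionInfo; pass -Confirm:$false only from a change-controlled script, since the pause consumes part of the yearly 90-day allowance and cannot be withdrawn.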

Interestingly, there is currently no cmdlet to cancel an enforcement pause once you have created it, even after you have updated the affected servers, so request only as many days as you actually need.

How do I migrate?

Migration under time pressure poses a lot of risks. Quite ironic, since in this scenario, migration is forced by a feature that should counter risks.

To migrate with confidence, use a dedicated migration tool. This way, you can benefit from:

  • 24/7 technical assistance from people who handle complex migration projects on a daily basis.
  • Streamlined and simplified migration process (no scripting or complex planning).
  • Advanced reporting.
  • Unlimited delta migrations to make sure each mailbox item is migrated.


Comments

  1. Jake Clayton says:

    Running Exchange 2013 on Server 2012 R2 – and when connected to Exchange Online via PowerShell 5.1 with my own creds, trying to run this command:

    Get-OnPremServerReportInfo but getting “is not recognized as the name of a cmdlet”

    Is it my creds? Something else?

    • Adam the 32-bit Aardvark says:

      My bet is that you either have insufficient permissions (although the role required to run this cmdlet is pretty basic: View-Only Recipients) or you are using an outdated Exchange Online PowerShell module. Are other cmdlets working for you? You can try updating the PowerShell module by using the following cmdlet (remember to run PowerShell console with admin permissions):
      Update-Module -Name ExchangeOnlineManagement
      Once updated, reconnect and check if any other Exchange Online cmdlets are working when using your credentials. If the issue persists, you can try updating to PowerShell 7 (or install it on another machine and try there).

  2. James Clinton says:

    Unfortunately, I have just tried the command
    New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays 90
    in PowerShell (after successfully checking that the date throttling starts is this Sunday); unfortunately it’s sat with a blinking cursor for the past 15 minutes.
    Even checking
    Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer
    just sits there.
    Anyone else enabled this delay successfully?

  3. Peter Webster says:

    We have several Exchange 2010 servers due to legacy systems and are now being throttled for email from Exch to O365. Is there no way around this, except for upgrading then?

    • Adam the 32-bit Aardvark says:

      Unfortunately, the only real way to move forward is to upgrade to a supported Exchange version or to a cloud only environment. That’s why Microsoft announced the transport-based enforcement system earlier and is implementing it gradually. If the legacy systems you mention are based on Exchange 2010, this may be a sign that they also require upgrading.
