...let us turn it off and wait to see what happens...
That sounds very -er- scientific.
Some Exchange Online users who have the RPS feature turned off by Microsoft can now have it re-enabled – at least until September when the tool is retired. Microsoft is moving all of its Exchange Online tenants from the legacy – and increasingly insecure – Remote PowerShell Protocol to the PowerShell v3 module. The first step …
Not much of a choice. We have to do it the same way: warn, deadline, communicate and so on, but there are always those lazy users who ignore everything from IT.
U: "Hey, it does not work"
IT: "Yeah, it is called maintenance"
U: "Need it now"
> Such Exchange servers are not trusted within Microsoft's zero-trust security model.
So by blocking e-mails from outdated versions of Exchange, Microsoft is admitting that Exchange Online, which is created, maintained, and patched by Microsoft themselves, is not up to the challenge of handling e-mails from "untrusted" servers?
I'm all for encouraging patching and maintenance, but deliberately breaking the underlying protocols that run the Internet is Not Cool, Microsoft.
This will only affect servers that are in hybrid mode, where the on-premises servers have connectors to O365. They will not be throttling/blocking from on-premises-only servers (yet!).
Regarding admitting that O365 is not up to the challenge: nobody can be 100% certain they can catch everything, so taking action against unpatched on-prem servers seems fair enough to me. There are plenty of tools you can use to check & remediate on-prem servers, and the Exchange team generally do a very good job at keeping customers updated, unlike some other parts of Microsoft. If you manage Exchange or O365, keeping an eye on the official Exchange blog should be part of your daily routine.
The most peculiar thing is their definition of zero-trust. This should mean treat absolutely EVERYTHING as hostile, regardless of patch status. So while I can see that the action they are taking is worthwhile it isn't because of a "zero trust model". It is more like a "provable trustworthiness model".
"Regarding admitting that O365 is not up to the challenge: nobody can be 100% certain they can catch everything, so taking action against unpatched on-prem servers seems fair enough to me."
Yes, indeed. Microsoft deserve criticism for lots of things but this actually seems a sensible step.
Who doesn't patch their Exchange servers? Talk about asking for trouble!
Exactly. Anyone who has been obliged for commercial reasons to accept traffic from a legacy relay knows how miserable that is. The EXO team are merely getting peevish at the amount of tat relayed in from weak customers. The fact that the EXH server software has bugs to exploit is another question.
For those looking for the EXO blog on throttling stale Exchange, it's here:
Several times mentioning "old Exchange Servers", but never mentioning which Exchange Server version and CU level are, at least, expected. Which makes the article useless. As useless as Microsoft's own information, which does not have a clearly written list but rather walls of text written by ChatGPT marketing functions - always including the "2 min read", which is not enough to actually interpret and understand what Microsoft writes in its perfectly convoluted way.
2013 is still in support until April 11, 2023…
I suspect there are many (probably SMEs) still running 2013, I interpret this as potentially being a bit of a kick to these users to migrate to M365 and Exchange Online and decommission (rather than retain) their WS2012 systems…
Even if you move the mailboxes to Exchange Online, you still need a local Exchange server for account management if you use hybrid local / Azure AD user accounts.
Well, you CAN get rid of the Exchange server, but creating and managing accounts without one creates a load of extra hassle which most would prefer to avoid!