Health mailbox's password is exposed in logs for a failed probe in Exchange Server 2016 and 2013

Applies to: Exchange Server 2013 Enterprise, Exchange Server 2013 Service Pack 1, Exchange Server 2013 Standard Edition

Symptoms


Assume that you use probes for monitoring Microsoft Exchange Server 2016 and Exchange Server 2013. When there's a failed probe, the details of the health mailbox service's account and its password are logged, and you may notice that the password is shown in plain text. Here is an example of the details for a failed ActiveSync probe:

Invoke-MonitoringProbe -Identity: "ActiveSync.Protocol\ActiveSyncDeepTestProbe" -Server: ServerName | fl
RunspaceId: RunspaceId
Server: ServerName
MonitorIdentity: ActiveSync.Protocol\ActiveSyncDeepTestProbe 
RequestId: RequestId
Error: Error occurred:
          User: UserName
          Password: Password
          Target: RequestURL
          Response: <Settings xmlns="Settings:"><Status>StatusValue</Status></Settings>
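
The failed-probe output above uses a fixed "Name: value" layout, so saved copies of it can be checked for the plaintext password and masked before they are shared. The following PowerShell is an added example, not Microsoft's code; the function name Protect-ProbeOutput and every value in the sample text are constructed for illustration.

```powershell
# Added example: flag and mask plaintext passwords in saved failed-probe output.
# Protect-ProbeOutput and the sample text below are constructed for illustration.
function Protect-ProbeOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin { $server = $null; $monitor = $null; $lineNo = 0 }
    process {
        foreach ($l in $Line) {
            $lineNo++
            # Remember which server and probe the current record belongs to.
            if ($l -match '^\s*Server\s*:\s*(.+?)\s*$') { $server = $Matches[1] }
            elseif ($l -match '^\s*MonitorIdentity\s*:\s*(.+?)\s*$') { $monitor = $Matches[1] }
            # A non-empty value after "Password:" is the exposure described above.
            $exposed = $l -match '^(\s*Password\s*:\s*)\S'
            if ($exposed) { $l = $Matches[1] + '********' }
            [pscustomobject]@{
                LineNumber = $lineNo; Server = $server; MonitorIdentity = $monitor
                Exposed = $exposed; Text = $l
            }
        }
    }
}

# Constructed sample in the layout of the failed ActiveSync probe output.
$sample = @'
Server: EX01-constructed
MonitorIdentity: ActiveSync.Protocol\ActiveSyncDeepTestProbe
Error: Error occurred:
          User: HealthMailbox0000@example.test
          Password: Constructed-Value-123
          Target: https://mail.example.test/constructed
          Response: <Settings xmlns="Settings:"><Status>StatusValue</Status></Settings>
'@ -split '\r?\n'

$results = $sample | Protect-ProbeOutput
# Report where a password was found, then emit the masked copy.
$results | Where-Object Exposed | Select-Object LineNumber, Server, MonitorIdentity
$results | ForEach-Object Text
```

Masking a saved copy does not change what the server itself logged; the updates referred to under Resolution address the logging.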

Cause


This issue occurs because the password isn't correctly handled in the probe message.

Resolution


To fix this issue, install one of the following updates:

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


Learn about the terminology that Microsoft uses to describe software updates.