Applies To
Exchange Server SE Exchange Server 2019 Exchange Server 2016

Symptoms 

Starting in July 2026, the Exchange Server Emergency Mitigation Service (EMS) will stop processing emergency mitigations released after June 2026. As a result, the following error is logged in the server's Application event log:

Event type: Error  Event ID: 1008  Event source: MSExchange Mitigation Service  Exception encountered while fetching mitigations: This XML is not deemed safe to consume since Response xml's leaf certificate is from unknown issuer or has EKU mismatch 

Any mitigations that were previously applied will continue to function as expected. However, the server will be unable to process and apply any newly released mitigations and logs the error.

In addition, the Microsoft Exchange Flighting Service (available only on Exchange 2019 CU15 and Exchange SE) is affected and records similar errors in the server's Application log (event source MSExchangeFlighting).

Resolution 

To fix this issue, install the following Security Update or later updates: 

Important: 

  • Microsoft Exchange Server 2016 and 2019 have reached end of support. For more information, see  Support for Exchange Server 2016 and Exchange Server 2019 ends.  ​​​​​​​

  • Organizations that are enrolled in the Extended Security Update (ESU) Period 2 program are eligible to receive security updates released between May and October 2026. 

  • To continue receiving the latest security updates, organizations that aren't enrolled in the ESU Period 2 program should migrate to Exchange Server Subscription Edition (SE). 

  • If you have already purchased the Period 2 ESU and require information about how to access the latest security updates, please email us at ExchangeandSfBServerESUInquiry@service.microsoft.com. 

More information 

Both the Exchange Server Emergency Mitigation Service (EMS) and the Microsoft Exchange Flighting Service depend on Office Config Service (OCS) files that are signed with a digital certificate. Exchange Server versions that have not been updated with the June 2026 (or later) updates validate these signatures against a specific expected certificate issuer. Because the certificate issuer of the certificate that is used to sign OCS XML files is changing, affected on-premises Exchange servers must be updated to trust the newly signed XML files.

If this update (or a later update) is not installed, the affected services will continue to connect to the OCS) and download the applicable XML files. However, the downloaded files will fail signature validation and will not be applied, and the errors will be logged.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.