SymptomsÂ
Starting in July 2026, the Exchange Server Emergency Mitigation Service (EMS) will stop processing emergency mitigations released after June 2026. As a result, the following error is logged in the server's Application event log:
Event type: Error Event ID: 1008 Event source: MSExchange Mitigation Service Exception encountered while fetching mitigations: This XML is not deemed safe to consume since Response xml's leaf certificate is from unknown issuer or has EKU mismatchÂ
Any mitigations that were previously applied will continue to function as expected. However, the server will be unable to process and apply any newly released mitigations and logs the error.
In addition, the Microsoft Exchange Flighting Service (available only on Exchange 2019 CU15 and Exchange SE) is affected and records similar errors in the server's Application log (event source MSExchangeFlighting).
ResolutionÂ
To fix this issue, install the following Security Update or later updates:Â
-
Description of the security update for Microsoft Exchange Server 2016 CU23: June 09, 2026 (KB5094144)​​​​​​​
Important:Â
-
Microsoft Exchange Server 2016 and 2019 have reached end of support. For more information, see  Support for Exchange Server 2016 and Exchange Server 2019 ends.  ​​​​​​​
-
Organizations that are enrolled in the Extended Security Update (ESU) Period 2 program are eligible to receive security updates released between May and October 2026.Â
-
To continue receiving the latest security updates, organizations that aren't enrolled in the ESU Period 2 program should migrate to Exchange Server Subscription Edition (SE).Â
-
If you have already purchased the Period 2 ESU and require information about how to access the latest security updates, please email us at ExchangeandSfBServerESUInquiry@service.microsoft.com.Â
More informationÂ
Both the Exchange Server Emergency Mitigation Service (EMS) and the Microsoft Exchange Flighting Service depend on Office Config Service (OCS) files that are signed with a digital certificate. Exchange Server versions that have not been updated with the June 2026 (or later) updates validate these signatures against a specific expected certificate issuer. Because the certificate issuer of the certificate that is used to sign OCS XML files is changing, affected on-premises Exchange servers must be updated to trust the newly signed XML files.
If this update (or a later update) is not installed, the affected services will continue to connect to the OCS) and download the applicable XML files. However, the downloaded files will fail signature validation and will not be applied, and the errors will be logged.