Symptoms
The Edge Transport service (EdgeTransport.exe) stops responding and then restarts after the Microsoft Exchange Server November 2024 Security Update (SU) (Version 1 or Version 2) or Exchange Server 2019 CU15 is installed.
This issue occurs if Exchange Server tries to decrypt messages that are sent from an external source that's protected by Azure Rights Management (Azure RMS). This situation is common when journaling is used and Journal Report Decryption is enabled.
When this issue occurs, the affected messages are sent to the poison message queue, and the following event is logged:
Log Name: Application
Source: MSExchangeTransport
Event ID: 10003
Task Category: PoisonMessage
Level: Error
Description: The transport process failed during message processing with the following call stack: Microsoft.Exchange.Data.Common.LocalizedException: Agent '' encountered an unexpected error while handling event ''. ---> Microsoft.Exchange.Data.RightsManagement.RmException: Failed to fetch the key handle and properties.
Workaround
To work around this issue, disable Microsoft Information Protection Client (MSIPC). MSIPC is enabled by default in the November 2024 Security Update. Run the following setting override in an elevated Exchange Management Shell (EMS) window:
New-SettingOverride -Name "DisableMSIPC" -Component Encryption -Section UseMSIPC -Parameters @("Enabled=false") -Reason "Disabling MSIPC stack"
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
Restart-Service MSExchangeTransport
Resolution
To fix this issue, install the following cumulative updates, as appropriate:
- For Exchange Server 2019, install:
  - Hotfix update for Exchange Server 2019 CU15 HU2: May 29, 2025 (KB5057651)
  - Hotfix update for Exchange Server 2019 CU14 HU5: May 29, 2025 (KB5057652)
- For Exchange Server 2016, install:
  - Hotfix update for Exchange Server 2016 CU23 HU16: May 29, 2025 (KB5057653)
After you install the hotfix update, you may remove the setting override implemented as a part of the workaround by running the following commands from an elevated Exchange Management Shell (EMS) window:
Get-SettingOverride | Where-Object {$_.ComponentName -eq "Encryption" -and $_.SectionName -eq "UseMSIPC" -and $_.Parameters -eq "Enabled=false"} | Remove-SettingOverride
Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
Restart-Service MSExchangeTransport
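To confirm whether a server logged the poison message event described under Symptoms, and whether the workaround override is still configured, the following check can be run. It is an added example, not part of the original article or Microsoft's code; the function names, the 30-day window, and the sample records are assumptions made for illustration.

```powershell
# Added example. The event query runs in Windows PowerShell on the Exchange
# server; the override check needs the Exchange Management Shell.

# Exception text taken from the event description in this article.
$RmsFailure = '*RmException: Failed to fetch the key handle and properties*'

function Test-RmsPoisonRecord {
    # True only for an Event ID 10003 record whose call stack carries the
    # RMS failure text, so poison events with another call stack are skipped.
    param([Parameter(Mandatory)] $Record)
    ($Record.Id -eq 10003) -and
    ($Record.ProviderName -eq 'MSExchangeTransport') -and
    ($Record.Message -like $RmsFailure)
}

function Get-RmsPoisonEvent {
    # Hypothetical helper: pulls matching events from the Application log.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MSExchangeTransport'
        Id           = 10003
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { Test-RmsPoisonRecord -Record $_ }
}

# Constructed sample records: the first matches, the second does not.
$samples = @(
    [pscustomobject]@{ Id = 10003; ProviderName = 'MSExchangeTransport'
        Message = '---> Microsoft.Exchange.Data.RightsManagement.RmException: Failed to fetch the key handle and properties.' },
    [pscustomobject]@{ Id = 10003; ProviderName = 'MSExchangeTransport'
        Message = 'constructed: poison event with an unrelated call stack' }
)
$samples | ForEach-Object { Test-RmsPoisonRecord -Record $_ }

# Live check against the local Application log.
$hits = @(Get-RmsPoisonEvent -Days 30)
'{0} RMS-related poison events in the last 30 days' -f $hits.Count
$hits | Select-Object -First 5 TimeCreated, MachineName

# Report the workaround override if it is still present.
if (Get-Command Get-SettingOverride -ErrorAction SilentlyContinue) {
    Get-SettingOverride |
        Where-Object { $_.ComponentName -eq 'Encryption' -and $_.SectionName -eq 'UseMSIPC' } |
        Format-List Name, ComponentName, SectionName, Parameters
}
```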