Issue with Exchange 2019 on premise management shell after server 2025 "upgrade"

Question

Issue with Exchange 2019 on premise management shell after server 2025 "upgrade"

Darren Woolley 0

User's image

This is occurring on 2 sites that we are trying to migrate from on premise exchange and since the "auto" upgrade of server 2025 happened we are unable to access the management console

The Exchange Admin Centre appears to be working fine and the SSL certificate is up to date

Any help is appreciated

Anonymous

2025-03-07T02:19:19.12+00:00

Hello, @Darren Woolley

Just checking in to see if above information was helpful.

If the issue has been resolved, please mark the helpful replies as answers.

Best Wishes,

Alex Zhang

4 answers

Your answer

Anonymous

2025-03-07T02:19:19.12+00:00

Hello, @Darren Woolley

Just checking in to see if above information was helpful.

If the issue has been resolved, please mark the helpful replies as answers.

Best Wishes,

Alex Zhang

Answer 1

Anonymous

Hi, @Darren Woolley

Welcome to the Microsoft Q&A platform!

Today Exchange Server 2019 releases CU15. with the release of CU15, CU13 is now no longer supported due to the “N-1” policy. If you are using an older version, please update it and try again.

Released: 2025 H1 Cumulative Update for Exchange Server | Microsoft Community Hub

If you are a supportable version. Depending on the error message, this could be that WinRM is not enabled or the listener is not configured. Run the following command as administrator:

winrm quickconfig
winrm enumerate winrm/config/listener

This will start the WinRM service, set it to start automatically, and configure a listener for WS-Management protocol messages.

User's image

Installation and configuration for Windows Remote Management - Win32 apps | Microsoft Learn

If you are using a non-domain member, you must use Basic Authentication, and you must also set Basic Authentication on the virtual directory, as shown below:

Get-PowerShellVirtualDirectory -Server ServerName | Set-PowerShellVirtualDirectory -BasicAuthentication:$TRUE

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Anonymous

2025-02-19T01:31:20.8066667+00:00

Is there any update on this thread? If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well. Thanks for your understanding.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Michael Lovett 0 Reputation points

2025-07-17T14:32:27.61+00:00
We are experiencing the same problem, but we installed a new Server 2025 Exchange Server, then installed Exchange Server 2019 CU15, and noticed we couldn't access the Local Exchange Admin Console (PowerShell) on the new server, we veried WinRM, IIS Virtual Directory Permissions and Modules, we can access the EAC from the older 2016 Exchange Server and connect to the newere Exchange 2019 server, and can launch the Toolbox and see that email is flowing via the Queue on the new server, but can't launch locally. We have discovered the following:

Key Findings:

✅ WebAdministration module loaded

✅ WinRM functional and responding

✅ Exchange install path validated

✅ Default Web Site bindings for HTTP & HTTPS confirmed

✅ PowerShell vDir identified

⚠️ Remote PowerShell (HTTP) failed due to missing/invalid content type

We can't run locally the Exchange Health Check script https://github.com/microsoft/CSS-Exchange/blob/main/Diagnostics/HealthChecker/HealthChecker.ps1 on the new server but on the old it can pull the information from the new server, but any attempt to run the EMC or Toolbox is failing. We have validated the SPNs are registered and compared the old with the new server, but the difference is the old server is running on Server OS 2016 and the newer Server is Server 2025 with the latest Windows July 2025 Updates.

We believe the issue is related to Kerberos authentication or local loopback authentication being blocked when the shell is called:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'E:\Program Files\Microsoft\Exchange Server\V15\bin*RemoteExchange.ps1*'; Connect-ExchangeServer -auto -ClientApplication:ManagementShell "

We have followed all of the steps listed in these two articles and still no luck:

https://techcommunity.microsoft.com/blog/exchange/resolving-winrm-errors-and-exchange-2010-management-tools-startup-failures/588661

https://learn.microsoft.com/en-us/troubleshoot/exchange/administration/connecting-remote-server-failed

I am very curios if you have resolved it. As a final hope we went ahead and upgraded this Exchange 2019CU15 Hybrid Server to the recently release Exchange SE (Subscription Edition) and licensed it using the Hybrid Wizard. Mail flows from the server as we have tested it, but can't manage it locally on the server, and some remote testing options won't work remotely such as Test-Mailflow -Identity EXCHANGESERVER, but will work locally on the server itself.

Looking for clues on what Kerberos or WinRM or other permissions settings that might block this from working on the new Server 2025 now running Exchange SE RTM. Our goal is to retire the Exchange 2016 Server running on Server 2016 and replace it exclusively with the Exchange SE Server now running on Server OS 2025 with July 2025 updates. We only use this server for Account Management on-premise for Office 365 Users, and SMTP mailrelay.

Answer 2

Hüsing, Georg 0

We are currently running into the same problem using ECP in Exchange Server 2019 CU15 running on Windows Server 2025. Due to the EOL on October the 14th it is a delicate issue in my opinion.

Hüsing, Georg 0 Reputation points

2025-09-05T06:20:09.5966667+00:00

After inPlace-Update on Exchange Server SE, the ECP still cannot be used. The connection to the Exchange Server still fails due to

New-PSSession : [<FQDN>] Connecting to remote server <FQDN> failed with the following error message : The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid.

Answer 3

briesed-1088 0

Same here. Upgraded our Jump Host from Server 2019 to 2025 and the Exchange Mgmt Shell stopped working showing this WinRM error.

Michael Lovett 0 Reputation points

2025-09-05T13:04:30.35+00:00

Currently I am running the Exchange Management Tools from a Server 2022 Box which happens to also be our System Center Operations Management Server, but it appears the problem running the tools locally is specific to Server 2025 and most likely newer security restrictions, but I was able to get the Exchange Management Shell and Exchange Toolbox and ECP to work by separately installing the tools on a Server 2022 box, not ideal but works for now, until I resolve the issue of running locally on the Server 2025. Some of my issues also stems from our enforcement on our domain of the CIS Benchmarks for Windows Servers which makes security more restrictive which could also complicate matters https://www.cisecurity.org/benchmark/microsoft_windows_server

Answer 4

Remote Management Enablement for EXCHANGESE (contoso.com)

It’s been a challenging process, but we identified the specific Group Policy Object (GPO) settings that were preventing the Exchange Health Check and Management Tools from functioning correctly when accessed remotely from a new server—other than the original EXCH1. The configuration below now enables remote management from the SCOM server, allowing it to check health status, report accurately, and run both the Exchange Management Shell and Exchange Toolbox to manage the EXCHANGESE server as needed.

With remote monitoring and management now operational, I’m shifting focus to getting the tools to work locally. I suspect the issue is related to Credential Passing and may require a similar solution. Meanwhile, I’ve begun the decommissioning process for the EXCH2016 server.

Understanding the Kerberos Double-Hop Issue in EMS

When accessing the Exchange Management Shell (EMS), the Kerberos double-hop issue becomes a critical factor—especially when launching EMS remotely or even locally if it attempts to authenticate to itself or another service.

What Happens During EMS Launch:

EMS uses remote PowerShell to connect to the Exchange server—even for local launches.
Authentication is attempted via Kerberos, which is secure but strict.
If EMS needs to access another service (e.g., Active Directory), it must delegate your credentials.
Without proper delegation, Kerberos blocks the second hop—causing EMS to hang or fail.

Configuration Changes for Secure Remote Management of EXCHANGESE

To overcome the Kerberos double-hop limitation and enable secure remote management, the following GPO and Active Directory configurations were applied:

Enable Credential Delegation via Group Policy

On the client machine or via domain-level GPO:

Navigate to: Computer Configuration → Administrative Templates → System → Credentials Delegation

Enable these policies:

Allow Delegating Fresh Credentials
- Allow Delegating Fresh Credentials with NTLM-only Server Authentication
Configure with the following SPNs:
```
      WSMAN/exchangese.contoso.com
```

HTTP/exchangese.contoso.com RPC/exchangese.contoso.com HOST/exchangese.contoso.com WSMAN/exchangese HTTP/exchangese RPC/exchangese HOST/exchangese ```

These SPNs cover WinRM, HTTP endpoints, RPC services, and host-level authentication for both the FQDN and short hostname of the Exchange server.

Configure Constrained Delegation in Active Directory

On the computer or user account initiating the remote session:

Open Active Directory Users and Computers
Locate the account, open Properties
Go to the Delegation tab
Select:
- “Trust this computer/user for delegation to specified services only”
  - “Use Kerberos only”
  - Add the following services:
```
      WSMAN/exchangese.contoso.com
```

HTTP/exchangese.contoso.com RPC/exchangese.contoso.com HOST/exchangese.contoso.com WSMAN/exchangese HTTP/exchangese RPC/exchangese HOST/exchangese ```

Verify SPN Registration

Ensure the EXCHANGESE server’s computer account in Active Directory has these SPNs registered:

WSMAN/exchangese.contoso.com
HTTP/exchangese.contoso.com
RPC/exchangese.contoso.com
HOST/exchangese.contoso.com
WSMAN/exchangese
HTTP/exchangese
RPC/exchangese
HOST/exchangese

Missing SPNs can result in failed authentication or session hangs during remote PowerShell sessions.

Configure WinRM for HTTPS (Optional)

If Kerberos trust cannot be established or constrained delegation isn’t feasible, configure WinRM to use HTTPS with a valid SSL certificate:

PS E:\Program Files\Microsoft\Exchange Server\V15\bin> winrm get winrm/config/client
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true [Source="GPO"]
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = *.contoso.com [Source="GPO"]
    spn_prefix = HOST

✅ Outcome

With these configurations in place:

Remote PowerShell sessions to EXCHANGESE authenticate successfully
EMS launches without delays or credential errors
Credential delegation is secure, compliant, and scalable for enterprise use

Share via

Issue with Exchange 2019 on premise management shell after server 2025 "upgrade"

4 answers

Your answer