[6May2026] Updated to reflect conversion to PowerShell module.
Exchange on‑premises environments remain a critical part of many organizations’ messaging infrastructure. That also makes them frequent audit targets and attractive attack surfaces. Over time, configuration drift, mixed Exchange versions, and evolving security guidance make it increasingly difficult to keep the server compliant, especially in less strict managed environments.
The Exchange Deployment & Compliance Assessment (EDCA) was created to answer that question with evidence. It’s a PowerShell-based assessment tool, implemented as a PowerShell module, that collects information from Exchange servers and the Exchange organization. This information is then analyzed and evaluated against best practices and some well-known compliance control frameworks. The result is an (interactive) HTML report that can be used to check and monitor compliance, as well as to review remediation steps for each control. Edge Transport servers can also be added to the analysis; you only need to collect their data separately, as they are usually standalone servers. Their data file can then be added to the other data files to produce a single overview.
I have published a sample interactive report here.
Key features
- Support for Exchange 2016, Exchange 2019, and Exchange Subscription Edition (SE)
- Evaluate Exchange Server on-premises with Mailbox Server and Edge Transport roles against 7 compliance frameworks, including common Best Practices.
- Uses Remote PowerShell to connect to Exchange servers, and can use WinRM to collect system info from domain controllers; no Exchange Management Shell or Active Directory module dependency.
- Produces an interactive HTML report with framework scoring, with options for filtering and searching.
- Reported controls provide context, impact, and remediation instructions.
- The Report offers dark mode support, a print/PDF function, and the ability to hide skipped controls.
- If more reports are found, a trend chart is added to the scoring widgets.
- Option to generate a sample remediation script for failed controls (experimental).
EDCA is read‑only by design, not altering configuration items, changing system state, or automatically applying remediations. Even if controls can be automated (some cannot), the underlying process usually needs to follow a change process that also reviews the impact. The remediation steps or generated remediation script should be treated as a template with reviewable PowerShell sample code.
Usage
The EDCA module is published on the PowerShell Gallery, so to install and import the EDCA module, you need to run:
Install-Module -Name EDCA Import-Module EDCA
EDCA uses a collection, analysis, and reporting step. These steps are run when you do not specify any additional parameters when calling Invoke-EDCA:
Invoke-EDCA
When you run this on a server in an Exchange organization, provided you have sufficient permissions, it will discover all Exchange servers, collect information about Mailbox servers, and the Exchange organization. The collected information is stored in the Data folder, where analysis results will also be stored. The generated Report will be stored in a folder named Output.
When you run this on an Edge Transport server, it will collect information from the local server, similar to running EDCA with the -Local switch, so you can pick up the data file for further processing. More on usage scenarios and operating modes in the README here.
The parameters of interest are:
- Local runs against the local Exchange server.
- Collect runs against the local Exchange environment or Edge Transport server.
- Servers run against one or more specified Exchange servers.
- ThrottleLimit limits the number of Exchange servers interrogated in parallel.
- Report produces a Report using collected data or, when Collect is not specified, using info from the Data subfolder.
- Framework to limit the Frameworks being used to check for compliance.
- RemediationScript to generate a template to remediate failed controls.
- DataPath to override the default Data.
- OutputPath to override the default Output.
For example, to call Invoke-EDCA and only use the CIS framework, you would use:
Invoke-EDCA -Framework CIS
The default Data and Output folders are created in the current working folder.
Note that, to produce a report, information will first be analyzed; the result is stored in an analysis_xxx.json file in the Data folder. This can also be used for further processing, as it contains metadata and structures for compliance scores and findings.
Frameworks
Feedback
EDCA is currently released as a preview. I strongly recommend using it in test or lab environments first, especially while controls, scoring, and reporting continue to be tweaked and evolve. Feedback is very welcome.
The project is published on GitHub at https://github.com/michelderooij/EDCA, where you can also submit any issues or other suggestions. If you are not keen on using GitHub for this, use the comments section below.
The README.MD includes more details on permission and connectivity requirements, usage examples, and the latest updates.
