Health Checker does not detect IIS outbound rewrite rules (e.g., EOMT CVE-2026-42897 mitigation) #2539

@dpaulson45

Description

Summary

Get-URLRewriteRule.ps1 in Health Checker only enumerates inbound IIS URL Rewrite rules (system.webServer/rewrite/rules). It does not read outbound rules (system.webServer/rewrite/outboundRules). This means mitigations deployed as outbound rules — such as the EOMT OWA CSP - outbound rule from CVE-2026-42897 — are invisible to Health Checker.

Problem

In Get-URLRewriteRule.ps1, all three lookup paths only access .rewrite.rules:

  • Line 49 (web.config):
    $rules = $content.configuration.'system.webServer'.rewrite.rules
  • Line 72 (applicationHost.config per-location):
    $rules = $location.'system.webServer'.rewrite.rules
  • Line 97 (applicationHost.config global):
    $rules = $ApplicationHostConfig.configuration.'system.webServer'.rewrite.rules

None of these check .rewrite.outboundRules.

Additionally, the display logic in Invoke-AnalyzerIISInformation.ps1 only iterates .rule children from the inbound collection:

$displayRewriteRules = ($currentRewriteRules.rule | Where-Object { $_.enabled -ne "false" }).name |
    Where-Object { $_ -notcontains $excludeRules }

Expected Behavior

Health Checker should enumerate and display both inbound (rewrite/rules) and outbound (rewrite/outboundRules) IIS rewrite rules, so that mitigations like EOMT OWA CSP - outbound are visible in the report.

Affected Files

File                                          Role
Get-URLRewriteRule.ps1 (L49, L72, L97)        Rule enumeration (inbound only)
Invoke-AnalyzerIISInformation.ps1 (L442-459)  Rule display/reporting

Related

File                                          Role
CVE-2026-42897.ps1 (L147-254)                 Creates the outbound rule EOMT OWA CSP - outbound
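As an added example, not code from Health Checker, EOMT or the CVE-2026-42897 script, the PowerShell below shows the kind of enumeration the issue asks for: it walks both rewrite/rules and rewrite/outboundRules in a web.config and reports each rule with its type and enabled state. The web.config content is constructed here; only the outbound rule name "EOMT OWA CSP - outbound" is taken from the issue, and the match/action attributes on it are illustrative, not the real mitigation.

```powershell
# Added example (not Health Checker's own code): enumerate both inbound and
# outbound IIS URL Rewrite rules from a web.config document.
# The sample config below is constructed for this example; the outbound rule's
# match/action attributes are illustrative and not the real CVE-2026-42897 rule.
$sampleWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Sample inbound rule" enabled="true" stopProcessing="true">
          <match url=".*" />
          <action type="None" />
        </rule>
        <rule name="Disabled inbound rule" enabled="false">
          <match url=".*" />
          <action type="None" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="EOMT OWA CSP - outbound" enabled="true">
          <match serverVariable="RESPONSE_Content_Security_Policy" pattern=".*" />
          <action type="Rewrite" value="default-src 'self'" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
'@

function Get-RewriteRuleSet {
    # Returns one object per rule found in either collection (Type, Name, Enabled).
    param(
        [Parameter(Mandatory)][xml]$Config
    )
    $rewrite = $Config.configuration.'system.webServer'.rewrite
    if ($null -eq $rewrite) { return @() }

    $results = New-Object System.Collections.Generic.List[object]

    # Inbound rules live under rewrite/rules, outbound rules under rewrite/outboundRules.
    # Reading only the first collection is exactly the gap described in the issue.
    foreach ($pair in @(
        @{ Type = 'Inbound';  Collection = $rewrite.rules },
        @{ Type = 'Outbound'; Collection = $rewrite.outboundRules }
    )) {
        if ($null -eq $pair.Collection) { continue }
        foreach ($rule in @($pair.Collection.rule)) {
            if ($null -eq $rule) { continue }
            # IIS treats a missing "enabled" attribute as enabled, so only an
            # explicit "false" disables a rule.
            $results.Add([pscustomobject]@{
                Type    = $pair.Type
                Name    = $rule.name
                Enabled = ($rule.enabled -ne 'false')
            })
        }
    }
    return $results
}

$rules = Get-RewriteRuleSet -Config ([xml]$sampleWebConfig)
$rules | Format-Table -AutoSize

# Surface the enabled outbound rules separately, so a mitigation deployed as an
# outbound rule shows up in the report rather than being silently skipped.
$enabledOutbound = @($rules | Where-Object { $_.Type -eq 'Outbound' -and $_.Enabled })
"Enabled outbound rules: $($enabledOutbound.Name -join ', ')"
```

The same two-collection walk applies to the applicationHost.config lookups (per-location and global) that the issue lists, since each of those also reaches a rewrite element whose outboundRules child is currently never read.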
