Windows 8 devices fail to Sync with Microsoft Exchange with 86000C2A, 8600C2B, 86000C29 Error (or similar) after an ActiveSync Mailbox Policy is applied

Having trouble creating an ActiveSync Mailbox Policy to support your shiny new Windows Phone or Surface devices without checking the dreaded "AllowNonProvisionableDevices" setting? Well, let's see if I can help you out!

While it is documented that Windows devices only "support" certain policy settings:

https://support.microsoft.com/kb/2823900

https://support.microsoft.com/kb/2464593/en-us

There are SOME settings that can be configured that will prevent these devices from syncing AT ALL.

These settings are as follows:

-MaxCalendarAgeFilter
-MaxEmailAgeFilter
-AllowStorageCard
-WSSAccessEnabled
-UNCAccessEnabled

In my testing, I found that ANY of these settings being set to ANYTHING other than the values specified below will result in sync failure. I also included a sample of how I set the values using Exchange Management Shell:

Set-ActiveSyncMailboxPolicy $YourPolicy -MaxCalendarAgeFilter All
Set-ActiveSyncMailboxPolicy $YourPolicy -MaxEmailAgeFilter All
Set-ActivesSyncMailboxPolicy $YourPolicy -AllowStorageCard $true
Set-ActivesSyncMailboxPolicy $YourPolicy -WSSAccessEnabled $false
Set-ActivesSyncMailboxPolicy $YourPolicy -UNCAccessEnabled $false 

Here is the final, working policy that I came up with:

To APPLY the test policy that I created to my test mailbox, I ran the following:

PS C:\Windows\System32> Get-CasMailbox "MyTestMailbox" | set-CasMailbox -ActiveSyncMailboxPolicy "TestWP8"

Please note that:

DeviceEncryptionEnabled                  : False
RequireDeviceEncryption                  : True

 Are NOT the same thing.

"The DeviceEncryptionEnabled parameter, when set to $true, requires that the storage card of the device be encrypted. The default value is $false. We recommend that you don't use this setting and use the RequireStorageCardEncryption parameter instead."

The documentation on these parameters isn't currently very clear (imo), and varies depending on which cmdlet you enumerate, get-help get-ActiveSyncMailboxPolicy -full vs get-help New-ActiveSyncMailboxPolicy -full, so please go with the ABOVE guidance and DON'T use the DeviceEncryptionEnabled parameter. If you want the actual DEVICE to be encrypted, use the RequireDeviceEncryption parameter.

Please note that NEITHER Win 7 NOR Win 8 currently support encryption of the storage card:
https://support.microsoft.com/kb/2464593/en-us

During testing, I can see whether any applied parameters are working by running the following:

Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics | select-object DeviceID,DeviceOS,DeviceOS,DeviceModel,DeviceAccessState,DevicePolicyApplied,DevicePolicyApplicationStatus

In the above example, you can see that the policy is listed as "AppliedInFull", and DeviceAccessState shows "Allowed".

If there are problems with any of your settings, you will see something like the following:

Note in the above snapshot that the DeviceAcessState shows "Blocked", and that the DevicePolicyApplicationStatus is "PartiallyApplied".

See https://help.outlook.com/en-us/140/cc952755.aspx for instructions on connecting to EMS via Remote Powershell.

These tests were performed against one of my Exchange Online (O365 for Education) domains. Results may vary slightly depending on YOUR version of Exchange. Enjoy!

Many thanks to Jamie Tsottles and Charlotte Raymundo for assisting with this post and verifying the veracity of the content :)

Comments

• Anonymous
  January 01, 2003
  Thanks for catching that Tom! I took an updated snapshot of the working policy. I believe the only differences between this one and the previous pic are that, as you noted, MaxEmailAgeFilter is now set to All, and AlphaNumericDevicePassword is set to False. That last setting is just my own personal preference, as this domain is used primarily for testing. Thanks and hth!

• Anonymous
  January 01, 2003
  Very nice post! thanks for your tips!

• Anonymous
  July 16, 2013
  Hi Kris I notice there is a slight discrepancy between the screenshot of the working policy and the text in your post. You've said in the text above that MaxEmailAgeFilter MUST be set to ALL, but in the screenshot shows it set to OneDay. Can you confirm which value the parameter should be set to? I've been testing with our service partner and we're still unable to get a WP8 device syncing without setting AllowNonProvisionableDevices to TRUE. Any help much appreciated!

• Anonymous
  November 25, 2013
  Hi Kris, thanks for the great info. Unfortunately have a company policy that the 'storage card' must be encrypted as it is on the iPhone & Android devices. We've tested the policy you've listed above and it does indeed work. With 100k users and more moving to mobile devices we'd really like to offer the Win8 Phones as they don't seem to suffer the calendar problems that the iPhones (even with the latest software update) seem to have. Are there any plans to support this storage card policy as the other phone vendors do?  Or is there a way to check Win8Phone & no storage card?  Anything creative like that?  At least then we could support Win8 w/no SD cards.  Thanks for any info!