In the comments of my article on user-initiated remote wipes for Exchange ActiveSync devices, Jonathan has described a situation in which administrator-initiated remote wipes fail if the user account has been moved to a different OU after the ActiveSync device association was created.

Exchange 2010 Error "The ActiveSyncDevice Cannot be Found" When Performing a Remote Wipe

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Mahera Bawa\Apple-iPhone2C1/902.206
Failed

Error:
The ActiveSyncDevice exchangeserverpro.net/Company/Head Office/Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS cannot be found.
Click here for help… http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.2.309.2&t=exchgf1&e=ms.exch.err.Ex0FBD0C

Exchange Management Shell command attempted:
Clear-ActiveSyncDevice -Identity ‘exchangeserverpro.net/Company/Head Office/Users/Mahera.Bawa/ExchangeActiveSyncDevices/iPhone§Appl87941C1N3NS’

Elapsed Time: 00:00:00

Reproducing the Error

Consider the following scenario:

  1. A user connects a new mobile device to Exchange ActiveSync
  2. The user object is later moved to a different OU
  3. The user leaves the organization
  4. A remote wipe is issued for the device by an administrator, using the Exchange Management Console

In this situation the error occurs.

The root cause of the issue, as identified by Jonathan in his comment, is a mismatch between the identity strings returned by two different cmdlets: Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics.

Checking for the Problem in Your Exchange Organization

I’ve written this short script to check for the issue.

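# Compare the identity reported by Get-ActiveSyncDevice with the identity
# reported by Get-ActiveSyncDeviceStatistics for every device association.
$easdevices = @(Get-ActiveSyncDevice)

foreach ($easdevice in $easdevices)
{
    $easdevstats = Get-ActiveSyncDeviceStatistics $easdevice

    Write-Host $easdevice.UserDisplayName -NoNewLine

    if ($easdevstats -eq $null)
    {
        # The statistics lookup failed, so there is nothing to compare
        Write-Host -ForegroundColor Red " - no statistics returned"
        Write-Host -ForegroundColor Yellow $easdevice.Identity
    }
    elseif ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString()))
    {
        Write-Host -ForegroundColor Green " - IDs match"
    }
    else
    {
        Write-Host -ForegroundColor Red " - IDs don't match"
        Write-Host -ForegroundColor Yellow $easdevice.Identity
        Write-Host -ForegroundColor Yellow $easdevstats.Identity
    }
}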

Copy that code into Notepad or your ISE and save it as EASDeviceIDs.ps1, then run it from the Exchange Management Shell.

If all is well then you should see a result similar to this:

If there are any mismatches detected you should see this type of result instead:

Looking closer at the two yellow identity strings, the problem is clear. When the user was moved from Head Office to Branch Office the mismatch was created.

Resolving the Problem and Performing a Remote Wipe

The most obvious solution is to move the user object back to its original OU. However, this is not always going to be practical, so other options are needed.

According to my testing the different remote wipe options have the following results.

User-Initiated Remote Wipe via Exchange Control Panel

If the user themselves performs a remote wipe via the Exchange Control Panel it still works, and the device is wiped successfully assuming all other requirements are met.

Administrator-Initiated Remote Wipe via Exchange Management Console

A remote wipe issued from the EMC will fail unless the user object is first moved back to the OU it was in at the time the device association was created.

Administrator-Initiated Remote Wipe via the Exchange Control Panel

As with the user-initiated remote wipes, this option appears to work fine even if the identity mismatch is occurring.

Administrator-Initiated Remote Wipe via the Exchange Management Shell

If an administrator uses PowerShell and the Clear-ActiveSyncDevice cmdlet to perform the remote wipe, it will be successful as long as the correct identity is specified.

I’ve written a script to detect the mismatch and use the correct identity for the remote wipe.

Firstly, if the user has no ActiveSync devices associated then the script will not do anything further.

If the script detects a device association but the identity values match, then it will let you know and do nothing further.

If the script detects an identity mismatch, then it will let you know and then initiate the remote wipe using the identity that will work. You’ll be prompted to confirm this.

In my own test lab this seems to work fine; however, there may be real-world scenarios where it does not, so please feel free to leave a comment below if you encounter a situation that this doesn’t fix.

Here is the script code.

param (

    [parameter(mandatory=$true, ValueFromPipeline=$true)]
    [string]$user

)

# Find the device associations that belong to the target mailbox
$mailbox = Get-Mailbox $user
$name = $mailbox.Name
$easdevices = @(Get-ActiveSyncDevice | where {$_.UserDisplayName -like "*$name"})

$count = $easdevices.count

Write-Host -ForegroundColor Yellow "$count ActiveSync devices found for $mailbox"

foreach ($easdevice in $easdevices)
{
    $easdevstats = Get-ActiveSyncDeviceStatistics $easdevice

    if ($easdevstats -eq $null)
    {
        # A failed statistics lookup is not an identity mismatch, so do not wipe
        Write-Host -ForegroundColor Red "No statistics returned, no remote wipe issued."
        Write-Host $easdevice.Identity
    }
    elseif ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString()))
    {
        Write-Host -ForegroundColor Green "IDs match, normal remote wipe process should work."
    }
    else
    {
        Write-Host -ForegroundColor Red "IDs don't match"
        Write-Host $easdevice.Identity
        Write-Host $easdevstats.Identity

        # Issue the wipe with the identity from Get-ActiveSyncDevice (prompts for confirmation)
        Clear-ActiveSyncDevice -Identity $easdevice.identity

    }
}

Copy the code into Notepad or your ISE and save it as Clear-EASDevice.ps1. To execute the script, run a Get-Mailbox for the mailbox you want to target, and pipe that into the script.

Get-Mailbox mahera.bawa | .\Clear-EASDevice.ps1

You can append a notification email address to the Clear-ActiveSyncDevice command in the script as well, for example:

Clear-ActiveSyncDevice -Identity $easdevice.identity -NotificationEmailAddresses administrator@exchangeserverpro.net
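
Clear-ActiveSyncDevice only queues the wipe; the device has to sync before it acts on it. The following added example (not one of this article's own scripts) classifies each device's wipe progress from the DeviceWipeRequestTime, DeviceWipeSentTime and DeviceWipeAckTime values that Get-ActiveSyncDeviceStatistics returns. The function name Get-EASWipeState, the 24-hour follow-up threshold and the sample records are assumptions made for illustration.

```powershell
# Added example, written to run on PowerShell 2.0 without an Exchange server.
function Get-EASWipeState
{
    param (
        [parameter(Mandatory=$true, ValueFromPipeline=$true)]
        $DeviceStatistics,

        # Assumption: a wipe still unacknowledged after this many hours needs follow-up
        [int]$StaleAfterHours = 24,

        [datetime]$Now = (Get-Date)
    )

    process
    {
        $requested = $DeviceStatistics.DeviceWipeRequestTime
        $sent      = $DeviceStatistics.DeviceWipeSentTime
        $acked     = $DeviceStatistics.DeviceWipeAckTime

        if ($requested -eq $null)
        {
            $state = "NoWipeRequested"
        }
        elseif (($acked -ne $null) -and ($acked -ge $requested))
        {
            # Only an acknowledgement newer than the request counts for this wipe
            $state = "Acknowledged"
        }
        elseif (($sent -ne $null) -and ($sent -ge $requested))
        {
            $state = "SentNotAcknowledged"
        }
        else
        {
            $state = "WaitingForDeviceSync"
        }

        $pending = ($state -eq "SentNotAcknowledged") -or ($state -eq "WaitingForDeviceSync")
        $stale = $pending -and (($Now - $requested).TotalHours -gt $StaleAfterHours)

        New-Object PSObject -Property @{
            Identity = "$($DeviceStatistics.Identity)"
            State    = $state
            Stale    = $stale
        }
    }
}

# Constructed sample records standing in for Get-ActiveSyncDeviceStatistics output
$now = [datetime]"2013-06-03 09:00"
$samples = @(
    (New-Object PSObject -Property @{ Identity = "example.test/Users/User.A/ExchangeActiveSyncDevices/CONSTRUCTED-1"
        DeviceWipeRequestTime = $null; DeviceWipeSentTime = $null; DeviceWipeAckTime = $null }),
    (New-Object PSObject -Property @{ Identity = "example.test/Users/User.B/ExchangeActiveSyncDevices/CONSTRUCTED-2"
        DeviceWipeRequestTime = [datetime]"2013-06-01 08:00"; DeviceWipeSentTime = [datetime]"2013-06-01 08:05"
        DeviceWipeAckTime = [datetime]"2013-06-01 08:06" }),
    (New-Object PSObject -Property @{ Identity = "example.test/Users/User.C/ExchangeActiveSyncDevices/CONSTRUCTED-3"
        DeviceWipeRequestTime = [datetime]"2013-06-03 08:00"; DeviceWipeSentTime = $null; DeviceWipeAckTime = $null }),
    (New-Object PSObject -Property @{ Identity = "example.test/Users/User.D/ExchangeActiveSyncDevices/CONSTRUCTED-4"
        DeviceWipeRequestTime = [datetime]"2013-06-01 08:00"; DeviceWipeSentTime = [datetime]"2013-06-01 08:10"
        DeviceWipeAckTime = $null })
)

$samples | Get-EASWipeState -Now $now | Format-Table State, Stale, Identity -AutoSize

# In the Exchange Management Shell, feed it real statistics instead:
# Get-ActiveSyncDeviceStatistics -Mailbox mahera.bawa | Get-EASWipeState
```

A device that stays in a stale pending state has not synced since the wipe was issued, so the data on it should be treated as still exposed until the acknowledgement arrives.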

Summary

This appears to simply be a bug in how Exchange detects a user object that has moved between OUs and does not update both identity values correctly.

Or perhaps the issue is that the Clear-ActiveSyncDevice cmdlet as it is executed from the management console is referencing the wrong object’s identity value, since we seem to be able to work around the problem by specifying the correct one in the shell.

You may find it simpler to just use the Exchange Control Panel to initiate your remote device wipes. However, the scripted option is available if you prefer that.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Niall 9

    Thanks for your write-up of this, & the code, it helped me solve a similar issue for one user trying to Remove-MobileDevice (removes the device listing, does not wipe the mobe) that would not remove, causing app problems. The mismatched Identity info was the clue.
    I was using the GUID as -Id for Remove-MobileDevice, but it kept erroring, “connection not found”.

    The solution:
    $MD = Get-MobileDevice -mailbox
    $MDS = Get-MobileDeviceStatistics -mailbox
    Then
    Remove-MobileDevice -Id $MD.Identity
    and
    Remove-MobileDevice -Id $MDS.Identity

    Thanks for the $var.Identity insight! Worked a treat.

    1. Niall 9

      Should say:
      $MD = Get-MobileDevice -mailbox username
      $MDS = Get-MobileDeviceStatistics -mailbox username
      ;\>)

  2. Beyaca Martin

    I know this post is pretty old but I am desperately seeking help. I have a phone that won’t respond to the remote wipe request from the EMC, or at least that’s what it seems. I’ve initiated several device wipe requests; however, I have not received any kind of device wipe acknowledgement. I’ve verified on that phone that it is still able to sync to the Exchange Server and retrieve emails, etc. With that said, I still do not get an acknowledgement. Do you have any ideas why this might happen? Any help would be appreciated, thanks.

  3. Bruce

    Paul,

    Thank you for the script to identify ID mismatches.
    I did not understand the procedures when the user was renamed and now I receive ID’s mismatch.
    Can you clarify?

  4. Julius

    Hi Paul,

    Nice article. I just had some issues with removing activesync devices that were linked to a deleted mailbox. The AD user account still exists.
    Error:

    Couldn’t find ” as a recipient.
    + CategoryInfo : InvalidArgument: (:) [Get-ActiveSyncDeviceStatistics], RecipientNotFoundException
    + FullyQualifiedErrorId : 396B03C0,Microsoft.Exchange.Management.Tasks.GetMobileDeviceStatistics
    + PSComputerName :

    I consider MFCMAPI as the last option but to simply fix this, I created a mailbox and linked to the problematic user account. After that, I was able to remove all activesync devices registered to that user.

    Hope this helps. Thanks.

  5. Kostas

    Hi,

    Your article is very helpful. I had the same issue and resolved it with the article and your script. Thank you very much.

  6. Sudarshana Ganguli

    In the case I was dealing with – the ExchangeActiveSync “folder” attached to the AD user was removed. Hence the device(s) could not be removed using the Clear or Remove commands. Had to go to MFCMapi tool –> Open the Mailbox –> Expand the “ExchangeSyncData” –>Hard Delete the objects from there to allow new active sync connections. When I went back to ECP the stale items disappeared.
    Thank you all for your input.

  7. Michael

    Hi guys,

    Is there a way to fix the error with the two OUs without wiping the device?

    Thanks and Greetings
    Michael

    1. TexKim

      I have the same question. I don’t want to wipe any BYOD devices, I just want to remove the stale partnerships.

      I’ve tried removing the partnership based on GUID:

      Get-ActiveSyncDevice -id

      I get an error that the GUID can’t be found.

      I’ve tried:

      Get-ActiveSyncDevice | where {$_.DeviceId -eq “Appletcetc”} | Remove-ActiveSyncDevice

      The command completes and doesn’t throw errors, but it doesn’t remove it either.

      I’ve logged into OWA with full access rights on the mailbox and while the stale device is listed, attempts to remove it gives an error popup.

      I guess MFCMapi is the last resort…

  8. Manish R. Patel

    Hello,

    I am not able to remove the device partnership of a few users from the Exchange 2013 CU3 console as well as Exchange PowerShell.
    Getting error “The mobile device xxxxxxxxxxxxxxxxxx cannot be found”.

    Able to see device detail through “Get-MobileDeviceStatistics”

    User OU is same

    Thanks in advance
    Manish

  9. Joe

    this is very helpful for me and the exchange admin team.

    many thanks Paul

  10. Ed Kummel

    I seem to be getting this error with a considerable number of users when running your script Paul:
    Couldn’t find ‘Mobile Mailbox Settings’ as a recipient.
    + CategoryInfo : InvalidArgument: (:) [Get-ActiveSyncDeviceStatistics], RecipientNotFoundException
    + FullyQualifiedErrorId : E8C47191,Microsoft.Exchange.Management.Tasks.GetMobileDeviceStatistics

    You cannot call a method on a null-valued expression.
    At C:\scripts\EASDeviceIDs.ps1:9 char:79
    + if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString <<<< ()))
    + CategoryInfo : InvalidOperation: (ToString:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    – IDs don't match
    BlackBerry§Passport SQW100-1

    The common issue I've been able to identify is that these users have multiple mobile devices. *AND* there's a device mismatch issue.

    1. Paul Cunningham

      Could you email me some more details (paul at exchangeserverpro dot com), such as the exact command you’re running when you see the errors, the get-activesyncdevice output for the user you’re running against, and anything else you think might be relevant from your troubleshooting so far.

    2. Viswatej Kasapu

      Hi Paul, I too got this error when I try to list out available ActiveSync devices using the command

      “(Get-ActiveSyncDevice -Filter {DeviceType -ne ‘EASProbeDeviceType’}) | Select-Object guid | %{Get-ActiveSyncDeviceStatistics -Identity $_.Guid.ToString()}”

      I got error “Couldn’t find ‘Mobile Mailbox Settings’ as a recipient.”

      Please help me in resolving issue.

  11. phil

    hi Paul,

    I have a weird issue where a user has the option in EMC for manage mobile phone, however, no devices can be found anywhere. I cannot find any devices through ecp, nor through powershell. nothing seems to be linked to the user that I can see. how can I remove all assocations of any old devices from the user so that the manage mobile phone option is no longer available in emc?

    Phil.

  12. Rob Walker

    Paul,

    I was wondering if there is a way to disable remote wipe for specific users. I have a client that is looking to prevent administrators from blocking owners. I have tried to convince them that this is a good feature for their business but they just don’t want it.

    Thanks in advance for your help!

    1. Paul Cunningham

      A custom RBAC role would do it. By default anyone who can manage recipients can perform remote wipes on mobile devices.

  13. Jonathan Shapiro

    Paul:

    I came across this article while searching for information on another issue. I use a PowerShell script to produce a CSV listing with ActiveSync stats. It uses Get-ActiveSyncDeviceStatistics. What I’ve noticed is that the DevicePolicyApplied attribute doesn’t always seem to report the current policy set by the administrator to the user account even though the device has recently synced. Is this a case of the statistics in Exchange not updating? Or is this the mobile device failing to properly pick up the assigned policy? In such cases, the EMC clearly shows the correct policy applied to the user, and in some cases, if the user has two different devices – say an Android phone and an iPad, one may show the expected policy, while the other may not.

    1. Paul Cunningham

      Hard to say as I’ve never seen that myself. Could be the device not reporting back successful application of the policy.

  14. Ang

    Paul, is there a way to incorporate the LastSuccessSync filter from get-casmailbox into this script? I’m attempting to clean stale devices, but many of the accounts have been moved to a Terminated OU already.

  15. Wizchip

    WOW.. all this headache because users were moved to a NEW OU in Active Directory and the EXCHANGE TEAM didn’t take this into account.

    Job Security.. and end user pains.

    Sorry 10,000 users.. please reset your device Mail Apps so that we can REMOTE WIPE it or REMOVE it if needed.

    1. Paul Cunningham

      What end user pain? And why would you tell 10,000 people to do that?

  16. Flo

    Is there a way to create a script about the issue with the ExchangeSyncData folder?

    I was using EWSEditor (and also MFCMapi) and it’s solving our issue, but I’m facing a couple of hundred users with a CNF record, according to AD problems. As I said, a delete of the ExchangeSyncData folder, plus a re-sync (and therefore a new partnership) is the solution, but I can’t do that manually for that amount of users.

    Any Idea how to bring that into a script?

  17. Lyncdude

    Hi,

    Great Article,

    I have a question but not totally related to the article, is it possible to edit / customize the error message sent by Exchange (outlook) when user exceed the allowed limited number of devices?

  18. Kottees

    Hi Paul,

    Another good one. Even if we don’t have the permission to wipe the device same error pops-up for me.

    I believe that’s the default behaviour, Am I right?

    I was expecting an Access Denied 😀

  19. Steven

    Hi Paul, this article is really helpful. But I got an issue here. Since the user has been moved to another OU, why wasn’t this relationship replicated to our Exchange server?? Thanks in advance.

    1. Paul Cunningham

      Exchange reads from AD. It doesn’t replicate from AD.

      I agree it is not ideal that the attribute doesn’t update automatically when a user object is moved to a different OU. But that is just the way it is right now.

  20. Carol Ostos

    We had a user that got married and requested a change to her displayname and primary smtp address.
    Not an unusual request but this was the first one I had for an OMA enabled user. Please note, we do not change the username.

    While running some reports I realized her last sync date was early this year so I reached out and she confirmed the device was broken and access could be revoked (thanks for letting us know ;))

    While trying to remove the partnership, I got this error message so a quick google search sent me this way.

    Tried the scripts with the following results.

    a) EASDeviceIDs, this script was useful to identify the ID mismatch
    b) Clear-EASDevice, this script did not help me much and here’s why

    First of all, I realized I needed to make a change to replace the name with the display name

    $name = $mailbox.UserDisplayName

    The output returned: 18 ActiveSync devices found for UserDisplayName

    This seemed a bit odd since the user only had one device. I confirmed this using EMC, EMS, ADSI. Aside that, it found the mismatch IDs so I said, let’s give it a go.

    After completion, I was hoping for 2 things, a) Device removal, b) Email notification.
    Unfortunately, I got none.

    In the end, I grabbed the Identity from the output of “EASDeviceIDs” and did it manually.

    Remove-ActiveSyncDevice -Identity “blah”

    Hope this helps

      1. Carol Ostos

        Hey Paul, how about this? I have started playing with BES 10 and Work Spaces, so at first I was trying to connect using my domain admin account which is mailbox enabled and I could not get it working. For some reason I seem to see now Manage Mobile Phone but I don’t see any devices and if I try to remove the partnership of this phantom connection I get “The operation cannot be performed because no device has been selected”…Any clues?

        1. Paul Cunningham

          Your domain admin account will likely have the permissions inheritance turned off if you look at the Security tab of the user object in AD. That prevents stuff like OWA and EAS working properly because the Exchange ACLs aren’t on the object.

          I recommend using a non-admin account for your testing.

        2. Carol Ostos

          You were right, I completely forgot that domain admin accounts are not the best accounts to use when testing functionality.

          Followed your advice but even after disabling ActiveSync, I would still see “Manage Mobile Phone”, this was annoying me so I kept looking for a solution to make it go away.

          I found the attribute responsible to make “Manage Mobile Phone” become available to the User Mailbox, here’s the description

          Setting msExchMobileMailboxFlags to 1 will force the button to show up for the user whether they have a Mobile Device or not.

          All I had to do is set the value to and listo!

          Hope this helps cause I’m sure I’m not the only neat freak out there.

          Thanks Paul

        3. Carol Ostos

          If you have a stale device that cannot be removed try this

          Use MFCMAPI to delete “ExchangeSyncData” entries manually on the problematic mailbox:

          1. Change problematic user’s outlook from cache mode to online mode

          2. Launch MFCMAPI

          3. “Session” Menu->choose “Logon and Display Store Table”->choose problematic user’s mail profile in jumped window (don’t need to choose if there’s only one profile on client)

          4. Double-click “Mailbox – User Name” in the top-pane

          5. In the next window->Expand Root Container-> Expand ExchangeSyncData container

          6. Locate the stale device ID entry, right-click on it and choose “Delete Folder”

  21. Vikas

    Hi……

    Any One please help…… I can not find last success sync time in exchange 2007…..

  22. Larry Rix

    Any idea on how to clean up devices for users that have had their mailbox removed?

    Couldn’t find ‘XYZ.local/Old_Users/User1’ as a recipient.
    + CategoryInfo : InvalidArgument: (:) [Get-ActiveSyncDeviceStatistics], RecipientNotFoundException
    + FullyQualifiedErrorId : D00BFA21,Microsoft.Exchange.Management.Tasks.GetMobileDeviceStatistics

    XYZ.local/Office1/People/User1You cannot call a method on a null-valued expression.
    At C:\Users\administrator.XYZ\Documents\easdeviceids.ps1:9 char:79
    + if ($($easdevice.Identity.ToString()) -eq $($easdevstats.Identity.ToString <<<< ()))
    + CategoryInfo : InvalidOperation: (ToString:String) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    – IDs don't match
    XYZ.local/Old_Users/User1/ExchangeActiveSyncDevices/SmartPhone§B73CC1B2D8B6CF9D84C46BDC3B3DF888

  23. dinesh

    Hi Paul,

    I am getting the same error while removing the device. We had changed the user name.

    When I am running the script nothing is found; it says “No activesync devices associated”, but when I am going to user properties there are two entries.

    FYI, I have removed both mobile entries through ADSIEdit also.

    When I am trying through ECP to wipe or remove the device it says “Black Ipad couldn’t be found” Error code

    There’s no article associated with the error you found, Error ID: Ex0FBD0C, but you can get help a couple of different ways. We recommend trying forums first.

      1. Levi C. Rogers

        Dinesh,

        This was awesome. I tried everything in the book to fix this and this just handled. You are a gentleman and a scholar.

  24. Jon

    If you want to remove the stale activesync device, use the GUID instead of the actual Identity value:
    Remove-ActiveSyncDevice -Identity 0622e300-c53a-4336-84da-0fb01c596d1f

    I’ve had no issues with this method.

  25. Tim

    Hi Paul

    As usual an excellent post and helped us out with a security issue with one of our customers.

    Script ran on Exchange 2010 as per the post. I think our issue might have been that the customer migrated from Exchange 2003 to 2010 and could have had some issues with the ActiveSync details in that process.

    🙂

  26. JD

    Paul,

    Thanks for researching this. We currently went through an AD overhaul and users were moved from one OU to another. When trying to remote wipe phones through EMC, it still points to the old activesync device location.

    I tried running a clear-activesyncdevice command and piping the new identity and it says it’s successful, but I never get an acknowledgement in EMC, nor do I get an ack email.

    Do you know why this is?

  27. Alexander Lerner

    Paul, I have this problem in a somewhat harder way. We have some ActiveSyncDevice objects that were deleted directly in “Active Directory Users and Computers” and the retention time for the deleted objects is over, so I really can’t find these objects any more.

    The Get-ActiveSyncDeviceStatistics still claims, the Device is here, but any actions (remove-, clear-) end in “ActiveSync Device not found”

    Any Idea how I can finally delete the remnants of these devices?

    Thanks

    AL

  28. Bryan C

    Though the EMC gui shows I have 4 devices (2 old iPhones, an iPhone 5 and an iPad), when I run this I get “0 ActiveSync devices found for “MAILBOX NAME”.

    Any suggestions?

    I’m using my mailbox as the test since I can simply re-add my devices to activesync if removed. My iPhone 5 and iPad are still syncing as well…

  29. Faisal Khan

    Paul, you are always very helpful. I had the same problem while wiping a device from the Exchange Management Console, but then, right as you said, it worked from ECP without any complaint! Thank you
    Faisal khan

  30. Peter T.

    Paul,
    Thanks for the information. Is it possible to edit the incorrect ID (Get-ActiveSyncDevice/Stats) so the EMC can be used for remote wipe?

    1. Paul Cunningham

      Possibly not via the shell, but maybe via ADSIEdit. I haven’t checked to be honest.

  31. Randy B

    I ran into the same issue with a name change.
    Thank you for the article and research, it saved me so much time.

  32. Aaron A.

    Paul, this article was extremely helpful. Thank you for taking the time and doing the research and coding.
