Removing Old Quarantined ActiveSync Devices from Exchange Server

Anil asks if there is a way to purge ActiveSync devices that have been in a quarantine state for longer than a given period of time.

Yes there is a way to do this quite easily with PowerShell. Let’s take a look at exactly how it can be done.

First of all, the scenario that Anil is referring to is when devices are quarantined due to the default organization policy for ActiveSync.

If we use the Get-ActiveSyncDevice cmdlet in the Exchange Management Shell to list all ActiveSync devices in the organization, we can see which ones are in a quarantined state.

So let’s filter the list down to just those devices in a quarantined state.

I will just point out at this stage that most of the quarantined devices in this example are due to the default organization policy. If you had a separate ActiveSync device access rule that quarantined specific device types then the “DeviceAccessStateReason” would be “DeviceRule”.

If we’re only interested in purging devices that have been sitting quarantined for a month then we can do some date math based on the “FirstSyncTime” to filter the list even further.

Note, all of my quarantined devices have been like that for more than a month, but I think you get the idea.

So now that we’ve got a list of quarantined devices that have been sitting in that state for a month or longer, it is time to remove them. To do so we simply pipe the output into the Remove-ActiveSyncDevice cmdlet.

If you don’t want to be bothered with the confirmation prompt just add -Confirm:$false to the end of the command.
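The whole procedure above, from listing devices to removing the stale ones, as one script. This is an added example rather than code from the original article: the cmdlets and property names are standard Exchange ones, but the `$DaysQuarantined`, `$UserDisplayNameFilter` and `$ReportOnly` parameters and the CSV report are this example's own conventions. It goes slightly beyond the article in two ways: it writes out what it is about to delete before deleting anything, and the optional `-UserDisplayNameFilter` regex lets you scope the purge to one OU by matching on the user's canonical name, which is the same approach Anil describes in the comments below.

```powershell
# Added example, not code from the original article: purge ActiveSync devices that
# have sat in quarantine under the default organization policy for 30 days or more.
# Run it from the Exchange Management Shell. The parameters below are this
# example's own conventions; the cmdlets, property names and values are Exchange's.

param(
    # Devices whose first sync is older than this many days are treated as stale.
    [int]$DaysQuarantined = 30,

    # Optional regex applied to UserDisplayName (the user's canonical name, for
    # example "domain.com/Sales/Jane Doe"), so the purge can be scoped to one OU.
    # An empty string means no scoping.
    [string]$UserDisplayNameFilter = '',

    # Export the candidate list and stop without removing anything.
    [switch]$ReportOnly
)

$cutoff = (Get-Date).AddDays(-$DaysQuarantined)

# Step 1: list every device, then keep only those quarantined by the default
# organization policy (DeviceAccessStateReason 'Global'). Devices quarantined by
# a device access rule report 'DeviceRule' instead and are deliberately left alone.
$stale = Get-ActiveSyncDevice -ResultSize Unlimited | Where-Object {
    $_.DeviceAccessState -eq 'Quarantined' -and
    $_.DeviceAccessStateReason -eq 'Global' -and
    $null -ne $_.FirstSyncTime -and
    $_.FirstSyncTime -lt $cutoff -and
    ($UserDisplayNameFilter -eq '' -or $_.UserDisplayName -match $UserDisplayNameFilter)
}

# Step 2: keep a record of what is about to be removed before touching anything.
$report = ".\QuarantinedDevices-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
$stale |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId,
                  DeviceAccessStateReason, FirstSyncTime, Identity |
    Export-Csv -Path $report -NoTypeInformation

Write-Host ("{0} device(s) quarantined by policy since before {1:yyyy-MM-dd}; list saved to {2}" -f `
    @($stale).Count, $cutoff, $report)

if ($ReportOnly) { return }

# Step 3: remove the stale partnerships. -Confirm:$false suppresses the per-device prompt.
$stale | Remove-ActiveSyncDevice -Confirm:$false
```

Run it once with `-ReportOnly` and review the CSV, then run it again without the switch to do the removal. To restrict it to a single OU, pass a regex against the canonical name with the dots escaped, for example `-UserDisplayNameFilter '^domain\.com/Sales/'`. On Exchange 2013 and later the same properties are exposed by Get-MobileDevice and the removal is done with Remove-MobileDevice; the older cmdlet names used here still work there as aliases.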

Simple as that. Of course, if the device still has an Exchange account configured on it and continues to try and reconnect you may find it ends up in the quarantine list again anyway, but this process should still help you keep the list reasonably clean.

  1. Anil says:

    Hi Paul,

    Need a small favour

    Can you please let me know if we can get the list of ActiveSync users which are in Quarantine state for more than a month for a particular OU.

    Thanks in Advance 🙂

  2. Anil says:

    Hi Paul,

    I have used the identity {$_.userdisplayname -match "Domain.com/OU"} which fetched the required information.


  3. Ed Kummel says:

    This may sound weird…but for auditing purposes, is it possible to show *WHEN* a mobile device was released from Quarantine?

  4. David says:

    Thanks, Paul.

    All of your articles are brilliant. I’d just finished implementing a default rule of quarantine but needed to allow devices already connected (and that we approve of). So a script I ran first simply added these allowed devices to the ActiveSyncAllowedDeviceIDs attribute for each CASMailbox. My filter for this script was a particular device model and the device must have synced in the last 3 days. If the device did not meet this filter it was not added.

    This article (well, the powershell within it) allowed me to remove stale device partnerships based on if the device had been quarantined.

    Once again, many thanks.

  5. Normunds says:

    How to remove the quarantined devices where mailboxes no longer exist actually?

    If the answer is ‘raise support call’ – how do I phrase it correctly, so that support understands it?

