On a recent case I was investigating a mobile device that couldn’t connect to a mailbox over ActiveSync. After spending a few minutes collecting information about the mailbox and its associated devices I realized that this task could be performed a lot faster by using a PowerShell script.
Most mobile device troubleshooting cases boil down to one of a few common issues:
- AD accounts with permission inheritance disabled
- Mailboxes with disabled protocols
- Devices blocked by personal block lists, device access rules, or organization policies
- EWS block lists (as is the case with Outlook for iOS when it connects using the REST API)
Even though Office 365 MDM and Intune are available, there is still a lot of ActiveSync in use, especially among on-premises customers. So I am sharing the PowerShell script that I wrote for ActiveSync troubleshooting.
EAS Troubleshooter helps you troubleshoot Exchange ActiveSync device problems by collecting the relevant information about a mailbox's configuration and its associated devices. When you run EAS Troubleshooter against a mailbox you'll see information about the mailbox protocol configuration, associated devices, device access state, and more. This gives you a fast look at the state of ActiveSync for the mailbox, helping you narrow down any problems quickly.
Usage
You can download EAS Troubleshooter from the TechNet Gallery. Run the script from an Exchange Management Shell or Exchange Online remote PowerShell session.
[PS] C:\Scripts\EASTroubleshooter>.\Start-EASTroubleshooter.ps1 -Mailbox alan.reid
EAS Troubleshooter uses simple console output with color-coding to draw your attention to potential issues. The goal is to highlight factors that may be contributing to mobile device connectivity problems so that you know where to focus your investigation.
Frequently Asked Questions
Here are some answers and tips that will help you interpret the output of EAS Troubleshooter. If your question is not answered here please leave a comment below.
Q: What is the AD Perms Inheritance item?
For ActiveSync to work, the Exchange servers need to be able to read information from the Active Directory user object of the mailbox user. If permissions inheritance is disabled on the user object, the correct ACLs may not be in place. You can enable permissions inheritance on the object by opening Active Directory Users and Computers, selecting View -> Advanced Features, and then in the properties of the user object choosing the Security tab and then selecting Advanced.
Note that permissions inheritance will be disabled automatically if the user is in a protected security group such as Domain Admins, Account Operators, or any other “admin” group.
This AD permissions check is not applicable to Exchange Online mailboxes.
Q: What do I do if the ActiveSync protocol is disabled?
You can re-enable the ActiveSync protocol for the mailbox using the Exchange Admin Center or the Set-CASMailbox cmdlet in the Exchange Management Shell.
Q: What do the EWS Protocol and EWS Access Policy items mean?
The EWS settings are applicable to Outlook for iOS and Android when connecting to Exchange Online mailboxes using the REST API. See this blog post for more details.
Q: What are the allow/block device ID lists?
Each mailbox can have specific device IDs blocked or allowed. These personal exemptions override the other controls, such as device access rules and the organization-level ActiveSync settings. You can add or remove device IDs from these lists using Set-CASMailbox.
Q: What does the ActiveSync Access State mean?
Refer to this article about the allow/block/quarantine process and how ActiveSync device state is determined.
Q: What does the ActiveSync Access State Reason mean?
This property explains how the ActiveSync access state has been determined. Possible values include:
- Global – access has been determined by the organization-level ActiveSync settings
- Individual – access has been determined by a personal allow/block list (refer to earlier info in this FAQ)
- DeviceRule – access has been determined by a device access rule (examples here, here and here)
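As an added example (not the EAS Troubleshooter script itself), the checks described in this FAQ condensed into one function: protocol switches, the personal allow/block lists, AD permission inheritance, and the per-device access state with its reason. It assumes an Exchange Management Shell session with the ActiveDirectory module loaded; the function name and the -GlobalCatalog parameter (for pointing Get-ADUser at a global catalog in a multi-domain forest) are my own naming.

```powershell
# Added example, not code from the original script. Assumes an Exchange
# Management Shell session; the AD check is skipped for Exchange Online.
function Test-EASMailboxState {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [string]$GlobalCatalog,      # hypothetical, e.g. "contoso.com:3268"
        [switch]$ExchangeOnline
    )
    $findings = @()
    $cas = Get-CASMailbox -Identity $Mailbox

    # 1. Protocol switches: a disabled protocol blocks the client outright.
    if (-not $cas.ActiveSyncEnabled) {
        $findings += 'ActiveSync protocol disabled (re-enable with Set-CASMailbox -ActiveSyncEnabled $true)'
    }
    if (-not $cas.EwsEnabled) {
        $findings += 'EWS disabled; affects Outlook for iOS/Android REST connectivity'
    }

    # 2. Personal allow/block lists override device access rules and org settings.
    $blocked = @($cas.ActiveSyncBlockedDeviceIds)
    if ($blocked.Count -gt 0) {
        $findings += "Personal block list contains: $($blocked -join ', ')"
    }

    # 3. AD permission inheritance (on-premises only). Members of protected
    #    groups such as Domain Admins will have inheritance disabled.
    if (-not $ExchangeOnline) {
        $adParams = @{ Identity = $cas.SamAccountName; Properties = 'nTSecurityDescriptor'; ErrorAction = 'Stop' }
        if ($GlobalCatalog) { $adParams['Server'] = $GlobalCatalog }
        $user = Get-ADUser @adParams
        if ($user.nTSecurityDescriptor.AreAccessRulesProtected) {
            $findings += 'AD permission inheritance is disabled on the user object'
        }
    }

    # 4. Per-device access state and the reason (Global/Individual/DeviceRule) that decided it.
    foreach ($device in @(Get-MobileDevice -Mailbox $Mailbox)) {
        if ($device.DeviceAccessState -ne 'Allowed') {
            $findings += "Device $($device.DeviceId) is $($device.DeviceAccessState) (reason: $($device.DeviceAccessStateReason))"
        }
    }

    [pscustomobject]@{ Mailbox = $Mailbox; Findings = $findings }
}

# Mailbox name taken from the usage example above.
Test-EASMailboxState -Mailbox alan.reid
```

An empty Findings list means none of the checks in this FAQ fired, which points the investigation toward device access rules, MDM policy, or the client itself.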
Q: EAS Troubleshooter says a device is blocked/allowed but that doesn’t seem correct?
EAS Troubleshooter is just giving you information to help with your investigation. It can’t accurately diagnose every possible cause or account for every scenario. Use the information provided to lead you to a solution that takes into account your own environment and the specifics of your support case.
Q: What about Intune/MDM?
EAS Troubleshooter looks at configurations that impact ActiveSync devices/apps as well as the EWS configuration that impacts Outlook for iOS/Android REST API connectivity. If your devices are controlled by Intune, Office 365 MDM, or a third party MDM, then there may be other configurations in those systems that you need to look into.
Q: What else can I use to troubleshoot ActiveSync connections?
The Remote Connectivity Analyzer can be used to perform external ActiveSync connectivity tests. You can also use Exchange Analyzer to look for problems with your on-premises server configuration. For on-premises troubleshooting, there is also the Exchange Server Troubleshooting Companion, and for Exchange Online there is Office 365 for IT Pros.
Tried to run the script on Exchange 2016 but got this error:
EWS Protocol: Not set
EWS Access Policy: Not set
Cannot process argument transformation on parameter ‘Identity’. Cannot convert the “xxx.local/xxx/USERS/ICT/Name
Surname/ExchangeActiveSyncDevices/iPhone§4ULM4R7J4L7JT8AD04F7D2JL58” value of type “Deserialized.Microsoft.Exchange.Data.Directory.ADObjectId” to type
“Microsoft.Exchange.Configuration.Tasks.MobileDeviceIdParameter”.
+ CategoryInfo : InvalidData: (:) [Get-MobileDeviceStatistics], ParameterBindin…mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MobileDeviceStatistics
+ PSComputerName : exp01.xxx.local
Sadly it seems Microsoft have decided to bin off the Technet Gallery (rather than just make it read only) so that link is now dead. Any chance of it being uploaded somewhere new?
Hi Keith,
I found it on Paul's own GitHub:
https://github.com/cunninghamp/EASTroubleshooter/blob/master/Start-EASTroubleshooter.ps1
Can you guide me in a scenario?
After upgrading from 2013 to 2016, ActiveSync is unable to sync all folders and subfolders, but it can connect and can also see a few folders.
The ActiveSync logs say the Sync Key is not matching or is invalid.
I tried creating a new policy/rule to reset the Sync Key, but it is still the same issue.
Any suggestions here?
Hi Deep Saha, I didn't upgrade from Exchange 2013; however, just in the last month I started having issues with a user that has over 13,000 mailbox folders/subfolders (not of the inbox, as we delete everything older than 30 days in the inbox, which would apply to its subfolders). The user's native mail app on iPhone is not working well, typically going blank or having white spaces in the inbox before eventually refreshing normally, and the Outlook app for iOS is not working well at all.
I am almost convinced it is related to the number of subfolders; however, I have not been able to find proof of this.
This is a great script, but I have run into an issue with it, as well as when running a manual command to pull back a list of devices from the Office 365 cloud. Slow is one thing, but never returning results is what is happening, and again not just with your script: the same happens if I run Get-MobileDeviceStatistics for any particular user's mailbox manually. I've tried it on my own account, purposely deleting all but a handful of devices before trying, just to rule out the number of devices hanging it up.
# Retrieve the mobile device statistics (this part can be slow)
$MobileDeviceStats = @(foreach ($mobiledevice in $MobileDevices) { Get-MobileDeviceStatistics $mobiledevice.Identity })

Write-Host ""
Write-Host -ForegroundColor White " *** Mailbox Allow/Block Device ID List ***"
Write-Host ""

$AllowedDeviceIds = @($CASMailbox.ActiveSyncAllowedDeviceIds)
$BlockedDeviceIds = @($CASMailbox.ActiveSyncBlockedDeviceIds)

# Output the list of allowed device IDs
if ($AllowedDeviceIds.Count -gt 0) {
    Write-ResultsToConsole -Pretext "Allowed Device IDs" -Result "$($AllowedDeviceIds.Count) devices"
    # List each device ID and the device's friendly name
    foreach ($DeviceId in $AllowedDeviceIds) {
        Write-Host "ID: $($DeviceId) ($(Get-MobileDeviceFriendlyName $DeviceId))"
    }
}
else {
    # If there are no allowed device IDs, output a result of None
    Write-ResultsToConsole -Pretext "Allowed Device IDs" -Result "None"
}
Working for a long time with quarantine and allow. It was working fine without any problems. Now I have two phones for different users where, after the device is allowed and after 5 to 15 minutes (I can't really say how long), the device goes from allow to block. I have absolutely no idea what the reason for that is. DeviceAccessStateReason: Individual. I can set it back to allow, but the same thing happens and it is blocked again after some minutes. Exchange 2013 CU21.
Hi,
I have been troubleshooting an issue, as suddenly several users started receiving this email:
Your phone won’t be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.
Information about your mobile phone:
Device model: Outlook for iOS and Android
Device type: Outlook
Device ID:
Device OS: Outlook for iOS and Android 1.0
Device user agent: Outlook-iOS-Android/1.0
Device IMEI:
Exchange ActiveSync version: 14.1
Device access state: Blocked
Device access state reason: Global
When I check, the device is still syncing with no issues.
Do you have a clue as to the reason for these emails?
Hi
Is there a command to execute for all mailboxes?
Regards
Hi,
Thanks for the script, it helps us a lot and is very helpful. Could you please share a script that shows which mailboxes use ActiveSync, and another that shows which users use OWA?
Regards
It is a nice script, but not good if you have a device, like I have, that isn't able to sync contact changes from the device to Exchange.
How would you troubleshoot that issue?
Many thanks! It’s very helpful for my daily work with employees and students and their mobile devices.
Greetings, Michael
Great script, Paul. However, how do you get the AD Perms Inheritance check to work when you have multiple domains? Exchange is at the root with users in other domains. With the AD module it will only run in the root, so it will not find the users. I'd love that to be an update to the script; beyond that it's perfect!!
I figured it out, for anyone else who has multiple DCs within a forest. On line 179 add in -Server "your rootdomain:3268"; this way it is looking at the Global Catalog and will find the user to do the search. So my line looks like the following:
Get-ADUser -Filter 'SamAccountName -eq $samAccountName' -Server XYZ-AB.com:3268 -Properties nTSecurityDescriptor -ErrorAction STOP
Good catch. I don’t have any environments like that but great that you were able to work it out.
Thanks Paul! Your articles are an invaluable resource and I certainly appreciate your sharing!
Thank you so much for this. This helps. Good to see an on-premises article again.
*smile*
Thanks….
Does it work with Exchange 2010 (on prem) ?
Mark, it looks like if you edit the script a bit it will.
Make a change on line 167: Get-MobileDevice -> Get-ActiveSyncDevice
Make a change on line 235: Get-MobileDeviceStatistics -> Get-ActiveSyncDeviceStatistics
Correct, just need to change the cmdlets back to the 2010 versions.
Mark,
to get also the device type:
Make a change on line 277: $Device.ClientType -> $Device.DeviceType
Great script. One of the biggest issues we run into with Active Sync seems to be with users having too many folders. Can you add that sort of check into the script?
I’ll add a note to my Github repo but I’m not sure what threshold would be “too many”.
We have seen issues with over 1,000 sub folders. Usually it’s over 10,000 though. A folder count and even an item count would be great, just for reference.
The "excessive" subfolder issues are a general client issue, not directly related to ActiveSync.